Skip to main content
Investigative Journalism

Building and Managing a Source Network

How to cultivate sources over time, manage ethical obligations, maintain source-rotation hygiene, handle secure introductions, and protect source identity under UK law.

8 min read

Last reviewed: Next review due:

Why source cultivation is a long-term discipline

Sources are the lifeblood of investigative journalism. Public records and OSINT techniques can establish what is on the official record — but sources give you what is not: the context behind a decision, the document that was never filed, the meeting that has no official record, the person who was in the room.

Building a source network is not transactional — it is a long-term investment in relationships built on trust, honesty about what you can and cannot do for a source, and consistency in protecting confidentiality. Sources talk to journalists they trust. Trust takes years to build and can be destroyed in a single careless moment.

This guide covers the practical mechanics of source development, the ethical framework governing source relationships under the NUJ Code and IPSO Editors' Code, the digital security considerations for source protection, and how to manage a network over the long term without creating dependencies or ethical problems.

When source network management is most critical

  • 1Starting out on a new beat where you have no existing contacts in the sector or institution.
  • 2An investigation requires information from inside an organisation that has no press office or actively hostiles media contact.
  • 3You need to verify a claim from one source against an independent source in the same area.
  • 4A source relationship has become complicated — a source is asking for something in return, attempting to control your coverage, or their reliability has come into question.
  • 5A source faces legal jeopardy and asks what you can do to protect them.
  • 6You are handing over a beat to a colleague and need to manage source introductions responsibly.

Red flags to watch for

  • Payment for information: offering money in exchange for tips or documents risks distortion, entrapment, and breaching IPSO Clause 15.
  • Single dependency: relying on one source for an entire beat creates a conflict of interest and a vulnerability — if that source is compromised, so is your coverage.
  • Source coercion: implicitly or explicitly threatening to expose or embarrass a source to obtain information is a serious ethical breach and may be unlawful.
  • A source who consistently offers exclusives in exchange for favourable coverage: this is a transactional relationship that compromises your independence.
  • A source who appears to be running an agenda — selectively leaking information to damage particular targets while protecting others.
  • Over-contact: repeatedly contacting a source who has expressed reluctance risks harassment under the Protection from Harassment Act 1997.
  • Storing source contact details in an unencrypted or cloud-based system accessible to third parties or susceptible to a production order.

Source network development checklist

  • I have mapped the beat I am covering and identified the key institutional and individual contacts I need to develop over the coming year.
  • I have established a routine contact schedule for my most important sources — periodic contact even when there is no immediate story keeps relationships active.
  • I have been honest with each source about what I can and cannot offer in terms of confidentiality and source protection.
  • I have established a clear ground-rules conversation with each confidential source before receiving sensitive information.
  • I have reviewed my expenses and gifts policy in line with my outlet's editorial standards and the NUJ Code.
  • I have a secure means of communicating with sensitive sources (Signal, SecureDrop, or an equivalent).
  • I am maintaining source diversity — I do not rely on any single source for more than one story at a time without independent corroboration.
  • I have reviewed which sources I have used in the last three months and identified any dependency patterns.
  • I understand the legal framework under the Police and Criminal Evidence Act 1984 and the Investigatory Powers Act 2016 for compelled source disclosure, and have briefed my editor.
  • I have a plan for what I would do if I received a production order or phone tap disclosure relating to a source.

Tools for source protection and secure communications

Use our Source Protection Guide for step-by-step protocols, and our Digital Security hub for encrypted communications setup for sensitive source contacts.

Common mistakes

  • Treating source relationships as purely instrumental — sources who feel used rather than respected will eventually stop talking to you.
  • Not having an explicit conversation about ground rules before receiving sensitive information.
  • Storing source names and contact details in a phone, email, or cloud service that is not encrypted and could be subject to compelled disclosure.
  • Failing to tell a source upfront that you cannot guarantee their anonymity in the event of a legal challenge.
  • Allowing a long-standing source relationship to blur into friendship in ways that compromise your editorial independence.
  • Not rotating sources: over-reliance on one person for a beat creates both a dependency and a conflict of interest.
  • Using a source's name in copy when the story could be published without identifying them — always ask whether identification is necessary.

Related guides

Primary sources

Frequently asked questions

What does the NUJ Code say about sources?
The NUJ Code of Conduct (Clause 7) states that a journalist “protects the identity of a source who supplies information in confidence and material gathered in the course of her/his work.” This is a professional obligation, not merely an aspiration. It applies even after the story is published, even if the source has changed their mind about confidentiality, and even under pressure from legal proceedings. Breaching source confidentiality without consent is a serious breach of the code and can result in disciplinary action by the union.
Can I pay sources for information in the UK?
Payment to sources is tightly regulated under IPSO's Editors' Code (Clause 15). Payment for information to witnesses or potential witnesses in active criminal proceedings is prohibited without specific public-interest justification. Payment to convicted criminals for stories about their crimes is prohibited. More broadly, paying sources for information risks distorting their account (they will tell you what earns a payment) and undermining your credibility. The NUJ Code does not explicitly prohibit payment but emphasises that journalists must not allow financial or other inducements to colour their professional judgment.
What is “source rotation hygiene” and why does it matter?
Source rotation refers to deliberately varying your sources so that you do not become over-reliant on a single individual or institution. This matters for two reasons: first, a source who knows they are your primary or only contact in an area gains leverage over your coverage; second, over-reliance on one source creates a single point of failure for your source network. Practical hygiene means: tracking which stories each source contributed to, regularly refreshing your routine contacts in each beat, and being alert to sources who attempt to become your exclusive pipeline.
How do I handle a source who wants to control the story?
Be clear from the first contact about what you can and cannot agree to. You can agree to show a source their quotes for accuracy checking; you cannot agree to give them editorial control over the framing, headline, or what else you include in the story. If a source makes their cooperation conditional on editorial control, you should decline. Document any attempts to impose conditions and inform your editor. The Dart Center and CPJ Journalist Security Guide both address managing sources who attempt to instrumentalise journalists.
Should I use a CRM (contact management system) for sources?
Many senior investigative journalists keep a private contact database, but it carries risks: a CRM containing source names and contact details is a high-value target for hackers, police production orders, and legal discovery. If you maintain a digital source directory, store it on an encrypted device (VeraCrypt container or a device with full-disk encryption), never on a cloud service that could be subject to a US CLOUD Act request or a UK Production Order. Some journalists prefer to keep source information only in their own memory or in handwritten notes kept physically secure.
How do I introduce two sources to each other safely?
Direct introductions between sources should be done only with the informed consent of both parties and only when you are confident neither will compromise the other's safety. Use Signal for any introductions involving sensitive material. Consider whether the introduction could, if either source is later investigated, reveal the identity of the other. In high-risk environments, prefer to relay information between sources rather than introducing them directly. The CPJ Journalist Security Guide and Rory Peck Trust both provide detailed guidance on managing source networks in hostile environments.