What the ACPO Good Practice Guide requires for UK digital evidence

The typical UK investigation now involves a WhatsApp screenshot, a recorded Teams meeting and a page scraped from a supplier's website. The document practitioners still cite when they acquire that material is the ACPO Good Practice Guide for Digital Evidence, version 5, published October 2011 by the Association of Chief Police Officers. ACPO itself was dissolved four years later.

That gap is where most disputes about UK digital evidence now live. The four ACPO principles are applied verbatim by solicitors, forensic providers and the courts, but the sources of evidence have moved on. The hard question, in practice, is what the ACPO Good Practice Guide actually requires when the data sits in a chat app, a SaaS tenant or a cloud meeting recording. What follows maps the four principles onto ISO/IEC 27037, looks at how UK courts have pushed back on software-generated evidence since Horizon, and sets out what an ACPO-compliant capture of modern digital provenance should look like.

Why ACPO still matters, even after NPCC replaced it

The Association of Chief Police Officers (ACPO) was closed on 31 March 2015 and replaced by the National Police Chiefs' Council (NPCC) on 1 April 2015, yet the ACPO Good Practice Guide for Digital Evidence (version 5, October 2011) remains the UK's working reference for anyone handling digital evidence for a UK court. The document is still published on the NPCC website and is cited by the College of Policing's Authorised Professional Practice, by defence solicitors and by private forensic providers. Its four principles govern every acquisition, preservation and analysis decision where the output may be relied upon in criminal or civil proceedings, and they are quoted verbatim in expert reports under Criminal Procedure Rules Part 19. The Guide predates cloud storage, end-to-end messaging and routine video-call recording, which is why practitioners now read the ACPO text together with ISO/IEC 27037:2012 and the Forensic Science Regulator's Code of Practice.

Two scholarly voices are worth naming. Graeme Horsman, in his 2020 paper ACPO principles for digital evidence: Time for an update?, argues the text has not kept pace with modern practice but still carries normative weight. Dr Gillian Tully, former Forensic Science Regulator for England and Wales, reaches a similar conclusion in her 2020 paper on quality standards for digital forensics: the four principles are authoritative, and the operational layer on top (FSR Code, ISO/IEC 17025, College of Policing APP) now does most of the regulatory work.

The four ACPO principles explained

Each principle is a single sentence in the Guide; meeting it in practice is what decides admissibility in a UK court.

Principle 1: no action should change data

Principle 1 of the ACPO Good Practice Guide for digital evidence states: "No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court." In operational terms the original device or data source must not be written to, booted or manipulated during acquisition. UK forensic laboratories meet this with write-blockers for storage media and a bit-for-bit forensic image before any analysis. For non-seizable evidence (a live web page, a WhatsApp chat viewed inside the app, a cloud document, an active video call) Principle 1 is met by capturing the rendered state through an isolated, instrumented browser that produces a sealed record with a cryptographic hash and trusted timestamp, while the source system stays untouched. The practical test a UK judge will apply is whether an independent examiner could verify, from the record alone, that no write occurred.

Principle 2: competent persons and traceable actions

Principle 2 says that, where an examiner must access original data, the person has to be competent and able to explain the relevance and implications of every action taken. Two things follow: a record of training and tool familiarity, which is the accreditation side, and a reasoned log of every step (why the action was necessary, what it touched, what it produced). Principle 2 is the one that most often breaks in workplace disputes, where a line manager has "had a look" on the employee's laptop before anyone thought to preserve the state.

Principle 3: audit trail reproducible by a third party

Principle 3 of the ACPO Good Practice Guide says that "an audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result." Reproducibility, in other words, is the legal test, not mere documentation. A compliant audit trail records every tool, tool version, command, hash value and operator action in a tamper-evident format that cannot be edited after the fact. ISO/IEC 27037:2012 clause 5.4.1 reinforces the point by setting out a chain of custody that must record, at minimum: unique identifier, source, operator, method, hash value, timestamp and handover events. For a WhatsApp screenshot or a recorded meeting to survive cross-examination in UK courts, the audit trail has to let an independent expert reconstruct the capture from the record alone, without access to the original device.

Principle 4: officer in charge overall responsibility

Principle 4 fixes accountability on the person leading the investigation. That individual carries overall responsibility for ensuring that the law and the first three principles are adhered to, even when specialist work is delegated. The equivalent role in a corporate setting is the named custodian of the evidence package: the solicitor, in-house counsel or compliance officer who can describe, at trial, how custody was preserved between capture and disclosure.

Where ACPO meets ISO/IEC 27037:2012

ISO/IEC 27037:2012 defines four operational processes for handling potential digital evidence: identification, collection, acquisition and preservation. Mapped to the ACPO Good Practice Guide, identification and collection sit under Principle 4 (the officer in charge decides relevance and scope), acquisition falls under Principles 1 and 2 (no alteration of the source, competent access by a qualified examiner), and preservation is continuous under Principle 3 (audit trail reproducible by an independent third party). ISO/IEC 27037 is read alongside ISO/IEC 27041 (assurance of investigation methods), ISO/IEC 27042 (analysis and interpretation of evidence) and ISO/IEC 27043 (incident investigation principles and processes). The ACPO text does not reference the ISO family explicitly, but UK forensic laboratories accredited to ISO/IEC 17025 by UKAS, and inspected by the Forensic Science Regulator, treat the ISO/IEC 27037 lifecycle as the operational expression of the four ACPO principles in day-to-day casework.

ACPO principle | ISO/IEC 27037 process | What it looks like in practice
Principle 1: no alteration | Acquisition (read-only) | Write-blocker for seizable media; isolated browser or sealed capture agent for web, chat and cloud.
Principle 2: competent access | Acquisition + analyst qualification | Validated tooling, documented method, trained operator with accreditation trail.
Principle 3: audit trail | Preservation (continuous) | Cryptographic hash, trusted timestamp, tamper-evident log of every command, tool version and handover.
Principle 4: overall responsibility | Identification and collection governance | Named case officer or custodian, documented scope decisions, custody chain reproducible from the record alone.

Applying ACPO to modern evidence: WhatsApp, web, cloud, recordings

Most UK disputes now turn on evidence the Guide did not contemplate, and the principles still apply even though the operational layer around them is different.

A WhatsApp chat is a live, cloud-synchronised record. A native extraction may meet Principle 1 in a police context, but in civil or employment investigations the chat is usually acquired while the account is live. Capturing a WhatsApp screenshot under Principle 3 requires a sealed record; TrueScreen delivers that workflow through a cryptographic hash, trusted timestamp and reproducible audit trail. The capture has to prove the displayed content existed on the device at that moment, and the audit log has to be something that can be handed to an opposing expert without further explanation.

Cloud documents raise a different Principle 2 question. The evidence is rarely the PDF export: it is the live document at a specific revision, together with its provenance metadata (owner, last editor, sharing settings), captured in a way another examiner can repeat. A live web page is much the same: the persistent evidence is not the URL but the rendered DOM, headers, TLS chain and time of capture, sealed together. The same logic applies to screenshot evidence produced in workplace disputes.

Recorded Zoom, Teams or Google Meet meetings sit at the edge of ACPO and the Criminal Justice Act 2003 hearsay regime. A recorded meeting used to prove something a participant said is real evidence of the recording itself and hearsay of the statement. The ACPO requirement is met when the recording is preserved as a sealed artefact with an independent timestamp and a manifest of participants; admissibility of what was said then follows the hearsay rules.

Common failure modes: how evidence gets challenged in UK courts

Digital evidence appears in approximately 90% of criminal investigations, and the National Police Chiefs' Council has identified digital evidence as the number-one policing challenge for 2026. Against that volume, the most frequent reasons UK courts reject or discount digital evidence under the ACPO Good Practice Guide are: unverified screenshots with no hash value or independent timestamp; a broken chain of custody where intermediate handovers are not logged against Principle 3; tool output produced by an operator whose competence is not demonstrable under Principle 2; and reliance on the common-law presumption that "the computer is always right", now under Home Office scrutiny through the January 2025 call for evidence on software in criminal proceedings after the Post Office Horizon scandal. Each failure mode maps back to one of the four ACPO principles the court will weigh on admissibility.

Section 69 of the Police and Criminal Evidence Act 1984 was the original statutory guardrail: a party relying on computer output had to prove the system was operating properly. Parliament repealed s.69 in 1999, and the common-law presumption stepped into its place. Horizon showed what happens when that presumption goes unchallenged, and the Data (Use and Access) Act 2025 now includes Amendment 68, which requires a court to satisfy itself that the admissibility of digital evidence cannot reasonably be challenged. Parties can no longer assume their software output will be accepted because it looks authoritative.

Procedural rules do the rest of the work. CPR Part 31 and Practice Direction 31B set the civil standard for how electronic documents are preserved and produced; Criminal Procedure Rules 2020 Part 19 governs expert evidence and the duty to describe the method so that it is reproducible. Together with the FSR Code of Practice, these are the tests the ACPO principles are measured against in practice.

What does an ACPO-principles-compliant capture of modern digital evidence look like in practice?

A forensic methodology is ACPO-principles-compliant when it satisfies all four principles for evidence the Guide did not originally contemplate. TrueScreen, the Data Authenticity Platform, applies the methodology to non-seizable evidence (WhatsApp chats, cloud documents, live web pages, recorded video calls) through four operational steps that map 1:1 to the ACPO principles. Principle 1 is satisfied because the capture runs through an isolated browser and a dedicated mobile app that do not write to the source. Principle 2 is embedded: the capture environment is instrumented so the operator's actions are reproducible without specialist forensic skill. Principle 3 is delivered by sealing every capture with a cryptographic hash, trusted timestamp and an immutable log of technical artefacts. Principle 4 is preserved because the officer in charge retains custody of the evidence export and its verification record.

Principle 1 in practice: read-only acquisition

The source is never written to. A web page is rendered inside a controlled browser that captures the DOM, the MHTML snapshot and the network trail without injecting scripts or persisting state to the origin server. A chat app or cloud document is recorded through a mobile agent that does not modify the underlying account or device.

Principle 2 in practice: reproducible operator actions

Competence is split between tool and operator. The capture environment logs the exact actions taken (URL, gesture, scroll, screen) and validates the tool version against a known build. An operator with legal training but no forensic background can produce evidence a UK court will accept, because reproducibility sits in the artefact rather than in the operator's memory.

Principle 3 in practice: cryptographic chain of custody

Every capture is hashed with SHA-256, sealed with a trusted timestamp from a qualified trust service provider, and written to an immutable log that records tool, version, operator identity, capture time, device fingerprint and artefacts produced. An independent expert can verify the hash and read the log from the export alone.
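The tamper-evident record that Principle 3 and the paragraph above describe can be sketched as a hash-chained custody log that a third party re-verifies from the export alone. This is an added example, not TrueScreen's code or anything from the Guide; the field names, `EX-0001`, `capture-tool` and the sample URL are assumptions, and the timestamps are plain caller-supplied strings rather than tokens from a qualified trust service provider.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash used by the first entry in a log

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(body: dict) -> str:
    # Canonical JSON, so an independent verifier reproduces the same bytes.
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())

def append_entry(log: list, artefact_hash: str, **fields) -> dict:
    """Seal one custody event; each entry commits to the one before it."""
    body = dict(fields, seq=len(log), artefact_hash=artefact_hash,
                prev_hash=log[-1]["entry_hash"] if log else GENESIS)
    entry = dict(body, entry_hash=entry_digest(body))
    log.append(entry)
    return entry

def verify(log: list, artefact: bytes) -> list:
    """Re-check the record from the export alone; an empty list means it verifies."""
    problems, prev, expected = [], GENESIS, sha256_hex(artefact)
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["seq"] != i or entry["prev_hash"] != prev:
            problems.append(f"entry {i}: chain link broken")
        if entry_digest(body) != entry["entry_hash"]:
            problems.append(f"entry {i}: contents altered after sealing")
        if entry["artefact_hash"] != expected:
            problems.append(f"entry {i}: artefact hash mismatch")
        prev = entry["entry_hash"]
    return problems

# Constructed sample data: stand-in capture bytes and two custody events.
SAMPLE_ARTEFACT = b"<html><body>Constructed sample capture</body></html>"

def build_sample_log(artefact: bytes = SAMPLE_ARTEFACT) -> list:
    log, digest = [], sha256_hex(artefact)
    common = dict(evidence_id="EX-0001", source="https://supplier.example/terms",
                  tool="capture-tool", tool_version="1.0.0")
    append_entry(log, digest, operator="analyst-a", method="isolated-browser capture",
                 timestamp="2025-01-15T10:00:00Z", event="acquired", **common)
    append_entry(log, digest, operator="custodian-b", method="handover",
                 timestamp="2025-01-15T16:30:00Z", event="handover from analyst-a", **common)
    return log

if __name__ == "__main__":
    log = build_sample_log()
    print(verify(log, SAMPLE_ARTEFACT))    # untouched record
    log[0]["operator"] = "someone-else"    # edit made after sealing
    print(verify(log, SAMPLE_ARTEFACT))
```

A chain like this only detects edits if the latest `entry_hash` is anchored outside the log, which is the job of the trusted timestamp; someone able to rewrite every entry could otherwise recompute the whole chain.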

Principle 4 in practice: investigator-retained custody

The evidence export belongs to the investigator, not the platform. The officer in charge holds the sealed artefact, a verification record and a copy of the audit log, and can demonstrate unbroken custody from capture to disclosure.

FAQ: ACPO Good Practice Guide for digital evidence

Are the ACPO guidelines still current in UK digital forensics?

Yes. The Good Practice Guide for Digital Evidence version 5 (October 2011) is still hosted by the NPCC and cited as current practice by the College of Policing APP, by providers accredited to ISO/IEC 17025, and in expert reports under Criminal Procedure Rules Part 19. Horizon, the Home Office January 2025 call for evidence on software-generated material, and Amendment 68 of the Data (Use and Access) Act 2025 have tightened scrutiny. The four principles remain the baseline, read with the FSR Code of Practice and ISO/IEC 27037:2012.

Who replaced ACPO and is the Good Practice Guide still official?

ACPO was dissolved on 31 March 2015 and replaced by the National Police Chiefs' Council on 1 April 2015. The Good Practice Guide for Digital Evidence version 5, dated October 2011, was never formally superseded. It is still hosted on the NPCC website, referenced by the College of Policing's APP, and used in day-to-day forensic work. Operational weight now sits with the FSR Code of Practice, but the Guide and its four principles are still the document expert reports and court submissions cite.

How do the ACPO principles apply to a WhatsApp screenshot?

A WhatsApp screenshot passes Principle 1 only if the capture does not alter the device or the chat, and Principle 3 only if the image is bound to a tamper-evident record an independent expert can verify. A plain phone screenshot fails both: no hash, no independent timestamp, no log of how the image was produced. Use a capture method that satisfies the four principles end-to-end; TrueScreen performs each step (no-write acquisition, auditable operator actions, cryptographic chain of custody, investigator-retained export) in a single workflow.

Can a recorded Zoom or Teams meeting be used as evidence in UK courts?

Yes, on two conditions. First, the recording has to meet the ACPO principles at capture: no modification of the source, a competent operator, a reproducible audit trail, a named custodian. Second, the content of what a participant said is treated under the Criminal Justice Act 2003 hearsay regime for the truth of that statement, even though the recording itself is real evidence. Seal the file with a hash and trusted timestamp, keep a manifest of participants and times, and admissibility turns on the hearsay analysis rather than integrity.

What is the relationship between ACPO and ISO/IEC 27037?

ACPO says what must not happen: no alteration, no gaps in competence, no broken audit trail, no diffuse responsibility. ISO/IEC 27037:2012 describes the lifecycle that delivers those outcomes: identification, collection, acquisition, preservation. UK forensic providers accredited to ISO/IEC 17025 treat ISO/IEC 27037 as the "how" to ACPO's "must". ACPO sets the legal standard read in UK courts; ISO/IEC 27037 gives the process language an independent expert uses to verify the work.

Certify UK digital evidence under the ACPO principles

TrueScreen captures WhatsApp chats, live web pages, cloud documents and recorded meetings in a way that meets the four ACPO principles end-to-end: read-only acquisition, reproducible operator actions, cryptographic chain of custody and investigator-retained export.
