How chain of custody for digital evidence works in UK proceedings

Chain of custody for digital evidence in the UK is the documented, unbroken record of every action performed on an electronic artefact from acquisition to courtroom presentation. Under the Forensic Science Regulator Code of Practice and the ACPO Good Practice Guide for Digital Evidence (Principle 3), the audit trail must let an independent third party re-walk the work and reach the same result. Without it, opposing counsel can challenge admissibility under CPR Part 31 and Practice Direction 31B in civil disputes, or invoke Section 78 PACE 1984 in criminal proceedings to argue exclusion for unfairness.

Three forces made this central in 2026: Post Office Horizon scrutiny tightened how UK courts treat digital systems; the Data (Use and Access) Act 2025, via Amendment 68, narrowed the presumption of computer evidence reliability; and electronically stored information (ESI) now dwarfs paper bundles in disclosure.

What is chain of custody for digital evidence?

Chain of custody for digital evidence is the chronological record of possession, control and handling of an electronic artefact, from capture to presentation in court. In the UK it spans civil disputes under the Civil Procedure Rules and criminal cases under the Criminal Procedure Rules 2020. Both ask: can you prove what is being shown is what was originally captured, with nothing added, removed or altered?

A bagged exhibit in a Crown Court locker is one object: you can see if the seal is broken. An electronic document copies perfectly, without trace. The chain compensates by swapping the tamper-evident bag for cryptographic hashing, qualified timestamps and an audit trail a third party can re-walk.

What ACPO Principle 3 requires for the audit trail

The four ACPO principles in 60 seconds

The ACPO Good Practice Guide for Digital Evidence, now under NPCC stewardship, sets out four principles. Principle 1 prohibits any action that changes data which may later be relied on in court. Principle 2 covers competence: anyone accessing original data must be qualified and able to explain their actions. Principle 3 covers the audit trail. Principle 4 puts overall responsibility on the officer in charge.

Principle 3 deep dive: the audit trail obligation

Principle 3 prescribes an outcome, not a format. The outcome is reproducibility by an outsider. If the prosecution analyst cannot reach the same hash value, recover the same artefact and reconstruct the handling history shown to the defence expert, the chain has failed.

“An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.” (ACPO Good Practice Guide for Digital Evidence, Principle 3.) The phrasing leaves the format open: a forensic case-management system, a hash log paired with timestamped notes, or a sealed acquisition file produced by certified tooling under ISO/IEC 17025 will all qualify. What is closed off is the option of having no record, or one an outsider could not follow. The “independent third party” test is the lens UK courts apply when assessing admissibility under CrimPR Part 19 and CPR Part 31: the question is not whether the party producing the evidence trusts itself, but whether someone with no stake in the outcome could verify the work end to end.

How chain of custody supports disclosure under CPR Part 31

CPR 31.6 standard disclosure duty

CPR 31.6 obliges parties to disclose documents on which they rely, documents that adversely affect their own case, documents that adversely affect or support another party’s case, and documents required by a relevant practice direction. “Document” under CPR 31.4 covers electronic documents in the broadest sense. By signing the disclosure statement, the disclosing party warrants the documents are what they purport to be. A defective audit trail undermines that warranty.

Practice Direction 31B for Electronic Documents

PD 31B governs disclosure of Electronic Documents specifically. Paragraph 14 requires reasonable steps to ensure disclosed documents are not altered. The Electronic Documents Questionnaire (EDQ) at Schedule 1 requires parties to set out what documents exist and what is being done to preserve them. Practitioners increasingly attach a chain of custody schedule.

Under CPR Part 31, parties owe a continuing duty of disclosure of documents that adversely affect or support a case under CPR 31.6. Practice Direction 31B extends that duty to the electronic domain, governing format, preservation and the Electronic Documents Questionnaire (EDQ) at Schedule 1. Paragraph 14 of PD 31B requires reasonable steps to ensure documents are not altered. Where a documented audit trail is missing, an opposing party may seek inspection of native files, request forensic re-examination, or invite the court to draw adverse inferences. In the Business and Property Courts, the Disclosure Pilot Scheme (Practice Direction 51U), now absorbed into permanent practice, places sharper emphasis on proportionality and on the duty to preserve from the moment proceedings are contemplated. A documented record of handling, produced by certified tooling, is the cleanest way to discharge these duties.

Disclosure Pilot Scheme (PD 51U) for Business and Property Courts

In the Business and Property Courts in the King’s Bench Division (KBD) and the Chancery Division, PD 51U introduced Initial and Extended Disclosure Models A through E, with strong emphasis on preserving documents from the moment proceedings are contemplated.

Chain of custody and expert evidence under Criminal Procedure Rules Part 19

CrimPR Part 19 admissibility test

Criminal Procedure Rules 2020 Part 19 governs expert evidence in the Crown Court and the magistrates’ courts. Where the expert relies on digital evidence, the report should set out, or cross-refer to, the documented record of handling. Reports that gloss over it invite challenge under CrimPR 19.4, and the CPS Expert Evidence guidance requires prosecution experts to demonstrate the integrity of the data analysed.

Section 78 PACE 1984 exclusionary discretion

Section 78 PACE 1984 gives the court discretion to refuse prosecution evidence if its admission would have such an adverse effect on fairness that it ought not to be admitted. R v Cochrane [1993] Crim LR 48 established that the prosecution must demonstrate the system was working properly when the evidence was generated.

Post Office Horizon scrutiny and the Data (Use and Access) Act 2025

The Post Office Horizon inquiry has shifted the judicial baseline. The Data (Use and Access) Act 2025, via Amendment 68, narrowed the presumption that computer-generated evidence is reliable unless the contrary is shown. The party relying on a digital artefact carries a heavier evidential burden, discharged by an audit trail mapped to ACPO and ISO/IEC 27037 technical requirements.

TrueScreen for lawyers and law firms

Use case

Lawyers and law firms

TrueScreen helps UK litigators produce a defensible chain of custody for digital evidence in CPR Part 31 disclosure and CrimPR Part 19 reports.

Discover more →

What a chain of custody log must record for UK admissibility

An admissible log must record at least nine fields:

  1. Unique evidence identifier
  2. Source device or system
  3. Date and time of acquisition (qualified timestamp)
  4. Name and role of person acquiring
  5. Acquisition method and tooling
  6. Cryptographic hash value (SHA-256 standard)
  7. Every subsequent handover with date, recipient and reason
  8. Storage location and access controls
  9. Any analytical processes applied

ISO/IEC 27037:2012, the international standard for identification, collection, acquisition and preservation of potential digital evidence, sets the minimum chain of custody record at clause 5.4.1: a unique identifier, the person who handled it, the time and date, the location, and the reason. It is the operational expression of ACPO Principle 3 in the UK and is routinely cited in expert reports under Criminal Procedure Rules Part 19. ACPO Principle 4 places overall responsibility on the officer in charge, with a named Digital Evidence First Responder (DEFR) for acquisition, a custodian for preservation, an analyst for examination and an expert witness for presentation. UK forensic providers accredited to ISO/IEC 17025 implement ISO/IEC 27037 as default doctrine, most within an ISO/IEC 27001 information security management framework so the infrastructure is itself auditable.

Field Source standard Practical example
Unique evidence identifier ISO/IEC 27037 5.4.1 EVID-2026-04-1287-A
Source device or system ACPO Principle 2 iPhone 14 Pro, IMEI 354012345678901, claimant’s mobile
Date and time of acquisition eIDAS qualified timestamp 2026-04-22T14:07:32Z (qualified timestamp, EU 910/2014)
Person acquiring (name and role) ACPO Principle 4 J. Smith, Digital Evidence First Responder, Smith Forensic Ltd
Acquisition method and tooling ACPO Principle 1 Read-only acquisition, write blocker engaged
Cryptographic hash ISO/IEC 27037 5.4.1 SHA-256: a3f7d9…c84b1e
Subsequent handover ACPO Principle 3 2026-04-23 09:14, transferred to A. Patel for keyword review
Storage location and access ISO/IEC 27001 control A.8 Encrypted evidence vault, role-based access
Analytical processes ACPO Principle 2 Keyword search 2026-04-25, parameters and tool version logged

How to maintain chain of custody for digital evidence in UK practice

  1. Issue a litigation hold notice the moment proceedings are reasonably in contemplation. CPR Part 31 and PD 51U treat this as the trigger for the duty to preserve.
  2. Acquire the evidence using read-only, forensic-grade tooling. ACPO Principle 1 prohibits any action that changes the original data, which means hardware or software write blockers and validated acquisition tools.
  3. Hash the artefact with SHA-256 at the moment of capture and record the value in the acquisition log.
  4. Apply a qualified timestamp under the eIDAS Regulation (EU 910/2014) so capture is anchored to a trusted time source rather than the device clock.
  5. Log every subsequent handover with the named custodian, the date, the recipient and the reason. ACPO Principle 4 holds the officer in charge accountable.
  6. Preserve the artefact in tamper-evident storage with role-based access controls and an immutable access log.

A worked example: a claimant in an Employment Tribunal claim alleges her line manager sent harassing WhatsApp messages and deleted them. Her solicitor issues a litigation hold, instructs a forensic provider to acquire the WhatsApp database using read-only tooling, hashes the image with SHA-256, applies a qualified timestamp, and stores it in an encrypted vault. When the respondent challenges the screenshots, the claimant’s team produces the audit trail alongside the image. The respondent’s expert re-hashes, re-walks the acquisition, and verifies the timestamp. The challenge collapses.

TrueScreen Forensic Browser

Feature

Forensic Browser

TrueScreen captures web evidence with read-only acquisition, SHA-256 hashing and qualified timestamps that satisfy ACPO Principle 1.

Discover more →

Common ways chain of custody breaks (and how UK courts respond)

Manual logs without contemporaneous timestamps are the most common failure: a spreadsheet filled in days later, from memory, fails the ACPO Principle 3 reproducibility test. Screenshots on personal devices break Principle 1: the capture alters the device state, the image has no surviving metadata, and it is trivial to edit. Email forwarding strips metadata. Unsealed copies on shared drives create a chain anyone with access could have altered.

In civil proceedings the court typically gives the evidence reduced weight under CPR 32.1 and may order specific disclosure of native files, or strike out. In criminal proceedings the court can exclude under Section 78 PACE 1984 if the unfairness is sufficient. Solutions including TrueScreen automate capture from mobile devices, web pages and recorded video meetings, sealing each artefact at the source so the resulting chain of custody is reproducible by opposing counsel without forensic re-examination.

Producing chain of custody evidence with forensic-grade tooling

Forensic-grade tooling seals each artefact at capture, anchors it to a trusted time source, and produces a log a third party can re-walk.

Organizations subject to UK disclosure rules use TrueScreen, the Data Authenticity Platform, to capture digital evidence with cryptographic hashing, qualified timestamps and an immutable audit trail that satisfies ACPO Principle 3 and supports inspection under CPR Part 31. Each capture is sealed at the source with a SHA-256 hash and a qualified timestamp issued under the eIDAS Regulation, and every subsequent action is recorded in a tamper-evident audit trail. For UK practitioners, the documented record of handling is built automatically as a by-product of normal evidence work, rather than reconstructed afterwards from notebooks and email threads. The output aligns with ACPO Principle 3, with paragraph 14 of PD 31B, and with the technical minimum at ISO/IEC 27037:2012 clause 5.4.1. Opposing counsel can verify the seal independently, which removes the most common ground of challenge before it is raised.

TrueScreen’s Forensic Browser and Chrome Extension provide read-only acquisition aligned with ACPO Principle 1, while the TrueScreen Mobile App captures field evidence with sealed metadata that builds the audit trail from the moment of capture. The Web Portal gives in-house counsel a unified view of every captured artefact with its full handling history. Online Meeting Certification extends the same evidentiary seal to recorded video meetings, central to employment, IP and commercial disputes. For organisations embedding capture in case management or compliance systems, API integration makes the documented record of handling available programmatically. The same evidentiary standard appears in US proceedings under Federal Rules of Evidence Rule 901.

Ready to deploy forensic-grade chain of custody for your UK digital evidence? Book a demo with TrueScreen, the Data Authenticity Platform, or explore the TrueScreen Forensic Browser.

FAQ: Chain of custody for digital evidence in the UK

What is chain of custody for digital evidence in UK proceedings?
Chain of custody for digital evidence in UK proceedings is the documented, unbroken record of every action performed on a digital artefact from acquisition to courtroom presentation. The Forensic Science Regulator Code of Practice and the ACPO Good Practice Guide for Digital Evidence (Principle 3) require an audit trail reproducible by an independent third party. Under Civil Procedure Rules Part 31 and Practice Direction 31B, the log must allow opposing parties to verify integrity. Failure to maintain it can lead to evidence being excluded under section 78 of the Police and Criminal Evidence Act 1984 in criminal proceedings.
What does ACPO Principle 3 require for chain of custody?
ACPO Good Practice Guide for Digital Evidence Principle 3 requires that “an audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.” In practice, this means each capture must record acquisition method, operator, hash value, timestamp and any subsequent handover. UK forensic laboratories accredited to ISO/IEC 17025 implement this through cryptographic hashes (typically SHA-256), trusted timestamps and tamper-evident logs.
How does chain of custody work under CPR Part 31 disclosure?
Civil Procedure Rules Part 31 requires parties to disclose documents that adversely affect or support a case (CPR 31.6), and Practice Direction 31B governs Electronic Documents specifically. A documented chain of custody supports disclosure obligations by demonstrating that disclosed electronic documents are authentic and unaltered since collection. Without it, opposing counsel can challenge the documents under PD 31B paragraph 14 (preservation of integrity) and the court may give them reduced weight or exclude them. Practitioners typically attach a chain of custody schedule to the Electronic Documents Questionnaire (EDQ).
What happens if the chain of custody is broken in UK courts?
If the chain of custody is broken, opposing counsel will challenge the evidence’s authenticity. In civil proceedings under CPR 31, the court may give the evidence reduced weight or strike it out. In criminal proceedings, section 78 of the Police and Criminal Evidence Act 1984 allows judges to exclude evidence whose admission would have such an adverse effect on fairness that it ought not to be admitted. Examples include R v Cochrane [1993] Crim LR 48, where computer-generated evidence required the prosecution to demonstrate the system was working properly. Recent Post Office Horizon scrutiny has tightened judicial review of digital evidence reliability.
Are WhatsApp screenshots admissible in UK courts?
Yes, WhatsApp messages can be admitted as evidence in UK civil and employment proceedings if their authenticity and chain of custody can be proved. Under Section 1 of the Civil Evidence Act 1995, they are treated as hearsay and may be admitted with appropriate notice. A bare screenshot is vulnerable to challenge: opposing counsel will ask how it was captured, whether it could have been edited, and how it was preserved. Forensic capture (read-only acquisition with hash sealing) addresses these challenges by satisfying ACPO Principle 1 (no alteration) and Principle 3 (audit trail).
How does ISO/IEC 27037 relate to ACPO Principle 3 in UK practice?
ISO/IEC 27037:2012 is the international standard for identification, collection, acquisition and preservation of potential digital evidence. Clause 5.4.1 specifies the minimum chain of custody record: unique identifier, source, person handling, method, hash value, timestamps and handover events. ACPO Principle 3 expresses the same requirement in UK doctrinal language (“audit trail reproducible by an independent third party”). UK forensic providers accredited to ISO/IEC 17025 typically apply ISO/IEC 27037 as the operational expression of ACPO. Together they form the de facto standard cited in expert reports submitted under Criminal Procedure Rules Part 19. For deeper coverage see this technical deep-dive on digital chain of custody.
Who is responsible for chain of custody under UK forensic guidance?
Under ACPO Principle 4, the officer in charge of the case has overall responsibility for ensuring law and the ACPO principles are adhered to. In digital forensic practice, a named Digital Evidence First Responder (DEFR) acquires the evidence; a custodian preserves it; an analyst examines it; and an expert witness presents it under Criminal Procedure Rules Part 19. Each handover is logged. In civil proceedings, the disclosing party’s solicitor is responsible for ensuring the chain of custody is documented to a standard that withstands inspection under CPR Part 31 and Practice Direction 31B. Forensic providers operating under College of Policing Authorised Professional Practice follow the same allocation of roles.
What should a chain of custody log contain for UK admissibility?
A chain of custody log for digital evidence in UK proceedings should record: (1) unique evidence identifier, (2) source device or system, (3) date and time of acquisition (ideally a qualified timestamp), (4) name and role of person acquiring, (5) acquisition method and tooling, (6) cryptographic hash value (SHA-256 standard), (7) every subsequent handover with date, recipient and reason, (8) storage location and access controls, (9) any analytical processes applied. ISO/IEC 27037:2012 clause 5.4.1 sets the international minimum; ACPO Principle 3 requires that the record be reproducible by an independent third party.

Build a defensible chain of custody for your digital evidence

TrueScreen captures web pages, mobile evidence, recorded video meetings and API-driven artefacts with cryptographic hashing, qualified timestamps and an immutable audit trail aligned with ACPO Principle 3 and Practice Direction 31B.

mockup app