Chain of custody refers to the sequence of events that follow once evidence has been collected. Evidence can be physical or more commonly, digital as technology is taking over workplace investigations. Chain of custody looks to record a trail that includes various processes and people. It looks at whether evidence was edited, by who, when and what happened after that. Documenting the whole process can verify that the original evidence has not been tampered with and still remains identical to its original form. The chain of custody is finalised once the evidence has been destroyed. But why do investigators need one?

Why is a chain of custody so important?

The name explains itself. A chain which refers to the record of those who had custody of the evidence at any point. Sometimes employees question the neutrality of an internal investigator which is why a chain of custody can prove that the investigator did not try in any way to influence the evidence. In both internal and external investigations, a chain of custody highlights that the investigators are committed to an accurate and fair outcome.

A chain of custody can identify whether there was malicious intent to alter evidence. If the state of the evidence has been altered, then the evidence will not be used in the investigation. To minimise the chances of evidence being tampered with and make the chain of custody more effective, the amount of people who are allowed to access evidence should be limited. The fewer people allowed to open the files the less likely it is for evidence to be inaccurate.

As evidence plays an important role in the outcome of an investigation, it is crucial that investigators record every piece of evidence and every time it changes hands carefully. Altered evidence can be the result of unintentional actions as well, as some evidence may be easier to modify than others. A chain of custody gives the investigator better control of the outcome and can lead to a more efficient process.

chain of custody

What chain of custody involves

Chain of custody is not a new concept – especially for people involved in investigations, like police and lawyers. It is frequently used by governments and logistics service providers along with other industries to ensure better quality service and accountability. In a workplace investigation, there are many kinds of evidence that will need to be recorded. Interviews, images, CCTV, messages or emails, all can count as evidence and a champion of custody may be needed to protect their integrity. There are various stages involved in the chain of custody. Those include:

  • Collection
  • Documentation
  • Storage
  • Removal


The chain of custody needs to include the date and time of the evidence collection along with who was the giver and the recipient. It should state the role of the evidence holder and what issues they face when collecting the evidence or if issues showed up when they were under their possession.

Depending on the investigation, evidence collection may be more difficult. For example, a bribery complaint or a theft complaint may require different types of evidence to ensure an accurate outcome. If a phone needs to be confiscated then the permission of the owner will need to be obtained. Physical evidence will have different collection procedures from digital evidence so all policies should be followed carefully to avoid non-compliance. 

The person in possession of the evidence may need to sign a document that confirms they are holding it. The evidence may be given a name that distinguishes it from other files. The method of collection should also be recorded along with a brief description of the document.


Documentation looks at the chronological series of events the evidence has gone through before it is put into storage. It details the analysis that may have taken place, if any copies were made and how long the evidence was in the possession of the holder. Each time the evidence is transferred to another person, it should be recorded who gave the files to who, for what purpose and when. The examination of the evidence may also describe how the evidence is relevant to the case. 


During the storage period, it should be outlined in the chain of custody log if someone has accessed the evidence as well as who put the evidence into storage and when. The investigator should include where the evidence is stored and clearly state the path that needs to be followed. For example if the evidence is stored online, the name of the files and folders or software should be disclosed. Similar names for folders should be avoided to prevent confusion.

If during the storage stage there was a failed attempt of an outsider to access the evidence, it should be noted in the chain of custody form along with any relevant details. The investigator may also include any information that may be useful on how they handled the threat and recommendations that could deter similar incidents.

Polonious complies with strict international standards and is ISO 27001 to ensure that all evidence is stored securely. Our high quality service protects the confidentiality of the people involved and the data we are entrusted with. All data is only accessible to authorised employees and can be accessed by them anywhere and anytime, and collated at the end of the investigation via our easy Brief of Evidence builder. If you want to learn more, request a demo and we will get back to you!


If the evidence needs to be removed from storage, it should be clear why it has been removed, by who and when. For example, the case may lead to a criminal trial that will require the evidence to be handled by the police. This should be recorded and a documented log may be given to the next possessor so they are aware of the authenticity of the files.

In some cases, evidence may need to be removed because it is now deemed irrelevant or it needs to be destroyed. As per the retainment policy of the company, if the retainment period has passed, then the company will need to discard the files carefully.

Final note

Businesses should have clear policies and procedures on how to accurately record a chain of custody. They may develop templates that will make it easier for them to record who had the evidence, where it was and when. A chain of custody will contribute to a better quality investigation with a more accurate outcome. The policies and procedures in place should also explain what consequences will follow if people try to tamper or alter the evidence.