April 25, 2026

ACPO guidelines & principles explained

ACPO good practice guide for digital evidence: the four principles explained by a former Metropolitan Police Hi-Tech Crime Unit investigator

If you are reading this, the chances are something has happened. A laptop has been seized in the course of a workplace investigation. A phone needs examining as part of a divorce or a fraud case. A litigation team has been told that digital evidence may be challenged in court and the question of how it was handled has suddenly become central to the case.

In any of those situations, the ACPO Good Practice Guide for Digital Evidence is the document that matters. The four ACPO principles set the standard against which the integrity of digital evidence is measured in the UK courts, and they have done so for more than two decades. Get them right and your evidence stands up. Get them wrong and the evidence, however damning, may be inadmissible.

I spent years at the Metropolitan Police Hi-Tech Crime Unit before founding Forensic Control. The ACPO principles were the framework I worked under every day, in cases that ended up in front of judges and juries. What follows is an explanation of what the four principles actually mean, what gets them breached most often, and what happens when they are.

Principle 1: No action should change the data

The first principle, in the words of the guide, is that no action taken by law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court.

In plain English: the digital evidence you present in court must be the digital evidence as it existed at the moment it was seized. Not as it existed after someone had a quick look. Not as it existed after IT booted the laptop to check whether it was working. As it was, untouched, at the moment it came into the chain of custody.

The most common breach of this principle is not malicious. In my time at the Hi-Tech Crime Unit, the typical scenario was a well-meaning IT manager who powered on a seized device to verify what was on it before sending it for analysis. By the time the device reached the forensic examiner, the operating system had already written to disk, updated timestamps, run scheduled tasks, and in some cases overwritten unallocated space that previously contained recoverable evidence. The case was not lost, but it was harder.

This is why a properly conducted forensic examination uses a write blocker, a piece of hardware that allows data to be read from a device without anything being written back to it, and works from a forensically sound bit-by-bit copy of the original media rather than the original itself. The original is sealed and stored. The examination happens on the copy.

Principle 2: If you must access original data, you must be competent and able to explain

Principle 2 acknowledges that there are situations where the first principle cannot be honoured in full. Some devices cannot be examined without being powered on. Some encrypted systems require the original device to be live for keys to be recovered. In those cases, the principle does not say “do not proceed”. It says: if you must access the original, you must be competent to do so, and you must be able to explain in court exactly what you did and what the impact of those actions was on the evidence.

The word that does the heavy lifting here is competent. Competence is not self-declared. It is demonstrated through training, qualifications, professional standing and a track record of work that has stood up to scrutiny in court.

This is the principle that most often catches out organisations who have tried to handle digital evidence in-house. The IT team are technically capable of accessing the device. They are not, in the legal sense, competent to give evidence about what they did or to explain the forensic implications of those actions when challenged by opposing counsel. When the case turns on whether evidence was preserved correctly, the absence of a competent witness can collapse it.

Principle 3: An audit trail must be created and preserved

Principle 3 requires that an audit trail or other record of all processes applied to digital evidence should be created and preserved, and that an independent third party should be able to examine those processes and achieve the same result.

In practice this means contemporaneous documentation of every step. Every device handled, every hash value calculated, every tool used, every analyst involved, every action taken. The standard is reproducibility: a different forensic examiner, working from the same source material with the same tools, must be able to repeat the process and arrive at the same conclusion.

Hash values do most of the work here. A cryptographic hash is a fixed-length value calculated from a file or a disk image which changes if any of the underlying data changes by even a single bit. If the hash of the original media at seizure matches the hash of the working copy at examination and matches the hash of the evidence presented in court, the chain of integrity is intact. If it does not, something has changed, and an explanation is required.

I have seen cases where the audit trail was the difference between admissible and inadmissible. The technical work was sound. The documentation was not. The evidence was excluded.
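The hash comparison and audit record described under Principle 3 can be sketched as follows. This is an added illustration, not code from the ACPO guide or from Forensic Control; the file names, log format, examiner label and function names are assumptions, and the "image" is a small constructed file.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk_size=1024 * 1024):
    """Stream the file so multi-gigabyte disk images never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:  # read-only: hashing never writes to the image
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def record(log_path, stage, image_path, examiner, tool):
    """Append one contemporaneous audit entry (JSON Lines) and return it."""
    entry = {"utc": datetime.now(timezone.utc).isoformat(), "stage": stage,
             "item": os.path.basename(image_path), "examiner": examiner,
             "tool": tool, "sha256": sha256_file(image_path)}
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry

def verify_chain(log_path):
    """Return (intact, stages whose hash differs from the first recorded hash)."""
    with open(log_path, encoding="utf-8") as log:
        entries = [json.loads(line) for line in log if line.strip()]
    baseline = entries[0]["sha256"]
    mismatched = [e["stage"] for e in entries[1:] if e["sha256"] != baseline]
    return (not mismatched, mismatched)

def demo():
    """Constructed data: a 4 KiB stand-in image and a working copy of it."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "exhibit_A.dd")          # hypothetical name
    copy = os.path.join(workdir, "exhibit_A_working.dd")      # hypothetical name
    log = os.path.join(workdir, "audit.jsonl")
    data = bytes(range(256)) * 16
    for path in (original, copy):
        with open(path, "wb") as fh:
            fh.write(data)
    record(log, "seizure", original, "examiner-1", "hashlib")
    record(log, "examination", copy, "examiner-1", "hashlib")
    before = verify_chain(log)
    # Simulate an unexplained change: one bit differs in the copy later produced.
    with open(copy, "wb") as fh:
        fh.write(bytes([data[0] ^ 0x01]) + data[1:])
    record(log, "court", copy, "examiner-1", "hashlib")
    return before, verify_chain(log)
```

Calling demo() returns the chain status before and after the single-bit change, with the second result naming the stage at which the hash stopped matching.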

Principle 4: The case officer is responsible

The fourth principle places overall responsibility for ensuring the principles are followed on the person in charge of the investigation. This is not a technical role. It is a leadership and oversight role, and it is the principle that organisations most often misunderstand.

Responsibility for ACPO compliance does not sit with the forensic examiner alone, or with IT, or with external counsel. It sits with the person leading the investigation, who is expected to ensure that everyone touching the evidence at every stage understands and follows the framework. In a workplace investigation that is the HR director or the head of legal. In a litigation context it is the instructing solicitor. In a regulatory matter it is the designated investigations lead.

If you are that person, the practical implication is that your forensic provider should be answerable to you on ACPO compliance, in writing, with documentation you can produce on request. If they cannot articulate this, you have the wrong forensic provider.

Where these principles came from, and why they still matter

The ACPO Good Practice Guide for Digital Evidence was first published in the late 1990s and went through several revisions, the most widely cited of which is version 5, published in 2012. ACPO itself, the Association of Chief Police Officers, was disbanded in 2015 and replaced by the National Police Chiefs’ Council (NPCC). The guidance has not, however, been formally superseded. The four principles remain the de facto standard referenced in UK case law, professional certification frameworks and procurement requirements for forensic services.

There is an international equivalent, ISO/IEC 27037, which covers the identification, collection, acquisition and preservation of digital evidence and which broadly aligns with the ACPO framework. For most UK criminal, civil and corporate matters, the ACPO principles are the working standard. For multi-jurisdictional matters or where international admissibility is in scope, ISO 27037 may be invoked alongside or instead of ACPO.

What happens when ACPO principles are breached

The consequences of a breach depend on which principle was breached, by whom, in what context, and how material the breach was to the evidence in question. There is no automatic exclusion. The court will assess the breach on its facts. That said, the practical consequences I have seen in cases over the years fall into three broad categories.

The first is reduced evidential weight. The evidence may still be admitted, but the breach gives opposing counsel a basis on which to argue that the integrity of the evidence is compromised. Even if the evidence ultimately stands, the case becomes harder to win, the costs increase, and the outcome becomes less certain.

The second is partial or complete exclusion. If the breach is material enough, particularly where the chain of custody cannot be reconstructed or where competent evidence about the breach cannot be given, the court may exclude the affected evidence. If that evidence is central to the case, the case may collapse.

The third, and the one organisations most often fail to anticipate, is reputational and regulatory. Where a breach occurs in a regulated environment, in a public sector context, or in a matter where evidence has been disclosed to a third party, the breach itself may become a separate issue. Internal investigations, regulatory referrals and professional conduct proceedings can follow.

Who needs to care about this

If you are a litigation lawyer with digital evidence in a live case, ACPO compliance is the first thing the other side will probe. The question is not whether your forensic provider followed the principles but whether they can prove it under cross-examination.

If you are an in-house compliance, risk or HR lead designing an internal investigation procedure, ACPO is the framework you should be aligning to. Bespoke procedures that do not reference an established standard tend not to hold up when tested.

If you are a board director responsible for incident response, ACPO governs how digital evidence will be handled in the event of a breach, an insider matter, or a regulatory investigation. The time to ensure your incident response provider is ACPO-compliant is before the incident, not during.

And if you are a forensic provider yourself, the principles are your professional baseline. They are not optional.

How Forensic Control can help

Forensic Control’s digital forensics practice operates to ACPO standards across every instruction. Our team includes former Metropolitan Police Hi-Tech Crime Unit investigators, and we have advised on digital evidence in workplace investigations, civil litigation, regulatory matters and criminal proceedings since 2008. If you have a live case where digital evidence is in play, or you are scoping how your organisation should handle digital evidence in future, contact an expert directly or call 020 7664 4522.

 

Frequently asked questions about ACPO and digital evidence

What does ACPO stand for?

ACPO stands for the Association of Chief Police Officers, the UK organisation that produced the original Good Practice Guide for Digital Evidence. ACPO itself was disbanded in 2015 and replaced by the National Police Chiefs’ Council (NPCC), but the four ACPO principles remain the de facto UK standard for handling digital evidence and continue to be referenced in case law and professional practice.

What are the four ACPO principles?

The four ACPO principles are:

(1) no action should change data that may later be relied upon in court
(2) if original data must be accessed, the person doing so must be competent and able to explain their actions
(3) an audit trail of all actions must be created and preserved so that an independent third party can repeat the process and reach the same result
(4) the person in charge of the investigation has overall responsibility for ensuring the principles are followed.

Are the ACPO guidelines still legally binding in the UK?

The ACPO Good Practice Guide is not statute, so it is not legally binding in the same way as legislation. It is, however, the standard against which the integrity of digital evidence is measured in UK courts. Failure to follow the principles can lead to evidence being given reduced weight or being excluded altogether. In practice, ACPO compliance is treated as a baseline requirement by courts, regulators and procurement frameworks.

What happens if ACPO principles are breached?

The consequences depend on which principle was breached and how material the breach was to the evidence. Outcomes range from reduced evidential weight (the evidence is admitted but its integrity is challenged) through to complete exclusion of the affected evidence. In regulated environments, a breach may also trigger separate regulatory or professional conduct proceedings. There is no automatic exclusion; each case is assessed on its facts.

Who needs to follow ACPO principles?

ACPO principles apply to anyone handling digital evidence that may be relied upon in legal proceedings. This includes police forces, professional digital forensics providers, expert witnesses, and increasingly in-house teams handling internal investigations, HR matters, regulatory referrals and litigation hold processes. The fourth principle places overall responsibility on the person leading the investigation, regardless of who is doing the technical work.

What is the difference between ACPO and ISO 27037?

ACPO is the UK-specific framework for handling digital evidence, set out in the ACPO Good Practice Guide for Digital Evidence. ISO/IEC 27037 is an international standard covering the identification, collection, acquisition and preservation of digital evidence. The two frameworks broadly align. For UK matters, ACPO is the working standard. For multi-jurisdictional matters or where international admissibility is required, ISO 27037 may be invoked alongside or instead of ACPO.
