Data Collection and Privacy

This is an Insight article, written by a selected partner as part of GIR's co-published content. Read more on Insight

Introduction to data collection and privacy

In this chapter we will be exploring the principles of data collection to support a corporate investigation.

We will also discuss the general principles of privacy in the wider context of investigations. Investigators must bear in mind that privacy has many legal requirements, and these may vary from country to country. Data privacy is a complex topic and there are many resources available to assist you in navigating the topic. In this this chapter the aim is to raise awareness on the topic.

The most important thing to consider is always seek legal advice where privacy concerns need to be addressed or rely on established company policy which addresses specific privacy concerns.

What is data?

The Oxford Dictionary defines data as: ‘facts or information, especially when examined and used to find out things or to make decisions’.

The consensus of personal data is defined as:

Information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.

  • Personal data, also known as personal information or Personally Identifiable Information (PII) is any information related to an identifiable person.
  • Data can be stored in various formats and media. This chapter will be looking at digital information or Electronically Stored Information (ESI) in investigations.
  • Digital information can be obtained from several information technology platforms and devices such as computers, mobile or smart devices, servers, and system applications.

In combination or separately, this data has the potential to help investigators find evidence or intelligence to support their investigation.

Due to the rapid evolution and scalability in information technology people and organisations create, store, and share vast amounts of data. In some cases, users may not even be aware of the data that their devices collect, and this data can be of significant value to you as an investigator. This is particularly relevant where smart devices are concerned. Apps collect significant amounts of data, and this data can be relevant in some investigations.


Metadata is data about data. This data is often not visible when viewing items such as Microsoft Office documents, images, and Portable Document Format (PDF). Metadata may be of significant value in many circumstances where it can provide collaborative evidence between people as they may not be aware of what of information is stored within their document. In some cases, images may still contain Exchangeable Image File Format (EXIF), data such as geographical location of where the photograph was taken.

This type of data could be significant to you as an investigator and should be considered along with more traditional data sources mentioned.

Investigators will already be familiar with terms such as digital forensics and eDiscovery. Whilst these are two separate fields of specialism there are many similarities and principles that overlap. We will explore these further in this chapter.


In this chapter privacy is defined as follows:

Data privacy or information privacy is a generic term, but essentially data privacy is a part of the data protection area that deals with the proper handling of data and compliance with data protection regulations. Data protection in investigations has become increasingly complex, where the data protections regimes in different county jurisdiction may appear to have conflicting obligations on data holders.

This includes how data should be collected, stored and shared or transferred with any third parties, as well as compliance with the applicable privacy laws.

Some examples of regulations and laws are:

  • General Data Protection Regulations (GDPR) Europe
  • The California Consumer Privacy Act (CCPA) in California (US)
  • The Protection of Personal Information Act (POPI) in South Africa
  • The Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada
  • LGPD, the General Data Protection Act in Brazil
  • The Data Protection Act of 2018 in the United Kingdom

This is not an exhaustive list of regulations or laws. You should familiarise yourself with the applicable legislation in your country and jurisdictions in which you may operate as an investigator.

It is worth noting that these Laws and Regulations set out key principles such as:

  • Right to know
  • Subject access request
  • Right to be Forgotten
  • Right to delete
  • Consent
  • Data transfer

These principles could have an impact on your investigation when it comes to collecting or transferring data for a case. Your organisation will have policies that cover data retention and data transfer. As an investigator it is crucial to know what these are and you should ensure you are familiar and up to date with these regulations. You cannot rely on data if it no longer exists, or you are limited by data transfer rules.

Digital data in investigations

As technology has developed, organisations have moved from storing hard copy material to a digital format. This means we can store and review far greater quantities of information and manage our data more efficiently. Data storage volumes continue to grow and this is a trend we will continue to see for many years.

Whilst this chapter is not intended to be a history lesson, it is worthwhile to consider how investigation principles have evolved when it comes to data.

If we consider that in the late 1970’s law enforcement still relied heavily on paper based systems to manage large scale investigations, it was evident that crucial evidence and intelligence could be missed with catastrophic results.

Take for example the UK’s ‘Yorkshire Ripper’ murder case in the later 1970’s early 1980’s. This was a step change in the investigation process and the first time we saw the move from paper based data to digital data.

The investigations team found that they were overwhelmed with data and had to develop a method to ingest and review this data. Whilst the data itself was not complex, the infancy of using computers and creating credible workflows was immature.

The workflow as illustrated below was used and we can see that the basic principles formed the foundation of how we use computers in investigations to search data today.


Figure – 1 - The Sir Lawrence Byford Report[1]

Due to the complex nature of the investigation and that not all data was digitised, the investigations team missed crucial evidence that may have identified the ‘Yorkshire Ripper’ much sooner and saved lives. The name of Peter Sutcliffe appeared in numerous lines of enquires but was discounted by the senior investigating officers at the time. The blunder was down to a simple card index system that was overwhelmed with information.

This meant vital evidence was lost in the system and information not properly cross referenced. Sutcliffe’s named was identified on nine occasions but was still overlooked. What was learnt from this and other major investigations was that data needed to be properly collected, indexed, and analysed.

Today we have the benefits of well implemented workflows and processes, and we will discuss these further using industry standards that are repeatable, defensible and have been tested in the legal systems of justice and regulation.

The investigation process

As investigators you are likely to engage in different activities where data is collected. The collection of data can be proactive or reactive, but the basic principles will be similar.


An investigation can be instigated through several processes in the corporate environment, and these can be reactive or proactive.

Reactive investigations are most likely to come through internal ‘speak up’ channels, compliance monitoring, regulatory requirements or reporting.

Proactive investigations may be triggered by internal monitoring of high-risk areas to the business and trigger certain activities as non-compliant that require investigation.

Initial investigation

Investigators should conduct early fact finding enquiries and secure potential evidence. This is particularly important where there is a reliance on ESI. Company retention and data privacy policies may have an impact on your case. If data is expunged from IT systems based on retention policies, you may miss the opportunity to secure this potential evidence. You should have a good understanding of your company’s policies and work with your forensic or IT specialist to secure data.

Investigators must make use of legal preservation holds through their legal teams whether this is in-house or external to secure and preserve data. It is also possible with the support of your IT Team or forensic services team to secure and preserve data for non-privileged cases. In-place holds can be created or retention policies can be suspended for specific accounts.

Further investigation

Once it has been established that an allegation or concern has been identified through your fact finding activities and a decision has been made to move the matter to investigation status, you should establish an investigation plan. In this chapter we will focus on a digital plan or digital strategy.

Case management

Investigators should have proper processes and procedures for managing their cases. ESI needs careful management and should adhere to local or company regulations and best practice to maintain data integrity.

Never work on the original data sets, create working copies if data needs to be interrogated.

As corporate investigators you may think this is very police centric and not relevant. Ask yourself this question, ‘What if I identify serious criminality in my case and have an obligation to report it’?

If you have failed to follow good practice and principles, you may have undermined your case and it may fall at the first hurdle as the evidence will be deemed unreliable.

The above principles apply equally to civil cases and even to internal disciplinary hearings. It is important to remember that an individual’s career may depend on the quality and integrity of your evidence.

Whilst this may seem drastic in the context of corporate investigations, we should always look to investigate at the highest standards. Remember it may be difficult or impossible to go back and start again.

Digital investigations

We will now explore the world of digital forensics. Digital forensics is defined as, ‘the application of science to the identification, collection, examination and analysis of electronic data whilst preserving the integrity of the information and maintaining the chain of custody of that data’.

When we looked at case management, we briefly mentioned that ESI needs careful management and should adhere to local or company regulations and best practice to maintain data integrity.

There are four basic principles that should be followed:

  1. That no action is taken that should change data held on a digital device including a computer or mobile phone that may subsequently be relied upon as evidence in court.
  2. Where a person finds it necessary to access original data held on a digital device that the person must be competent to do so and able to explain their actions and the implications of those actions on the digital evidence to a court.
  3. That a trail or record of all actions taken has been applied to the digital evidence should be created and preserved. An independent third party forensic expert should be able to examine those processes and reach the same conclusion.
  4. That the individual in charge of the investigation has overall responsibility to ensure that these principles are followed.

By following these principles as investigators, you will put yourself, your organisation, and your investigation on a solid foundation if your evidence was to be challenged in court, a HR disciplinary hearing or by a regulator.

Identifying and preserving digital evidence

As investigators in the corporate world, we are fortunate that we can obtain potential evidence from corporate devices and systems. Our main challenges are legal and privacy concerns when it comes to the examination of these devices.

Where companies have a Bring Your Own Device (BYOD) policy it may not be possible to obtain data from the user’s device. In instances like this you should check your company’s policies to understand what is permitted to get access. Do not be afraid to ask the user to volunteer disclosure.

Investigators should always seek the assistance of in-house or external forensic specialists or IT specialist to secure digital evidence.

Investigators are encouraged to work with their IT specialist in such cases. It is possible to target data collections from personal devices where personal data can be excluded from such collections. Specialist forensic software or data collections tools can be configured to very specific data and should be considered as part of your investigation strategy. A well-structured data collection plan will reduce the levels of collateral intrusion where personal data is concerned.

Whilst traditional digital investigations have related to physical devices such as laptops and mobile devices, investigators should consider other data sources as these may hold important evidence or intelligence for your case and could prove or disprove an allegation. Cyber security or enterprise systems collect a lot of information about devices and user activity. These are areas worth exploring further. When setting out your investigation plan you should incorporate a digital strategy as part of that plan.

Digital strategies

A digital strategy will help you identify potential sources of evidence and intelligence to support your investigation. A basic plan will consist of the following sections:

  1. Overall case allegation and ‘points to prove’.
  2. Potential evidential opportunities.

This does not need to be an extensive document, but it should capture the scope of what is sought and what can be considered. It should have agreed timelines. Remember, these are evidential opportunities and the decision-making rests with you as the investigator.

An example of a digital strategy can be seen below.

Section 1 – Case Details
Forensic Manager:Steve Stator
Case Number/Project Name:21-01-12345
Date Created:08/01/2021
Lead Investigator Name:Joe Bloggs
Allegation(s):Unauthorised Travel & Expenses (T&E) and abuse of Corporate card. Additional concerns of inappropriate relationship and conflict of interest
Objectives/Points to Prove:

To establish if there is evidence of abuse of:

T&E Policy and collusion between the reported parties.

Breach of company policies or Code of Conduct.

Section 2 – Potential Evidential Opportunities

This section will provide high level information on opportunities that may exist to support this investigation. The forensic manager will discuss the benefits of each option with the lead investigator and agree which options should be progressed, if any, the timeline and priority. The final decision on progression will always rest with the lead investigator.

T & ELead investigator to request and review T & E report

In place hold to preserve potential data prior to collection.

Email, Skype or MS Teams messaging review to identify data that may confirm or disprove the allegation of collusion between the individuals.

Time period: 4 October 2020 – 1 January 2021

Custodians: Bob Smith (BCS12345) and Sally Jones (SPJ52378)

Keywords: To be agreed following T & E review.

Device analysisSubject to any findings, a forensic collection of the Company issued laptops and mobile devices could be carried out to determine the veracity of any collusion or inappropriate relationship. Data held on these devices could include photographs, messages, and other information not available elsewhere.
OtherSubject to completing the above processes and potential interviews, other system log information may be available to support or contradict any accounts given. Consider building entry and exits logs from staff passes.
Review meetingMeeting scheduled with Joe Bloggs and forensic manager to discuss options and agree actions, 15:00 Wednesday 20 January 2021.

Remember, you may not need to conduct all these activities as you may find compelling evidence from one source and this may be enough to prove or disprove the allegation or concern being investigated.

As Investigators you will be all too familiar with time pressure from your stakeholders to conclude investigations early. By having a good investigation plan and identifying early evidential opportunities you stand a good chance of closing cases much sooner.

Where complex cases exist due to large volumes of data, you should seek assistance from in-house or external vendors to conduct electronic reviews with industry approved e-discovery tools.

We will not be discussing the various tools and vendors available but will focus on the basic principles of e-discovery.


What is e-discovery?

For this chapter, we consider e-discovery to be the process where large volumes of data have been collected, processed and analysed using specialist software to help find relevant material or evidence.

The purpose of carrying out e-discovery may vary but will be concerned with one of the following activities:

  • Litigation
  • Government or regulatory requirements
  • Investigations
  • Freedom of Information Act request
  • Data Subject Access Requests (DSAR)
  • Compliance

Since about 2005, e-discovery has followed what we call the Electronic Discovery Reference Model,[2] (EDRM). This model has nine stages and we will look at each stage and what this means.

EDRM stages

Information Governance: Getting your electronic house in order to mitigate risk & expenses should e-discovery become an issue, from initial creation of electronically stored information (ESI) through its final disposition.

  • Identification: Locating potential sources of ESI and determining its scope, breadth & depth.
  • Preservation: Ensuring that ESI is protected against inappropriate alteration or destruction.
  • Collection: Gathering ESI for further use in the e-discovery process, processing, review, etc.
  • Processing: Reducing the volume of ESI and converting it, if necessary, to forms more suitable for review & analysis.
  • Review: Evaluating ESI for relevance & privilege.
  • Analysis: Evaluating ESI for content & context, including key patterns, topics, people & discussion.
  • Production: Delivering ESI to others in appropriate forms & using appropriate delivery mechanisms.
  • Presentation: Displaying ESI before audiences, e.g. at depositions, hearings, trials, especially in native and near-native forms, to elicit further information, validate existing facts or positions, or persuade an audience.

A visual representation of the model can be seen overleaf.


You will have noticed that some of the same principles or steps apply in other parts of our investigation process and digital forensics. The EDRM is a conceptual view of the process and as investigators you may only be involved in some steps and not others. It may be an iterative process and may also revisit some steps as your investigation unfolds.

As an investigator you should look to establish a close working relationship with your IT department as they have knowledge of the company’s digital landscape and its information governance. Knowing where data is and how it can be accessed is always the biggest challenge, so a good working partnership will go a long way to helping you navigate this landscape.

In addition to the above, you must also be cognisant of the fact that in some cases data protection issues may prevent you from moving data from one jurisdiction to another. Careful consideration must be given to data protections law, transfer mechanisms and statutes that may prevent data transfer and how reviews can or should be conducted.

These challenges are different depending on your jurisdiction and too complex to cover in this guide. You are therefore encouraged to seek proper guidance from experts within your organisation or external experts.

Digital evidence storage

Corporate investigations functions must have suitable mechanisms and processes for storing digital evidence that has been obtained or collected during an investigation. Corporate and legal data retention policies must be followed and applied to ensure data is not expunged from systems. This is particularly important where cases may take some time to be concluded or become the subject of appeals and litigation. It is also important that investigators have a corporate and consistent approach to how case files and data are managed. A good practice is to set up an agreed folder structure that all investigators use to store material. An example of this could be as follows:

  • Case_Folder_Template
    • Documentation
    • Evidence
    • IntelOSINT
    • Notes
    • Other
    • Reports

Many corporate investigations functions will have a case management system that is used to manage their ‘speak-up’ or Whistleblower programme. Where these applications have the functionality, investigators should use the system to manage and store digital evidence and all relevant material gathered or produced during the investigation within this system.


In this chapter we have discussed what digital information and evidence is and how we should go about securing, collecting, analysing, and presenting it to support investigations. We have seen there are many similarities in the process or steps we follow, be it our investigation plan, digital forensics, or e-discovery. What is key and you are encouraged to take away as a learning, is that when combined and properly managed, digital data has a part to play in you investigation and may just give you that key piece of evidence early in your case.

On the other hand, you should also be acutely aware that digital data may overwhelm you and your investigation so you should always seek guidance from specialist in the fields of digital forensics and e-discovery.

Legally reviewed by Joanna Ludlam (Baker McKenzie).


Unlock unlimited access to all Global Investigations Review content