Glossary
Chain of Custody
The documented record of who handled evidence, when, and with what authority, from receipt through final disposition. Defective chain of custody can render evidence inadmissible in disciplinary, civil, or criminal proceedings. Practical discipline requires cryptographic hashes on upload, immutable log entries on access, signed URLs that expire, and an exportable audit trail.
Full definition
Chain of custody is the audit record that establishes the integrity of evidence collected during a whistleblower investigation. It documents who received the evidence, when, in what state, who had access at each step, what was done to it, and where it ended up. In whistleblower investigations chain of custody matters for two reasons. First, evidence may be needed in a later disciplinary proceeding, civil claim, or criminal prosecution, where defective chain of custody can render evidence inadmissible. Second, demonstrating proper chain of custody is itself part of recordkeeping under Article 18 of EU Directive 2019/1937. Practical chain-of-custody discipline in case management software requires cryptographic hashes of every attachment computed on upload, immutable log entries on every access, signed URLs that expire, separation of access by role, and an exportable audit trail. Confidly hashes every attachment with SHA-256 on upload and records the hash in the audit log; access events to attachments are recorded with the staff member's identity and IP address.
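The following is an added example, not Confidly's code: a minimal sketch of hashing an attachment on upload, recording access events in an append-only log, and checking an exported trail. It assumes hash chaining as the way to make log tampering evident, which the definition above does not specify; `CustodyLog`, `verify_export`, the field names and the sample values are all hypothetical.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash for the first entry (constructed convention)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def entry_digest(body: dict) -> str:
    # Canonical JSON (sorted keys) so the same fields always hash the same.
    return sha256_hex(json.dumps(body, sort_keys=True).encode())

class CustodyLog:
    """Hypothetical append-only log: each entry commits to its predecessor."""

    def __init__(self):
        self._entries = []

    def record(self, action, attachment, actor, ip, ts, content=None):
        prev = self._entries[-1]["entry_hash"] if self._entries else GENESIS
        body = {"seq": len(self._entries), "prev_hash": prev, "action": action,
                "attachment": attachment, "actor": actor, "ip": ip, "ts": ts}
        if content is not None:  # upload: bind the evidence bytes to the log
            body["sha256"] = sha256_hex(content)
        body["entry_hash"] = entry_digest(body)
        self._entries.append(body)
        return body

    def export(self) -> str:
        return json.dumps(self._entries, indent=2)

def verify_export(exported: str, attachments: dict) -> list:
    """Return the problems found; an empty list means the trail is intact."""
    problems, prev = [], GENESIS
    for i, entry in enumerate(json.loads(exported)):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["seq"] != i or entry["prev_hash"] != prev:
            problems.append(f"entry {i}: chain broken")
        if entry_digest(body) != entry["entry_hash"]:
            problems.append(f"entry {i}: entry modified")
        if "sha256" in entry:  # re-hash the stored attachment and compare
            current = attachments.get(entry["attachment"])
            if current is None or sha256_hex(current) != entry["sha256"]:
                problems.append(f"entry {i}: attachment hash mismatch")
        prev = entry["entry_hash"]
    return problems
```

A chain like this only shows that entries were not edited or reordered after the fact; someone who can rewrite every entry can rebuild a consistent chain, so the latest `entry_hash` has to be stored or witnessed outside the system that holds the log.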
Related terms
- Audit Log: An append-only record of every action taken on a whistleblower case, used to demonstrate compliance to regulators. Existing entries cannot be modified or deleted, only new entries added. Auditors at competent authorities such as Germany's Bundesamt für Justiz typically request the audit log first when inspecting a channel for EU Directive 2019/1937 Article 18 compliance.
- Recordkeeping: The legal obligation to retain documentation of every whistleblower report and its handling. EU Directive 2019/1937 Article 18 requires records be kept as long as necessary and proportionate. National transpositions vary: Germany sets 3 years, France sets case duration plus 3 years, Spain sets 10 years for criminal cases. The obligation justifies derogation from GDPR erasure.
- Investigation Plan: A written plan that scopes a whistleblower investigation, identifies evidence sources, and assigns roles. A typical plan includes a neutral statement of alleged conduct, rules potentially breached, evidence sources, witness order, privilege assessment, confidentiality protocol, timeline anchored to the 3-month feedback deadline, named roles, and a decision-rights matrix.