Chain of custody for video evidence – definition
The chain of custody, also referred to as the evidentiary chain, is a documented and verifiable record of who accessed video footage or images, when, for what purpose, and to what extent, as well as what actions were performed on the file, storage media, or any copy of it. In compliance practice, this means maintaining continuous traceability of the material from the moment it is collected, through export, transfer, storage, analysis, and face and license plate blurring, all the way to disclosure or archiving.
In the context of video evidence, the chain of custody serves two purposes. First, it is intended to confirm the integrity of the footage, meaning that no undocumented changes have been made. Second, it helps demonstrate the lawfulness and proportionality of processing personal data visible in the image. This is particularly relevant for footage containing people’s faces, license plates, and other information that may enable identification. From both an evidentiary and regulatory perspective, it is not only the file itself that matters, but also the metadata, checksum, processing environment, operator permissions, and version history.
The importance of the chain of custody stems from general principles of information security and accountability. In personal data protection, the key legal basis includes Article 5(1)(f) and Article 5(2) of the GDPR, covering integrity, confidentiality, and accountability, as well as Article 32 GDPR on security of processing. In practice, ISO/IEC 27001:2022, ISO/IEC 27002:2022, ISO/IEC 27037:2012, and ISO/IEC 27042:2015 are also useful reference points, as they describe the identification, collection, preservation, and evaluation of digital evidence.
How to understand the chain of custody in video anonymization
Video anonymization does not remove the need to preserve evidential value. On the contrary, it requires a clear separation between the source material and the processed version. If an organization blurs faces or license plates before releasing footage, it must be able to show that the published version is derived from a specific source file and that the operation itself was carried out in a controlled manner.
In this model, there are usually at least two versions of the material:
- the source version – unchanged, with its checksum preserved and access restricted,
- the working version or copy intended for release after processing – with documented anonymization, export, and the defined scope of image redaction.
If an AI model is used to detect faces or license plates, audit documentation should cover not only the fact that blurring was performed, but also the process parameters. Deep learning is one of the techniques used to build object detection models that automate the identification of areas to be blurred. From a chain of custody perspective, however, the key issue is not how the model was trained, but which model version was used, when detection was performed, who approved the result, and whether any manual edits were recorded in the history of operations.
In the Gallio PRO environment, it is also important to clearly distinguish the scope of automation from manual actions. The software automatically blurs only faces and license plates. It does not automatically detect logos, tattoos, name badges, documents, or images displayed on screens. Such elements may be blurred manually in the editor. Every manual intervention should be included in the chain of custody documentation.
How to document every stage of video processing
An effective chain of custody for video evidence is based on a repeatable event log. Simply storing a file is not enough. You must be able to demonstrate the material’s full lifecycle, from collection to deletion or transfer. In practice, an approach based on events, identifiers, and checksums works best.
The minimum scope of documentation usually includes:
- a unique identifier for the case, storage media, and file,
- the date and time of collection, including the time zone,
- the source of the recording, for example CCTV camera, body camera, phone, or dashcam,
- the person or system that performed the import, copying, or export,
- the file checksum, most often SHA-256,
- the logical and physical location of the media or repository,
- access history and changes to permissions,
- the scope of anonymization – faces, license plates, and manually blurred areas,
- the version of the tool and configuration used for processing,
- information on export, transfer, retention, or deletion.
A simple rule is worth applying: every operation performed on the material should leave an evidentiary trace, but the trace itself should not contain personal data beyond what is necessary for accountability. This is also important because video anonymization systems should not generate logs containing unnecessary personal data. In the Gallio PRO environment, this principle is fully aligned with the design approach – the software does not collect logs containing personal data or special categories of personal data.
Key chain of custody attributes and metrics for video evidence
Evidential value depends on whether integrity, authenticity, and access control can be demonstrated. For compliance teams, measurable indicators are especially useful. Not all of them are normative in nature, but they make audits and risk assessments much easier.
Attribute | Practical description | Example metric
|
|---|---|---|
File integrity | The ability to confirm that the source file has not been altered | SHA-256 match before and after transfer |
Record completeness | The percentage of operations documented in the case history | 100% of critical events with operator ID and timestamp |
Traceability | The ability to link each version to the source material | Number of versions with a full reference to the source file |
Response time | Time from collection to securing the material | T1 - T0 in minutes or hours |
Access control | The number of accounts and their level of access to the material | RBAC, least privilege principle |
Anonymization quality | Effectiveness of detecting objects that need to be blurred | Precision, recall, number of manual corrections |
In the area of integrity, hash functions from the SHA-2 family, as described by NIST in FIPS 180-4, are most commonly used. Independent hashes can be calculated for the input file and the output version. If the source material has hash H1 and the working copy has hash H2, the documentation should explain why H1 and H2 differ, for example because anonymization was applied or the file container was changed.
A simple notation may look like this:
hash_integrity = SHA-256(file)
The importance of the chain of custody for GDPR compliance and privacy protection
In data protection practice, the chain of custody is not solely a forensic issue. It is also an accountability tool for the data controller. If an organization publishes or transfers footage after anonymization, it must be able to demonstrate the legal basis for processing, the appropriateness of the scope of disclosure, and the technical and organizational safeguards in place.
For video materials, the following are especially important:
- documenting the purpose of processing and the legal basis,
- separating the source material from the copy intended for disclosure,
- restricting access to the non-anonymized version,
- retention aligned with policy and sector-specific regulations,
- being able to demonstrate that faces and license plates were blurred where necessary.
When it comes to faces, the need for anonymization may arise from GDPR principles, protection of personality rights, and regulations governing the publication of a person’s image, taking into account exceptions for public figures and broader public scenes. In the case of license plates, the legal situation is not entirely uniform. In Poland, whether a registration number qualifies as personal data depends on the context and on whether an individual can be identified using means reasonably likely to be used. From a compliance perspective, it is safer to document the decision and the anonymization standard that was applied.
Challenges and limitations of the chain of custody in video processing
Even a well-designed process has its limitations. Video material is vulnerable to format changes, metadata loss, time synchronization errors, and ambiguity as to its source. In addition, automatic face and license plate detection does not guarantee 100% effectiveness, which is why manual verification may still be necessary.
The most common problems include:
- lack of consistent system time across devices and servers,
- exporting recordings to formats that remove some metadata,
- incomplete logging of manual operations,
- overly broad operator permissions,
- mixing working copies with source material,
- lack of a separate procedure for anonymization and for evidence preservation.
For this reason, an organization should specify in its procedure when work is carried out on a bit-by-bit copy or a logical copy, who approves anonymization, and how material versions are labeled. This reduces the risk of the evidential value being challenged and helps minimize privacy risks.
Normative references and source materials
The following documents are most commonly used as reference points when designing procedures for digital evidence and secure processing:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 – GDPR, in particular Articles 5 and 32
- ISO/IEC 27001:2022 – Information security, cybersecurity and privacy protection – Information security management systems – Requirements
- ISO/IEC 27002:2022 – Information security controls
- ISO/IEC 27037:2012 – Guidelines for identification, collection, acquisition and preservation of digital evidence
- ISO/IEC 27042:2015 – Guidelines for the analysis and interpretation of digital evidence
- NIST FIPS PUB 180-4, Secure Hash Standard, August 2015
- NIST SP 800-86, Guide to Integrating Forensic Techniques into Incident Response, 2006