Conducting the investigation: Collecting records

Internal investigations demand a comprehensive approach to data collection and management to ensure a sound and legally defensible process. Inadequate records collection practices may result in the loss or destruction of crucial evidence, whether through deliberate actions or unintentional oversights. Such circumstances compromise the integrity of the investigation, exposing the organization to potential adverse legal consequences, reputational damage, or financial loss. In Part 4 of Focus on Investigations, we consider best practices to guide your organization through this critical process.

Understand the organization’s data collection and preservation practices

The initial consideration in document collection and management involves a comprehensive understanding of your organization’s current practices. This includes identifying what data is archived, where it is stored and in what format, and how long it is retained.

We recommend that organizations assess their document collection and management systems well in advance of any investigation. These systems should be assessed through the lens of an investigation and should consider whether adequate retention methods exist to ensure that key records are available in the event of an investigation. IT professionals can provide guidance to organizations to enable the centralized preservation of records. This ensures that records are retained for a specific duration, even if they are manually deleted or lost by a user.

At the outset of an investigation, a key first step for the investigation team is to understand the document retention systems and establish “back end” system wide holds on key databases or users. These steps can preserve important evidence from destruction, whether done intentionally by users or unintentionally through the systems deletion protocols.

Preservation notices and confidentiality

At the outset of the investigation, the investigation team should consider whether it will issue a “litigation hold” or document preservation notice to safeguard vital data. Litigation holds are written notices provided to specific employees, contractors or others in the organization, directing them to preserve and maintain certain specific records for the purposes of the investigation.

While a litigation hold or document preservation notice is an important and effective mechanism to ensure preservation of important records, it also discloses to the recipients of those litigation holds that there is an investigation into serious misconduct. In many instances, where secrecy and stealth are key (such as where the investigation may lead to asset preservation orders against wrongdoers), an early litigation hold is not recommended.

Engage forensic IT specialists

In investigations involving complex digital evidence, engaging forensic IT specialists becomes imperative. These IT experts should possess the required skills to extract and preserve data securely and in a forensically defensible manner. The IT experts will need to:

• preserve, maintain, and extract records from any central document database or email accounts;
• extract files in an appropriate format that preserves metadata;
• conduct forensically sound imaging of computers, mobile devices, and hard drives; and
• assist with data analysis and review.

In some instances, internal IT teams have the skills necessary to assist. However, in high stakes investigations or matters where litigation is likely, we recommend engaging external IT professionals. These experts are able to navigate these difficult technical issues and are experienced in providing expert testimony in litigation, if necessary.

In all instances, the IT professionals should be engaged and instructed through legal counsel. This assists in maintaining privilege over the work conducted by the external IT professionals. We considered privilege issues in investigations in Part 3 of Focus on Investigations.

Utilize AI and analytics tools

Internal investigations can generate a substantial volume of records for investigators to review. Investigation teams should consider AI, analytics tools, and machine learning technologies to address challenges related to document production and review. These tools can assist to streamline the review of large volumes of data and identify the records that are most likely to be relevant to the investigation.

Compliance with data protection and data privacy laws

Investigative teams must navigate Canadian data protection and privacy laws to ensure that their collection, use and disclosure of data align with legal requirements. For instance, the Personal Information Protection and Electronic Documents Act (“PIPEDA”) governs the collection, use and disclosure of personal information in the private sector in Canada. PIPEDA only applies in provinces that lack privacy legislation that is “substantially similar” to those set out in PIPEDA. Alberta, Quebec, and British Columbia currently have in place their own legislation, and those statutes need to be carefully considered where the data involves those provinces. PIPEDA generally permits the collection, use and disclosure of personal information without the consent of the individual where it is required for an investigation into breaches of laws. Notwithstanding this general exception in PIPEDA to the requirement for consent, we generally recommend that organizations institute computer use policies in which users acknowledge and agree that the organization may collection, use and disclose information on the organization’s system, even if it includes personal information.

Additionally, there are federal and provincial sector-specific laws that deal with the protection of personal information. For example, bank secrecy laws prohibit banking institutions, and their officers and employees, from disclosing customer data to third parties, except where there is an exception permitting disclosure.

International investigations often require careful consideration of data protection laws in other countries, where the organization may have information or records. We will provide our thoughts on these challenges in Part 8 of Focus on Investigations.