Workplace Internal Investigations: Security and Legal Framework | CloseProtectionHire

Security guide for corporate internal investigations. Covers investigator personal risk, PACE evidence handling, ACAS Code 2015, covert surveillance legality, and P1 city investigation environments.

12 May 2026

Written by James Whitfield, Senior Security Consultant

Corporate internal investigations carry a risk profile that most organisations underestimate. An investigation into a significant fraud, a senior employee’s misconduct, or a compliance failure in a P1 city market is not a paper-based HR procedure. It is a process that creates adversarial dynamics, involves the handling of sensitive evidence that must meet legal standards, and – in high-risk environments – can expose investigators, witnesses, and the investigation itself to direct physical and legal threat.

The following framework covers the security dimensions that internal investigations create, not the HR or legal procedure itself.

The Adversarial Dynamic

The moment a corporate investigation begins, the subject – or the subject’s representatives – has an interest in its failure. That interest ranges from passive obstruction (claiming documents are unavailable, delaying responses) to active interference (intimidating witnesses, instructing legal teams to challenge every procedural step, and, in the most serious cases, direct action against investigators or evidence).

Control Risks Corporate Investigations 2025 categorises the principal adversarial risks as: interference with evidence custody (particularly in the early stages before evidence is secured); witness intimidation; surveillance of investigators (by hired private investigators or, in P1 markets, by state-connected assets); corruption of local authorities; and direct threats.

The security response begins at the design stage of the investigation, not after interference has already occurred. Key decisions include: who in the organisation knows that an investigation has started (the circle of knowledge should be as small as possible); how evidence is stored and who has access; how witnesses are identified and approached without alerting the subject; and what the escalation procedure is if direct threats emerge.

ACAS Code of Practice on Disciplinary and Grievance Procedures 2015 (revised 2024) establishes the baseline for employment law compliance. An investigation must be reasonable and thorough. It must be conducted by someone not directly involved in the subject matter. It must follow a documented procedure that the employee subject to it can subsequently scrutinise at tribunal. Failure to meet these requirements does not prevent an employer from taking disciplinary action, but it significantly increases the risk that any dismissal will be found unfair under the Employment Rights Act 1996, s.98.

PACE 1984 and associated Codes of Practice are not directly binding on private investigators – they apply to constables and designated persons. However, where evidence gathered during an internal investigation may subsequently be produced in criminal proceedings, courts assess its admissibility against PACE standards. Evidence obtained through unlawful means may be excluded under PACE s.78 (which applies to any person’s evidence in criminal proceedings, not just police-obtained evidence) at judicial discretion.

UK GDPR and the ICO Employment Practices guidance 2023 regulate the monitoring of employees. Any covert monitoring – accessing emails, deploying keyloggers, installing device monitoring software – requires a lawful basis under Article 6 (typically legitimate interests), a data protection impact assessment, and a documented proportionality assessment. Covert monitoring that does not meet these requirements creates ICO enforcement risk and potential civil liability.

RIPA 2000 governs directed and intrusive surveillance. Corporate entities are not generally authorised to conduct RIPA-compliant directed surveillance (following a person in a public place) or intrusive surveillance (devices in residential premises or private vehicles) without lawful authority. In practice, most legitimate corporate investigations do not require surveillance that engages RIPA, but investigators should be aware of where the line is.

POCA 2002 creates a reporting obligation where the investigation uncovers evidence of money laundering. Filing a Suspicious Activity Report (SAR) with the NCA through the Suspicious Activity Reports Online portal is mandatory for nominated officers in regulated sectors. Continuing an investigation after the point where reporting obligations engage – and before the NCA has provided consent or the seven-day period has elapsed – creates tipping-off risk.

Evidence Handling

The NPCC Good Practice Guide for Digital Evidence (5th Edition) provides the standards that criminal courts apply to digital evidence. For internal investigations, applying the same principles protects the admissibility of evidence if proceedings follow:

  • Forensic imaging before access. A device should be imaged using a write-blocker before any examination, preserving the original state and allowing the original to be produced unaltered.
  • Hash verification. MD5 or SHA-256 hash values of the forensic image should be documented to demonstrate that the copy is a true reproduction of the original.
  • Chain of custody documentation. Every person who handles an exhibit, every location where it is stored, and every access to it should be recorded in an exhibit log.
  • Contemporaneous notes. The investigator’s notes should be made at the time of the relevant event, not reconstructed after the fact.

Physical evidence follows the same principles. Documents should be photographed in situ before being moved, handled using gloves where fingerprint evidence may be relevant, placed in tamper-evident packaging, and logged with time, date, location, and finder identity.
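The hash-verification and exhibit-log points above can be made concrete in code. The following is an added example, not part of the article: it records MD5 and SHA-256 values for a forensic image, keeps a hash-chained custody log so that any later edit to an entry is detectable, and re-verifies the image against the documented hashes. The exhibit id, handler names and image bytes are constructed sample values.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first log entry


def hash_bytes(data: bytes) -> dict:
    """Document both MD5 and SHA-256 of a forensic image, as the guide allows either."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def _entry_hash(body: dict) -> str:
    # Canonical JSON so the same fields always hash the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ExhibitLog:
    """Chain-of-custody log for one exhibit; each entry commits to the previous one."""

    def __init__(self, exhibit_id: str, image_hashes: dict):
        self.exhibit_id = exhibit_id
        self.image_hashes = image_hashes  # hashes taken at imaging time
        self.entries = []

    def record(self, handler: str, action: str, location: str, when=None) -> dict:
        """Append a contemporaneous entry: who, what, where, when, linked to the prior entry."""
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = {"exhibit": self.exhibit_id, "handler": handler, "action": action,
                "location": location, "prev_hash": prev,
                "time": (when or datetime.now(timezone.utc)).isoformat()}
        entry = dict(body, entry_hash=_entry_hash(body))
        self.entries.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """True only if every entry is intact and links to its predecessor."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_hash"] != prev or _entry_hash(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def verify_image(self, data: bytes) -> bool:
        """True if the image produced for proceedings matches the documented hashes."""
        return hash_bytes(data) == self.image_hashes


if __name__ == "__main__":
    image = b"constructed sample image bytes, standing in for a write-blocked disk image"
    log = ExhibitLog("EXH-001 (sample)", hash_bytes(image))
    log.record("Examiner A (sample)", "imaged with write-blocker", "Forensic lab")
    log.record("Custodian B (sample)", "placed in evidence safe", "Secure store")
    print("chain intact:", log.verify_chain(), "image matches:", log.verify_image(image))
```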

P1 City Investigation Environments

In Nigeria, Mexico, Colombia, the Philippines, and Pakistan, the normal assumptions of a domestic investigation do not hold. Kroll Due Diligence 2024 identifies the specific compounding risks:

Corruption of local law enforcement. An investigation subject with significant resources can approach local police or prosecutors to identify the investigation team, obtain copies of interview notes, or create legal obstacles for investigators. For investigations where the subject is a local senior official or well-connected business figure, formal law enforcement channels may be compromised from the outset.

Witness intimidation. OSAC reports for Nigeria, Mexico, the Philippines, and Colombia all document organised intimidation of witnesses in commercial disputes and corporate investigations. Planning for witness security – conducting interviews in secure, neutral locations; considering remote interview formats; briefing witnesses on their rights and on available support – is a prerequisite, not an afterthought.

Organised crime interface. In markets where organised crime has penetrated the corporate sector, the investigation subject may have recourse to resources capable of escalating from legal obstruction to physical threat. The investigation team should conduct a pre-investigation threat assessment that addresses whether this interface exists and what mitigation it requires.

PRC-specific legal risk. Following the Mintz Group Beijing detention of March 2023 and the enactment of the Counter-Espionage Law 2023 (effective July 2023), any information-gathering activity in China that touches on matters affecting PRC national interests carries specific legal exposure for locally-present investigators. The practical approach for PRC-market investigations is to maximise remote evidence collection, minimise physical presence in China, and obtain legal advice on each investigative step before it is taken.

For related guidance on handling insider threats, see the article on insider threat detection and corporate security. For the specific context of whistleblower-originated investigations and the security considerations they create, see security for whistleblowers and corporate investigators.


James Whitfield is a Senior Security Consultant with 20 years of experience in executive protection, threat assessment, and corporate security across the UK and internationally.

Key takeaways

1. The ACAS Code of Practice requires a reasonable investigation before any disciplinary action

An employer who takes disciplinary action without conducting a reasonable investigation is exposed to unfair dismissal claims at employment tribunal regardless of whether the underlying conduct actually occurred. The ACAS Code 2015 (revised 2024) is not legally binding, but employment tribunals take it into account when assessing whether a dismissal was fair. A documented investigation, conducted by a person not involved in the matter, following a structured procedure, protects both the employer and the integrity of any subsequent proceedings.

2. Covert surveillance of employees requires a legal basis and must be proportionate

Installing monitoring software on employee devices, accessing personal email accounts, or deploying physical surveillance devices in the workplace without a lawful basis under UK GDPR and compliance with RIPA 2000 creates personal criminal liability for the investigators and civil liability for the employer. The ICO Employment Practices: Monitoring at Work guidance 2023 requires employers to conduct a data protection impact assessment (DPIA) before any covert monitoring, to document the legitimate interests basis, and to be able to demonstrate proportionality. Where a criminal offence is suspected, engagement with law enforcement who have the appropriate lawful authority is the correct route.

3. Evidence handling failures are the most common cause of investigation results being unusable

An investigation that produces genuine evidence of serious misconduct but failed to maintain a documented chain of custody, used forensic methods that altered the original data, or accessed information without legal authority has produced evidence that may be excluded at tribunal or in court. The NPCC Good Practice Guide for Digital Evidence and PACE Code B principles should be applied from the first moment an investigation involves document or device examination, not retrospectively when proceedings are anticipated.

4. Witness security in P1 city investigations is not a procedural detail – it is a prerequisite

In markets where the investigation subject has significant resources, organised crime connections, or relationships with local authorities, witnesses face genuine physical risk from intimidation or retaliation. This is not theoretical: Kroll and Control Risks both document cases in Nigeria, Mexico, Colombia, and the Philippines where witnesses in corporate investigations were subject to direct threats. Planning for witness security before interviews begin – including whether the interview can be conducted remotely, whether the witness’s identity can be protected, and what support can be offered if threats emerge – is part of the investigation methodology, not an afterthought.

5. The Mintz Group Beijing detention defines the PRC-market risk for corporate investigators

In March 2023, five national staff of US corporate intelligence firm Mintz Group were detained by Chinese authorities in Beijing. The Counter-Espionage Law 2023 that came into effect in July 2023 broadened the definition of espionage to include information that affects PRC national interests. Any due diligence or investigation involving a Chinese entity or subject in the PRC now carries a specific legal risk for investigators operating locally. For PRC-market investigations, all evidence collection should be conducted remotely where possible, local staff should not be sole custodians of sensitive materials, and legal advice on the specific investigative steps should be obtained before any fieldwork begins.

Frequently Asked Questions

Corporate investigators face escalating personal security risk as an investigation approaches conclusion, particularly where the subject of the investigation has resources, connections, or a history of aggressive behaviour. Control Risks Corporate Investigations 2025 identifies the following risk categories: direct intimidation (threats to investigators, legal teams, or witnesses by the subject or their representatives); physical surveillance by the subject (hired private investigators monitoring investigators’ movements and meeting locations); interference with evidence (accessing or destroying documentation before it can be secured); witness intimidation; and, in P1 city environments, leveraged corruption of local authorities or security services to obstruct the investigation. The Mintz Group Beijing incident of March 2023 – in which five national staff of the US corporate intelligence firm were detained by Chinese authorities under the Counter-Espionage Law 2023 – demonstrated the specific risk profile for investigators operating in authoritarian markets where the investigation subject has state connections. In the UK domestic environment, investigators conducting surveillance under Regulation of Investigatory Powers Act 2000 (RIPA) requirements must be aware that subjects can legally conduct counter-surveillance and that harassment of investigators may be difficult to prove without contemporaneous records.

The legal framework for UK corporate internal investigations combines employment law, evidence law, and data protection. Under the ACAS Code of Practice on Disciplinary and Grievance Procedures 2015 (revised 2024), employers must conduct investigations that are reasonable and thorough before taking any disciplinary action. The investigation must be conducted by someone not directly involved in the matter and should follow a documented procedure. Key legal parameters include: covert surveillance of employees requires lawful basis under UK GDPR (Article 6, legitimate interests) and must be proportionate – the ICO Employment Practices: Monitoring at Work guidance 2023 sets out when covert monitoring is and is not permissible; interviews with employees are voluntary unless contractually required, but refusal can be taken into account in a disciplinary process; evidence gathered through unlawful means (covert devices installed without RIPA compliance in a position requiring directed or intrusive surveillance authority) may be excluded and creates personal liability for the investigators; and computer forensics must follow ACPO/NPCC Good Practice Guide for Digital Evidence to ensure chain of custody is maintained. Where there is a reasonable belief that criminal conduct has occurred, the investigation crosses into a different legal territory – evidence gathered may need to meet PACE 1984 standards if it is to be used in criminal proceedings, and the investigator’s obligations to refer to law enforcement under the Proceeds of Crime Act 2002 (POCA) may engage.

Evidence handling is the most common point of failure in internal investigations that subsequently proceed to employment tribunal or criminal court. The NPCC Good Practice Guide for Digital Evidence (5th Edition) requires: forensic imaging of devices rather than direct access (preserving the original state); hash verification of forensic images; a documented chain of custody from seizure through to production; and a contemporaneous exhibit log. For physical evidence, PACE Code B principles apply even in non-police investigations where the evidence may later need to be produced in court: items should be photographed in situ before being moved, stored in tamper-evident packaging, and logged with time, date, location, and the identity of the person who found them. Control Risks Corporate Investigations 2025 notes that the most frequent evidence failures are: accessing a subject’s work email account without authority under the Computer Misuse Act 1990; taking original documents rather than certified copies; and failing to document the circumstances under which evidence was found. If criminal prosecution is a potential outcome, engaging a forensic accountant (for financial fraud) or digital forensics firm operating to ACPO standards at the outset is significantly cheaper than attempting to reconstruct a compliant evidence chain after initial mishandling.

Investigations in P1 city environments face risks that do not apply in most UK or European domestic contexts. In Nigeria, Colombia, Mexico, the Philippines, and Pakistan, investigators face: corruption of local law enforcement by the investigation subject, making reliable police assistance unavailable or counterproductive; physical intimidation of witnesses, which is documented in OSAC reports for all five of these markets; the risk that local staff engaged as investigators are themselves subject to pressure from the investigation subject’s networks; and, in markets where organised crime has penetrated the corporate sector (Mexico, the Philippines, Nigeria), the possibility that the subject has connections capable of escalating from intimidation to physical threat. Kroll Due Diligence 2024 recommends that for investigations in markets with OSAC Level 2 or above risk ratings, any national staff employed as investigators should be vetted through a process separate from the one used for regular due diligence employees, that no national staff should be the sole custodian of sensitive evidence, and that findings should be transmitted to international headquarters through an encrypted channel rather than a locally hosted system. The Mintz Group Beijing detention of 2023 demonstrates a specific PRC-market risk: the Counter-Espionage Law 2023 (effective July 2023) contains a broad definition of espionage that encompasses information gathering on matters affecting PRC national interests, which a corporate investigation into a Chinese entity could theoretically engage.

The decision to refer an internal investigation to law enforcement involves legal obligations, strategic considerations, and risk assessment. Legal obligations to refer include: where there is evidence of money laundering, a Suspicious Activity Report (SAR) must be filed with the National Crime Agency (NCA) under POCA 2002 s.330 (failure to disclose by a nominated officer), and continued investigation after the decision to file without a ‘consent or seven-day elapsed’ status may constitute the offence of tipping-off under POCA 2002 s.333A; where there is evidence of terrorist financing, reporting obligations under the Terrorism Act 2000 engage; and where the investigation identifies a data breach, the ICO must be notified under UK GDPR Article 33 within 72 hours of awareness. Strategic considerations include: whether criminal prosecution is in the organisation’s interest (which it often is not where reputational damage from proceedings exceeds the harm from the underlying conduct), whether civil recovery under POCA 2002 ss.266-303 provides a better outcome than prosecution, and whether the subject’s connections to law enforcement in a P1 city make referral counterproductive. The SFO’s Deferred Prosecution Agreement regime (Crime and Courts Act 2013, Schedule 17) provides a framework for self-reporting serious fraud or bribery where the organisation wishes to cooperate in exchange for a negotiated outcome rather than prosecution.