What counts as forensically defensible collection, and when can custodians self-collect their own ESI?
In e-discovery, collection is the step of gathering potentially relevant electronically stored information (ESI) from its sources — email accounts, file shares, devices, cloud systems — once a duty to preserve has attached. Collection is forensically defensible when it is reasonable, documented, and reliable enough to withstand challenge by an opposing party or a court.
What makes collection defensible
Defensibility is about process, not a particular tool. The core elements are:
- Preserve integrity. Gather ESI without altering the content or, where required, the underlying file. Where metadata matters (authorship, dates, recipients), capture it intact rather than overwriting it by, for example, dragging-and-dropping files.
- Maintain chain of custody. Track what was collected, from which source and custodian, by whom, and when, so the data’s handling can be reconstructed later.
- Be repeatable and verifiable. Use a method another competent person could follow and validate, often supported by hash values that confirm a copy matches the original.
- Document decisions. Record the scope, sources searched, and choices made, including what was reasonably excluded.
These principles flow from the broader duty to act reasonably and in good faith and to be able to explain your process. The Sedona Conference offers widely cited guidance on defensible, proportionate ESI practices.
When custodians can self-collect
Custodian self-collection — having the individual gather their own ESI — is sometimes proportionate, but it carries risk because custodians may have an interest in the outcome and rarely understand technical preservation. It is more defensible when:
- The data is simple and low-stakes (for example, a handful of clearly identified documents).
- Custodians are given clear, written instructions and are not left to decide relevance unaided.
- Collection is supervised and verified by counsel, records/IG, or IT, with integrity and chain of custody preserved.
- The approach is proportional to the matter’s size and importance.
Self-collection is generally inappropriate for complex, high-value, or hard-to-locate ESI, or where a custodian’s credibility may be questioned. When in doubt, involve qualified IT or forensic support and supervised, technology-assisted methods.
Jurisdiction matters
Much U.S. civil e-discovery is governed by the Federal Rules of Civil Procedure, but state courts and other countries apply different rules and standards. Always confirm the requirements for your specific matter.
Learn more about e-discovery fundamentals.
Sources & further reading
Authoritative government and non-profit references.
- The Sedona Conference publications — The Sedona Conference
- Federal Rules of Civil Procedure — U.S. Courts
How to cite this page
APA
RM University Editorial. (2026). What counts as forensically defensible collection, and when can custodians self-collect their own ESI?. Records Management University. https://www.recordsmgmt.org/questions/defensible-collection-vs-custodian-self-collection-esi/
MLA
RM University Editorial. "What counts as forensically defensible collection, and when can custodians self-collect their own ESI?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/defensible-collection-vs-custodian-self-collection-esi/.
Related questions
- A key custodian left the company—how do we preserve and collect their email and files after they're gone?
- An employee admitted to deleting emails relevant to a lawsuit—what do we do now?
- Are curative measures or monetary fines available when lost data can be replaced through other sources?
- Can a company be sanctioned for spoliation when an employee auto-deleted text messages or ephemeral chats?
- Can a court order cost-shifting or limit search terms when keyword searches return an unmanageable hit count?