A firm facing an offence attributed to it under Section 250 of the Crime and Policing Act 2026 will need a contemporaneous record of what it knew, what it did, and when. "We had a policy" is not enough. Documentary evidence of action is. This guide walks through what that evidence has to look like to hold up in 2027 or 2028.
The shape of a Section 250 evidence record
Section 250(1) attributes a senior manager's offence to the organisation: where a senior manager of a body corporate or partnership, acting within the actual or apparent scope of their authority, commits a criminal offence under the law of England and Wales, Scotland or Northern Ireland, the organisation commits it too. The scope is any UK criminal offence, not only offences created by the Act itself.
The statute does not provide an adequate-procedures or reasonable-steps defence. Documented governance still matters because it is evidence of how the organisation identified its senior managers, told them they fell within s.250, required them to declare relevant responsibilities, chased non-responses and incomplete declarations, and escalated when something looked wrong.
Each link in that chain has to be evidenced as it happened, built before the offence rather than assembled after it.
The Civil Evidence Act 1995, sections 8-9
In civil proceedings, the route to admit business records like an evidence pack runs through the Civil Evidence Act 1995. Section 8 governs how a statement contained in a document is proved: where the statement is admissible, it may be proved by producing the document, or by producing an authenticated copy of it or the material part. Section 9 provides that a document shown to form part of the records of a business or public authority may be received in evidence without further proof, where a certificate to that effect is signed by an officer of the business or authority.
The practical effect is that an evidence pack which visibly forms part of the firm's business records, kept in the ordinary course of business, produced through a consistent process and attributable to the firm, clears a substantial evidential hurdle by virtue of how it was made, before anyone reads the contents. It does not have to be a sworn statement. It has to be a business record.
What makes a document a "business record"
There is no single test, but case law on equivalent provisions points to recurring features. The document was made by someone acting under a duty rather than out of choice. It was made at the time of the events it records, not reconstructed afterwards. It was produced through a process the business follows routinely, not improvised for the litigation. And it sits within a series of similar records following the same process, which lends credibility to any one of them.
A board evidence pack that captures the firm's ongoing Section 250 programme meets each of these features when an automated, versioned process generates it on a regular cycle.
Why immutability matters more than encryption
A pack that was generated, hashed and timestamped at production time carries more weight than one simply pulled from a sealed digital store. The reason is evidential. The hash records what the firm produced, and when. If the firm later produces a document that matches the hash, the document has not changed since the hashed event. If it produces one whose hash differs from the audit-database record, the discrepancy is itself evidence.
The PDF/A-3B format (ISO 19005-3) is built for exactly this lifecycle: a self-describing document with no external dependencies, carrying embedded XMP metadata that locates it in its production context. The format itself does not make a document admissible. Admissibility is a question of evidence law and process, decided case by case on authenticity, integrity and chain of custody. What PDF/A-3B does is support those three things, which is why an output produced this way is built to stand up as evidence rather than merely to look official. CoverProof generates evidence packs to this standard and records the SHA-256 hash in the audit database at the moment of generation. Our Sample evidence pack shows a full example.
The RFC 3161 trusted timestamp
A SHA-256 hash recorded in the firm's own audit database is internally consistent, but a sceptical opponent can argue the firm backdated the database. To answer that, you need a second timestamp from an entity outside the firm's control.
The RFC 3161 Timestamp Protocol supplies it. A Trust Service Provider receives the SHA-256 hash and returns a Timestamp Token, signed and dated by the provider, which is then embedded in the evidence pack. The result is a chain. The hash binds the document to the moment of timestamping. The provider's timestamp binds that moment to an external authority. A reviewer in 2028 can verify both ends.
The audit trail beyond the pack
An evidence pack is a snapshot. The governance record needs evidence of the programme that produced it: the gap analysis was triggered on a date, declarations went out on dates, individual responses came back on dates, reminders were sent on dates, escalations were made on dates.
CoverProof records every such event in an append-only audit log keyed to the firm. The evidence pack PDF carries this log as a structured XML attachment, so a reviewer reading the pack can follow the timeline without touching the live system. A reviewer who does want access can confirm the pack's audit log matches the live log against the recorded hash.
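One way to make that comparison checkable, as an added example rather than CoverProof's implementation: each audit event is folded into a running SHA-256 chain, so a pack's snapshot must be an exact prefix of the live append-only log. The hash chain, the event fields and the function names are assumptions; the guide states only that the log is append-only and matched against a recorded hash.

```python
import hashlib
import json

GENESIS = b"\x00" * 32  # assumed starting value for the chain


def chain(events):
    """Return the running SHA-256 chain value after each event."""
    head, heads = GENESIS, []
    for event in events:
        # Canonical JSON so the same event always hashes to the same bytes.
        canon = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
        head = hashlib.sha256(head + canon).digest()
        heads.append(head)
    return heads


def check_snapshot(pack_events, recorded_head_hex, live_events):
    """Compare a pack's log snapshot with the recorded head and the live log."""
    pack_heads = chain(pack_events)
    if not pack_heads or pack_heads[-1].hex() != recorded_head_hex:
        return "pack-mismatch"          # snapshot altered since generation
    live_heads = chain(live_events)
    if len(live_heads) < len(pack_heads):
        return "live-truncated"         # entries removed from the live log
    for i, head in enumerate(pack_heads):
        if live_heads[i] != head:
            return f"live-diverges-at-{i}"  # first rewritten or reordered entry
    return "consistent"                 # snapshot is a prefix of the live log


# Constructed sample events, using declaration states named in this guide.
SNAPSHOT = [
    {"ts": "2026-07-01T09:00:00Z", "subject": "SM-001", "event": "issued"},
    {"ts": "2026-07-03T14:12:00Z", "subject": "SM-001", "event": "accessed"},
    {"ts": "2026-07-10T08:00:00Z", "subject": "SM-001", "event": "reminder_sent"},
]
RECORDED_HEAD = chain(SNAPSHOT)[-1].hex()  # stored when the pack was generated
LIVE = SNAPSHOT + [
    {"ts": "2026-07-11T16:40:00Z", "subject": "SM-001", "event": "submitted"},
]

if __name__ == "__main__":
    print(check_snapshot(SNAPSHOT, RECORDED_HEAD, LIVE))
```

Later entries in the live log do not disturb the result, because an append-only log only ever extends the chain past the snapshot's head.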
What a reviewer will ask, and what the evidence must answer
Did the firm know who its senior managers were? The gap analysis, with documented methodology and a per-individual classification record, answers that.
Did the firm act on what it knew? The declaration audit log, with timestamps for issued, accessed, submitted, expired and bounced, answers that.
Did the firm take action when something looked wrong? The log of reminders sent and escalations recorded answers that.
Can the firm prove the documents in front of the reviewer are the documents it produced at the time? The SHA-256 hash and RFC 3161 timestamp answer that. The evidence record is the sum of those four answers, and the evidence pack is built to surface all four in one place.
What a compliance officer should do this quarter
Set the cadence of evidence-pack generation now. A pack produced on the day of the 29 June 2026 commencement is less credible than one produced as part of a quarterly cycle that happens to include the deadline.
Document the methodology before you need it: how the gap analysis is run, who reviews classifications, when overrides happen, what gets escalated. Then test the chain end to end. Generate a pack, verify the hash, retrieve the timestamp, save the artefact in the firm's document management system, and record the act of doing so. The day you are asked to produce Section 250 evidence is not the day to find out the timestamping integration was never configured correctly.
Sources
- Crime and Policing Act 2026, s.250: www.legislation.gov.uk/ukpga/2026/20/section/250
- Civil Evidence Act 1995, ss.8-9: www.legislation.gov.uk/ukpga/1995/38/section/8
- ISO 19005-3 (PDF/A-3): www.iso.org/standard/57229.html
- RFC 3161 — Internet X.509 PKI Time-Stamp Protocol: www.rfc-editor.org/rfc/rfc3161
- FCA Register: register.fca.org.uk/