Now and then at Recordkeeping Innovation we encounter questions from clients about the use of signatures, and in particular moving away from hard copy signed documents. Transitioning from paper to digital recordkeeping is a great opportunity for innovation and change in the way we conduct business. Sometimes, though, when it comes to implementing new systems we can tend to look for digital equivalents of past paper practices without thought as to what we might be able to do differently.
The use of digital signatures is a good example of this. Before starting to wonder what form of authentication is needed to replace a signature on a piece of paper, we should be questioning: is that level of authentication needed at all?
From seals to signatures, certain business transactions have always required an additional element of authentication to engender trust and/or support the lawfulness of the exchange, for example contracts that need to be witnessed, or the personal authorisation of expenditure.
However, in other cases signatures have been added by habit or convention without a specific need for them. So, as well as considering things like formats, metadata and relationships with other records when moving from a paper-based process to a digital one, this is the perfect time to consider: is a signature really needed for this transaction?
Reasons that a signature or other authentication might be required
In some instances there is a requirement in law for a ‘signature’, for example for documents that have to be witnessed or financial transactions requiring authorised signatories. In other cases, there may be no requirement by law, but where trust and accountability are seen as critical, signatures are deemed necessary for particular transactions. That is not to say that when converting from a paper-based process to a digital one, the assumption should automatically be made that a signature continues to be required. The business context, risk profile and requirements affecting the need for authentication may have changed. That’s why a fresh appraisal process at the time of this kind of business process reengineering is valuable, to ensure that such changes are accommodated.
Appraisal, a core activity in recordkeeping, is the process of evaluating business activities and work processes to determine which records need to be created and captured and how long the records need to be kept. It can also indicate the essential characteristics that are needed in a record, such as authentication. Appraisal is a recurrent process, and the move from paper-based to digital processes is a good point to conduct it again. An appraisal process may indicate that the risks associated with not including an authentication have reduced, or indeed may confirm the need for this extra layer of trustworthiness.
If authentication really is required...
Where the requirement for a signature remains, there are actually few options available to you to meet the authentication requirement. The method used need not be by signing a piece of paper – or even by making a scan of a signature. Seeing that forcing a reliance on paper was increasingly impractical, steps were taken some years ago to ensure that the law provides for equivalence between the old signatures on paper and the new digital versions of these.
A post on State Records NSW’s Future Proof blog provides a handy explanation of the most relevant pieces of legislation:
“There are two key pieces of legislation which affect the legality of using any form of digital signature:
- The Electronic Transactions Act 2000 allows government organisations to use electronic technologies to do business, and specifies particular signature requirements and elements of a signature that digital signature methods must satisfy if they are to replace written signatures. Essentially, according to section 9 of the Electronic Transactions Act, a signature must identify a person and indicate their consent for the transaction, the method used to sign must be reliable and appropriate, and the recipient of the signature must be satisfied with this form of signature. Apart from these general guidelines, the Act doesn’t specify any characteristics for legally acceptable digital signatures – these are left to business needs to determine.
- The Evidence Act 1995 (mirrored as Commonwealth and State based legislation) which abolishes the ‘best evidence’ rule and allows for evidence which is, for example, a copy of a document in electronic format, or a version of a document produced by a device such as a computer. There is, however, under the Act, a need to support the admissibility of this evidence by authentication (i.e. giving evidence that the digital output/copy is what it purports to be). This sort of authentication may involve testing the way a document was produced or kept or some other means of demonstrating that the methods by which you keep and maintain digital information are secure, reliable and well managed. For scanned digital signatures to be acceptable under this legislation, you may need to be able to prove that only an authorised person had access to a signature, that the signature was maintained securely, that the signature always reproduced appropriately, that the signature was only used for these specific transactions etc.”
Source: ‘More digital recordkeeping FAQs from State Records NSW, November 2012’ Future Proof NSW (Nov 2012) http://futureproof.records.nsw.gov.au/more-digital-recordkeeping-faqs-from-state-records-nsw-november-2012/
So, if you have determined that a signature is needed and you have elected to use a digital signature (such as a scan of a signature or use of an encrypted ‘stamp’ signifying authenticity), you should be aware that any type of digital signature used should be managed appropriately and carefully. For example:
- keep scanned images of signatures secure to prevent unauthorised use;
- where scanned images of signatures are embedded in documents or emails, make sure they can be seen once the document or email is registered in your organisation’s EDRMS; and
- ensure that adequate systems security is in place and develop and implement procedures so that the process of using digital signatures is carefully controlled and so that your organisation is able to legally defend the integrity of the process in court.
About the author
Cassie Findlay is a Senior Consultant with Recordkeeping Innovation. In past roles, Cassie has worked strategically at the whole of public sector level on digital recordkeeping, training and open data / open government initiatives. In planning for and establishing the NSW Government’s first Digital State Archive, she gained practical experience in designing and implementing a large and complex technical and procedural infrastructure for keeping digital information. She was also responsible for a number of open data initiatives and the design and launch of OpenGov NSW, the NSW Government’s website for published information. Cassie has a Master’s degree in information management from the University of NSW and particular strengths in digital recordkeeping and information management strategy, digital preservation, training and communications design and delivery, systems design and implementation, and open data.