What current records need to be made and kept in paper? July 18, 2013

NotturnoUnder the requirements of the State Records Act, the answer is none. The State Records Act says nothing about what formats you should use to make and keep your records. Its requirements just state that:

  • you need to make and keep the evidence and the information you need to support your business operations, and
  • you should do this in the ways that best support your business.

It is very common, however, for people to think that there are specific legislative or compliance based drivers to make and keep hard copy records. If it best suits your business operations to do this, then by all means make and keep paper records. Today, however, the majority of systems and transactions are digital and so it makes sense that the records of these should be digital as well.

At State Records we do get a surprising number of questions each month asking about what records need to be kept in paper form and we also frequently receive the opposite question, asking for help to wean staff away from making and keeping paper records.

These challenges both seem to stem from the same central issue. People like paper.  And people find comfort and security in paper. But we all need to start to embrace the business efficiencies, accountabilities and benefits that can come from managing information digitally.

To do this, it can help to emphasise the benefits of digital recordkeeping and at the same time quash the perceived threats and risks posed by digital information management practices.

 

Emphasising the benefits

The National Archives of Australia has some excellent documentation on its website to support its Digital Transition Policy which explain the many, many business benefits of digital information management. This can be used to help staff understand the business benefits of digital records.

A core message of State Records’ Standard on digital recordkeeping (2008) is that if a record is born digital it should stay digital. It is most evidential, useable and reuseable in its original digital form. In addition, digital records come packed with metadata and the value and potential of this data is lost when the record is converted to paper form.

 

Mitigating the perceived risks

People often seem wedded to paper because they are concerned that born-digital records, or scanned digital versions of paper originals are less evidential or legally admissable than paper records.

 

Wet signatures

For this reason many people insist on paper file creation so that they can have a ‘wet’ signature on a paper record rather than scanned or digital signatures on a digital record.

There is no legal need for a ‘wet’ signature, however.

There are two key pieces of legislation which affect the legality of using any form of digital signature:

The NSW Electronic Transactions Act 2000 allows government organisations to use electronic technologies to do business, and specifies particular signature requirements and elements of a signature that digital signature methods must satisfy if they are to replace written signatures.

Essentially, according to section 9 of the Electronic Transactions Act, a signature must identify a person and indicate their consent for the transaction, the method used to sign must be reliable and appropriate, and the recipient of the signature must be satisfied with this form of signature. Apart from these general guidelines, the Act doesn’t specify any characteristics for legally acceptable digital signatures – these are left to business needs to determine.

The Evidence Act 1995 abolishes the ‘best evidence’ rule and allows for evidence which is, for example, a copy of a document in electronic format, or a version of a document produced by a device such as a computer.

There is, however, under the Act, a need to support the admissibility of this evidence by authentication (i.e. giving evidence that the digital output/copy is what it purports to be). This sort of authentication may involve testing the way a document was produced or kept or some other means of demonstrating that the methods by which you keep and maintain digital information are secure, reliable and well managed. For scanned digital signatures to be acceptable under this legislation, you may need to be able to prove that only an authorised person had access to a signature, that the signature was maintained securely, that the signature always reproduced appropriately, that the signature was only used for these specific transactions etc.

The National Archives of Australia has published a good summary of evidence issues from a recordkeeping perspective. Because the NSW Evidence Act mirrors the Commonwealth Evidence Act, this advice is applicable to both Commonwealth and NSW organisations.

Whatever decision you make about signatures, you should be aware that any type of digital signature should be managed appropriately and carefully. For example:

  • keep scanned images of signatures secure to prevent unauthorised use
  • where scanned images of signatures are embedded in documents or emails, make sure they can be seen once the document or email is registered in your organisation’s EDRMS
  • ensure that adequate systems security is in place, and
  • develop and implement procedures so that the process of using digital signatures is carefully controlled and so that your organisation is able to legally defend the integrity of the process in court.

As with virtually all areas of business, you just need a defensible process and a standard procedure to demonstrate that this is a normal business practice.

 

Legal admissability of scanned records

People also often ask about the legal admissability of scanned records, thinking that they should not digitise their paper files because this might affect their legal admissability.

Again, this is not true.

In NSW there is no barrier to organisations tendering digital images of records as evidence. They can be considered suitable to submit in legal proceedings in response to Government Information (Public Access) Act (GIPA) applications and for other evidentiary purposes.

However, the value or credibility of a scanned image as evidence can still be questioned. The authenticity of a presented record may be challenged or a judge may be given some other reason to doubt the reliability of a digital image. In these cases, an organisation’s documentation regarding how the digitisation (scanning) was conducted and the digital images created and kept may help to demonstrate that the digital image is an authentic and credible representation of the original.

State Records has published some guidance for NSW public offices on digitising (scanning) records. This guidance includes a section on the legal admissibility and credibility of digital images.

To make sure that you are producing good quality scanned records to replace your paper originals you should ensure that:

  • All requirements for retaining originals have been assessed and fulfilled – ie you have no business needs or requirements that say your records have to be in paper
  • The scanned copies you create are authentic, complete and accessible – ie your scanning process has given you a fully legible and accessible digital copy to work with
  • The scanned copies can be kept for as long as you legally need to keep these records – ie records legally need to be kept for different periods of time – some 2 years, 5 years, 7 years, 20+ years depending on the type of business they are documenting. You can destroy the paper original if you are confident that you are able to keep the scanned version accessible and useable for as long as is legally required to be kept
  • The original paper records should be kept for quality control purposes for an appropriate length of time after copying – ie make sure you have time to validate that the scanning was successful and the scanned copy of the record is complete and legible.
  • The scanned records should have good title and description information attached to them so that you can easily find and use them and it means that these records should be captured into a secure system where they can be protected and managed.

 

Other compliance drivers

We also hear the view that if certain records are required for audit or quality control or compliance assessment purposes then these records must be kept in paper form or, if they are born-digital, printed into paper form.

Again, this is not true. In many instances, a paper surrogate of a digital record may not be the best evidence anyway. These paper versions of born digital records will have lesser integrity and lesser capacity to leverage the inherent business and accountability components of born digital records.

Therefore, we shouldn’t let people’s fondness for paper distract us. There are no general requirements for records to be made and kept in paper form.

Ultimately recordkeeping is a business need and not a separate compliance process divorced and separate from your standard business operations. Recordkeeping does not impose requirements on you that are alien to your business needs and requirements. Recordkeeping exists to provide your organisation with the evidence and information it needs, when it needs it and in the form that best suits your business operations, now and into the future.

photo by: gualtiero
4 Comments
Dr Natasha Khramtsovsky July 18th, 2013

Dear Kate,

This post IMHO fails to recognize the usefulness of analogue records in certain niches.

The position of your standard that “if a record is born digital it should stay digital” is good for promoting transition to electronic recordkeeping. Unfortunately it’s inadequate as a general principle. Sometimes (especially when a very long term retention is involved) the best way to preserve an original digital record is to migrate it to paper or other analogue medium. My opinion is: Never wall up the door you might need one day :)

NB: Ordinary good-quality paper book is actually a digital non-electronic object because the information is coded using a limited set of reliably identified symbols :)

It’s true that there is no legal need for a ‘wet’ signature. However proving the authenticity and integrity of digital records might be challenging (especially in the long term). Problems with validation of digital signatures begin with expiration of certificates i.e. usually within a year after signing.

You also forget about disaster recovery/business continuity needs. Immediately after the disaster digital records might be unusable, so it’s advisable to duplicate some vital records on paper or microfilm.

Kate Cumming July 22nd, 2013

Dear Natasha – lovely to hear from you again. And you are right, I too believe there will always be a need for analogue records in certain niches. For example, I am doing some work with a really small organisation at the moment and their monthly meeting minutes are their key records that document all their actions, outcomes and decisions. Staff in this organisation change very frequently, their roles and responsibilities are updated regularly but there are long accountabilities associated with the organisation’s actions, expenditures and decisions. Given this tricky combination of administrative flux and long term accountabilities, I have recommended that all their minutes be kept in paper form.

A short term experiment in keeping digital files proved unsuccessful because there is no one person or position with a coordinating role for maintaining their key information over time – staff and positions change too frequently for this type of continuity. Instead business information is disaggregated and dispersed through many email systems. To ensure the long term information they will need in the future will remain accessible, central paper minutes will now be kept as their core long term record. Everything else will be digital because this makes best sense for the business and helps the small, dynamic staff to do their work most effectively.

So yes, there will always be a need for paper but I think it will increasingly be in small organisations like this that need a simple information continuity solution to deal with their administrative challenges. The majority of organisations however seem to be holding onto paper-based outputs and processes as a default, without necessarily thinking through what makes best business sense for the organisation.

Decisions about information management always need to be business focussed, considered and strategic, not just default options. And as long as decision making is business focussed, considered and strategic, organisations will come up with the right management decisions and processes for their business records through time.

All the best, Kate

Dr Natasha Khramtsovsky August 8th, 2013

Dear Kate, thank you for your thoughtful reply! I think we are in agreement on all the important issues :)

I’ve re-read the article, and now I would like to ask – exactly how one should “keep scanned images of signatures secure to prevent unauthorised use”? Do you believe it’s even possible? If a person can lay his/her hands on a record signed with such a signature (or on a paper record signed with wet signature), (s)he can also copy the image of the signature and even process it in a graphical editor making it more believable than a “genuine” one!

With my best wishes, – Natasha

Kate Cumming August 12th, 2013

Hi Natasha – I always enjoy our online conversations! Thanks for this really interesting question. Like anything in recordkeeping, I think signature management should be a risk-based decision. If needed, recordkeeping software and tools generally have good functionality for restricting record access, even at the document level if required. So you could apply a security setting to an individual document or set of documents created by a specific decision maker, if you have particular concerns about inappropriate access to an individual, high level signature.

In a digital environment, however, I don’t think we are as wedded to a specific signature necessarily as the only marker of accountable decision making any more. There is now is so much more metadata, more audit trails, work flows, email flows etc, and each of these bring with them their own accountability layers. With digital recordkeeping we are developing and implementing much more business process analysis, workflows and awareness of where specific risks and accountabilities lie, and all of this can drive much more accountable and managed decision making, with many other points of validation other than an individual signature. While it will always be challenging to control all channels when someone is determined to behave corruptly, I do think there are many more checks and balances in place in digital frameworks to make this behaviour more difficult, more apparent and therefore less likely to occur. Hopefully!

All the best as always, Kate

Leave a Reply

You must be logged in to post a comment.