Using electronic signatures
The Victorian Government is using electronic communications as a means of conducting business more than ever before. Many Victorian government agencies are therefore having to manage evidence and verification issues regarding records of transactions that were either created digitally or are converted into a digital format.
In Victoria, certain transactions require a written signature to be legally enforceable. In accordance with the Electronic Transactions Act 2000, a transaction will not be invalid simply because it is conducted electronically. The Act establishes a set of factors which, when applied, will mean that any writing or signature requirements under the statute are satisfied even though the transaction was performed electronically.
What is the difference between electronic and digital signatures?
An electronic signature or e-signature on an electronic document is intended to perform the same purpose as a handwritten signature on a paper document. Types of e-signatures include, for example:
- applying a generic email signature
- applying a digitised image of a handwritten signature to a scanned copy of a document or a born-digital document
- typing a name and then clicking ‘accept’ to agree to terms and conditions on a website
- using a scanned copy of a wet (i.e. ink) signature
- using a digital pen to manually sign on an electronic device.
A digital signature is a cryptographic technique that creates a unique and unforgeable identifier in an electronic document. This type of signature can be checked by the receiver to verify the identity of the author and that the document has not been interfered with.
What is PROV’s view on the legality of digitised signatures?
Most commercial contracts executed by agencies are documented and signed by the contracting parties as proof that the contract was authorised and can be legally enforced. Courts should now accept documents as evidence in their native form, whether born-digital or paper.
Public Record Office Victoria (PROV) does not prescribe particular requirements to agencies on the use of digitised signatures in terms of ensuring that the records represent legally enforceable transactions.
However, to ensure that agencies continue to meet PROV recordkeeping standards, the use of digitised signatures should not impact on the preservation of the record or undermine the integrity of the record itself.
Retaining hardcopy records for evidential purposes
When a record is converted to a digital image and entered into an agency’s records management system, it becomes the converted record and the ‘official’ record. The original hardcopy scanned record is the ‘source record’.
All agencies should retain the source records for a determined period of time (see PROS 11/07 G1 Guide to Digitisation Requirements) and in accordance with PROS 10/01 Converted Source Records Retention and Disposal Authority.
In addition to these requirements, where the hardcopy source record represents a transaction, including a record authenticated with a wet signature, agencies should consider the particular risks associated with the record type and its value.
Where the value of the document is low (e.g. routine correspondence) it may not be necessary to retain the source record, including those which have a wet signature, so long as your agency has a reliable recordkeeping system in place. It can be helpful to document the decision not to retain the source records for later verification purposes. On the other hand, if the value of the transaction and associated risk is high, then it may be prudent to keep the hardcopy source record with its wet signature to verify the authenticity of the transaction, for at least the duration of the agreement.
Agencies must verify with their legal team that their management of records with electronic and/or wet signatures complies with their particular business needs and legal obligations.
Evidence and EDRMS
An Electronic Document Records Management System (EDRMS) can strengthen the credibility of a record by documenting the process used to generate the record and, if necessary, could be used to show that this was the normal process used to generate such records. Typically, the EDRMS would be set up to:
- record an explicit approval step, together with the copy that was ‘approved’, and the date and time it was approved
- prevent subsequent tampering or disposal of the record of approval
- have audit logs listing who accessed the record.
Where a dispute arises as to the credibility of a record, it might be necessary to demonstrate the quality of the EDRMS and the integrity of its configuration. Controls such as the following would be important markers of a quality system with the appropriate configuration:
- proposed procedures/business rules would be part of normal business practice
- publishing takes a document out of draft and creates a ‘published’ version
- inability to delete a document marked as ‘Corporate Value’
- an audit trail supports the process by recording events
- security can be applied if necessary to restrict access to the document once signed, e.g. to apply read-only access
- the document can be rendered into a PDF version if necessary
- use of the EDRMS ‘approval’ process
- the signatory controls the process
- should any changes be made to the document, they are captured.