E-records and the law

1. E-records and the law John D. Gregory Policy Division Ministry of the Attorney General May 14, 2007

2. Why do you care? • Reasons why the law will apply to e-records: • administrative – a government department (such as the tax people) wants to see them • regulatory – a public agency (such as the Securities Commission) wants to see them • judicial – they are needed for a court case MGS - IM - E-records and the law

3. The Law of Evidence in a (small) nutshell • Admitting documentary evidence: •  authentic – the record is what it purports to be  • best evidence – an original, or an explanation • not hearsay (a content rule not a form rule) • reliable and necessary • business records rule • statutory records rules • Ontario Evidence Act, Canada Evidence Act MGS - IM - E-records and the law

4. The Law of Evidence in a (small) nutshell • Electronic documents – how does this change? • Authenticity: basic rule is OK – document supported by live witness – but e-documents are more subject to manipulation (sometimes). May be hard on a challenge. • May be asked why the witness believes the record is accurate. • Original (best evidence): may be meaningless for electronic document. Changed by legislation from a record-based test to a system-based test • Hearsay: no change in principle – because content does not change with the medium. Still “ordinary course of business” test. MGS - IM - E-records and the law

5. The extreme case? • “the focus is not on the … creation of the record, but rather on the … preservation of the record during the time it is in the file” • “the entity’s policies and procedures for the use of the equipment, database and programs are important. How access to the … database [and to the specific program are] controlled is important. How changes in the database are logged, as well as the structure and implementation of backup systems and audit procedures for assuring the continued integrity of the database, are pertinent.” • In re Vee Vinhee, US appeal court, 2005. MGS - IM - E-records and the law

6. The Legislation • To ease admission, the law provides presumptions that the record-keeping system has integrity: • for one’s own computer, OK if one can show • the computer was working fine all the time, or • if it wasn’t, the problem did not affect the integrity of the record-keeping system • for a record from an adverse party’s computer, OK (since the other party knows more about it) • for a record from an independent third party, OK if kept in the ordinary course of business. MGS - IM - E-records and the law

7. The Legislation • If the presumption is rebutted, so one has to show the integrity of a record-keeping system: For the purposes of determining under any rule of law whether an electronic record is admissible, evidence may be presented in respect of any standard, procedure, usage or practice on how electronic records are to be recorded or stored, having regard to the type of business or endeavour that used, recorded or stored the electronic record and the nature and purpose of the electronic record. (Evidence Act s.34.1(8)) MGS - IM - E-records and the law

8. Standards • Canadian General Standards Board • part of Public Works Canada • Microfilm as documentary evidence (1988) • Microfilm and electronic imaging … (1993) • Electronic records as documentary evidence (2005) • And still to come • Electronic Signatures • Codes for retention and disposition of e-records • Long term preservation of digital information MGS - IM - E-records and the law

9. The CGSB Standard and you • The key rule of the Standard: think about it! •  In other words: • Make a policy about how e-records are managed • Communicate the policy • Implement the policy • Monitor compliance with the policy • Adjust the policy as required by circumstances • Have a policy manual that you can point to. • Have someone responsible (CRO) (+ witness) MGS - IM - E-records and the law

10. The CGSB Standard and you • Characteristics of the Standard: • high level language • it applies to lots of records • it applies to lots of record-keepers • question: small and medium-sized enterprises •  technology neutral • it is flexible in its application now • it is adaptable to evolution of technology • it does not make business choices for its users MGS - IM - E-records and the law

11. The CGSB Standard and you • Complying with the Standard • Authorization: • senior management have to buy in formally • someone is put in charge • responsibilities apply even if outsourced work • the policy is documented, changes are documented • Electronic Records Management Program Policy • “closely aligned” with the information management security policy MGS - IM - E-records and the law

12. The CGSB Standard and you • Policy contains statements on, among other things, • data file formats and version control • enabling technologies • quality assurance • metadata capture and preservation • information and records covered by the policy • includes physical and logical structure of info held by the organization • security classification and how to implement it MGS - IM - E-records and the law

13. The CGSB Standard and you • Policy contains statements on, among other things (contd) • security processes and procedures including • user authentication and permission control • firewall protection • systems backups • disaster recovery • retention and destruction policies • system and procedure audits for compliance MGS - IM - E-records and the law

14. The CGSB Standard and you • The Policy manual: • Keep a manual complete and current • It may refer to other standards and procedures • It authorizes the life-cycle metadata of records • It tells how data is captured and stored • It controls data migration and conversion • Indexing (self-explanatory) MGS - IM - E-records and the law

15. The CGSB Standard and you • Audit trail: • A historical record of all significant events associated with the e-record management system • date of storage of information • movement of info from medium to medium • evidence that controls operate and are effective • Provides evidence of authenticity of records • Contains system- and operator-generated logs. • Standard gives lengthy list of contents. MGS - IM - E-records and the law

16. Conclusion • Authenticity is a result of the integrity of the record-keeping system • Having a documented policy with documented enforcement will help ensure that electronic records are admitted as evidence. • The CGSB standard is not the only way but it is a good one and starting to be recognized. MGS - IM - E-records and the law

17. Some sources • Uniform Electronic Evidence Act • http://www.ulcc.ca/en/us/index.cfm?sec=1&sub=1u2 • Implementation status • http://www.ulcc.ca/en/cls/index.cfm?sec=4&sub=4d • Ontario Evidence Act, R.S.O. 1990 c.E.23 • as amended • http://www.e-laws.gov.on.ca/DBLaws/Statutes/English/90e23_e.htm • Canada Evidence Act R.S.C. 1985 s.C-5 • as amended • http://laws.justice.gc.ca/en/showtdm/cs/C-5 MGS - IM - E-records and the law

18. Some sources • Canadian General Standard Board • http://www.pwgsc.gc.ca/cgsb/home/index-e.html • Chasse “Computer-produced records in Court Proceedings” (1994 ULCC) • http://www.ulcc.ca/en/poam2/index.cfm?sec=1994&sub=1994ac • CICA on Information Security principles and audits • Information Technology Control Guidelines (3d ed.) • http://www.cica.ca/index.cfm/ci_id/1004/la_id/1.htm • Conference in March 2008 on Auditing IT systems • http://www.cica.ca/index.cfm/ci_id/10763/la_id/1.htm MGS - IM - E-records and the law

19. Some sources • Industry Canada – Authentication materials • http://e-com.ic.gc.ca/epic/internet/inecic-ceac.nsf/vwGeneratedInterE/h_gv00090e.html - Authentication principles (2004) • http://strategis.ic.gc.ca/epic/site/ecic-ceac.nsf/en/h_gv00240e.html  American Bar Association – “Record Retention and Destruction: Current Best Practices” • http://www.abanet.org/buslaw/newsletter/0019/materials/recordretention.pdf MGS - IM - E-records and the law