330 likes | 356 Views
Explore the importance of integrity and authenticity in electronic records for business, legal, and regulatory reasons. Understand the impact of court rules on evidence and the challenges of electronic documents. Learn about legislation that helps establish authenticity and the use of standards in supporting admissibility.
E N D
ELECTRONIC RECORDS INTEGRITY AND AUTHENTICITY AND STANDARDS OF EVIDENCE John D. Gregory Ministry of the Attorney General (Ontario) IQPC February 25, 2004
Integrity and authenticity • What are they? • Why do you care? • for business reasons • have to trust your records • for legal reasons • others may have to trust them IQPC February 25, 2004
The legal reasons • administrative – a government department (such as the tax people) wants to see them • regulatory – a public agency (such as the Securities Commission) wants to see them • judicial – they are needed for a court case IQPC February 25, 2004
Judicial reasons - Court rules • We focus on court rules here because: • they are a general standard – not specific to an agency • they are a single standard – not multiple as with agencies • their standard influences others’ rules • Note on Audit Standards • See later discussion by Brian Ludmer • CICA has information security audit standard IQPC February 25, 2004
The Law of Evidence in a (small) nutshell • Admissibility vs weight: • for courts, most of discussion touches the former • for agencies and regulators, will affect the latter IQPC February 25, 2004
The Law of Evidence in a (small) nutshel l • the “normal” rule: oral evidence, under oath, subject to cross-examination • but: lots of exceptions • notable exception: documents • “documentary evidence” includes papers, pictures, audio and videotapes, and contents of computers IQPC February 25, 2004
The Law of Evidence in a (small) nutshel l • Criteria for admission of documentary evidence: • authentic – the record is what it purports to be • best evidence – an original, or an explanation • not hearsay (a content rule not a form rule) • reliable and necessary • business records rule • statutory records rules • Ontario Evidence Act, Canada Evidence Act IQPC February 25, 2004
The Law of Evidence in a (small) nutshel l • Electronic documents – how does this change? • Authenticity: basic rule is OK – document supported by live witness – but e-documents are more subject to manipulation (sometimes). May be hard on a challenge. • Original (best evidence): may be meaningless for electronic document. Changed by legislation from a record-based test to a system-based test • Hearsay: no change in principle – because content does not change with the medium. Still OCB test. IQPC February 25, 2004
The Law of Evidence in a (small) nutshel l • In practice: Electronic records get admitted readily • Everyone knows records are made on computers • “Notice to admit” procedure – know ahead of time • Risk (in costs) of objecting on speculation IQPC February 25, 2004
The Law of Evidence in a (small) nutshel l • BUT • If there is a serious dispute, how do you defend your records? • How do you demonstrate authenticity, originality? • SO • Legislation to help answer these questions. IQPC February 25, 2004
The Legislation • Uniform Electronic Evidence Act (federal government, 6 provinces incl. Ontario + Yukon) • Ontario Evidence Act s. 34.1 (2000) • Canada Evidence Act s. 31.1 – 31.8 • Quebec – distinct (Civil Code and special Act) IQPC February 25, 2004
The Legislation • The key to the legislation: system integrity • general application: the best evidence rule – no original needed • In addition: any evidence supporting system integrity may be used to support admissibility IQPC February 25, 2004
The Legislation • To ease admission, the law provides presumptions that the record-keeping system has integrity: • for one’s own computer, OK if one can show • the computer was working fine all the time, or • if it wasn’t, the problem did not affect the integrity of the record-keeping system • for a record from an adverse party’s computer, OK (since the other party knows more about it) • for a record from an independent third party, OK if kept in the ordinary course of business IQPC February 25, 2004
The Legislation • AND if the presumption is rebutted, so one has to show the integrity of a record-keeping system: For the purposes of determining under any rule of law whether an electronic record is admissible, evidence may be presented in respect of any standard, procedure, usage or practice on how electronic records are to be recorded or stored, having regard to the type of business or endeavour that used, recorded or stored the electronic record and the nature and purpose of the electronic record. (UEEA s. 6) IQPC February 25, 2004
The Legislation • Standards may be of variable degrees of • formality (official, semi-official, private) • applicability (sectoral, record-type) • generality (could be bilateral agreement) • Proof that the presumptions apply or that standards are complied with may be by affidavit of a person with knowledge of the record-keeping practices of the party that wants to produce the record in evidence. • The person should be available for cross-examination. IQPC February 25, 2004
Standards • Canadian General Standards Board • part of Public Works Canada • Microfilm as documentary evidence (1988) • Microfilm and electronic imaging … (1993) • Electronic records as documentary evidence (2004) – in the final stages of adoption • And still to come • Electronic Signatures • Codes for retention and disposition of e-records • Long term preservation of digital information IQPC February 25, 2004
Standards • Legal effect of a Standard • The standard is itself not a law, it is a guideline. • Compliance with the standard is not mandatory. • Compliance with the standard is a kind of safe harbour, not a guarantee of any legal result. • The standard is a statement of best practices. • The Evidence Act says a court “may consider” compliance with the standard – if a party asks. IQPC February 25, 2004
Standards • But • The standard is written in mandatory language – the Person “shall” do X and Y. • If you say you comply and do not, there may be civil and regulatory consequences for misrepresentation. • Sometimes compliance is given an advantage, e.g. the law of evidence, the tax authorities (for the CGSB imaging standard). IQPC February 25, 2004
Standards • The standard could become a common-law standard of prudent behaviour, so that failure to comply could be found to be negligence. • The standard could be adopted in legislation or regulations and made mandatory for some sectors or some purposes. (e.g. Canadian Standards Association or Underwriters’ Laboratories for electrical goods) • The legal effects may be indirect or private (e.g. give an ability to prove reliability of records) IQPC February 25, 2004
The CGSB Standard and you • The key rule of the Standard: think about it! • In other words: • Make a policy about how e-records are managed • Communicate the policy • Implement the policy • Monitor compliance with the policy • Adjust the policy as required by circumstances • Have a policy manual that you can point to. • Have someone responsible (CRO) (+ witness) IQPC February 25, 2004
The CGSB Standard and you • Characteristics of the Standard: • high level language • it applies to lots of records • it applies to lots of record-keepers • question: small and medium-sized enterprises • technology neutral • it is flexible in its application now • it is adaptable to evolution of technology • it does not make business choices for its users IQPC February 25, 2004
The CGSB Standard and you • Complying with the Standard • Authorization: • senior management have to buy in formally • someone is put in charge • responsibilities apply even if outsourced work • the policy is documented, changes are documented • Electronic Records Management Program Policy” • “closely aligned” with the information management security policy IQPC February 25, 2004
The CGSB Standard and you • Policy contains statements on, among other things, • data file formats and version control • enabling technologies • quality assurance • metadata capture and preservation • information and records covered by the policy • includes physical and logical structure of info held by the organization • security classification and how to implement it IQPC February 25, 2004
The CGSB Standard and you • Policy contains statements on, among other things (contd) • security processes and procedures including • user authentication and permission control • firewall protection • systems backups • disaster recovery • retention and destruction policies • system and procedure audits for compliance IQPC February 25, 2004
The CGSB Standard and you • The Policy manual: • Keep a manual complete and current • It may refer to other standards and procedures • It authorizes the life-cycle metadata of records • It tells how data is captured and stored • It controls data migration and conversion • Indexing (self-explanatory) IQPC February 25, 2004
The CGSB Standard and you • Authenticated data output for legal proceedings: • you display the contents of the e-records by printouts or live display or electronic display (e.g. CD) • you have to be able to show that what you are displaying is the same as what is in the computer. • Signature of authorized person may be used • have to document the reasons for any change in format IQPC February 25, 2004
The CGSB Standard and you • Security and protection: • document details of all levels of access • need notification of and protection against unauthorized access to documents • maintain environment according to suppliers’ recommendations and (inter)national standards • encryption may improve security and integrity • need key management, certificate management • take caution on self-modifying electronic records • consider use of time and date stamps • document any correction of errors • control who has access to clocks IQPC February 25, 2004
The CGSB Standard and you • Audit trail: • A historical record of all significant events associated with the e-record management system • date of storage of information • movement of info from medium to medium • evidence that controls operate and are effective • Provides evidence of authenticity of records • Contains system- and operator-generated logs. • Standard gives lengthy list of contents. IQPC February 25, 2004
Conclusions • E-records need extra care and control • Partly because of lack of familiarity • Essence is integrity of information • measured over the life-cycle of the record • Compliance with the Standard is a good way to take the care required • Compliance with the Standard will help in meeting common-law and statutory tests of admissibility IQPC February 25, 2004
Conclusions • If your electronic records can meet these tests, then evidence law does not make you produce the paper • even if the paper still exists, i.e. you don’t have to destroy it but you can • BUT there are other laws that require retention of records, e.g. tax law, industry-specific regs • SO you may have to keep the paper anyway. • A sound records retention and destruction schedule can only help. IQPC February 25, 2004
SOME SOURCES • Uniform Electronic Evidence Act • http://www.ulcc.ca/en/us/index.cfm?sec=1&sub=1u2 • Implementation status • http://www.ulcc.ca/en/cls/index.cfm?sec=4&sub=4d • Ontario Evidence Act, R.S.O. 1990 c.E.23 • as amended • http://www.e-laws.gov.on.ca/DBLaws/Statutes/English/90e23_e.htm • Canada Evidence Act R.S.C. 1985 s.C-5 • as amended • http://laws.justice.gc.ca/en/c-5/text.html IQPC February 25, 2004
Some Sources • Canadian General Standard Board • http://www.pwgsc.gc.ca/cgsb/home/index-e.html • Chasse “Computer-produced records in Court Proceedings” (1994 ULCC) • http://www.ulcc.ca/en/poam2/index.cfm?sec=1994&sub=1994ac • CICA on Information Security principles and audits • Information Technology Control Guidelines (3d ed.) • http://www.cica.ca/index.cfm/ci_id/1004/la_id/1.htm • Conference in March 2004 on Auditing IT systems • www.cica.ca/itaudit IQPC February 25, 2004
Some Sources • Industry Canada – Authentication materials • http://e-com.ic.gc.ca/epic/internet/inecic-ceac.nsf/vwGeneratedInterE/h_gv00090e.html - Authentication principles (draft 2003) • http://e-com.ic.gc.ca/epic/internet/inecic-ceac.nsf/vwapj/authentication_principles.pdf/$FILE/authentication_principles.pdf • American Bar Association – “Record Retention and Destruction: Current Best Practices” • http://www.abanet.org/buslaw/newsletter/0019/materials/recordretention.pdf IQPC February 25, 2004