
Electronic Records as
Documentary Evidence
Standard (CAN-CGSB 72.34)
A Case Study from The
University of Calgary
By Regina Landwehr ©
University Archives
Presented at ARMA Canada
Conference, Winnipeg, 6 June 2007
Agenda
- Reasons for choosing the standard
- Overview of standard
- Applying the standard
- Assessment findings and recommendations
- Future steps
- Comments on the standard

Reasons for choosing standard
- Whose responsibility is it?
- Continuum of Care model at UofC
- The issue: e-records replaced paper records in the admissions process
- Can e-records take the place of paper records?
- Legislative research: Electronic Transactions Act (ETA), Alberta Evidence Act

Reasons for choosing standard
The Acts:
- UofC must always be prepared to produce its records as evidence
- Core requirements for admissibility:
  - Authenticity of the record
  - Integrity of the information system
  - Truthfulness of the record's content

Reasons for choosing standard
The Acts:
- Follow national standard(s)
- Microfilm and Electronic Images as Documentary Evidence Standard (CAN/CGSB-72.11-93)
  - Covers conversion from paper to scans only
- Surprise: the admissions system holds more than scans
  - Email and EDMS record annotations

Overview of standard (CAN/CGSB-72.34)
- Published in 2005
- Applies to public and private sectors, to profit and not-for-profit activities
- Purpose:
  - To ensure records can provide reliable support for business decisions
  - To maximize admissibility and weight of records
  - To protect the value of e-records in documenting the content and accountability of decisions and transactions

Overview of standard
- Provides structure and principles for developing a comprehensive e-records management program
- Defines best practices
- Sections 5-8 are the 'meat' of the standard:
  - Legal requirements for e-records as evidence
  - Components of an e-records management system program, incl. system requirements
  - Quality Assurance Program (QAP)
  - Audit trail requirements

Overview of standard
- Technology neutral
- ISO 15489-1 and -2, 'Records Management' standard (2001), is its foundation

References:
- Fisher, Paul. Electronic Records as Evidence: The Case for Canada's New Standard. Information Management Journal, March/April 2004.
- Gurushanti, Vigi. e-Evidence Standard: Proving the Integrity, Reliability and Trust of Electronic Records. ARMA/CIPS conference, 2002.

Key records concepts
- Records in whatever format serve as evidence of activities
- Characteristics of records to act as evidence:
  - Trustworthy: stand for the facts the record is about
  - Trustworthy over time: not altered, falsified or substituted
  - Authoritative: capable of generating consequences

Records are trustworthy if...
Contain complete information:
- Date written and/or received
- Author and title of author
- Sender and title of sender
- Recipient and title
- Type of record
- Body of text
- Content description (re: subject)
- File code/classification #
- Comments/notes on record
- Attachments
- Stamp for copy/draft
- Signature(s)

Records are authoritative if...
Authority given through permission:
- Permission is defined by position
- Positions reflect competence for a function/activity
- Functions are mandated in the business plan

Records are trustworthy over time if...
- Placed and kept in a file that relates to the matter (classification)
- Access to the file remains privileged
- Whereabouts of files are tracked if removed
- Completeness is checked upon return
- Records are kept only as long as required by retention authority

ENSURING COMPLIANCE
Functional and Procedural Requirements to Ensure Compliance with the Freedom of Information and Protection of Privacy Act, the Electronic Transactions Act, and the Alberta Evidence Act as per the Electronic Records as Documentary Evidence Standard (CAN-CGSB 72.34)

Information System Requirements (checklist column for each: Existing? Yes / No)
1. The system must be capable of authenticating the author of a record.
2. The system must be capable of capturing IT metadata.
3. The system must be able to create audit trail information consisting of a record of all historical activities or events associated with the system and the records that may need to be reconstructed in the future as additional evidence to support stored records.
4. The following security features must be provided:
   a. Protection against unauthorized access
   b. Processing verification of data and information in records
   c. Safeguarding of record transmission over time and space
   d. Maintenance of backup copies of records
   e. Establishment of a business continuity plan for electronic records and associated data
5. A set of procedures must be developed to allow for monitoring and assessing the system's quality.
6. The system must not permit records to be altered once they are saved as complete, official records.
7. The system must be able to support records retention and disposition requirements.
8. The system must be able to record comments (notes and annotations) related to a record.
University of Calgary Archives, June 2007
Check list-requirement 1: authenticate the source of a record
- Identify/verify the author of the record
- Identify/verify the operator of the system
- Identify/verify the system/software from which the record originates

Check list-requirement 2: ability to capture IT metadata
- System design architecture
- Entity and attribute definitions
- Description of how to use the operating system and program application
Beware!
- Issue of proprietary systems preventing effective testing and maintenance

Check list-requirement 3: ability to create audit trails
- Record of all historical activities/events performed on the records and the records system
- System- and operator-generated logs of:
  - Initial capture
  - Changes to access privileges
  - Nature of processing events
  - Changes to record formats
  - Destruction/erasures and attempts at them
- Audit trails must be kept as long as the records exist and stored separately from the system
Check list-requirement 4: security features
a. Ability to assign permissions must be protected
b. Processing verification must be available
c. Safeguarding of communication and transmission lines
d. Maintenance of backup copies of records
e. Business continuity plan for system and records

Check list-requirement 5: quality testing
Quality Assurance Program (QAP):
- Regular testing of:
  - System operability
  - Completeness of records
- Documentation that testing took place
- Independent audit of the QAP

Check list-requirement 6: non-alterable official record
Records are locked:
- Scans: fixed format (PDF)
- Email: correspondence, once sent, is fixed
- Annotation records: no overwrite
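To make requirements 3 and 6 concrete, here is an added Python sketch; it is not from the presentation or from the University of Calgary's Synergize system, and the record identifier, operator names and sample scan bytes are constructed. Once a record is declared complete it is locked, annotations are appended rather than overwritten, and every capture, privilege change, alteration attempt and destruction (successful or refused) goes into a hash-chained audit trail that can be verified independently of the records store.

```python
"""Locked official records plus a hash-chained audit trail (illustrative sketch)."""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # link value for the first audit entry


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class AuditTrail:
    """Append-only log kept apart from the records store; each entry commits to the previous hash."""

    def __init__(self):
        self.events = []

    def append(self, event, record_id, operator, detail=""):
        entry = {"seq": len(self.events),
                 "time": datetime.now(timezone.utc).isoformat(),
                 "event": event, "record_id": record_id,
                 "operator": operator, "detail": detail,
                 "prev": self.events[-1]["hash"] if self.events else GENESIS}
        entry["hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
        self.events.append(entry)
        return entry

    def verify(self):
        """Recompute every hash and link; False if an entry was altered or the chain no longer links."""
        prev = GENESIS
        for e in self.events:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["hash"]:
                return False
            prev = e["hash"]
        return True


class RecordsSystem:
    """Minimal record-keeping store: capture, lock, annotate, control destruction."""

    def __init__(self, audit):
        self.records, self.audit = {}, audit
        self.may_destroy = set()  # operators holding the destruction privilege

    def capture(self, record_id, content, fmt, operator):
        self.records[record_id] = {"content": content, "fmt": fmt, "locked": False, "notes": []}
        self.audit.append("capture", record_id, operator, f"{fmt} sha256={sha256_hex(content)}")

    def declare_official(self, record_id, operator):
        self.records[record_id]["locked"] = True
        self.audit.append("lock", record_id, operator, f"sha256={sha256_hex(self.records[record_id]['content'])}")

    def replace_content(self, record_id, new_content, operator):
        if self.records[record_id]["locked"]:   # requirement 6: official records are fixed
            self.audit.append("alter_denied", record_id, operator)
            return False
        self.records[record_id]["content"] = new_content
        self.audit.append("alter", record_id, operator, f"sha256={sha256_hex(new_content)}")
        return True

    def annotate(self, record_id, note, operator):
        self.records[record_id]["notes"].append({"by": operator, "note": note})  # appended, never overwritten
        self.audit.append("annotate", record_id, operator, note)

    def grant_destroy(self, operator, admin):
        self.may_destroy.add(operator)
        self.audit.append("privilege_change", "-", admin, f"destroy granted to {operator}")

    def destroy(self, record_id, operator):
        if operator not in self.may_destroy:    # refused attempts are logged as well
            self.audit.append("destroy_denied", record_id, operator)
            return False
        rec = self.records.pop(record_id)
        self.audit.append("destroy", record_id, operator, f"sha256={sha256_hex(rec['content'])}")
        return True


def demo():
    audit, rid = AuditTrail(), "ADM-2007-0001"          # constructed identifier
    system = RecordsSystem(audit)
    system.capture(rid, b"%PDF-1.4 constructed sample scan", "pdf", "clerk1")
    system.declare_official(rid, "clerk1")
    altered = system.replace_content(rid, b"edited", "clerk2")   # refused: record is locked
    system.annotate(rid, "Transcript received 2007-05-30", "clerk2")
    denied = system.destroy(rid, "clerk2")              # no privilege yet: refused and logged
    system.grant_destroy("clerk2", "records_manager")
    destroyed = system.destroy(rid, "clerk2")
    events = [e["event"] for e in audit.events]
    intact = audit.verify()
    audit.events[2]["event"] = "alter"                  # someone rewrites the denied attempt
    return {"altered": altered, "denied": denied, "destroyed": destroyed,
            "events": events, "intact": intact, "tamper_detected": not audit.verify()}
```

One caveat the chain alone does not cover: deleting the most recent entries leaves a shorter but still valid chain. That is why the standard's "stored separately from the system" matters in practice: the latest hash (or the whole trail) has to be copied somewhere the system operator cannot rewrite, and the trail retained for as long as the records it describes.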
Check list-requirement 7: support records retention and disposition
- Schedule records
- Notification of destruction readiness
- Generate disposition lists
- Log dispositions completed

Check list-requirement 8: record annotations/instructions
- Capability to create legible annotations
- Associate annotation with record
- Inseparability of annotation from record
- Unalterable annotation

Assessment findings
- No satisfactory back-up procedures
- No system maintenance/testing plan
- No scheduling and disposition function
- No audit trail is kept of record deletions
- No business continuity plan

Assessment recommendations
- Paper records, where they exist, will remain the official record
- E-records in Synergize will be reference copies
- Annotations and e-mail records as yet unresolved
- Develop a Procedures Manual for this system
- Develop a vital records system plan
- Develop a disposition tool with the vendor
Outlook
- Record-making systems are difficult to convert into record-keeping systems
- DoD-compliant enterprise-wide ERS in its pilot phase
- Strengthen the policy framework around system security and quality assurance
- Continue assessing other record-making systems using this standard

Comments on standard
- Strengthen the significance of business process analysis
- Add a system requirement for annotations
- Add a system requirement specifying a retention period for the audit trail of destruction
- Clarify some definitions and terms:
  - Records vs. information vs. data
