Electronic Records as Documentary Evidence Standard (CAN
Electronic Records as
Documentary Evidence
Standard (CAN-CGSB 72.34)
A Case Study from The
University of Calgary
By Regina Landwehr ©
University Archives
Presented at ARMA Canada
Conference, Winnipeg, 6 June 2007
Agenda
Reasons for choosing the standard
Overview of standard
Applying the standard
Assessment findings and recommendations
Future steps
Comments on the standard
NOT MY JOB!
Reasons for choosing standard
Whose responsibility is it?
Continuum of Care model at UofC
The issue: e-records replaced paper records in the
admissions process
Can e-records take the place of paper records?
Legislative research: Electronic Transactions Act
(ETA), Alberta Evidence Act
Reasons for choosing standard
The Acts:
UofC must always be prepared to
produce its records as evidence
Core requirements for admissibility:
Authenticity of the record
Integrity of the information system
Truthfulness of the record’s content
THE VOTING MACHINE
Reasons for choosing standard
The Acts:
Follow national standard(s)
Microfilm and Electronic Images as
Documentary Evidence Standard
(CAN/CGSB-72.11.93)
Conversion from paper to scans only
Surprise: more than scans –
Email and EDMS record annotations
Overview of standard (CGSB
72.34)
Published in 2005
Applies to public and private sectors, to profit and
not-for-profit activities
Purpose:
To ensure records can provide reliable support for
business decisions
To maximize admissibility and weight of records
To protect the value of e-records in documenting the
content and accountability of decisions and transactions
Overview of standard
Provides structure and principles for developing a
comprehensive e-records management program
Defines best practices
Sections 5-8 are the ‘meat’ of the standard
Legal requirements for e-records as evidence
Components of an e-records management
system program incl. system requirements
QAP
Audit trail requirements
Overview of standard
Technology neutral
ISO 15489-1 and 2, ‘Records Management’
standard (2000) is its foundation
References:
Fisher, Paul. Electronic Records as Evidence: The
case for Canada’s new standard (Information
Management Journal, March/April 2004)
Gurushanti, Vigi. e-Evidence Standard: Proving the
integrity, reliability and trust of electronic records
(ARMA/CIPS conference, 2002)
Key records concepts
Records in whatever format serve as evidence of
activities
Characteristics of records to act as evidence
Trustworthy: stand for the facts a record is
about
Trustworthy over time: not altered, falsified,
substituted
Authoritative: capable of generating
consequences
Records are trustworthy if…
Contain complete information
Date written and/or received
Author and title of author
Sender and title of sender
Recipient and title
Type of record
Body of text
Content description-re: subject
File code/classification #
Comments/notes on record
Attachments
Stamp for copy/draft
Signature(s)
Records are authoritative if…
Authority given through permission
Permission is defined by position
Positions reflect competence for a
function/activity
Functions are mandated in business plan
Records are trustworthy over time
if…
Placed and kept in a file that relates to the
matter (classification)
Access to file remains privileged
Track whereabouts of files if removed
Check for completeness upon return
Keep records only as long as required by
retention authority
ENSURING COMPLIANCE
Functional and Procedural Requirements to Ensure Compliance with the
Freedom of Information and Protection of Privacy Act, the Electronic
Transactions Act, and the Alberta Evidence Act as per the Electronic
Records as Documentary Evidence Standard (CAN-CGSB 72.34)
Information System Requirements
1. The system must be capable of authenticating the author of
a record.
2. The system must be capable of capturing IT metadata.
3. The system must be able to create audit trail information
consisting of a record of all historical activities or events
associated with the system and the records that may need to
be reconstructed in the future as additional evidence to support
stored records.
4. The following security features must be provided:
a. Protection against unauthorized access
b. Processing verification of data and information in
records
c. Safeguarding of record transmission over time and
space
d. Maintenance of backup copies of records
e. Establishment of a business continuity plan for
electronic records and associated data
5. A set of procedures must be developed to allow for
monitoring and assessing the system’s quality.
6. The system must not permit records to be altered once they
are saved as complete, official records.
7. The system must be able to support records retention and
disposition requirements.
8. The system must be able to record comments (notes and
annotations) related to a record.
University of Calgary Archives, June 2007
Existing?
Yes No
Check list-requirement 1:
authenticate the source of a record
Identify/verify the author of record
Identify/verify the operator of the system
Identify/verify the system/software from
where record originates
Check list-requirement 2: ability to
capture IT metadata
System design architecture
Entity and attribute definitions
Description of how to use the operating
system and program application
Beware!
Issue of proprietary systems preventing
effective testing and maintenance
Check list-requirement 3: ability to
create audit trails
Record of all historical activities/events performed
on the records and the records system
System and operator generated logs
Initial capture
Changes to access privileges
Nature of processing events
Changes to record formats
Destruction/erasures and their attempts
Audit trails must be kept as long as records exist
and stored separately from system
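An added example (not from the presentation or the University's system): a small checker that applies the requirement 3 checklist to an audit log export and an inventory of records. The entry layout, event names and record ids are assumptions made for illustration.

```python
# Event names mirror the requirement 3 checklist; the dict layout
# (record, event, operator, when) is an assumption for this example.
def assess_audit_trail(entries, live_records, missing_records):
    """Return a list of (record_id, finding) gaps in the audit trail.

    entries         -- audit entries as dicts: record, event, operator, when
    live_records    -- ids of records currently held in the system
    missing_records -- ids known to have existed but no longer held
    """
    by_record = {}
    for e in sorted(entries, key=lambda e: e["when"]):  # ISO dates sort as text
        by_record.setdefault(e["record"], []).append(e)

    findings = []
    for rid in sorted(set(live_records) | set(missing_records)):
        trail = by_record.get(rid, [])
        if not trail:
            # The trail must be kept as long as the record exists.
            findings.append((rid, "no audit trail"))
            continue
        if trail[0]["event"] != "capture":
            findings.append((rid, "initial capture not logged"))
        if any(not e.get("operator") for e in trail):
            findings.append((rid, "event without identified operator"))
        destroyed = any(e["event"] == "destroy" for e in trail)
        if rid in missing_records and not destroyed:
            findings.append((rid, "record gone, destruction not logged"))
        if rid in live_records and destroyed:
            findings.append((rid, "destruction logged, record still present"))
    return findings

# Constructed sample data, not taken from any real system.
SAMPLE_LOG = [
    {"record": "ADM-001", "event": "capture", "operator": "clerk1", "when": "2007-01-08"},
    {"record": "ADM-001", "event": "access_change", "operator": "admin", "when": "2007-02-01"},
    {"record": "ADM-002", "event": "format_change", "operator": "", "when": "2007-01-09"},
    {"record": "ADM-003", "event": "capture", "operator": "clerk2", "when": "2007-01-10"},
]
LIVE = {"ADM-001", "ADM-002", "ADM-004"}   # still held
GONE = {"ADM-003"}                         # deleted at some point

if __name__ == "__main__":
    for rid, finding in assess_audit_trail(SAMPLE_LOG, LIVE, GONE):
        print(rid, "-", finding)
```

The "record gone, destruction not logged" finding is the same gap the assessment reports for record deletions.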
Check list-requirement 4: security
features
a. Ability to assign permissions must be
protected
b. Processing verification must be available
c. Safeguarding of communication and
transmission lines
d. Maintenance of backup copies of records
e. Business continuity plan for system and
records
Check list-requirement 5: quality
testing
Quality Assurance Program (QAP)
Regular testing of:
System operability
Completeness of records
Documentation that testing took place
Independent audit of QAP
Check list-requirement 6: nonalterable official record
Records are locked:
Scans: unchangeable format-pdf
Email: correspondence sent is fixed
Annotation records-no overwrite
Check list-requirement 7: support
records retention and disposition
Schedule records
Notification of destruction readiness
Generate disposition lists
Log dispositions completed
Check list-requirement 8: record
annotations/instructions
Capability to create legible annotations
Associate annotation with record
Inseparability of annotation from record
Unalterable annotation
THE FIRST IT HELP DESK
Assessment findings
No satisfactory back-up procedures
No system maintenance/testing plan
No scheduling and disposition function
No audit trail is kept of record deletions
No business continuity plan
Assessment recommendations
Paper records, where they exist, will remain the official
record
E-records in Synergize will be reference copies
Annotations and e-mail records as yet unresolved
Develop a Procedures Manual for this system
Develop a vital records system plan
Develop a disposition tool with vendor
Outlook
Record making systems are difficult to
convert into record keeping systems
DoD-compliant enterprise-wide ERS in its
pilot phase
Strengthen the policy framework around
system security and quality assurance
Continue assessing other record making
systems using this standard
Comments on standard
Strengthen significance of business process
analysis
Add system requirement for annotations
Add system requirement to specify a
retention for audit trail of destruction
Clarify some definitions and terms
Records vs. information vs. data