ELECTRONIC RECORDS
INTEGRITY AND AUTHENTICITY
AND
STANDARDS OF EVIDENCE
John D. Gregory
Ministry of the Attorney General (Ontario)
IQPC February 25, 2004
Integrity and authenticity

What are they?
Why do you care?
- for business reasons
  - have to trust your records
- for legal reasons
  - others may have to trust them
The legal reasons
- administrative – a government department (such as the tax people) wants to see them
- regulatory – a public agency (such as the Securities Commission) wants to see them
- judicial – they are needed for a court case
Judicial reasons - Court rules

We focus on court rules here because:
- they are a general standard – not specific to an agency
- they are a single standard – not multiple, as with agencies
- their standard influences others’ rules

Note on Audit Standards
- See later discussion by Brian Ludmer
- CICA has an information security audit standard
The Law of Evidence in a (small) nutshell

Admissibility vs weight:
- for courts, most of the discussion touches the former
- for agencies and regulators, it will affect the latter
The Law of Evidence in a (small) nutshell
- the “normal” rule: oral evidence, under oath, subject to cross-examination
- but: lots of exceptions
- notable exception: documents
- “documentary evidence” includes papers, pictures, audio and videotapes, and contents of computers
The Law of Evidence in a (small) nutshell

Criteria for admission of documentary evidence:
- authentic – the record is what it purports to be
- best evidence – an original, or an explanation
- not hearsay (a content rule, not a form rule)
  - reliable and necessary
  - business records rule
  - statutory records rules
    - Ontario Evidence Act, Canada Evidence Act
The Law of Evidence in a (small) nutshell

Electronic documents – how does this change?
- Authenticity: basic rule is OK – document supported by live witness – but e-documents are (sometimes) more subject to manipulation. May be hard on a challenge.
- Original (best evidence): may be meaningless for an electronic document. Changed by legislation from a record-based test to a system-based test.
- Hearsay: no change in principle – because content does not change with the medium. Still the ordinary course of business (OCB) test.
The Law of Evidence in a (small) nutshell

In practice: electronic records get admitted readily
- Everyone knows records are made on computers
- “Notice to admit” procedure – know ahead of time
- Risk (in costs) of objecting on speculation
The Law of Evidence in a (small) nutshell

BUT
- If there is a serious dispute, how do you defend your records?
- How do you demonstrate authenticity, originality?

SO
- Legislation to help answer these questions.
The Legislation
- Uniform Electronic Evidence Act (federal government, 6 provinces incl. Ontario + Yukon)
- Ontario Evidence Act s. 34.1 (2000)
- Canada Evidence Act s. 31.1 – 31.8
- Quebec – distinct (Civil Code and special Act)
The Legislation

The key to the legislation: system integrity
- general application: the best evidence rule – no original needed
- In addition: any evidence supporting system integrity may be used to support admissibility
The Legislation

To ease admission, the law provides presumptions that the record-keeping system has integrity:
- for one’s own computer, OK if one can show
  - the computer was working fine all the time, or
  - if it wasn’t, the problem did not affect the integrity of the record-keeping system
- for a record from an adverse party’s computer, OK (since the other party knows more about it)
- for a record from an independent third party, OK if kept in the ordinary course of business
The Legislation

AND if the presumption is rebutted, so one has to show the integrity of a record-keeping system:

For the purposes of determining under any rule of law whether an electronic record is admissible, evidence may be presented in respect of any standard, procedure, usage or practice on how electronic records are to be recorded or stored, having regard to the type of business or endeavour that used, recorded or stored the electronic record and the nature and purpose of the electronic record.
(UEEA s. 146)
The Legislation

Standards may be of variable degrees of
- formality (official, semi-official, private)
- applicability (sectoral, record-type)
- generality (could be bilateral agreement)

Proof that the presumptions apply or that standards are complied with may be by affidavit of a person with knowledge of the record-keeping practices of the party that wants to produce the record in evidence.

The person should be available for cross-examination.
Standards

Canadian General Standards Board (part of Public Works Canada)
- Microfilm as documentary evidence (1988)
- Microfilm and electronic imaging … (1993)
- Electronic records as documentary evidence (2004) – in the final stages of adoption

And still to come
- Electronic Signatures
- Codes for retention and disposition of e-records
- Long term preservation of digital information
Standards

Legal effect of a Standard
- The standard is itself not a law; it is a guideline.
- Compliance with the standard is not mandatory.
- Compliance with the standard is a kind of safe harbour, not a guarantee of any legal result.
- The standard is a statement of best practices.
- The Evidence Act says a court “may consider” compliance with the standard – if a party asks.
Standards

But
- The standard is written in mandatory language – the Person “shall” do X and Y.
- If you say you comply and do not, there may be civil and regulatory consequences for misrepresentation.
- Sometimes compliance is given an advantage, e.g. the law of evidence, the tax authorities (for the CGSB imaging standard).
Standards
- The standard could become a common-law standard of prudent behaviour, so that failure to comply could be found to be negligence.
- The standard could be adopted in legislation or regulations and made mandatory for some sectors or some purposes (e.g. Canadian Standards Association or Underwriters’ Laboratories for electrical goods).
- The legal effects may be indirect or private (e.g. give an ability to prove reliability of records).
The CGSB Standard and you

The key rule of the Standard: think about it!
In other words:
- Make a policy about how e-records are managed
- Communicate the policy
- Implement the policy
- Monitor compliance with the policy
- Adjust the policy as required by circumstances

Have a policy manual that you can point to.
Have someone responsible (CRO) (+ witness)
The CGSB Standard and you

Characteristics of the Standard:
- high-level language
  - it applies to lots of records
  - it applies to lots of record-keepers
  - question: small and medium-sized enterprises
- technology neutral
  - it is flexible in its application now
  - it is adaptable to evolution of technology
  - it does not make business choices for its users
The CGSB Standard and you

Complying with the Standard
Authorization:
- senior management have to buy in formally
- someone is put in charge
- responsibilities apply even if the work is outsourced
- the policy is documented, changes are documented
- “Electronic Records Management Program Policy”
  - “closely aligned” with the information management security policy
The CGSB Standard and you

Policy contains statements on, among other things,
- data file formats and version control
- enabling technologies
- quality assurance
- metadata capture and preservation
- information and records covered by the policy
  - includes physical and logical structure of info held by the organization
  - security classification and how to implement it
The CGSB Standard and you

Policy contains statements on, among other things (contd)
- security processes and procedures, including
  - user authentication and permission control
  - firewall protection
  - systems backups
  - disaster recovery
  - retention and destruction policies
  - system and procedure audits for compliance
The CGSB Standard and you

The Policy manual:
- Keep a manual complete and current
  - It may refer to other standards and procedures
  - It authorizes the life-cycle metadata of records
  - It tells how data is captured and stored
  - It controls data migration and conversion
- Indexing (self-explanatory)
The CGSB Standard and you

Authenticated data output for legal proceedings:
- you display the contents of the e-records by printouts or live display or electronic display (e.g. CD)
- you have to be able to show that what you are displaying is the same as what is in the computer.
- Signature of an authorized person may be used
- have to document the reasons for any change in format
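One concrete way to be able to show that a printout or display is the same as what is in the computer is to fingerprint the stored record when the output is produced, and to document any change of format together with the fingerprints before and after. The following is an added illustration written for this page; it is not the CGSB Standard's own procedure and not code from the presenter. The sample record, the record id, the printout layout and the role names are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample: an e-record as held on the system (not a real document).
STORED_RECORD = b"Invoice 2003-117\nCustomer: Example Co.\nAmount: 1,250.00 CAD\n"


def digest(data: bytes) -> str:
    """SHA-256 fingerprint; the same bytes always give the same value."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class FormatChange:
    """Documents why, and on whose authority, the output differs in form from the stored record."""
    reason: str
    authorized_by: str
    source_digest: str   # fingerprint of the stored record that was converted
    output_digest: str   # fingerprint of the converted output


@dataclass
class OutputCertificate:
    """Accompanies a printout, CD or screen display produced for a proceeding."""
    record_id: str
    stored_digest: str
    output_digest: str
    produced_by: str                       # the authorized person who signs for the output
    format_change: Optional[FormatChange] = None


def to_printout(stored: bytes) -> bytes:
    """Constructed conversion: lay the stored text out as a numbered printout page."""
    lines = stored.decode("utf-8").splitlines()
    body = "\n".join(f"{i:03d}  {line}" for i, line in enumerate(lines, 1))
    return ("PRINTOUT OF ELECTRONIC RECORD\n" + body + "\n").encode("utf-8")


def produce_output(record_id: str, stored: bytes, produced_by: str,
                   convert: Optional[Callable[[bytes], bytes]] = None,
                   reason: str = "", authorized_by: str = ""):
    """Render the stored record for display; if its form changes, document the change."""
    if convert is None:
        output, change = stored, None
    else:
        output = convert(stored)
        change = FormatChange(reason, authorized_by, digest(stored), digest(output))
    cert = OutputCertificate(record_id, digest(stored), digest(output), produced_by, change)
    return output, cert


def verify_output(displayed: bytes, stored: bytes, cert: OutputCertificate) -> bool:
    """True only if the displayed bytes are the stored record, or a documented conversion of it."""
    if digest(stored) != cert.stored_digest:
        return False                        # the stored record is not what the certificate describes
    if cert.format_change is None:
        return digest(displayed) == cert.stored_digest
    fc = cert.format_change
    if not (fc.reason and fc.authorized_by):
        return False                        # a change of format with no documented reason fails
    return (fc.source_digest == cert.stored_digest
            and fc.output_digest == cert.output_digest
            and digest(displayed) == fc.output_digest)


if __name__ == "__main__":
    out, cert = produce_output("INV-2003-117", STORED_RECORD, "records officer")
    print("verbatim display verifies:", verify_output(out, STORED_RECORD, cert))
    out2, cert2 = produce_output("INV-2003-117", STORED_RECORD, "records officer",
                                 convert=to_printout, reason="court copy printed for production",
                                 authorized_by="records officer")
    print("documented printout verifies:", verify_output(out2, STORED_RECORD, cert2))
    print("altered printout verifies:",
          verify_output(out2.replace(b"1,250", b"1,350"), STORED_RECORD, cert2))
```

The certificate is what the authorized person signs: it ties the output digest to the stored digest, and a conversion with an empty reason or no authorizing person is rejected at verification time, which is the point of the slide's last bullet.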
The CGSB Standard and you

Security and protection:
- document details of all levels of access
- need notification of and protection against unauthorized access to documents
- maintain environment according to suppliers’ recommendations and (inter)national standards
- encryption may improve security and integrity
  - take caution on self-modifying electronic records
  - need key management, certificate management
- consider use of time and date stamps
  - document any correction of errors
  - control who has access to clocks
The CGSB Standard and you

Audit trail:
- A historical record of all significant events associated with the e-record management system
  - date of storage of information
  - movement of info from medium to medium
  - evidence that controls operate and are effective
- Provides evidence of authenticity of records
- Contains system- and operator-generated logs.
- Standard gives a lengthy list of contents.
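An audit trail is only evidence of authenticity if it can itself be shown not to have been edited after the fact. One way to get that property is to chain each entry to the previous one by hash, so that altering or removing an earlier entry breaks every later link, and to check that the timestamps (taken from the access-controlled clock of the previous slide) never run backwards. This is an added example for this page, not the CGSB Standard's own list of audit-trail contents and not the presenter's code; the event names, operator id, media names and timestamps are constructed.

```python
import copy
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List, Optional

GENESIS = "0" * 64   # link value for the first entry in the trail


@dataclass
class AuditEvent:
    seq: int
    timestamp: str        # ISO-8601 UTC; the clock that supplies it is access-controlled
    actor: str            # "system" or the operator who performed the action
    event: str            # STORED, MIGRATED, CONTROL_CHECK, CORRECTION, ... (constructed names)
    record_id: str
    details: Dict[str, str]
    prev_hash: str        # entry_hash of the preceding event
    entry_hash: str       # hash over all the fields above


def _entry_hash(seq, timestamp, actor, event, record_id, details, prev_hash) -> str:
    """Canonical JSON of the fields, hashed; any change to any field changes the hash."""
    payload = json.dumps([seq, timestamp, actor, event, record_id, details, prev_hash],
                         sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditTrail:
    def __init__(self) -> None:
        self.events: List[AuditEvent] = []

    def append(self, timestamp: str, actor: str, event: str, record_id: str,
               details: Optional[Dict[str, str]] = None) -> AuditEvent:
        details = dict(details or {})
        prev = self.events[-1].entry_hash if self.events else GENESIS
        seq = len(self.events)
        ev = AuditEvent(seq, timestamp, actor, event, record_id, details, prev,
                        _entry_hash(seq, timestamp, actor, event, record_id, details, prev))
        self.events.append(ev)
        return ev

    def verify(self) -> Optional[str]:
        """None if the trail is intact, otherwise a description of the first problem found."""
        prev, last_ts = GENESIS, None
        for i, ev in enumerate(self.events):
            if ev.seq != i:
                return f"sequence gap at entry {i}"
            if ev.prev_hash != prev:
                return f"broken chain link at entry {i}"
            if ev.entry_hash != _entry_hash(ev.seq, ev.timestamp, ev.actor, ev.event,
                                            ev.record_id, ev.details, ev.prev_hash):
                return f"entry {i} has been altered"
            if last_ts is not None and ev.timestamp < last_ts:
                return f"clock went backwards at entry {i}"
            prev, last_ts = ev.entry_hash, ev.timestamp
        return None

    def history(self, record_id: str) -> List[AuditEvent]:
        """Every event touching one record, in order: what a witness walks a court through."""
        return [ev for ev in self.events if ev.record_id == record_id]


def build_sample_trail() -> AuditTrail:
    """Constructed events for one record: stored, backup verified, migrated to a new medium."""
    fp = hashlib.sha256(b"Invoice 2003-117 ...").hexdigest()   # constructed record fingerprint
    t = AuditTrail()
    t.append("2003-06-02T14:05:11Z", "system", "STORED", "INV-2003-117",
             {"medium": "optical disc A-17", "sha256": fp})
    t.append("2003-06-30T23:00:00Z", "system", "CONTROL_CHECK", "-",
             {"control": "nightly backup", "result": "verified"})
    t.append("2003-11-12T09:40:27Z", "op-0042", "MIGRATED", "INV-2003-117",
             {"from": "optical disc A-17", "to": "NAS volume B", "sha256_after": fp})
    return t


def tampered_copy(trail: AuditTrail, seq: int, field: str, value: str) -> AuditTrail:
    """Copy of the trail with one detail rewritten after the fact (what verify() must catch)."""
    t = copy.deepcopy(trail)
    t.events[seq].details[field] = value
    return t


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact trail:", trail.verify())
    print("after editing the migration entry:", tampered_copy(trail, 2, "to", "USB stick").verify())
    trail.append("2003-11-11T08:00:00Z", "op-0042", "CORRECTION", "INV-2003-117", {"note": "late entry"})
    print("after an entry stamped from a reset clock:", trail.verify())
```

The migration entry carries the record's fingerprint after the move, so the chain also documents that the movement from medium to medium preserved the content; the corrections bullet of the previous slide is handled by appending a new CORRECTION event rather than editing the old one, which is exactly what `verify()` would flag.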
Conclusions
- E-records need extra care and control
  - Partly because of lack of familiarity
- Essence is integrity of information
  - measured over the life-cycle of the record
- Compliance with the Standard is a good way to take the care required
- Compliance with the Standard will help in meeting common-law and statutory tests of admissibility
Conclusions

If your electronic records can meet these tests, then evidence law does not make you produce the paper
- even if the paper still exists, i.e. you don’t have to destroy it but you can
- BUT there are other laws that require retention of records, e.g. tax law, industry-specific regs
- SO you may have to keep the paper anyway.
- A sound records retention and destruction schedule can only help.
SOME SOURCES

Uniform Electronic Evidence Act
- Implementation status
  - http://www.ulcc.ca/en/us/index.cfm?sec=1&sub=1u2
  - http://www.ulcc.ca/en/cls/index.cfm?sec=4&sub=4d
Ontario Evidence Act, R.S.O. 1990 c. E.23
- as amended
  - http://www.e-laws.gov.on.ca/DBLaws/Statutes/English/90e23_e.htm
Canada Evidence Act, R.S.C. 1985 c. C-5
- as amended
  - http://laws.justice.gc.ca/en/c-5/text.html
Some Sources

Canadian General Standards Board
- http://www.pwgsc.gc.ca/cgsb/home/index-e.html
Chasse, “Computer-produced records in Court Proceedings” (1994 ULCC)
- http://www.ulcc.ca/en/poam2/index.cfm?sec=1994&sub=1994ac
CICA on Information Security principles and audits
- Information Technology Control Guidelines (3d ed.)
  - http://www.cica.ca/index.cfm/ci_id/1004/la_id/1.htm
- Conference in March 2004 on Auditing IT systems
  - www.cica.ca/itaudit
Some Sources

Industry Canada – Authentication materials
- http://e-com.ic.gc.ca/epic/internet/inecicceac.nsf/vwGeneratedInterE/h_gv00090e.html
- Authentication principles (draft 2003)
  - http://e-com.ic.gc.ca/epic/internet/inecicceac.nsf/vwapj/authentication_principles.pdf/$FILE/authentication_principles.pdf
American Bar Association – “Record Retention and Destruction: Current Best Practices”
- http://www.abanet.org/buslaw/newsletter/0019/materials/recordretention.pdf