The Legal Admissibility of information stored on Electronic Document Management Systems
British Standards Institution (BSI)
BIP 0008
Code of Practice on Legal Admissibility and Evidential Weight of Information Stored Electronically
The BSI Code of Practice is concerned with 'the authenticity,
integrity and availability of electronically stored information, to the
demonstrable levels of certainty required by an organisation. It is particularly
applicable where this stored information may be used as evidence in disputes
inside and outside the legal system'
ISO 15489 (BS ISO 15489-1:2001) is the international standard on records
management. As there is overlap between the BSI Code of Practice and the
International Standard, the 2004 revision of the Code of Practice was to ensure
that the two documents could be implemented together.
The 2004 Code contains an
annex mapping the content of the records management International Standard to
the Code of Practice.
The Code of
Practice was originally
published in 1996 as BSI DISC PD 0008. It was updated in 1999 as BSI DISC PD 0008:1999.
The current Code of Practice is BSI BIP 0008:2004.
Overview
The
issue of Legal Admissibility is at the core of records management principles.
An organisation needs to be able to prove (to a court of law or some other statutory
body) that the contents of a particular document or data file created or
existing within an Electronic Document Management System have not changed
since the time of storage. If the data file is an electronically stored image of
an original paper document, an organisation must be able to prove that the electronic image is a
true representation of the original. Proving the authenticity of electronically
stored documents is crucial to their admissibility in a court.
In England and Wales, the main statute governing the
admissibility of documents is the Civil Evidence Act 1995. This Act resolved
many of the outstanding legal difficulties that had arisen through the use of
computers for information storage. The Civil Evidence Act shifted the argument
from legal admissibility to evidential weight or value. It makes it easier to
prove the authenticity of documents, by producing the original or a copy,
irrespective of the number of removes between the original and the copy and
irrespective of whether or not the document is a paper one or an electronic one.
The court needs to be satisfied as to the authenticity of the copy, and
therefore an organisation needs to be able to demonstrate that it has
administrative procedures that will satisfy the court as to a document's
authenticity.
Irrespective of issues of legal admissibility or
evidential weight, an organisation should ensure that the electronic storage of
information complies at all times with best practice. As well as needing to meet
legal requirements an organisation has business and ethical reasons for ensuring
that the information it controls is not mishandled.
An organisation needs to demonstrate that it complies
with the five principles of
information management on which the Code is based. These principles are
encapsulated into a code of practice - the Code of Practice for Legal
Admissibility and Evidential Weight for Information Stored Electronically
(BIP0008) published by the British Standards Institute. Compliance with BIP0008
will ensure that the organisation manages its information according to best
practice, thereby maximising the chance of electronic records being
satisfactorily authenticated.
An organisation will need to have in place the following five
information management components:
1. Representation of
Information (i.e. an information management policy)
2. A Duty
of Care
3.
Business Procedures and Processes
4.
Enabling Technologies
5. Audit
Trails
1.
Representation of Information
An information management policy document will set out,
for operating staff and any future litigants, the rules surrounding the various
forms in which documents are held, the documents' life cycles and the legal
advice sought and acted upon.
The policy should set out in as much detail as necessary
the variety of documents that will be presented for storage, for example:
Internal and external correspondence, reports, drawings and specifications,
legal documents and, perhaps, photographs, video and audio files.
It will typically describe the different types of
information held within the organisation and, for each type, specify:
the level of security
appropriate storage media
formats
and version control
information management standards, e.g. quality
retention
and destruction policy
responsibilities and roles for information management functions
responsibilities for compliance with the code BIP0008
An system needs to be flexible enough to satisfy the
requirements of the organisation's information management policy. It must be
capable of:
meeting the highest security
standards set out in the policy
integrating with a wide range of storage media
handling different document types
managing documents under version control
meeting the retention requirements
meeting information management standards, e.g. storing images to the quality
standard set out in the policy
allowing documents to be permanently erased
The 2004 Code recommends that a document management
policy be developed, expanding on the retention schedule to include such details
as media type, file format, destruction policy and responsibilities.
2. Duty of Care
To fulfil its responsibilities under the duty of care
principle, an organisation will need to have in place:
an awareness of the
legislative and regulatory bodies pertinent to its industry
a chain of accountability and defined responsibility for activities
involving electronic document management at all levels
a system to keep up to date with information management theory and practice,
and developments among appropriate bodies and organisations
a documented information security policy
Under the duty of care responsibilities the system must
have the functionality to allow for separation of roles. The person who inputs
data should not be the same person who performs quality checks. This separation
of administrative roles should be able to be mirrored in the logical access
controls within the EDMS.
The British Standard BS 7799: 1999 (ISO 17799) "Code of Practice for Information
Security Management" is the UK/European reference document for
information security. Proof of compliance with BS 7799 will usually demonstrate
that an organisation has exercised a duty of care.
3. Business
Procedures and Processes
An organisation should have documented operating
procedures (a user manual) for each of the information management systems it runs.
The procedure manual is the document that
the organisation will produce, if it's electronic storage methods are ever
challenged, to prove to auditors, lawyers or judges that the processes are
precise, secure and approved for its normal business procedures.
The user manual will typically define the
following:
Document types
Preparation of documents prior to scanning
Photocopies
Batch control
Scanning processes
Scanning specific documents
Image Processing
Compression Techniques
How information is indexed
Quality control
Procedures for producing authenticated output
procedures for authenticating copies of documents
how information is transmitted within the system
Procedures for document retention and destruction
System maintenance schedules
Security and protection, including encryption and the use of digital
certificates
Backup and system recovery procedures
Use of bureau services
workflow
date/time stamping
version control
It is important for the system to be able to produce
output that will ensure that a document is appropriately authenticated.
The Code insists that the procedures and processes be
audited annually, or more frequently for legally sensitive archives, to make
sure that the approved procedures are being observed or that new ones meet the
requirements of the Code and are formally and properly incorporated in the
manual
Some specific recommendations in the code include:
Preparation of documents prior to scanning
The
code requires that:
"Documents
should be examined prior to the scanning process, to ensure their suitability.
Such factors as their physical state (thin paper, creased, stapled, etc.) and
the attributes of the information (black and white, colour, tonal range, etc.)
should be noted. Procedures for this examination process should be documented
in the user manual."
The Scanning Process
The Code requires,
for example, that records be kept on the system audit trail of key information
concerning imported documents. This information should include as a
minimum:
Unique
identifier for each batch of documents
Date and time of scanning
Identity of the person who performed
the scanning
Type of material scanned (e.g. paper
document, microfilm, aperture card, etc.)
Number of documents and number of pages
in each document scanned
Detail of post-scanning processes
(de-skewing, de-speckling, etc.) performed
The Code recommends that records be kept in batches so it is easier to check
that:
All required
activity has been performed
Any anomalies have been noted
Appropriate quality procedures have
been completed
Records of any exception processing
have been made
These batching recommendations allow you to acknowledge that your system
cannot be perfect, but that you have seen the anomalies and have registered
them, either with a view to correcting them or merely making note of them.
If the accuracy your system is challenged in court, you will be able to say
you know where mistakes are made.
Indexing
The
Code makes the statement:
"Indexing
is a vital part of the process of storing documents"
Whether
your system involves automatic indexing, manual data entry, or a combination
of these, the Code insists that:
"Procedures
for indexing documents should be described in the user manual. These
procedures should include methods of checking the accuracy of the index
records created."
It
sets out what should be recorded, what the audit trails should reveal and
operator training requirements. It reminds the records management team to set
realistic quality control criteria and processes for noting errors and levels
of legibility.
Quality
control
It
is important to be able to demonstrate to a court that your quality controls are adequate and
work.
The Code sets out several
important processes, including these:
"A sample set of original
documents, or of documents equivalent in characteristics to the original
documents, should be assembled for the purposes of bench-marking scanning
system performance against the quality control criteria."
and
"The result of all quality control checks,
including Test Target scans, should be recorded in the quality control
log."
The records manager must test and check regularly and
record the results of those tests and checks.
Document
retention
The Code says that all retention
and destruction procedures should be recorded in the user manual. It sets out
instances when, even if company policy is to destroy all documents after
scanning, some papers may have to be retained:
Where
photocopies have been used to aid the scanning process
Where the original is of
poor quality and below the standard required by your system
Where an original contains
amendments that cannot be identified on a scanned image.
"No
original source document should be destroyed until the write processes have
been verified and appropriate backup procedures completed."
Dont shred originals until you are sure that the scanning and indexing
processes have been completed properly and the data has been backed-up.
Security
and Protection
Security and protection covers user
access, mixed and/or removable media storage, file transfer protocols, data
and hardware security, virus infection, power failure and auditing.
The Code states:
"Where mixed-media hierarchical storage systems
are used, they should be assessed to ensure that they are used in a write-once
mode only."
"Data file transfers, such as moving documents
from one device to another, should be controlled by the application software.
It should not be possible to move documents or change index data without an
entry in the audit trail."
"Although the user facilities (document input and
output) may be provided in a normal (unprotected) environment, the central
part of the system (file servers, data storage, system software, etc.) should
be installed in a secure area with restricted physical access."
4. Enabling
Technologies
A typical system will be comprised of many different
technologies. Each of these technologies, or rather their component parts, will
need to comply with BIP0008.
The Code describes technologies that may be used in a storage system and how
they should be utilised and controlled to ensure that the system will
store documents in accordance with BIP0008. These technologies include:
storage media
access control mechanisms
system and data integrity
image processing
compression techniques
compound documents
data migration
document deletion
Each of these properties of an EDMS is critically
important.
Storage Media
The issue of appropriate storage media is critical.
There are two types of storage media, distinguished by the medium's ability to be written to many times or
just once:
write many - or 're-writable' technologies
write once - commonly referred to as WORM ('write once - read
many') technologies
An alternative way of considering data
storage technologies is to distinguish between magnetic media and optical
media. In general, magnetic media are write-many technologies while optical
media may be write-once or write-many. CD-RW (CD re-writable) and erasable
optical disks are optical technologies that can be written to many times.
It isn't necessary to use WORM technology to comply with BIP0008. While WORM has the
advantage that it is not possible to directly modify data once it has been
stored, in practice data is modified by deleting the original data and writing
the modified data. Each time a file is modified a new copy of the file has to be
written, rather than just overwriting the existing file. The available storage space can be reduced much more quickly
than expected. As WORM storage is more expensive than magnetic
disk (and even RAID array), the use of WORM exclusively for storage can be
expensive. Access to data on a
WORM drive, particularly one in a jukebox, is slower than access to data stored in a
RAID array.
Data stored on magnetic disk can in principle be modified. However
the risk of this happening, while significant, is small and the risk can be
minimised, if not eliminated altogether, by ensuring that adequate controls
are implemented in both the storage system and the EDMS access control system.
Users with read only access rights cannot modify the data but those with
read/write access obviously can, and therefore there is a requirement to
securely log at the system level all read/write accesses so that unauthorised writes to the
system can be detected.
Access Control
The system must have an adequate access
control mechanism implemented so that individuals, groups and roles can be
distinguished, and permissions granted based on the access control list.
System and Data Integrity
The system should provide an environment in
which the integrity of the data is preserved, including the transfer
of data between the EDMS software and the storage medium. Data integrity
should be inherent to the EDMS and any integrity
anomalies should be automatically detected and reported. Malicious attempts to change the data
should be detected, though if the person acting
maliciously has sufficient knowledge of the system's integrity checking
mechanism, it might be possible for that person to alter a document and to
'fool' the integrity checking.
Digital signature technology ensures that the integrity of a data file or a document in a system can be
verified. A document that has been digitally signed cannot be
altered without invalidating the signature. The EDMS software should be
capable of working with the technology that implements digital signing. The
signature also has a secondary role, one of non-repudiation - the person creating a
document and signing it cannot subsequently deny authorship.
Compound documents
A
compound document contains a variety of parts - photographs, graphics, text,
and video perhaps. It may be disassembled and each part processed in different
ways. The Code advises that they be stored on the same storage device along
with the metadata needed to identify the respective locations automatically
and make an "accurate and unambiguous reconstruction" of the
complete document.
Image Processing
Image processing is a
post-scanning technique to improve the quality of a scanned document. These processes can include de-skewing, de-speckling,
background clean-up, border, "noise" and forms removal.
Though there can be good reasons for improving image quality, care must be exercised in image
cleanup to ensure that essential detail is not removed. The Code warns that the techniques are used "with
extreme care". De-speckling, for instance, carries a high risk of
removing punctuation or decimal points. Any image processing should be
identified in the system user manual.
Any image processing techniques used could reduce the evidential weight of
subsequent retrieved images.
Compression Techniques
Systems storing
scanned images normally use compression algorithms to reduce file sizes so that storage
requirements are reduced and system performance improved. It is important to ensure that images, when compressed, are not subject to data loss. If the
compression technique is a 'lossy' one (for example storing an image as a
JPEG) then detail necessary to authenticate the stored image may be lost,
reducing the evidential weight of the image. If
lossy compression is used, a sample set of scanned images should be made to
check and approve the level of information loss. Lossy
compression should not be used for documents containing primarily text, but
may be more acceptable with photographs.
Data Migration
A system should have the ability to migrate documents and data
to some to other hardware/software platforms and other storage
media. Documents, such as
personnel records, may have a lifetime longer than the current
system and therefore at some point will need to be migrated. The system should
use open or industry standards for data storage rather than proprietary ones.
Document Deletion
To meet the requirements of
Privacy or Data Protection Acts, it may be necessary to amend or delete
documents, or parts of documents.
This might occur routinely, as part of the organisations' retention policy, or
exceptionally as a result of legal or regulatory requirements. Note that a
WORM ('write-once, read-many') storage medium could make this operation
difficult.
The Code sets
out acceptable methods - use of masks, index entry cancellation, document
replacement, etc. - which should be identified in the user manual and whose
use must be recorded in the system audit trail.
See the "Guide to the Data Protection Act" for further details.
5. Audit Trails
BIP0008 requires that a system must have full auditing
functionality.
Without detailed audit trails (i.e. a record of a
document's life history) authenticating a document, and therefore satisfying a legal body,
may not be possible. In addition,
irrespective of legal requirements, an organisation will require audit trails to
meet its own managerial requirements, such as internal audit. The audit trail,
as a minimum, should log details of each significant event in the life of a
document in the system.
The audit trail should:
be generated automatically by
the system
contain date/time stamps for each event
be non-alterable
be stored in accordance with the organisation's information management
policy
be subject to appropriate access control
be securely stored and backed-up
The system should be able to provide an enquirer, with
appropriate permissions, (even one unfamiliar with the processes) access to the
full audit trail record and, preferably, have a reporting tool to allow
production of customised reports from the trail.
There is also the issue of retention periods. If
documents are kept for, say, seven years, then it is likely that you will need
to keep audit information for at least seven years also.
Compliance
with the
requirements of the Code of Practice
To assess the current status of compliance with the
requirements of the Code of Practice, the BSI publish a Compliance Workbook (BIP
0009). This Workbook consists of a series of questions, each of which needs to
be reviewed and answered. Typically, it takes one to three days to complete the
Workbook for the first time. Some investigations may need to be carried out on
particular issues, which may lead to more time being needed. There may also be a
need to consult with the system supplier.
Typical most of the compliance points are addressed by
implemented systems. Compliance points that are often missing from systems
include:
no Information Policy
document
no retention schedule
inappropriate security controls
lack of procedural documentation
insufficient control on document input procedures
insufficient information about the technology from the system supplier
use of inappropriate facilities, such as image clean-up
no thought of future migration requirements
lack of documentation on audit trail content and access procedures.
Each of these could potentially compromise the ability to
demonstrate the authenticity of the stored documents.
Compliance
Workbook (BSI BIP 0009)
The
British Standards Institution Compliance Workbook (BIP0009) is available to aid
implementation of the Code.
Its pages parallel those of the Code, reminding and instructing systems managers
what to undertake. All questions have a Yes/No or Not Applicable tick box to ensure compliance.
BIP 0009 was previously known as PD 0009.
Principles
of Good Practice (BSI PD0010)
The
Image and Document Management Association (IDMA) Principles of Good Practice
for Information Management, PD0010, is published by the British Standards
Institution as the third in its "legal set" of guidelines.
It
is "Intended
to help those who have responsibility for assisting their employers to develop
and operate new methods
"
PDF/A: An ISO Standard
for long term archiving.
ISO 19005-1 is an International Standards Organisation (ISO) Standard that was published on October 1, 2005:
ISO 19005-1: Document Management - Electronic document file format for long term preservation - Part 1: Use of PDF 1.4 (PDF/A-1).
This ISO standard defines a standard format (PDF/A-1) for the long-term archiving of electronic documents and is based on the PDF Reference Version 1.4 from Adobe Systems Inc. (PDF 1.4 is largely equivalent to the functionality implemented in Adobe Acrobat 5).
The BSI standards are available from British
Standards Online
Return to Records
& Document Management, Document
Management, Records
Management, Home
Alliance Imager document management system, Global 360 Imaging for
Windows,
document imaging, Microsoft document
Imaging for Windows, document scanning, Alliance PaperChase records
management, Alliance BatchScan scanning documents, life cycle of records,
barcoding, RFID readers.
| 
