ELECTRONIC RECORDS - PowerPoint PPT Presentation

1
ELECTRONIC RECORDS: INTEGRITY AND AUTHENTICITY AND STANDARDS OF EVIDENCE
John D. Gregory, Ministry of the Attorney General (Ontario)
2
Integrity and authenticity
  • What are they?
  • Why do you care?
  • for business reasons
  • have to trust your records
  • for legal reasons
  • others may have to trust them 

3
The legal reasons
  • administrative: a government department (such as
    the tax people) wants to see them
  • regulatory: a public agency (such as the
    Securities Commission) wants to see them
  • judicial: they are needed for a court case

4
Judicial reasons - Court rules
  • We focus on court rules here because:
  • they are a general standard, not specific to an
    agency
  • they are a single standard, not multiple as with
    agencies
  • their standard influences others' rules
  • Note on Audit Standards
  • See later discussion by Brian Ludmer
  • CICA has information security audit standard

5
The Law of Evidence in a (small) nutshell
  • Admissibility vs. weight
  • for courts, most of the discussion touches the
    former
  • for agencies and regulators, will affect the
    latter

6
The Law of Evidence in a (small) nutshell
  • the normal rule: oral evidence, under oath,
    subject to cross-examination
  • but lots of exceptions
  • notable exception: documents
  • documentary evidence includes papers, pictures,
    audio and videotapes, and contents of computers

7
The Law of Evidence in a (small) nutshell
  • Criteria for admission of documentary evidence
  • authentic: the record is what it purports to
    be
  • best evidence: an original, or an explanation
  • not hearsay (a content rule, not a form rule)
  • reliable and necessary
  • business records rule
  • statutory records rules
  • Ontario Evidence Act, Canada Evidence Act

8
The Law of Evidence in a (small) nutshell
  • Electronic documents: how does this change?
  • Authenticity: basic rule is OK (document
    supported by live witness), but e-documents are
    more subject to manipulation (sometimes). May be
    hard on a challenge.
  • Original (best evidence): may be meaningless for
    electronic document. Changed by legislation from
    a record-based test to a system-based test.
  • Hearsay: no change in principle because content
    does not change with the medium. Still OCB test.

9
The Law of Evidence in a (small) nutshell
  • In practice: electronic records get admitted
    readily
  • Everyone knows records are made on computers
  • Notice to admit procedure: know ahead of time
  • Risk (in costs) of objecting on speculation

10
The Law of Evidence in a (small) nutshell
  • BUT
  • If there is a serious dispute, how do you defend
    your records?
  • How do you demonstrate authenticity, originality?
  • SO
  • Legislation to help answer these questions.

11
The Legislation
  • Uniform Electronic Evidence Act (federal
    government, 6 provinces incl. Ontario Yukon)
  • Ontario Evidence Act s. 34.1 (2000)
  • Canada Evidence Act s. 31.1 - 31.8
  • Quebec: distinct (Civil Code and special Act)

12
The Legislation
  • The key to the legislation: system integrity
  • general application: the best evidence rule, no
    original needed
  • In addition: any evidence supporting system
    integrity may be used to support admissibility

13
The Legislation
  • To ease admission, the law provides presumptions
    that the record-keeping system has integrity
  • for one's own computer, OK if one can show
  • the computer was working fine all the time, or
  • if it wasn't, the problem did not affect the
    integrity of the record-keeping system
  • for a record from an adverse party's computer, OK
    (since the other party knows more about it)
  • for a record from an independent third party, OK
    if kept in the ordinary course of business

14
The Legislation
  • AND if the presumption is rebutted, so one has to
    show the integrity of a record-keeping system
  • "For the purposes of determining under any rule
    of law whether an electronic record is
    admissible, evidence may be presented in respect
    of any standard, procedure, usage or practice on
    how electronic records are to be recorded or
    stored, having regard to the type of business or
    endeavour that used, recorded or stored the
    electronic record and the nature and purpose of
    the electronic record." (UEEA s. 6)

15
The Legislation
  • Standards may be of variable degrees of
  • formality (official, semi-official, private)
  • applicability (sectoral, record-type)
  • generality (could be bilateral agreement)
  • Proof that the presumptions apply or that
    standards are complied with may be by affidavit
    of a person with knowledge of the record-keeping
    practices of the party that wants to produce the
    record in evidence.
  • The person should be available for
    cross-examination.

16
Standards
  • Canadian General Standards Board
  • part of Public Works Canada
  • Microfilm as documentary evidence (1988)
  • Microfilm and electronic imaging (1993)
  • Electronic records as documentary evidence (2004)
    in the final stages of adoption
  • And still to come
  • Electronic Signatures
  • Codes for retention and disposition of e-records
  • Long term preservation of digital information

17
Standards
  • Legal effect of a Standard
  • The standard is itself not a law, it is a
    guideline.
  • Compliance with the standard is not mandatory.
  • Compliance with the standard is a kind of safe
    harbour, not a guarantee of any legal result.
  • The standard is a statement of best practices.
  • The Evidence Act says a court may consider
    compliance with the standard if a party asks.

18
Standards
  • But
  • The standard is written in mandatory language:
    "the Person shall do X and Y."
  • If you say you comply and do not, there may be
    civil and regulatory consequences for
    misrepresentation.
  • Sometimes compliance is given an advantage, e.g.
    the law of evidence, the tax authorities (for the
    CGSB imaging standard).

19
Standards
  • The standard could become a common-law standard
    of prudent behaviour, so that failure to comply
    could be found to be negligence.
  • The standard could be adopted in legislation or
    regulations and made mandatory for some sectors
    or some purposes. (e.g. Canadian Standards
    Association or Underwriters Laboratories for
    electrical goods)
  • The legal effects may be indirect or private
    (e.g. give an ability to prove reliability of
    records)

20
The CGSB Standard and you
  • The key rule of the Standard: think about it!
  • In other words:
  • Make a policy about how e-records are managed
  • Communicate the policy
  • Implement the policy
  • Monitor compliance with the policy
  • Adjust the policy as required by circumstances
  • Have a policy manual that you can point to.
  • Have someone responsible (CRO) (witness)

21
The CGSB Standard and you
  • Characteristics of the Standard
  • high-level language
  • it applies to lots of records
  • it applies to lots of record-keepers
  • question: small and medium-sized enterprises
  • technology neutral
  • it is flexible in its application now
  • it is adaptable to evolution of technology
  • it does not make business choices for its users

22
The CGSB Standard and you
  • Complying with the Standard
  • Authorization
  • senior management have to buy in formally
  • someone is put in charge
  • responsibilities apply even if outsourced work
  • the policy is documented, changes are documented
  • Electronic Records Management Program Policy
  • closely aligned with the information management
    security policy

23
The CGSB Standard and you
  • Policy contains statements on, among other
    things,
  • data file formats and version control
  • enabling technologies
  • quality assurance
  • metadata capture and preservation
  • information and records covered by the policy
  • includes physical and logical structure of info
    held by the organization
  • security classification and how to implement it

24
The CGSB Standard and you
  • Policy contains statements on, among other things
    (cont'd)
  • security processes and procedures including
  • user authentication and permission control
  • firewall protection
  • systems backups
  • disaster recovery
  • retention and destruction policies
  • system and procedure audits for compliance

25
The CGSB Standard and you
  • The Policy manual
  • Keep a manual complete and current
  • It may refer to other standards and procedures
  • It authorizes the life-cycle metadata of records
  • It tells how data is captured and stored
  • It controls data migration and conversion
  • Indexing (self-explanatory)

26
The CGSB Standard and you
  • Authenticated data output for legal proceedings
  • you display the contents of the e-records by
    printouts or live display or electronic display
    (e.g. CD)
  • you have to be able to show that what you are
    displaying is the same as what is in the
    computer.
  • Signature of authorized person may be used
  • have to document the reasons for any change in
    format

27
The CGSB Standard and you
  • Security and protection
  • document details of all levels of access
  • need notification of and protection against
    unauthorized access to documents
  • maintain environment according to suppliers'
    recommendations and (inter)national standards
  • encryption may improve security and integrity
  • need key management, certificate management
  • take caution on self-modifying electronic records
  • consider use of time and date stamps
  • document any correction of errors
  • control who has access to clocks

28
The CGSB Standard and you
  • Audit trail
  • A historical record of all significant events
    associated with the e-record management system
  • date of storage of information
  • movement of info from medium to medium
  • evidence that controls operate and are effective
  • Provides evidence of authenticity of records
  • Contains system- and operator-generated logs.
  • Standard gives lengthy list of contents.

29
Conclusions
  • E-records need extra care and control
  • Partly because of lack of familiarity
  • Essence is integrity of information
  • measured over the life-cycle of the record
  • Compliance with the Standard is a good way to
    take the care required
  • Compliance with the Standard will help in meeting
    common-law and statutory tests of admissibility

30
Conclusions
  • If your electronic records can meet these tests,
    then evidence law does not make you produce the
    paper
  • even if the paper still exists, i.e. you don't
    have to destroy it but you can
  • BUT there are other laws that require retention
    of records, e.g. tax law, industry-specific regs
  • SO you may have to keep the paper anyway.
  • A sound records retention and destruction
    schedule can only help.

31
SOME SOURCES
  • Uniform Electronic Evidence Act
  • http://www.ulcc.ca/en/us/index.cfm?sec1sub1u2
  • Implementation status
  • http://www.ulcc.ca/en/cls/index.cfm?sec4sub4d
  • Ontario Evidence Act, R.S.O. 1990 c.E.23
  • as amended
  • http://www.e-laws.gov.on.ca/DBLaws/Statutes/English/90e23_e.htm
  • Canada Evidence Act R.S.C. 1985 s.C-5
  • as amended
  • http://laws.justice.gc.ca/en/c-5/text.html

32
Some Sources
  • Canadian General Standards Board
  • http://www.pwgsc.gc.ca/cgsb/home/index-e.html
  • Chasse, Computer-produced records in Court
    Proceedings (1994 ULCC)
  • http://www.ulcc.ca/en/poam2/index.cfm?sec1994sub1994ac
  • CICA on Information Security principles and
    audits
  • Information Technology Control Guidelines (3d
    ed.)
  • http://www.cica.ca/index.cfm/ci_id/1004/la_id/1.htm
  • Conference in March 2004 on Auditing IT systems
  • www.cica.ca/itaudit

33
Some Sources
  • Industry Canada Authentication materials
  • http://e-com.ic.gc.ca/epic/internet/inecic-ceac.nsf/vwGeneratedInterE/h_gv00090e.html
  • Authentication principles (draft 2003)
  • http://e-com.ic.gc.ca/epic/internet/inecic-ceac.nsf/vwapj/authentication_principles.pdf/FILE/authentication_principles.pdf
  • American Bar Association: Record Retention and
    Destruction: Current Best Practices
  • http://www.abanet.org/buslaw/newsletter/0019/materials/recordretention.pdf