Practice what you keep - U.K. standards group creates five codes for electronic storage
Following two years of work involving some 130 organizations, the British Standards Institution (BSI) issued a Technical Code of Best Practice for the storage of documents in electronic form. The purpose of the code is to set a standard of system and process controls that instill confidence that records have been stored and retained according to best practice.
Record retention under those codes is subject to far more controls than those applied to paper, and therefore it can be argued that the electronic record should carry more weight for legal purposes than paper.
Storage: Addresses the issues of system planning and the use of the document storage system, with particular attention to establishing formal procedures and demonstrating that those procedures have been followed.
Although documents are commonly considered text-based, the code applies to any type of data file, which may contain text, moving or still images, sound, computer software or any combination of those.
Electronic communication: If a document has been created and stored so that it can be presented as legally admissible evidence, any communication system that is to be used to move the document between locations must be similarly stringent.
The code describes procedures and processes for transferring electronic documents between computers. It does not specify the nature of the system or address any particular system, but is equally applicable to networks, remote communication via carrier, circuit-switched or message-switched systems and to any type of data communications hardware.
Electronic identity, signature and copyright: The code covers the suitability, control and use of digital techniques providing copyright protection and signatures for legal admissibility. It provides criteria for system design, including the application of signatures to the storage and communication of documents.
In addition to ensuring compliance with legal standards, adherence to Code 3 requirements will identify potential threats to system integrity and security, and will require the implementation of an action plan to counter such threats.
Using and acting as a certification authority: A certification authority is the trusted third party responsible for verifying the digital authentication keys and certificates issued to and used by the organization in relation to its documents.
The code outlines the benefits of using trusted third parties and provides guidelines on the recommended content of contractual agreements with third parties, including dispute-handling procedures. It does not recommend specific technological solutions, but outlines the procedures for handling and responding to verification requests, including coverage of the appropriate legal and regulatory frameworks.
Using trusted remote archives: A legally compliant remote archive, operated by a trusted and independent third party, enables storage of documentation without threat to its confidentiality, integrity and availability.
The code includes requirements for storage equipment and media, addresses the issues relating to retrieval of stored documents and includes procedures for verification that documents have not been amended during their time in storage.
Paper-based document systems have been retained because there has been no clear route for companies to transfer to electronic originals. Evidence suggests that there have already been cases in which organizations have lost in court when electronic documents have been ruled inadmissible as evidence.
There are dangers and pitfalls for any business in the implementation of electronic, Internet-based trading, but the real challenge of the new electronic environment lies in the way in which we conduct and document our business.
Information provided by the G5 Messaging Forum (www.g5forum.org), a non-profit body established to create a single, open specification for integrated multimedia messaging.