We live in the time of an overwhelming Information boom where the vast majority of information is created and maintained in electronic form. Electronic documents and electronic signatures are constantly used for business transactions worldwide.
Many records that are still in paper form are being gradually converted into electronic form. As electronic transactions and electronic storage expand to encompass the management of information, so too the rules regarding that information grow and expand.
Let’s examine some requirements for managing electronic records.
Electronic Records Management Requirements
In the US, it is the federal Electronic Signatures in Global and National Commerce Act (ESIGN – PDF link) and the Uniform Electronic Transactions Act (UETA – PDF link), later adopted by the majority of states. Both acts stipulate that records related to a transaction may not be denied legal effect, validity, or enforceability only because they are in electronic form. These acts do not prescribe the use of a specific technology nor recognize different types of electronic signatures.
The European Union’s Regulation No. 910/2014 on electronic identification and trust services for electronic transactions in the internal market sets out the conditions for electronic documents and signatures use within the EU. As in the US, an electronic document should not be denied legal effect and admissibility solely because it is in electronic form. Unlike ESIGN and UETA though, the regulation recognizes different levels and types of electronic signatures (seals, stamps) and provides rules related to the validity of each. It, nevertheless, remains technology neutral and prohibits mandating requirements exceeding the listed obligations.
Similar laws have been adopted in many countries around the world, generally authorizing the use of electronic documents and signatures without specifying a particular technology to be used for effecting transactions and documents storage.
Legal Requirements for Business Records
There are some legal obligations regarding record-keeping that include prescription of a form in which the records are to be kept. These obligations oftentimes permit maintaining records on electronic media if certain conditions are met. Systems used for maintaining information are typically, across jurisdictions, required to be capable of accurately and completely reflecting the information recorded and keeping the information in a legible form.
Conversion into a paper record must, according to most countries’ rules, be possible within a reasonable time or without undue delay. For tax obligation purposes, authorities in many jurisdictions need to be able to access the information residing in the electronic system as well as download it and use it. Online access is mandated in some cases. Security measures are required to be in place that will protect information from loss, damage, alteration, unauthorized additions and that are able to control access to the information. Documentation of any modifications and back-ups anywhere or on a separate electronic storage device are common obligations.
Other express legal requirements pertaining to electronic retention of records are more rare. For example, prior approval of the system used by an authority, electronic system having life expectancy at least equal to the applicable record retention period, or enabled suitability testing of electronic programs and electronic data processing.
Managing Sensitive Records Electronically
Storage of certain types of information, for example some personal information, mandates in many jurisdictions a higher standard of protection. Encryption required for biometric information in France is an example as well as encryption or effective alternative compensating controls required for nonpublic information kept by financial institutions in the state of New York.
(Read more in our blog post “Privacy Compliance Demystified!”)
Some of the electronic system’s characteristics required are directly related to another aspect of the question of electronic records and their legality. In order for an electronic record to be accepted as evidence during legal proceedings, it has to satisfy the evidentiary standard. So where the law does not prescribe the features and processes that must be in place, organizations need to make decisions that take into consideration the value of the record and a possible need for its use as evidence during legal proceedings. The entity managing the record will have to balance the need for security and accuracy against cost and other burdens associated with acquiring and managing technology.
Courts, as in the case of non-electronic documents, look at the record’s integrity and authenticity. In order to show that the electronic system used to keep the records is organization might need to present evidence that the equipment and/or software was operating reliably when the record was prepared as well as throughout its retention. This is where a certified system/provider that uses standardized protocol for processing information can be useful.
Electronic Records Management: One Size Never Really Fits All
The the requirements for managing electronic records will depend on the kind of records that are being maintained. Some type of information will require a more sophisticated electronic system with high levels of protection and thorough protocol. Other types of information can be kept without a robust process.
In case of personal information an organization will likely (if not already, depending on the location of its operations and the data that it keeps) need to be capable of individuals’ information identification in order to respond to requests under the European General Data Protection Regulation and the California Consumer Privacy Act (effective January 2020).
The electronic system also needs to be able to comply with maximum retention periods and allow for deletion when the time comes. In ideal case there would be an interplay between selecting and setting up an electronic records management system and creating a records retention schedule so that all the above considerations could be accommodated.
To learn more, watch our MeR webcast recording: How to Incorporate Data Privacy into your Enterprise IG Program.