Monthly Archives: July 2010

Terminology Explained PD0008

Information Management Policy 

Development and approval (at a senior level) of an Information Management Policy covering the Code’s specific requirements for Protective Marking, Approved Storage Media Policy, Data File Formats (there is considerable information in the Code about how documents are to be scanned, including document image quality), Disposal Policy and Data File Formats Policy, as well as quality system processes to govern compliance.

Duty of Care

Development and implementation of an Information Security Policy, an Information Security Management System (ISMS), version control of all information types with date and time stamps, and Data Retention and Disposal Policies in compliance with the Data Protection Act are required.

As the Standard isn’t a legislative or regulatory requirement, compliance is approached on a risk basis: the threats, impacts and vulnerabilities are determined and mapped against the appropriate countermeasures that need to be implemented.

An effective PRINCE2-compliant Risk Assessment Methodology, such as CRAMM, should be used, and the implementation of the recommended countermeasures carried out and monitored as part of the ISMS auditing cycle.

The Code is concerned with the authenticity and integrity of Original Documents and has numerous recommendations surrounding images, macros and paper records and how they enter the electronic storage solution. These requirements must be built into the associated functionality of the solution, which itself should meet the requirements of the Standard for Records Management, BS ISO 1549.

Procedures and Processes

The Code is geared strongly towards the identification, development, implementation and maintenance of the processes that support the policies, such as data capture and migration requirements, indexing, and authentication of outputs.

These all need to be held in a central repository of policies and procedures, subject to formal change control; they must be easy to read and lend themselves to training staff on how to apply them.

Enabling Technologies

Choosing a reliable and trustworthy electronic storage solution is essential. It must be capable of supporting access to the records based on the ‘need to know principle’ to ensure compliance with the Data Protection Act 1998. As such, role segregation and a Role Based Access Control Schema should be created, maintained and complied with. Integrity and availability of data are key themes within the Code.

Platform hardening standards should therefore be implemented, audit data trails maintained to allow for reconstruction of evidential records, cryptographic requirements appropriately implemented and monitored, and contingency plans developed, implemented and tested.

Audit Trails

Audit trails are essential to provide a trustworthy record of the operations that have been performed on data stored within a document record management system. Logs of suspicious activity, and of every access to any record and/or modification made to any data contained within the electronic storage solution, should create an audit trail showing who made the changes, at what time, and what the before and after data values are. Audit data should be stored on Write Once Read Many (WORM) systems (optical media is preferable) in an encrypted form (or be the subject of checksums to provide legal assurance of audit data integrity), but these shouldn’t be on the same system from which the audit data is derived. Compliance with the Code isn’t impossible, but it requires ongoing, demonstrable auditing to prove the integrity of the records contained within it. HM Revenue and Customs use PD0008 as the basis of their requirements for scanned documents to meet their specific requirements for both VAT and Tax records.
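As an added illustration of the checksum approach described above (this is example code, not part of the original article or of any product), the Python below keeps an audit trail whose entries record who changed a record, when, and the before and after values, and chains each entry to the previous one with a SHA-256 checksum so that a later edit, deletion or reordering is detected on verification. The field names and sample values are constructed for the example.

```python
import hashlib
import json

# Constructed example: a minimal tamper-evident audit trail. Each entry's
# checksum covers its own content plus the previous entry's checksum, so
# changing, removing or reordering any entry breaks the chain at that point.

GENESIS = "0" * 64  # anchor checksum for the first entry


def _checksum(entry: dict, prev_checksum: str) -> str:
    """SHA-256 over the canonical JSON of the entry plus the previous checksum."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_checksum + payload).encode("utf-8")).hexdigest()


def append_entry(trail: list, user: str, record_id: str, field: str,
                 before, after, when: str) -> dict:
    """Append one audit entry (who, what, before/after, when) and return it.

    `when` is an ISO-8601 UTC timestamp taken from a synchronized clock.
    """
    prev = trail[-1]["checksum"] if trail else GENESIS
    entry = {"user": user, "record": record_id, "field": field,
             "before": before, "after": after, "time": when}
    entry["checksum"] = _checksum(entry, prev)
    trail.append(entry)
    return entry


def verify_trail(trail: list) -> int:
    """Return the index of the first entry that fails, or -1 if the chain verifies."""
    prev = GENESIS
    for i, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "checksum"}
        if _checksum(body, prev) != entry["checksum"]:
            return i
        prev = entry["checksum"]
    return -1


def build_sample_trail() -> list:
    """Constructed sample: two changes made to one scanned invoice record."""
    trail = []
    append_entry(trail, "alice", "INV-0001", "status", "scanned", "verified",
                 "2010-07-01T09:15:00+00:00")
    append_entry(trail, "bob", "INV-0001", "total", "120.00", "125.00",
                 "2010-07-02T14:02:00+00:00")
    return trail
```

The chain only proves the entries are consistent with one another; the latest checksum still has to be copied to separate WORM media, as the article requires, so that a rewrite of the entire trail on the source system can be detected.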

Summary

The business benefits of moving from a largely paper-based system to an electronic storage system (paperless office) are clear, but there are a significant number of issues that organizations should consider to ensure that their procurement of an electronic storage solution and its deployment meets their internal business needs and legislative requirements, as well as allowing them to retain the capability to produce evidential records recognized by our Courts of Law.

The accuracy and provenance of the original data must be scrutinized before there is any destruction of original hard copy files. All requirements of PD0008, the Civil Evidence Act 1995 and the Criminal Justice Act 2003 need to be considered in terms of maintaining the evidential probity of the evidence.


Complying with PD0008?

If you have read the first article you will remember that we discussed PD0008.

Is it complicated to comply with PD0008?

Like any project or change of systems, a starting point must be organized and followed, and the relevant considerations taken into account. Before choosing any electronic document storage solution, organizations must consider the following:

Data retention and disposal requirements

Derived from legislation, including data weeding and disposal, to ensure that destruction of data is secure and that the evidential probity of scanned documents has been assured prior to hard copy data destruction.

Audit data requirements

Meet ISO 17799, evidence legislation and the Data Protection Act 1998.

Access control considerations

Ensure compliance with ISO 17799, evidence legislation and the Data Protection Act 1998.

Interface requirements

Including encryption and safeguarding of encryption keys.

Backup obligations

Ensure use of optical WORM devices for legal integrity of data with 0% data loss, to prevent loss/corruption and to ensure compliance with the Data Protection Act 1998 and evidence-based legislation.

Disability Discrimination Act requirements

To ensure that the solution meets the needs of disabled users.

ISO 17799

Evidence of compliance with this standard assists in showing a Court that the computer records can be relied upon.

Auditing the auditors

Who is auditing the system administrators? Checks need to be in place to ensure the integrity of data, or all other controls can be called into question by a Court of Law.

Testing

The electronic storage solution, and ongoing patches to it, will need to be tested (including IT health checks) before they are operated within the live environment; they shouldn’t be tested using live data.

Clock Synchronization

The electronic storage solution’s application clock needs to be synchronized with the clocks across the organization’s estate to ensure that audit data is consistent and reliable.

Monitoring

Users that send information to or receive information from the solution must consent to, and/or have been advised that, interceptions of their communications may be made without notice.

Freedom of Information Act 2000

The storage solution will need to support swift and easy searches for information.

Technical and organization controls

Derived from legislative requirements.

Printing of Evidential Records

All data contained within the electronic storage solution should be capable of being printed to produce a permanent record accompanied by authentication of the data, i.e. a digital signature proving the integrity of the original file by showing that it hasn’t been tampered with, and that it satisfies the test of repeatability, i.e. it will produce the same output of data every time.


What Documents to keep (Paperless)

Is it advisable to remove and dispose of all your documents and paper? If you are thinking of starting a paperless office, this is a general guide to which documents and papers to keep.

Please do not be put off by any legal requirements, especially if you are starting a legal service or if you are self-employed and on a limited budget. My only advice is that if you are unsure of what documents to keep, obtain legal advice from your accountant or solicitor, but below is a guide to get you started.

  • Documents dealing with family matters such as wills, divorce and adoption
  • Notices dealing with the consequences of late or non-payment or the termination of an agreement
  • Court documents
  • Product recall notices
  • Notices sent with hazardous materials
  • Original paper records of VAT records.

These need to be retained for no less than one VAT period for inspection by the VAT office. After a VAT return has been submitted, the original VAT records can then be scanned and filed electronically within the document record management system.

Original vouchers for tax deducted or for tax credits.


Legal Foundations and the Paperless office

Most of the following information will only affect a small number of you and is aimed mainly at the law office, but it is interesting reading and does help us to understand the general roots of this area. Not only that, but with ever-increasing management system applications and management policies, it is good to understand the subject up to the point of its origin.

Civil Evidence Act 1995

As to the Court’s view on whether any of these paper records can now be held within an electronic storage solution or form: the Civil Evidence Act 1995 provides that copies of information don’t need to be in their original form in order to be treated as evidence in a Court of Law.

Whether a copy of an original document will be considered as evidence is largely based upon its authenticity, i.e. proof, based on an audit trail, that it has not been tampered with and that it retains its integrity relative to its original record or form.

Electronic Communications Act 2000

UK Courts now recognize the legality of electronic contracts and signatures as a result of the Electronic Communications Act 2000. In general, the key objective of a written signature is to demonstrate that an individual intended to enter into a contract and understood the terms and conditions.

The functions provided by the written signature can be achieved using a series of technical controls and electronic signatures.

“The issue that presents a challenge in the absence of direct case law is the level of interpretation around the amount of information required to establish the facts around electronic contracts and signatures should it be required to be resolved in a Court. So, the challenge now moves on to how integrity of original paper documents, as well as the authenticity of electronic signatures and contracts can be ensured when using an electronic storage solution, i.e. how to prove integrity to a Court of Law” (Ison, white paper 2008)

Honesty and Storage Requirements to a Court

Or, to put it another way, integrity: generally the courts look more favourably on companies and organizations showing conformity to BSI DISC PD0008, the British Standard which relates to the ‘Legal Admissibility and Evidential Weight of Information Stored’.

The standard has been republished over the years; it started life as BSI DISC PD0008, was re-born as PID 2008: 2004, and in 2008 was revised to PID 0008: 2008.

The BSI DISC PD0008 provides a framework and guidelines that identify key areas of good practice for the implementation and operation of electronic storage systems, whether or not any information held therein is ever required as evidence in event of a dispute. As such, compliance with this Code of Practice is regarded as a demonstration of responsible business management, although it doesn’t guarantee legal admissibility.

The code provides clear and concise direction for companies to implement an acceptable document management system.

The code is based upon several principles that are core to the code regardless of system or device:

  • Recognize and understand all types of information – implement an information policy.
  • Understand the legal issues and execute duty of care responsibilities.
  • Identify and specify business processes and procedures.
  • Identify enabling technologies to support business processes and procedures.
  • Monitor and audit business processes and procedures.

As you can see, the main theme is policy and audit.

For more information on this, see the link below:

http://www.bsigroup.com/

Legal and regulatory requirements demand that organizations retain a significant number and variety of records in the form of contracts, transactional records, employment records, accounting data, research data and, in some cases, correspondence.

Traditionally, this type of information held in original paper format, including contracts with original signatures, has been accepted in a Court of Law as proof of an evidential record.


Soliciting and law (paperless)

In time I will be placing various posts with regards to the special requirements that arise when a paperless system is introduced to a section.

This will be closely linked to soliciting and law environments, e.g. signatures, collection and presentation of documents, storage, and any general area within this subject matter.


Alternative to the mouse

I wrote an article some time ago about the end of the mouse as we know it, but what else could replace it? Apple thinks it’s the trackpad, although I do not totally agree that this will replace the mouse.

I generally believe that it will be a short interim measure before all computers are touch screen, but it’s a step in the right direction.

It’s obvious that the likes of Apple are heading in this direction, with the iPhone and iPad completely multi-touch-based so there is no requirement for the mouse.

If this is the overall trend at Apple, surely people will follow?


Paper file

We all understand that management flow systems may have helped the development of the paperless office system. But one of the areas that may still be behind is that of the paper file.

Unfortunately, management flow systems do have their disadvantages: they will help to store filing requirements, but as in all office environments, paper files will always have to be viewed and printed.

What are the reasons for us to print a file? Is it because this has become the normal way of reading, or is it because there has not been an alternative way at a level that is acceptable and sociable?

Printing is a requirement for posting; it could also be for writing additional notes on the file, or for passing the information to a third party, etc. There could be a lot of reasons why we need to print.

The main three or four reasons that could contribute to a file are:

  • Reading
  • Posting
  • Physically checking the document
  • Viewing for internal and external usage

The file will always be a requirement: a storage device that will keep documents long or short term.

The traditional file has normally been a lever arch file type, but as technology grows, will the paper file be a thing of the past?

One of the reasons which has been discussed in the previous chapters is that of sociability. Has an electronic file made an impact on the system, and can it replace the paper file?