Category Archives: Acts and Regulations and the Paperless System

Paperless and ISO 17799 (27001) (27002)

These standards are, very broadly, all to do with security (see earlier posts for a more detailed description) and in fact apply to any organization that handles and depends on information.

How can a paperless system assist these regulations?

I think we have to look at the wider picture and understand why we use a paperless system to try to find an answer for this area.

It is certainly not a case of having to design a special area within a paperless system for these acts to operate in. Nearly all companies are connected to them in some way, because we must handle people's information just to employ them, and of course some companies will require a more complex system if their business depends on people's information.

So do we design a paperless system to accommodate these acts, or do we try to place these requirements into an existing paperless system, better known as a Document Management System, with added security because of the possible sensitivity of the information?

Some of the companies who have installed a respectable Document Management System will be happy with the outcome, and for a normal company this is to a certain degree more than acceptable. How far it goes depends on the type of information held and on the type of company, since some companies have to apply these regulations to a far greater degree. Both statements go without saying and are pretty common.

But could we say that a defined set of actions and processes within a system is the best answer? I think it is more a matter of having to use what is available to us at the time of installation, and what has already been designed and accepted.

It is obvious that security has to play a big part if we intend to use the computer as an office or to assist a paperless system; protecting people's information is the main point of the acts.

One of the better aspects of ISO 17799 (now ISO 27002) is that it is a code of practice/guideline rather than a certification standard (certification is against ISO 27001). Organizations are free to select and implement other controls, or indeed adopt alternative complete suites of information security controls as they see fit, provided they can justify the selection.

We can all agree that technology will grow and improve over time, so could you say that what is acceptable, and how it applies to a paperless system, will always be open to debate?

We could say that this will always be the case, simply because technology will always grow, but we do have to find the middle ground where a practical solution is available to provide a practical answer.


ESR 2000 Interpretation (Original)

In the previous section we looked at the general introduction, which gave us a good idea of what the regulations covered. This section will look at the original regulations and the interpretations they carried at the time of implementation, which was 8 March 2002.

In these Regulations:

"advanced electronic signature" means an electronic signature

(a) which is uniquely linked to the signatory,

(b) which is capable of identifying the signatory,

(c) which is created using means that the signatory can maintain under his sole control, and

(d) which is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable;

"certificate" means an electronic attestation which links signature-verification data to a person and confirms the identity of that person;

"certification-service-provider" means a person who issues certificates or provides other services related to electronic signatures;

"Directive" means Directive 1999/93/EC of the European Parliament and of the Council on a Community framework for electronic signatures;

"electronic signature" means data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication;

"qualified certificate" means a certificate which meets the requirements in Schedule 1 and is provided by a certification-service-provider who fulfils the requirements in Schedule 2;

"signatory" means a person who holds a signature-creation device and acts either on his own behalf or on behalf of the person he represents;

"signature-creation data" means unique data (including, but not limited to, codes or private cryptographic keys) which are used by the signatory to create an electronic signature;

"signature-creation device" means configured software or hardware used to implement the signature-creation data;

"signature-verification data" means data (including, but not limited to, codes or public cryptographic keys) which are used for the purpose of verifying an electronic signature;

"signature-verification device" means configured software or hardware used to implement the signature-verification data;

"voluntary accreditation" means any permission, setting out rights and obligations specific to the provision of certification services, to be granted upon request by the certification-service-provider concerned by the person charged with the elaboration of, and supervision of compliance with, such rights and obligations, where the certification-service-provider is not entitled to exercise the rights stemming from the permission until he has received the decision of that person.
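The definitions above are easier to follow with a concrete case. The regulations name "private cryptographic keys" as one form of signature-creation data and "public cryptographic keys" as one form of signature-verification data, and the four properties (a) to (d) of an advanced electronic signature are exactly what a public-key digital signature gives you. The example below is added here to illustrate that; it is not code from the original post, and the regulations do not prescribe any particular algorithm. It assumes Ed25519 (from Go's standard library) as the signature scheme, a made-up signatory name, and a constructed sample document. The private key is the signature-creation data, the public key is the signature-verification data, and the checks in Demo show that an altered document or a different key are both detected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signatory models the person who "holds a signature-creation device".
// The private key is the signature-creation data and must stay under the
// signatory's sole control (property c); the public key is the
// signature-verification data and is handed to anyone who must verify.
type Signatory struct {
	Name       string
	privateKey ed25519.PrivateKey // signature-creation data, never shared
	PublicKey  ed25519.PublicKey  // signature-verification data, published
}

// NewSignatory generates a fresh key pair. Because the key pair is unique
// and only the holder has the private half, every signature it produces is
// uniquely linked to, and identifies, this signatory (properties a and b).
func NewSignatory(name string) (*Signatory, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signatory{Name: name, privateKey: priv, PublicKey: pub}, nil
}

// Sign produces the electronic signature for a document. Signing the SHA-256
// digest of the bytes ties the signature to the exact content, so any later
// change of the data is detectable (property d). Ed25519 would also accept
// the raw document; the explicit digest just makes the data linkage visible.
func (s *Signatory) Sign(document []byte) []byte {
	digest := sha256.Sum256(document)
	return ed25519.Sign(s.privateKey, digest[:])
}

// Verify is the signature-verification device: it reports true only when sig
// was produced over exactly this document by the holder of the private key
// that matches pub.
func Verify(pub ed25519.PublicKey, document, sig []byte) bool {
	digest := sha256.Sum256(document)
	return ed25519.Verify(pub, digest[:], sig)
}

// Demo walks through the properties with a constructed document (hypothetical
// names and content). It returns whether the genuine signature verified,
// whether a tampered copy still verified, and whether a signature made by a
// different signatory verified under the original signatory's public key.
func Demo() (authentic, tamperedAccepted, forgedAccepted bool, err error) {
	alice, err := NewSignatory("Alice (constructed example)")
	if err != nil {
		return false, false, false, err
	}
	mallory, err := NewSignatory("Mallory (constructed example)")
	if err != nil {
		return false, false, false, err
	}

	// Constructed sample document; not taken from any real system.
	document := []byte("Purchase order 1001: deliver 10 units to depot A")
	sig := alice.Sign(document)

	// Genuine document and genuine signature: verifies.
	authentic = Verify(alice.PublicKey, document, sig)

	// Someone edits the quantity after signing: the change is detected.
	altered := []byte("Purchase order 1001: deliver 99 units to depot A")
	tamperedAccepted = Verify(alice.PublicKey, altered, sig)

	// Someone else signs the same document with their own key and presents it
	// as Alice's: it does not verify under Alice's verification data.
	forgedAccepted = Verify(alice.PublicKey, document, mallory.Sign(document))

	return authentic, tamperedAccepted, forgedAccepted, nil
}

func main() {
	authentic, tampered, forged, err := Demo()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Println("genuine signature verifies:   ", authentic)
	fmt.Println("altered document verifies:    ", tampered)
	fmt.Println("other signatory's sig verifies:", forged)
}
```

Note what this example does not cover: it shows the cryptographic side of properties (a) to (d), but saying whose public key this is (the "certificate" and "certification-service-provider" definitions above) is a separate, organisational step. In a paperless system that means keeping the private key in a device the signatory alone controls and recording which public key was issued to which person.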


Data Protection Act 1998

The Data Protection Act is a complex act and generally gives individuals the right to know what information is held about them. It provides a framework to ensure that personal information is handled properly.

Because of its complexity we will break it down into the key areas and understandings, and separate these into eight areas.

The Act works in two ways. First, it states that anyone who processes personal information must comply with the following, to make sure that personal information is:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than is necessary
  • Processed in line with your rights
  • Secure
  • Not transferred to other countries without adequate protection

 The second area covered by the Act provides individuals with important rights, including the right to find out what personal information is held on computer and most paper records.

Those are the eight principles which cover the Act, and they are straightforward as to what they state.

We can break the eight principles down and try to define their contents within the areas of the law.

Data may only be used for the specific purposes for which it was collected.

Data must not be disclosed to other parties without the consent of the individual whom it is about, unless there is legislation or other overriding legitimate reason to share the information. It is an offence for other parties to obtain this personal data without authorization.

Individuals have a right of access to the information held about them, subject to certain exceptions (for example, information held for the prevention or detection of crime).

Personal information may be kept for no longer than is necessary and must be kept up to date.

Personal information may not be sent outside the European Economic Area unless the individual whom it is about has consented or adequate protection is in place, for example by the use of a prescribed form of contract to govern the transmission of the data.

Subject to some exceptions for organizations that only do very simple processing and for domestic use all entities that process personal information must register with the Information Commissioner’s Office.

Entities holding personal information are required to have adequate security measures in place. Those include technical measures (such as firewalls) and organizational measures (such as staff training).

Subjects have the right to have factually incorrect information corrected (note: this does not extend to matters of opinion)

The above information will give you a general background to the Act. As stated above it is a long and sometimes complex Act, and you will certainly need professional advice in all areas if you require a more detailed analysis.

The reason Acts and Regulations are covered in this blog about the Paperless Office and systems is that a good understanding of the various Acts and regulations will help you understand how the paperless system and office has to be regulated to meet these needs.

 This blog entry is not intended to provide legal advice.