Category Archives: Document

The basic legalities of scanned documents

Does a scanned document stand up in court?

In comparison to paper documents, the issues for electronic documents actually seem to rest on how much integrity they have in terms of ‘pedigree’ and authenticity rather than their admissibility. Courts and governing bodies now accept that electronic filing is normal procedure for many companies, and they fully accept electronic documents as evidence or supporting material so long as companies can prove that they’ve taken the appropriate measures to ensure their integrity.

The Basis in Law

The Civil Evidence Act 1995 is perhaps the most relevant point of law to address in relation to electronic documents. Its legacy is to take the onus off the question of physical admissibility, instead examining the actual weight carried by the electronic evidence submitted. The evidential value is then determined by the procedures followed by the company presenting the documents. To put is simply, if a company submits a document that has clearly been unaltered since its creation or which brings with it a clear audit trail that categorises any changes made to it along the way, then that holds for more evidential value than a document that could possibly have been amended in the interim. Simple procedures ensure document integrity for a company looking to move towards an electronic filing system.

Sections 8 and 9 of the Civil Evidence Act 1995 illustrate the legal guidelines for electronic documents as evidence:

8 (1) Where a statement contained in a document is admissible as evidence in civil proceedings, it may be proved;

(a) by the production of that document, or

(b) whether or not that document is still in existence, by the production of a copy of that document or of the material part of it, authenticated is such a manner as the court may approve.

(2) It is immaterial for this purpose how many removes there are between a copy and an original.

9 (1) A document that is shown to form a part of the records of a business or a public authority may be received in evidence in civil proceedings without an further proof

(2) A document should be taken to form part of the records of a business or public authority if there is produced to a court a certificate to that effect signed either by an officer of the business or authority to which the records belong.

Essentially, this law may be interpreted to show that an original document is not the only admissible evidence in civil courts. Electronic copies of documents are acceptable so long as their integrity can be proved. Criminal courts involve a more complex set of guidelines, and business with concerns about compliance in this area should check with a specialist lawyer.

Scanned documents and HM Customs & Excise

 What about the VAT

At present, the law makes no distinction between electronic or paper records. As a result, Customs & Excise simply refer to ‘records’ in their guidelines – whether a business keeps their records on paper or electronically makes little difference.

They do, however, insist that you inform them of the format you use for your records.

Section 5.4 of VAT Notice 700/21 reads as follows:

If you keep all or part of your records and accounts on a computer, you must make sure that you can meet your legal obligations to:

  • Account for VAT properly
  • Provide information to us whenever we visit you; and
  • Keep records in the required detail for the required length of time

In practical terms, a business should therefore advise their local VAT office that they wish to store scanned documents copies of all their records in ‘format X’ (either TIF or PDF format), and that those records will be held within ‘document management system

Customs & Excise do not recommend any particular software packages of file formats and at present an acceptable standard has not been precisely defined, but ‘may be taken to mean that all details on the reproduced documents are clear and legible’, which enables fairly broad interpretation.

By also following the Code of the British Standard BSI DISC PD0008 in addition to the requirements of Customs & Excise, a company can take the best precautions available to ensure that their records are acceptable for a VAT inspection.

Timescales for Record Keeping

The general requirement for record keeping is a period dating back at least 6 years. For many companies, keeping paper records for so long is fraught with difficulties. By agreement with the Commissioners, this time limit requirement may have a degree of flexibility. It could be noted, though, that if a company uses electronic filing, then the 6 year timescale is of little consequence.

One important consideration for Customs & Excise is their requirement that any original paper invoices must be retained for a period of no less than one VAT period. This would ensure that the current VAT return can be verified using original documentation. Depending on the nature of the company’s accounting pattern, this period is either 1 month, 3 months or 1 year in length.

After this time and submission of the return in question, the company can then consign those accounting records to electronic filing in confidence.

Scanned documents and the Inland Revenue

Not a world away from the requirements of Customs and Excise, the Inland Revenue has adopted a fairly flexible view of records stored electronically, based on the same grounds that the law does not at present differentiate between paper and electronic documents.

Set out in Tax Bulletin 37, the Revenue provides the following guidelines:

Records may be preserved on optical imaging systems, and the originals discarded, provided that what is retained in digital form represents a complete and unaltered image of the underlying paper document. We are now able to go further: Both in the case of companies and unincorporated businesses we can accept other methods which preserve the information in the record in a different form. This is so long as those methods capture all the information needed to demonstrate that a complete and correct tax return has been made and are capable of yielding up that information in a legible form.

They go on to confirm that some material, such as a company’s standard terms and conditions of sale, is not required to be retained for tax purposes. However, exactly what material should be retained and what can be discarded should be checked thoroughly with a tax adviser as regulations differ across industries.

In this Tax Bulletin, the Inland Revenue also makes the important acknowledgement that companies complying with the British Standard BSI DISC PD0008 will automatically satisfy the tax requirements for keeping electronic records.

At present, under the terms of the Companies Act, for most companies the timescales that the Revenue requires material to be retained is set at 6 years from the end of an accounting period. In cases of investigation or late return submission, then this period will extend accordingly. Once again, electronic records management is by for the easiest method of storage for convenience and space-saving benefits.

Advertisements

Terminology Explained PD0008

Information Management Policy 

Development and approval (at a senior level) of an Information Management Policy covering the Code’s specific requirements for Protective Marking, Approved

Storage Media Policy, Data File Formats(there is considerable information in the Code about how documents are to be scanned including document image quality), Disposal Policy, Data File Formats Policy as well as quality system processes to govern compliance.

Duty of Care

Development and implementation of an Information Security Policy, an Information Security Management System (ISMS), version control of all information types with date and time stamps as well as Data Retention and Disposal Policies in compliance with the Data Protection Act are required.

As the Standard isn’t a legislative or regulatory requirement, compliance is carried out on a risk based approach to determine the threats, impacts and vulnerabilities mapped off against the appropriate countermeasures needed to be implemented.

An effective Prince 2 compliant Risk Assessment Methodology should be used, such as CRAMM, and the implementation of the recommended countermeasures carried out and monitored as part of the ISMS auditing cycle.

The Code is concerned with the authenticity and integrity of Original Documents and has numerous recommendations surrounding images, macros and paper records and how they enter the electronic storage solution. These requirements must be built into the associated functionality of the solution, which itself should meet the requirements of the Standard for Records Management, BS ISO 1549.

Procedures and Processes

The Code is highly geared around the identification, development, implementation and maintenance of processes such as data capture and migration requirements, indexing, authentication of outputs to support the policies.

These all need to be available in a central repository of policies and procedures, subject to formal change control, which must be easy to read and lend themselves toTraining staff on how to apply them.

Enabling Technologies

Choosing a reliable and trustworthy electronic storage solution is essential. It must be capable of supporting access to the records based on the ‘need to know principle’ to ensure compliance with the Data Protection Act 1998. As such, role segregation and a Role Based Access Control Schema should be created, maintained and complied with. Integrity and availability of data are key themes within the Code.

Platform hardening standards should therefore be implemented, audit data trails maintained to allow for reconstruction of evidential records, cryptographicRequirements appropriately implemented and monitored, and contingency plans developed, implemented and tested.

Audit Trails

Audit trails are essential to provide a trustworthy record of the operations that have been performed on data stored within a document record management system. Logs of suspicious activity and of every access to any record and/or modification made to

Any data contained within the electronic storage solution should create an audit trail showing who made the changes, at what time and what the before and after data values are. Audit data should be stored on Write Once Read Many (WORM) systems (Optical media is preferable) in an encrypted form (or be the subject of Checksums to provide legal assurance of audit data integrity) but these shouldn’t be on the same system from which the audit data is derived. Compliance with the Code isn’t impossible – but it requires ongoing demonstrable auditing to prove the integrity of the records contained within it HM Revenue and Customs use PD0008 as the basis of their requirements for scanned documents to meet their specific requirements for both VAT and Tax records.

Summary

The business benefits of moving from a largely paper based system to an electronicStorage system (paperless office) is clear, but there are a significant numberOf issues that organizations should consider to ensure that their procurementOf an electronic storage solution and its deployment meets their internal business needs and legislative requirements, as well as  allowing them to retain the capability to produce evidential records recognized by our Courts of Law.

The accuracy and provenance of the original data must be scrutinized before there is any destruction of original hard copy files. All requirements of PD0008, the Civil Evidence Act 1995 and the Criminal Justice Act 2003 need to be considered in terms of maintaining the evidential probity of the evidence.


Complying with PD0008?

If you have read the first article you will have remembered that we discussed about PD0008?

Is it complicated to comply with PD0008?

Like any project or change of systems a starting point must be organized and followed, considerations must be taken into place. Before choosing any electronic document storage solution organizations, considerations must take place.

Data retention and disposal requirements

Derived from legislation including data weeding and disposal to ensure that destruction of data is secure and that evidential probity of scanned documents has been assured prior to hard copy data destruction

Audit data requirements

Meet ISO 17799, evidence legislation and the Data Protection Act1998

Access control considerations

Ensure compliance with ISO 17799, evidence legislation and the Data Protection Act 1998

Interface requirements

Including encryption and safeguarding of encryption keys

Backup obligations

Ensure use of optical WORM devices for legal integrity of data with0% data loss to prevent loss/corruption to ensure compliance with the Data Protection Act1998 and evidence based legislation

Disability Discrimination Act requirements

To ensure that the solution meets the needs of disabled users

ISO 17799

Evidence of compliance with this standard assists in showing a Court that the

Computer records can be relied upon.

Auditing the auditors

Who is auditing the system administrators? Checks need to be in place to ensure integrity of data or all other controls can be called in to question by a Court of Law

Testing

The electronic storage solution and ongoing patches to it will need to be tested including IT health checks before they are operated within the live environment – they shouldn’t be tested using live data

Clock Synchronization

The electronic storage solution’s application clock needs to be synchronized with those with the organization’s estate to ensure that audit data is consistent and reliable

Monitoring

Users that send information to or receive information from the solution must consent to and/or have been advised that interceptions of their communications may be made without notice

Freedom of Information Act 2000

The storage solution will need to support swift and easy searches for information

Technical and organization controls

Derived from legislative requirements

Printing of Evidential Records

All data contained within the electronic storage solution should be capable of being printed to produce a permanent record accompanied by authentication of the data, i.e. a digital signature proving the integrity of the original file by showing that it hasn’t been tampered with and that it will satisfy the test of repeatability, i.e. it will create the same output of data every time.


What Documents to keep (Paperless)

Is it advisable to remove and dispose of all your documents and paper, this is general thought of what documents and papers to keep, If you are thinking of starting a paperless office.

Please do not be put of with any legal requirements especially if you are starting a legal service or if you are self employed and you are on a limited budget, my only advise is if you are unsure of what documents to keep obtain legal advice form your accountant or solicitor, but below is a guide to get you started.

  • Documents dealing with family matters such as wills, divorce and adoption
  • Notices dealing with the consequences of late or non-payment or the termination of an agreement
  • Court documents
  • Product recall notices
  • Notices sent with hazardous materials
  • Original paper records of VAT records.

These need to be retained for no less than one VAT period for inspection by the VAT office. After a VAT return has been submitted, the original VAT records can then bescanned and filed electronically within the document record management system

Original vouchers for tax deducted or for tax credits.


Legal Foundations and the Paperless office

Most of the following information will only effect a small amount of you and is mainly towards the office of law, but it is interesting reading and does help us to understand the general roots of this area, not only that, but with a ever increasing management system applications and management polices this is a good understanding up to appoint of its origin. 

Civil Evidence Act 1995

In the Court’s view with regards to if any of these paper records can now be held within an electronic storage solution or form. The Civil Evidence Act 1995 provides that copies of information don’t need to be in their original form in order to be treated as evidence in a Court of Law.

A copy of an original document will be considered as evidence is largely based upon its authenticity, i.e. proof, based on an audit trail, that it has not been tampered with and that it still retains in its integrity and to its original record or form.

Electronic Communications Act 2000

UK Courts have now recognized the legality of electronic contracts and signatures as a result of the Electronic Communications Act 2000 and in general the key objective of a written signature is to demonstrate that an individual intended to take up a contract and understood the terms and conditions.

The functions provided by the written signature can be achieved using a series of technical controls and electronic signatures.

“The issue that presents a challenge in the absence of direct case law is the level ofInterpretation around the amount of information required to establish the facts around electronic contracts and signatures should it be required to be resolved in a Court. So, the challenge now moves on to how integrity of original paper documents, as well as the authenticity of electronic signatures and contracts can be ensured when using an electronic storage solution, i.e. how to prove integrity to a Court of Law” (Ison, white paper 2008)

Honesty and Storage Requirements to a Court

Or put it an other way integrity, generally the court are in a more favor to the companies and organizations showing conformity to BSI DISC PD0008, the British Standard which relates to the ‘Legal Admissibility and Evidential Weight of Information Stored.

The standard relating to this has been republished over the years; it started life as BSI DISC PD0008 was re-born as PID 2008: 2004 and in 2008 was revised to PID 0008: 2008

The BSI DISC PD0008 provides a framework and guidelines that identify key areas of good practice for the implementation and operation of electronic storage systems, whether or not any information held therein is ever required as evidence in event of a dispute. As such, compliance with this Code of Practice is regarded as a demonstration of responsible business management, although it doesn’t guarantee legal admissibility.

The code provides clear and concise direction for companies to implement an acceptable document management system.

The code is based upon several principles and is core to the code regardless of system or device:

Recognized and understand all types of information – implement an information policy.

  • Understand the legal issues and execute duty of care responsibilities.
  • Identify and specify business processes and procedures.
  • Identify enabling technologies to support business processes and procedures.
  • Monitor and audit business processes and procedures.

 As you can see the main theme is policy and audit.

For more information of this see the link below:

http://www.bsigroup.com/

Legal and regulatory requirements demand that organizations retain a significant number and variety of records in the form of contracts, transactional records, employment records, accounting data, research data and in some cases correspondence.

Traditionally this type of information held in original paper format including contracts with original signatures, have all been accepted in a Court of Law as proof of an evidential record.


Soliciting and law (paperless)

In time I will placing various posts with regards to the special requirements that are required when a paperless system is introduced to a section.

This will be closely linked to soliciting and law environments e.g. signatures, collection and presentation of documents, storage and any general area within this subject matter.


Document Management System

A document management system (DMS) is a computer system (or set of computer programs) used to track and store electronic documents and/or images of paper documents. The term has some overlap with the concepts of content management systems. It is often viewed as a component of enterprise content management (ECM) systems and related to digital asset management, document imaging, workflow systems and records management systems.

Document management systems commonly provide storage, versioning, metadata, security, as well as indexing and retrieval capabilities. Here is a description of these components:

  • Metadata
  • Integration
  • Capture
  • Indexing
  • Storage
  • Retrieval
  • Distribution
  • Security
  • Workflow
  • Collaboration
  • Versioning
  • Searching
  • Publishing

 

There are two web sites that offer this service, i have not tried them self, but if you have please leave a commment.

www.scan123.com

http://www.infonic-document-management.com/