Mythbusting signatures – wet, electronic or digital?

Have you recently enjoyed the convenience of completing a form electronically, only to get to the end of the process and realise that you need to print it out so you can sign it? Does your agency have any processes that start as electronic, only to stumble at the last hurdle and require a physical signature?

In the age of ‘born digital, stay digital’, there is an increased expectation that the majority of routine transactions should be processed digitally from beginning to end. However, for a variety of reasons, this can seem to be the exception rather than the norm.

To help debunk some of the myths that maintain the use of wet (physical) signatures, we’ve developed a new mythbuster that summarises some of the most common questions we receive. The information below provides some advice that might assist with the transition from wet to electronic signatures.

Are electronic signatures the same as digital signatures?

Without getting too technical, an electronic signature essentially refers to the method of authenticating a person as the source of a digital message and also indicates that person’s approval of the information contained in the message.

There are a variety of types of electronic signatures, including:

  • digitised signatures – e.g. a scanned handwritten signature inserted as an image; use of signature blocks (e.g. on emails)
  • online forms – e.g. Adobe forms; workflow approvals in applications (e.g. timesheets)
  • touch screens – e.g. Australia Post courier delivery
  • digital signatures – e.g. use of encryption technology to transform a message to a seemingly unintelligible form and back again.

What does the legislation say about using electronic signatures?

For cultural reasons, some people still like to rely on wet signatures. However, the Electronic Transactions (Queensland) Act 2001 provides for the use of electronic signatures, as long as they meet three key criteria:

  • the signature identifies a person and indicates their intention (e.g. providing approval via an email)
  • the signature is appropriate (reliable) for the purposes for which it is used (noting that digital signatures offer greater security compared to digitised signatures)
  • the person receiving the document consents to receiving a signature in electronic form.

Some exclusions regarding the use of electronic signatures are outlined in Schedule 1 of the Act. You may also have more specific provisions within legislation relevant to your business which may require legal analysis.

An informative article published by the Queensland Law Society – Electronic signatures: When are they effective? – goes into more detail about the relationship between electronic signatures and the legislative framework for electronic communications.

What’s QSA’s advice about using electronic signatures?

Here within the Government Recordkeeping team, we often receive queries from government agencies regarding the use of electronic signatures. Questions are usually along the lines of “How can we implement electronic signatures to reduce the need for ‘wet’ signatures?”

At QSA, we asked ourselves this very same question as we started our paperlite journey last year. What we found during our transition, and through discussions with other agencies, is that while the process of implementing electronic signatures isn’t a one-size-fits-all approach, there are a few key recordkeeping steps that will help with the implementation of electronic signatures. These include:

  • perform (and document) a risk assessment for the use of electronic signatures for the work processes you would like to digitise – some records may potentially require more robust forms of identification/authorisation than others (e.g. contractual documents over a certain value)
  • undertake an environmental scan for business requirements or other legal or policy obligations which may require ‘wet’ signatures
  • develop and document processes and/or any policies and related responsibilities regarding the use of electronic signatures
  • ensure any newly developed processes are understood so they can be implemented as standard business practice (for defensibility)
  • ensure appropriate security measures are in place to prevent any unauthorised use of electronic signatures
  • ensure appropriate management of the document to which the signature has been added as a record, so that it maintains its ‘full and accurate’ characteristics throughout its life (see principle 7 from IS40: Recordkeeping).

It is also important to note that any significant change will take time to establish and embed, for example:

  • to identify business processes that can transition to using electronic signatures
  • to obtain necessary support and approvals
  • to overcome potential resistance.

Signing off

It’s an old catchphrase, but the most appropriate solution in relation to using electronic signatures needs to be a risk-based one. Therefore, that big expensive contract worth millions of dollars will most likely be best served with a physical signature. However, documents with a lower level of risk, such as your timesheet or an internal memo requesting approval to attend a free one-hour training session, can realistically be signed off electronically. If you are unsure, obtain legal advice to fully understand your own specific requirements.

If you’ve been able to bust some of the common myths around using wet signatures in your agency, we would like to hear about your experiences, including what worked and what the main challenges were. You can contact us via email, Twitter or Facebook.

Troy Pullen

A/Principal Policy Officer

7 thoughts on “Mythbusting signatures – wet, electronic or digital?”

  1. Thanks Troy,
    A good article. We have been navigating the path to Digital Signatures for around 12 months now and are embarking on our early adopters in the coming months. Lots of groundwork is required to ensure that your procedures can achieve appropriate security and actual time-savings within the processes themselves.

    • Hi Fiona,
      We’d love to talk to you about your experience with digital signatures and see if we could write a case study to help others. Please let us know if you’re interested!
      Thanks
      GRK

  2. Hi GRK,

    One of the issues that concerns me in relation to digital signatures if not internally hosted is the reliance on vendor supplied PKI and the ability over time to validate a digital signature if the vendor agreement is severed for whatever reason. Without their certificate are we still able to validate that signature over the longer term given that the retention for a particular document may be lengthy depending on the applicable schedule? My testing to date is inconclusive but I’m cautious to say the least. Another consideration in relation to third party vendor licensing is cost, the per seat licensing for some systems is significant and the cost benefit analysis needs to be done carefully, we may find ourselves locked into an agreement for a lengthy period.

    • Hi Mike, thanks very much for your feedback. We agree that the topics you have raised carry potential for long-term recordkeeping implications. They are areas that will likely require collaboration across a number of areas of government to consider in more detail such as with the Queensland Government Chief Information Office. In the meantime, taking a risk-based approach to use of vendor supplied PKI will be essential. E.g. considering whether documents that require long-term retention should have vendor supplied PKI applied or are there alternate methods of digital signatures that may be more suitable – or perhaps there are some documents that due to their level of risk, still need to be stored as a hard copy.

  3. Schedule 1 of the Electronic Transactions Act (Queensland) point 6, excludes transactions with “A requirement or permission for a document to be attested, authenticated, verified or witnessed by a person other than the author of the document.” I interpret this as documents that need provable signatures cannot be electronically signed, as does the commentary on the Act I have read. In applying this to technology I take the position that if PKI or other crypto solutions are necessary, they probably run into this exclusion and so should not be used, i.e. the documents have to be wet signed regardless. For other documents I do not see a need to have a stronger identity verification/signature verification regime than we currently require for wet signatures. e.g. If we are happy to leave a form on someone’s desk, walk away and trust they and not their secretary signs it, then why do we want more from a digital system?

    • Hi Alby, thanks for your great summary. I think one of the key points to be made based on advice that has been published and from discussions with those who have implemented, is that performing a risk assessment to consider the legal and technical implications of any potential use of electronic signatures is very important. While we want to encourage use of electronic signatures (and help information born in a digital format to stay in a digital format) wherever possible, we still need to be mindful of any legitimate requirements that exist for a wet signature.

  4. Hi, Queensland Museum is working on a project to assist staff and better use resources in making the decision to use wet, digital or electronic signatures. I would be keen to hear from agencies who have developed any decision tree or risk assessment matrix to assist staff.
