Division B: Scanning and Archiving Documents
All outsourcing providers should be made aware of these provisions and required to comply with them.
A. Electronic storage of files may be a practical way of dealing with storage, but reference should also be made to the Society’s Cloud Computing – Advice for the profession, the relevant BSI standards , ISO standards and ICO guidance .
The following should be borne in mind:
(1) Scanned documents should preferably be scanned into a native Portable Document Format (“PDF”). Failing that they should certainly be in a format that allows output in PDF and see explanatory note D. below.
(2) Subject to compliance with this guidance, retaining a scanned copy having destroyed the original will be deemed compliant with the guidance on the Ownership and Destruction of Documents. It is prudent to keep original documents in a "buffer" following scanning for a period of 28 days prior to destruction so that they might be retrieved within that timescale if there is a problem, error, or client query in the interests of risk management. If an original document has not been scanned it should be retained in paper form in terms of that guidance.
(3) In the event that original documents are to be destroyed the intent to do so should be intimated in writing to the client. Tacit consent such as acceptance of Terms of Engagement is acceptable.
(4) The normal duties of care and confidentiality in the storage of clients papers in terms of the rules would, for the avoidance of doubt, apply to scanned archive material. Offsite electronic copies of the scanned archive should form part of the practice unit's contingency planning strategy. A data retention policy should be in place. This should include data expiry/deletion provisions. A disaster recovery policy should also be in place and consideration should be given to policy in relation to data transfers outside the EEA. The Society’s Cloud Computing - Advice for the profession has more specifics in relation to Cloud Computing storage outside the EEA.
(5) Documents should be scanned before at least one witness and where technology permits, a digital encrypted signature certifying them a true copy should be included, or alternatively a signed daily logbook certifying authenticity should be maintained.
(6) Although documents which have only ever existed electronically may be printed and scanned, they should be retained in original format where possible or converted into PDF electronically, which may retain some of their "Metadata" with its forensic benefits
(7) Where a mandate is received or clients request a copy of the file, the practice unit's obligations in that regard should be covered in Terms of Engagement. The Society would expect files to be made available within the Society's recommended retention periods. If the Terms of Engagement are silent on the point, a client is entitled to request the file in either paper or electronic form and any cost of printing from electronic to paper should be borne by the practice unit.
(8) If the practice unit merges with or is taken over by another practice unit care should be taken to ensure systems used to hold scanned documents are compatible, accessible (where stored and with details of passwords, encryption keys etc.) and that paper copies can be printed if required. If new technology supersedes an existing system, scanned material should be transferred to it or a means of reading and printing the material retained.
(9) It is recommended that the practice unit adopts a quality assurance procedure by frequently checking the integrity of archived PDF files. Regular random checks involving the opening and reviewing the content of archived PDF files and documenting the results will provide the practice unit with a record of their archived PDF quality assurance process.
B. Terms of Engagement should include clarification on:
(1) Whether the practice unit intends to scan and destroy original documents in accordance with the Society's guidance.
(2) The practice unit's policy in relation to when original documents are destroyed; for example, immediately upon receipt, or kept in a "buffer" following scanning for a specified period prior to destruction, or on closure of the file, or on expiry of the Society's recommended retention periods.
(3) The risk that in any subsequent dispute or court case electronic copies may not have the same status as original documents potentially reducing their evidential value.
(4) The practice unit's policy in relation to documents submitted by clients which are not to be destroyed. And whether or not the practice unit keeps original documents in a "buffer" for a period prior to destruction.
(5) The practice unit's policy in relation to mandate requests and if necessary any costs associated with paper copies being produced.
(6) The practice unit's policy in relation to retention of electronic documentation, for example whether the electronic copies will be retained beyond the Society's recommended retention periods or not.
The practice unit’s policy in relation to Crown Copyright. The policy should make it clear that original birth, marriage and death certificates will be scanned for filing purposes only, that the scanned copies are not substitutes for the originals and that if originals are required (for the purposes of providing certified copies or otherwise) further extracts will have to be obtained from the Registrar.
C. The following should also be noted:
(1) If scanning/copying books, magazines and journals not on the excluded works list, an annual CLA licence return will be required.
(2) As electronic storage of files may cross foreign jurisdictional boundaries the applicability of foreign legislation, including the US Patriot Act (“UPA”) and The Sarbanes-Oxley Act 2002, (“SOX”) should be considered.
(3) UPA facilitates the ability of the US to extend its e-discovery activities when recovering electronically stored information held around the world. UPA was signed in response to 9/11 and has significantly reduced the restrictions on US law enforcement agencies gathering intelligence both within and outside the US. It also extends the searches of business records by US law enforcement agencies. UPA allows government agencies to gather foreign intelligence information from both US and non-US countries. More wide-ranging provisions allow for disclosure of electronic communications to law enforcement agencies to counter any terrorist activity that crosses jurisdictional boundaries.
(4) As a result of the introduction of SOX, the senior management of a client affected by SOX must now certify the accuracy of financial accounting. The information may be held in electronic files across various jurisdictions. In the event that fraudulent financial information activities are discovered financial penalties are likely to be severe and your client needs to be aware of this.
D. Explanatory note on PDF
PDF has been approved as an ISO standard (ISO32000) and is widely recognised and used within businesses worldwide. PDF files are normally generated from Microsoft Office documents: i.e. word/excel files and remove metadata from the working file and create a flattened version. Almost every file (regardless of the application used to create them, Microsoft has been used for the purposes of this guide, however the same rules apply to other office applications) contains ‘metadata’ of some sort, that is information about data that is automatically embedded within Microsoft Office/PDF documents.
Below is a list of the metadata that may be found within Microsoft Office files:-
(1) Track Changes: marks that show where a deletion, insertion, or other editing change has been made in a document;
(2) Comments: notes or annotations that an author or reviewer adds to a document. Microsoft Word displays the comment in a balloon in the margin of the document or in the Reviewing Pane;
(3) Your name and initials;
(4) Your email address;
(5) Your company or organisation's name;
(6) Other document and file properties and summary information, such as file size, date/time the file was created, modified and accessed and the location where the file is stored (e.g., C:\MyDocuments\FinanceInformation\AccountDetails);
(7) The names of previous document authors;
(8) Document revisions;
(9) Document versions;
(10) Template information: determines the basic structure for a document and contains document settings such as fonts, macros, page layout, special formatting, and styles;
(11) Hidden text: text that is visible to search engines but invisible to humans. It is mainly accomplished by using text in the same colour as the background colour of the page. It is primarily used for the purpose of including extra keywords in the page without distorting the aesthetics of the page;
(12) Macros: mini-programs that will execute a series of commands in series, saving the user having to repeat typing or data input. Macros are typically created to perform frequently used tasks; and
(13) Hyperlinks, these are links to websites or web based files.
Where a PDF is generated from a document in another format most of the above metadata will be removed in the process. Every PDF file contains metadata; however, this is far more limited than the above metadata contained within Microsoft Office files. PDF metadata mainly provides additional information about the PDF file itself, such as the author, the company, when it was created, any changes made, what application was used to create it and any potential copyright restrictions.
Always use a professional PDF application to generate PDF files, some free PDF applications may maintain sensitive metadata within the PDF that is generated.