rabelani dagada electronic records management chetty law 2011
DESCRIPTION
Rabelani Dagada, Author and IntellectualTRANSCRIPT
Electronic Records Management
Jenna Cuming &
Katherine Thompson
CL Johannesburg
© Chetty Law 2011
Guest Lecture Presented During Rabelani Dagada's Technology & Information Management's Class at the Wits Business School, 3 February 2011
Electronic Communications and Transactions Act
Electronic Records Management
Electronic Evidence & E-Discovery
Boardroom ConversationsChecklists
Records Management Imperative
Legal Compliance (Mandate, Industry)Evidence – Proof of Existence of Facts
Operational Efficiency
Governance ImperativeKing III
Archives Imperative
National Archives Prescriptions
Access to Justice and Access to Information Imperative
PAJA & PAIA (PPI Bill)
Enter the ECT Act…..
© Chetty Law 2011
Intention:To maximize the benefits of electronic transactions and
internet usage by all South Africans.
In effect:Electronic transactions have the same legal
force as paper based transactions.
In Short
© Chetty Law 2011
Information is not without legal force and effect merely on the
grounds that it is wholly or partly in the form of a data message… or is
merely referred to in such data message.
ECT : Section 11(1) & (2)
© Chetty Law 2011
Means:Data generated, sent, received or stored by
electronic means and includes voice, where the voice is used in an
automated transaction; and a stored record.
Definition of a Data Message
© Chetty Law 2011
Includes:data (electronic information) in email, internet, intranet, sms, voice between
persons and stored records
Excludes: voice between natural person and an
automated voice response system
Data Message
© Chetty Law 2011
“Legal force and effect to information…referred to in a way that a reasonable
person would have noticed the reference and accessible in a form in which it may
be read, stored and retrieved by the other party, whether electronically or as a computer printout (able to be reduced to
electronic form)”
Incorporation By Reference
© Chetty Law 2011
Radicati Group Email Statistics Report 2010, the average corporate user sends
and receives 110 e-mail messages daily.
http://www.radicati.com/wp/wp-content/uploads/2010/04/Email-
Statistics-Report-2010-2014-Executive-Summary2.pdf
Only e-mails…
© Chetty Law 2011
All sources of records!
A record is defined in the ECT Act, as “recorded information
regardless of form or medium”
Can include e-mails, sms’s and instant message logs
What is a record?
© Chetty Law 2011
“ if any other law requires the retention of documents or records, such documents and
records may be retained in electronic format, subject to certain conditions”
ECT sets out requirements for electronic records retention:
information is accessible for subsequent reference
- is in format generated, sent or received or format that accurately represents information
- origin and destination of data message and date & time it was sent or received can be determined
Section 16
© Chetty Law 2011
Exceptions
Agreements:
Alienation of LandLong term property lease
Execution:Will or Codicil
Bill of Exchange
© Chetty Law 2011
Electronic evidence must not be denied
admissibility (a) on grounds that it is in electronic format or (b) if it is best evidence.
Must be given due evidential weight.
Section 15
© Chetty Law 2011
To qualify as an original,
Integrity must be maintained:- Complete, unaltered, except for endorsement or change in
normal course of communication, storage or display.- Must pass assessment.
Capable of being displayed or produced to person to whom it is presented.
.
Original ito Section 14
© Chetty Law 2011
Assessed in terms of:- reliability of the manner in which it was generated, stored
or communicated & manner in which integrity was maintained
- manner in which originator was identified- any other relevant factor.
(Course of business) Data message certified be to correct by an officer in service of company will be admissible as
evidence.
Evidential Weight
© Chetty Law 2011
Where law prescribes a signature, must use advanced signatures, other cases consensus
between parties is sought (includes “click-wrap” and “browse-wrap” agreements).
Signatures s13
© Chetty Law 2010
Electronic Signaturevs.
Advanced Electronic Signature
Signatures s13
© Chetty Law 2011
The Electronic Evidence Issue Paper
© Chetty Law 2011
Judge HCJ Flemming (1996): Video Conferencing?
Letter to Minister of Justice (1997): Telecommunication Technology in Trials
Law Reform Commission (1997): Investigation Recommendation: use of “audio-visual links” – e.g.
leave to appeal
Project 113 – Project 126
Facilitate a focused debateAllow stakeholders opportunity to raise relevant
matters
Rationale for Issue Paper
© Chetty Law 2011
Rapid developments in technologyAnonymity, Abundance, Assumptions
Multiple sources and formats,Ease of manipulation
ObsolescenceReading data
Metadata
ECT Act Presumptions
Interaction with rule against hearsay
Rationale for Issue Paper
© Chetty Law 2011
-Legal Issue of indirect evidence, challenges for cross-examination
-Level of reliance that can be placed on such evidence
The Promotion of Access to Information Act (PAIA)
© Chetty Law 2011
Promotion of Access to Information Act/ Intention
“PAIA gives effect to the constitutional right
of access to any information held by the State and any information by another
person that is required for the exercise or protection of any rights”
© Chetty Law 2011
Promotion of Access to Information Act/ Non Disclosure
“Where the information requested
relates to certain confidential information of a third party: IO must
refuse the request for access to information, if the disclosure thereof
would amount to a breach of a duty of confidence owed to the third party in
terms of an agreement”
© Chetty Law 2011
Head of private body must compile & keep updated a manual containing:
Address, phone, fax and emailGuide to request recordsCategories of recordsDescription of recordsDetail to facilitate a requestSubjects and categories of records
What needs to be done?
Head of private body must compile & keep updated a manual containing:
Address, phone, fax and emailGuide to request recordsCategories of recordsDescription of recordsHow to requestCosts of requestSubjects and categories of records
© Chetty Law 2011
Protection of Personal Information Bill
© Chetty Law 2011
Purpose
“To protect the privacy with regard to the processing of personal information; and balance the right to privacy against other rights such as the right of access to information.”
© Chetty Law 2011
Data Subject
“data subject” = the person to whom personal information relates
© Chetty Law 2011
Personal Information
Information relating to an identifiable, living, natural person & where it’s applicable, an identifiable, existing juristic person, including but not limited to:
*Race, gender, sex, pregnancy, marital status,national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
* Education or the medical, financial, criminal or employment history of the person;
* Any identifying number, symbol, e-mail address, physical address, telephone number or other particular assignment to the person;
* The blood type or any other biometric information of the person;
© Chetty Law 2011
* The personal opinions, views or preferences of the person;
* Correspondence sent by the person that is implicitly or explicitly of a privateor confidential nature or further correspondence that would reveal the contents of the original correspondence;
* The views or opinions of another individual about the person; and
* The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal informationabout the person;
© Chetty Law 2011
Processing Any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including:-
(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation, use;
(b) dissemination by means of transmission, distribution or making available in any other form; or
(c) merging, linking, as well as blocking, degradation, erasure or destruction of information
© Chetty Law 2011
The 8 Principles
Principles of Processing
(1) Accountability
(2) Processing Limitation
(3) Purpose Specification (Specific, Defined, Deletion, Retention)
(4) Further Processing Limitation (compatibility)
(5) Information Quality
(6) Openness
(7) Security Safeguards
(8) Data Subject Participation
© Chetty Law 2011
Trans-border Flow Not Transfer to 3rd party in foreign country unless
recipient subject to law, code, contract which upholds principles substantially similar to principles in Act and includes provisions similar to section relating to further transfer
consent
transfer necessary for contract performance (DS & RP)
transfer is for benefit of DS and not reasonably practicable to obtain consent to transfer / DS would have consented if reasonably practicable
© Chetty Law 2011
And let’s hand over to Katherine….
Electronic Discovery
© Chetty Law 2011
What is E-Discovery?
“Parties to litigation have the right to
receive copies of the “records” to be used as evidence during the litigation process.
Failure to provide such “records” results in the inadmissibility of such records as
evidence”
© Chetty Law 2011
E-Discovery Challenges
“includes email messages (including
backups and deleted messages), instant messages (IM), web site information
whether in text, graphic or audio format, log files, voicemail messages and logs, data
files (documents, spreadsheets, database files, etc.), program files, cache files,
cookies”
© Chetty Law 2011
http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1202426600692
Responding to requests has
become more complex
Need to pull Data from voicemail, email, sms, instant messaging
Still no Policies for preservation of electronic evidence
Significant risk
Coleman vs. Morgan Stanley
“Morgan Stanley & Co. Inc. has agreed to pay a $15 million civil fine to settle federal
regulators' charges that it repeatedly failed to provide tens of thousands of e-mails that
they sought in major investigations over several years”
Numerous misstatements about practices
© Chetty Law 2011
Zubulake vs. UBS Warburg
“A $29 million verdict was returned against
UBS because the company had destroyed email messages that were demanded as
evidence in the case”
© Chetty Law 2011
Arndt vs. First Union Banks
“Evidence has been received that tends to show that
certain profit and loss statements and E-mails were in the exclusive possession of the defendant, First
Union; and, [sic] have not been produced for inspection, by the plaintiff or his counsel, even
though defendant, First Union, was aware of the plaintiff's claim. From this, you may infer, though you
are not compelled to do so, that the profit and loss statements and the E-mails would be damaging to
the defendant”
© Chetty Law 2011
Edgars Consolidated Stores Limited (EDCON) v CCMA
Ms A, an employee of Edgars, received an email from
another Edgars employee. The email had racist connotations. Ms A did not consider the email as
offensive– in fact she thought it was funny – and she in turn forwarded the email to family members and
friends, none of whom were employed by Edgars.
“used the Company’s electronic mail to transmit offensive mail internally and externally, thereby
causing harm to the Company’s reputation”
© Chetty Law 2011
SIHLALI, MAFIKA v SABC
Resignation/Firing by SMS?
Contract of Employment with SABC, sent sms to Chairman of the Board resigning.
Resignation accepted, tried to go back but Court said no.
© Chetty Law 2011
Companies Act 71 of 2008
© Chetty Law 2011
“electronic communication’’ has the meaning set out in section 1 of the Electronic Communications
and Transactions Act
“present at a meeting’’ means to be present in person, or able to participate in the meeting by
electronic communication, or to be represented by a proxy who is
present in person or able to participate in the meeting by electronic communication”
Companies Act / Definitions
© Chetty Law 2011
“An unaltered electronically or
mechanically generated reproduction of any document, other than a share
certificate, may be substituted for the original for any
purpose for which the original could be used ito the Act
If, in terms of this Act, a notice is required or permitted to be given or published to any person, it is sufficient if the notice is transmitted electronically directly to that
person in a manner and form such that the notice can conveniently be printed by the
recipient within a reasonable time and at a reasonable cost”
Companies Act / E-Documents
© Chetty Law 2011
National Archive and Record Services (NARS) Act
© Chetty Law 2011
Act requires the retention of records for reasons including the preservation of the social memory of the organisation. While the National Archives Act impacts mainly public institutions, it would also impact the records practices of companies
to whom public institutions outsource certain services.
Records are needed to serve as evidence that the functions of the entity have been fulfilled,
required for management, accountability, operational continuity, legal evidence and
disaster recovery, part of the organisations memory and cultural heritage and may be
intrinsically linked to the rights of citizens.
NARS
© Chetty Law 2011
King III Code
© Chetty Law 2011
Associated Policies
© Chetty Law 2011
- Establish guidelines &
responsibilities for use
- Avoid risk
- Achieve compliance
- Accountability
Why do you need policies?
© Chetty Law 2011
• Lost a disk with details 370 000 policy holders
• Password protected but not encrypted
• Posted
http://www.dofonline.co.uk
http://www.bbc.co.uk
• Details of affairs, debts and drugs
• Memory stick encrypted with password on sticky note
• Memory stick with government information -
subcontractor
• Personal financial details on a computer sold on e-bay
• Bank customersAccount details, signatures, contact details, family details
http://www.bbc.co.uk
Electronic Communications Policy pertaining to acceptable and unacceptable use of the electronic communications facilities of the company; Interception and Monitoring Policy that specifies the circumstances under which the company shall intercept and/or monitor personnel communications; the procedures to the be followed by the company in compliance with RICA; and limitations placed on the manner in which the records emanating from such interception or monitoring shall be used;
Typical Electronic Records Policies
© Chetty Law 2011
Electronic Records Management Policies pertaining to the proper storage and management of electronic records; the treatment of email records and website records; the mandatory and specific metadata to be retained in respect of electronic records;
Disaster Recovery and Business Continuity Strategies, Statements and Policies that specify the steps taken by the company internally and by technology providers to ensure the availability of electronic records systems and electronic records and the procedures for recovery to business interruptions;
Typical Electronic Records Policies
© Chetty Law 2011
Records Retention Schedules that specify the retention period and the appropriate date for destruction for electronic records including email records;
E-mail Management Policies that provide more detailed and contextualised information on e-mail and e-mail records management specifically
Typical Electronic Records Policies
© Chetty Law 2011
Case Study 1
© Chetty Law 2011
SA Records Retention Periods Example
Title of Legislation Title of Record Retention Period
Companies Act No. 61 of 1973
Memorandum and Articles of Association
Indefinite
Basic Conditions of Employment Act No. 75 of 1997
Employee’s name and occupationRemuneration paid to each employee
3 years
National Credit Act No. 34 of 2005
Employers should keep records for each employee specifyingthe nature of any disciplinary transgressions, the actions taken by the employer and the reasons for the actions
Indefinite
Income Tax Act No. 58 of 1962
Vendors are obliged to keep the following records (from date the income tax return was lodged):- Record of all goods and services- Invoices- Tax invoices- Bank statements- Deposit slips
5 years
Case Study 2
© Chetty Law 2010
Retention and Evidentiary Quality of Electronic Evidence
Substantive Considerations
Electronic Communications and Transactions Act
UNCITRAL Model Laws(Insight on Interpretation of ECT Act)
National Archives and Records Service Act
Guidance on Electronic Records Management, Disposal of Records, Metadata Requirements
Procedural Considerations
Uniform Rules of Court(E-Discovery)SEDONA Principles,
Federal Rules of Civil Procedure,Case law on E-Discovery
Judicial Precedents & Application
Best Evidence Rule,Hearsay,
Case law on Electronic Evidence
Approaches to the Legal Question
International Legal Opinions
Write
© Chetty Law 2011
Basic Health-Check
-Official Records created, captured upon creation or receipt in appropriate
records management system
-Access managed - policies and procedures
-Found on demand and reliable as evidence
-Managed and planned strategically- Employees and personnel are trained
- Reporting and accountability- Policies and procedures are updated
© Chetty Law 2011
http://www.lib.az.us/records/GuidanceAndRelatedResources/21st_century_rm_checklist.pdf
http://www.lib.az.us/records/GuidanceAndRelatedResources/21st_century_rm_checklist.pdf
http://www.whitefoot-forward.com/iso_15489-1.pdf
Getting started
© Chetty Law 2011
Phase 1
• Assembly of a Task Team that comprises representatives of selected departments in your organisation that would be role players in the development and implementation of the systems, policies and procedures
Phase 2• Identification and Consolidation of existing policies in force that
may be updated or need to be taken into account.• Drafting of additional policies and procedures
Phase 3
• Identification of suitable technology providers of electronic records management systems
• Assessment of the available systems against the legal requirements for electronic evidence specified in the ECT Act.
Phase 4• Implementation of policies, procedures and selected
technologies• Training and Awareness
Ongoing• Monitoring and Evaluation according to a specified schedule• Amend and update policies and procedures, upgrade
technologies
www.chettylaw.co.zahttp://twitter.com/ChettyLaw
Road Block
- Records Retention vs. Wikileaks
- Practical use of electronic signatures