Electronic Records Management

Jenna Cuming & Katherine Thompson
CL Johannesburg
© Chetty Law 2011

Guest Lecture Presented During Rabelani Dagada's Technology & Information Management Class at the Wits Business School, 3 February 2011

- Electronic Communications and Transactions Act
- Electronic Records Management
- Electronic Evidence & E-Discovery
- Boardroom Conversations
- Checklists

Records Management Imperative
- Legal Compliance (Mandate, Industry)
- Evidence – Proof of Existence of Facts
- Operational Efficiency

Governance Imperative
- King III

Archives Imperative
- National Archives Prescriptions

Access to Justice and Access to Information Imperative
- PAJA & PAIA (PPI Bill)

Enter the ECT Act…

In Short

Intention: To maximize the benefits of electronic transactions and internet usage by all South Africans.

In effect: Electronic transactions have the same legal force as paper-based transactions.

ECT: Section 11(1) & (2)

Information is not without legal force and effect merely on the grounds that it is wholly or partly in the form of a data message… or is merely referred to in such data message.

Definition of a Data Message

Means: Data generated, sent, received or stored by electronic means and includes voice, where the voice is used in an automated transaction; and a stored record.

Data Message

Includes: data (electronic information) in email, internet, intranet, sms, voice between persons and stored records

Excludes: voice between natural person and an automated voice response system

Incorporation By Reference

“Legal force and effect to information…referred to in a way that a reasonable person would have noticed the reference and accessible in a form in which it may be read, stored and retrieved by the other party, whether electronically or as a computer printout (able to be reduced to electronic form)”

Only e-mails…

Radicati Group Email Statistics Report 2010: the average corporate user sends and receives 110 e-mail messages daily.

http://www.radicati.com/wp/wp-content/uploads/2010/04/Email-Statistics-Report-2010-2014-Executive-Summary2.pdf

What is a record?

A record is defined in the ECT Act as “recorded information regardless of form or medium”.

Can include e-mails, SMSs and instant message logs.

Section 16

“if any other law requires the retention of documents or records, such documents and records may be retained in electronic format, subject to certain conditions”

ECT sets out requirements for electronic records retention:
- information is accessible for subsequent reference
- is in format generated, sent or received or format that accurately represents information
- origin and destination of data message and date & time it was sent or received can be determined

Exceptions

Agreements:
- Alienation of Land
- Long term property lease

Execution:
- Will or Codicil
- Bill of Exchange

Section 15

Electronic evidence must not be denied admissibility (a) on grounds that it is in electronic format or (b) if it is best evidence.

Must be given due evidential weight.

Original in terms of Section 14

To qualify as an original:

Integrity must be maintained:
- Complete, unaltered, except for endorsement or change in normal course of communication, storage or display.
- Must pass assessment.

Capable of being displayed or produced to person to whom it is presented.

Evidential Weight

Assessed in terms of:
- reliability of the manner in which it was generated, stored or communicated & manner in which integrity was maintained
- manner in which originator was identified
- any other relevant factor.

(Course of business) Data message certified to be correct by an officer in service of company will be admissible as evidence.

Signatures s13

Where law prescribes a signature, must use advanced signatures; in other cases consensus between parties is sought (includes “click-wrap” and “browse-wrap” agreements).

Signatures s13

Electronic Signature vs. Advanced Electronic Signature

The Electronic Evidence Issue Paper


Rationale for Issue Paper

- Judge HCJ Flemming (1996): Video Conferencing?
- Letter to Minister of Justice (1997): Telecommunication Technology in Trials
- Law Reform Commission (1997): Investigation Recommendation: use of “audio-visual links” – e.g. leave to appeal
- Project 113 – Project 126
- Facilitate a focused debate
- Allow stakeholders opportunity to raise relevant matters

Rationale for Issue Paper

- Rapid developments in technology
- Anonymity, Abundance, Assumptions
- Multiple sources and formats
- Ease of manipulation
- Obsolescence
- Reading data
- Metadata
- ECT Act Presumptions
- Interaction with rule against hearsay

- Legal issue of indirect evidence, challenges for cross-examination
- Level of reliance that can be placed on such evidence

The Promotion of Access to Information Act (PAIA)


Promotion of Access to Information Act / Intention

“PAIA gives effect to the constitutional right of access to any information held by the State and any information by another person that is required for the exercise or protection of any rights”

Promotion of Access to Information Act / Non Disclosure

“Where the information requested relates to certain confidential information of a third party: IO must refuse the request for access to information, if the disclosure thereof would amount to a breach of a duty of confidence owed to the third party in terms of an agreement”

Head of private body must compile & keep updated a manual containing:
- Address, phone, fax and email
- Guide to request records
- Categories of records
- Description of records
- Detail to facilitate a request
- Subjects and categories of records

What needs to be done?

Head of private body must compile & keep updated a manual containing:
- Address, phone, fax and email
- Guide to request records
- Categories of records
- Description of records
- How to request
- Costs of request
- Subjects and categories of records

Protection of Personal Information Bill


Purpose

“To protect the privacy with regard to the processing of personal information; and balance the right to privacy against other rights such as the right of access to information.”


Data Subject

“data subject” = the person to whom personal information relates


Personal Information

Information relating to an identifiable, living, natural person & where it’s applicable, an identifiable, existing juristic person, including but not limited to:

* Race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
* Education or the medical, financial, criminal or employment history of the person;
* Any identifying number, symbol, e-mail address, physical address, telephone number or other particular assignment to the person;
* The blood type or any other biometric information of the person;
* The personal opinions, views or preferences of the person;
* Correspondence sent by the person that is implicitly or explicitly of a private or confidential nature or further correspondence that would reveal the contents of the original correspondence;
* The views or opinions of another individual about the person; and
* The name of the person if it appears with other personal information relating to the person or if the disclosure of the name itself would reveal information about the person;

Processing

Any operation or activity or any set of operations, whether or not by automatic means, concerning personal information, including:

(a) the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation, use;

(b) dissemination by means of transmission, distribution or making available in any other form; or

(c) merging, linking, as well as blocking, degradation, erasure or destruction of information

The 8 Principles

Principles of Processing

(1) Accountability

(2) Processing Limitation

(3) Purpose Specification (Specific, Defined, Deletion, Retention)

(4) Further Processing Limitation (compatibility)

(5) Information Quality

(6) Openness

(7) Security Safeguards

(8) Data Subject Participation


Trans-border Flow

No transfer to 3rd party in foreign country unless:
- recipient subject to law, code, contract which upholds principles substantially similar to principles in Act and includes provisions similar to section relating to further transfer
- consent
- transfer necessary for contract performance (DS & RP)
- transfer is for benefit of DS and not reasonably practicable to obtain consent to transfer / DS would have consented if reasonably practicable

And let’s hand over to Katherine…

Electronic Discovery


What is E-Discovery?

“Parties to litigation have the right to receive copies of the “records” to be used as evidence during the litigation process. Failure to provide such “records” results in the inadmissibility of such records as evidence”

E-Discovery Challenges

“includes email messages (including backups and deleted messages), instant messages (IM), web site information whether in text, graphic or audio format, log files, voicemail messages and logs, data files (documents, spreadsheets, database files, etc.), program files, cache files, cookies”

http://www.law.com/jsp/legaltechnology/pubArticleLT.jsp?id=1202426600692

- Responding to requests has become more complex
- Need to pull data from voicemail, email, sms, instant messaging
- Still no policies for preservation of electronic evidence
- Significant risk

Coleman vs. Morgan Stanley

“Morgan Stanley & Co. Inc. has agreed to pay a $15 million civil fine to settle federal regulators' charges that it repeatedly failed to provide tens of thousands of e-mails that they sought in major investigations over several years”

Numerous misstatements about practices

Zubulake vs. UBS Warburg

“A $29 million verdict was returned against UBS because the company had destroyed email messages that were demanded as evidence in the case”

Arndt vs. First Union Banks

“Evidence has been received that tends to show that certain profit and loss statements and E-mails were in the exclusive possession of the defendant, First Union; and, [sic] have not been produced for inspection, by the plaintiff or his counsel, even though defendant, First Union, was aware of the plaintiff's claim. From this, you may infer, though you are not compelled to do so, that the profit and loss statements and the E-mails would be damaging to the defendant”

Edgars Consolidated Stores Limited (EDCON) v CCMA

Ms A, an employee of Edgars, received an email from another Edgars employee. The email had racist connotations. Ms A did not consider the email as offensive – in fact she thought it was funny – and she in turn forwarded the email to family members and friends, none of whom were employed by Edgars.

“used the Company’s electronic mail to transmit offensive mail internally and externally, thereby causing harm to the Company’s reputation”

SIHLALI, MAFIKA v SABC

Resignation/Firing by SMS?

Contract of Employment with SABC, sent sms to Chairman of the Board resigning.

Resignation accepted, tried to go back but Court said no.


Companies Act 71 of 2008


Companies Act / Definitions

“electronic communication” has the meaning set out in section 1 of the Electronic Communications and Transactions Act

“present at a meeting” means to be present in person, or able to participate in the meeting by electronic communication, or to be represented by a proxy who is present in person or able to participate in the meeting by electronic communication

Companies Act / E-Documents

“An unaltered electronically or mechanically generated reproduction of any document, other than a share certificate, may be substituted for the original for any purpose for which the original could be used in terms of the Act

If, in terms of this Act, a notice is required or permitted to be given or published to any person, it is sufficient if the notice is transmitted electronically directly to that person in a manner and form such that the notice can conveniently be printed by the recipient within a reasonable time and at a reasonable cost”

National Archive and Record Services (NARS) Act


NARS

Act requires the retention of records for reasons including the preservation of the social memory of the organisation. While the National Archives Act impacts mainly public institutions, it would also impact the records practices of companies to whom public institutions outsource certain services.

Records are needed to serve as evidence that the functions of the entity have been fulfilled, required for management, accountability, operational continuity, legal evidence and disaster recovery, part of the organisation's memory and cultural heritage and may be intrinsically linked to the rights of citizens.

King III Code


Associated Policies


Why do you need policies?

- Establish guidelines & responsibilities for use
- Avoid risk
- Achieve compliance
- Accountability

• Lost a disk with details of 370 000 policy holders
• Password protected but not encrypted
• Posted

http://www.dofonline.co.uk

http://www.bbc.co.uk

• Details of affairs, debts and drugs
• Memory stick encrypted with password on sticky note
• Memory stick with government information - subcontractor

• Personal financial details on a computer sold on e-bay
• Bank customers
  Account details, signatures, contact details, family details

http://www.bbc.co.uk

Typical Electronic Records Policies

- Electronic Communications Policy pertaining to acceptable and unacceptable use of the electronic communications facilities of the company;
- Interception and Monitoring Policy that specifies the circumstances under which the company shall intercept and/or monitor personnel communications; the procedures to be followed by the company in compliance with RICA; and limitations placed on the manner in which the records emanating from such interception or monitoring shall be used;

Typical Electronic Records Policies

- Electronic Records Management Policies pertaining to the proper storage and management of electronic records; the treatment of email records and website records; the mandatory and specific metadata to be retained in respect of electronic records;
- Disaster Recovery and Business Continuity Strategies, Statements and Policies that specify the steps taken by the company internally and by technology providers to ensure the availability of electronic records systems and electronic records and the procedures for recovery from business interruptions;

Typical Electronic Records Policies

- Records Retention Schedules that specify the retention period and the appropriate date for destruction for electronic records including email records;
- E-mail Management Policies that provide more detailed and contextualised information on e-mail and e-mail records management specifically

Case Study 1


SA Records Retention Periods Example

Title of Legislation: Companies Act No. 61 of 1973
Title of Record: Memorandum and Articles of Association
Retention Period: Indefinite

Title of Legislation: Basic Conditions of Employment Act No. 75 of 1997
Title of Record:
- Employee’s name and occupation
- Remuneration paid to each employee
Retention Period: 3 years

Title of Legislation: National Credit Act No. 34 of 2005
Title of Record: Employers should keep records for each employee specifying the nature of any disciplinary transgressions, the actions taken by the employer and the reasons for the actions
Retention Period: Indefinite

Title of Legislation: Income Tax Act No. 58 of 1962
Title of Record: Vendors are obliged to keep the following records (from date the income tax return was lodged):
- Record of all goods and services
- Invoices
- Tax invoices
- Bank statements
- Deposit slips
Retention Period: 5 years

Case Study 2


Retention and Evidentiary Quality of Electronic Evidence

Substantive Considerations
- Electronic Communications and Transactions Act
- UNCITRAL Model Laws (Insight on Interpretation of ECT Act)
- National Archives and Records Service Act
- Guidance on Electronic Records Management, Disposal of Records, Metadata Requirements

Procedural Considerations
- Uniform Rules of Court (E-Discovery)
- SEDONA Principles, Federal Rules of Civil Procedure, Case law on E-Discovery

Judicial Precedents & Application
- Best Evidence Rule, Hearsay, Case law on Electronic Evidence

Approaches to the Legal Question

International Legal Opinions

Write

Basic Health-Check

- Official records created, captured upon creation or receipt in appropriate records management system
- Access managed - policies and procedures
- Found on demand and reliable as evidence
- Managed and planned strategically
- Employees and personnel are trained
- Reporting and accountability
- Policies and procedures are updated

http://www.lib.az.us/records/GuidanceAndRelatedResources/21st_century_rm_checklist.pdf


http://www.whitefoot-forward.com/iso_15489-1.pdf

Getting started

Phase 1
• Assembly of a Task Team that comprises representatives of selected departments in your organisation that would be role players in the development and implementation of the systems, policies and procedures

Phase 2
• Identification and Consolidation of existing policies in force that may be updated or need to be taken into account.
• Drafting of additional policies and procedures

Phase 3
• Identification of suitable technology providers of electronic records management systems
• Assessment of the available systems against the legal requirements for electronic evidence specified in the ECT Act.

Phase 4
• Implementation of policies, procedures and selected technologies
• Training and Awareness

Ongoing
• Monitoring and Evaluation according to a specified schedule
• Amend and update policies and procedures, upgrade technologies

www.chettylaw.co.za
http://twitter.com/ChettyLaw

Road Block

- Records Retention vs. Wikileaks

- Practical use of electronic signatures