Electronic signatures guideline
Purpose
The purpose of this guide is to provide guidance on when electronic signatures are considered accepted means of validating the identity of a signer in Queensland Government department electronic documents and correspondence, and thus a substitute for traditional wet signatures, within the organisation. Because communication has become primarily electronic, the goal is to reduce confusion about when an electronic signature is trusted.
Electronic signatures (e-signatures) are the electronic version of manually handwritten signatures. This guideline provides guidance on:
- the use of e-signatures for government purposes
- compliance issues with relevant standards for Commonwealth and State laws.
Guide
The guideline covers various considerations for using e-signatures as an authentication mechanism in Queensland Government.
This guideline is not about:
- implementing a technology solution for e-signatures
- using e-signatures for implementing a security solution for ICT systems.
While relevant laws are referenced, this guideline is not a substitute for professional guidance on legal matters.
Applicability
This guideline applies to all Queensland Government departments (as defined by the Public Sector Act 2022). Accountable officers (not already in scope of the Public Sector Act 2022) and statutory bodies under the Financial and Performance Management Standard 2019 must have regard to this guideline in the context of internal controls, financial information management systems and risk management. Please see the Applicability of the QGEA for further information.
What are e-signatures?
Like a manuscript signature (also called wet signature), the goal of e-signatures is to bind a signatory to a document in a way that makes later repudiation difficult (Foder, 2010). However, the validity of e-signatures under a law depends on the type of the e-signature and the purpose of its use.
By definition, an e-signature is any letters, characters, or symbols manifested by electronic or similar means and executed or adopted by a party with an intent to authenticate a writing or data in electronic form, which are attached to or logically associated with other electronic data and which serve as a method of authentication (Blythe, 2005).
Examples of e-signatures may include but are not limited to the following (Ibid, p3):
- digitised version of a manuscript signature i.e. scanned image of the wet signature; signing on a touch screen
- digitised fingerprint i.e. digitised image of a fingerprint
- biometric scan like a fingerprint, iris, vocal signature
- typed name at the end of an email message
- clicking or ticking of an I Agree or Purchase Now button or box on a computer screen
- digital signature which uses encryption and decryption technology alongside a Public Key Infrastructure (PKI).
Each type of e-signature will be useful at a certain security level. Each type will meet different success criteria in meeting the requirements for a valid signature at law (Christensen, Duncan, & Low, 2003).
Benefits of using e-signatures
E-signatures serve the same purposes as manuscript signatures (Christensen, Duncan, & Low, 2003):
- Identity: to prove that the document was signed by an identifiable person (authentication) and that the person cannot credibly deny their identity (non-repudiation)
- Consent or approval: to prove that the person affixing the signature approves of the contents of the document and that the person cannot deny doing so (non-repudiation)
- Integrity: to indicate that the document has not been altered since it was signed.
Different types of e-signatures have varying degrees of success in performing these functions. Their performance needs to be assessed against the purpose for which they are being used and their ability to withstand scrutiny under various applicable laws discussed below.
According to the Electronic Commerce Expert Group (Tyree, n.d.), the following are the primary uses for e-signatures:
- Evidentiary: to serve as admissible evidence in a court of law, such as the Statute of Frauds
- Cautionary: to attest a document and its significant legal consequences e.g. wills
- Reliance: to attest to the reader the veracity or truthfulness of the contents of a document
- Channelling: to categorise documents into more or less legal significance
- Recordkeeping: to abide by government regulations to safe keep documents such as taxation and customs.
Considerations for using e-signature
Legal considerations
This section describes legal considerations for using e-signatures but should not be taken as a substitute for professional legal advice.
There are provisions in some legislation that allow for the use of e-signatures in transactions. The Commonwealth (1999) and Queensland Government (2001) deal with the use of e-signatures in their respective Electronic Transactions Acts (ETA). When necessitated by state law in Queensland, the requirement for a signature is purported to be met by electronic means when the following criteria are met, the:
- method used identifies the person and indicates the person's approval of information
- method used is as reliable as appropriate for the purpose for which the information is communicated
- person to whom the signature is provided consents to the requirement being met using the e-signature method.
There are some exemptions where e-signatures cannot be used, as stipulated in the Queensland ETA's Schedule 1. For example, a requirement or permission for a:
- person to file a document with a court or tribunal for a proceeding
- document to be served personally or by post
- document to be attested, authenticated, verified or witnessed by a person other than the author of the document.
The Commonwealth ETA (1999) also has a list of laws and regulations that are exempt from the Act, as stipulated in the Electronic Transactions Regulations 2000 (Australian Government, 2000).
The respective electronic transaction laws both aim at:
- confirming the effectiveness of a transaction that has been undertaken electronically
- specifying the requirements for an electronic communication to act as a signature when a law requires the signature of a person.
The laws also provide an overarching regulatory framework that:
- recognises the importance of the information economy to the future economic and social prosperity of Queensland
- facilitates and promotes confidence in the use of electronic transactions in business, the community, and the government.
The critical element in all cases is that the signature indicates that the person approves of something; an e-signature containing their name or initials is therefore considered an express or implied expression of intention. Like a manuscript signature, an e-signature can be challenged for forgery or against the law's criteria. Nonetheless, the ETA eliminates the need for wet signatures when the criteria are met in digital form.
E-signatures should apply to individuals only. E-signatures for roles, positions, or titles (e.g. the CFO) should not be considered valid. The CFO's office should maintain an organisation-wide list of the types of documents and correspondence that are not to be used with e-signatures.
Queensland legislation allows for the electronic signature and witnessing of documents in some circumstances. The Justice and Other Legislation Amendment Act 2021 (Qld) modernises the signing and witnessing of affidavits and statutory declarations in Queensland. The reforms commenced by proclamation on 30 April 2022, and provide an additional execution method.
For further guidance relating to the use of e-signatures in Queensland, please see Crown Law’s Please sign electronically 2.0.
Technical considerations
The Commonwealth and Queensland ETAs are neutral on the technology to be used to support e-signatures if the ETAs' criteria for e-signatures are met. This provides flexibility for people and businesses to determine the signature technology that is most appropriate to their particular needs (Australian Government, 1999).
Different types of e-signatures meet legislative criteria to varying degrees. For example, a digitised wet signature used to authenticate a person's identity is less credible than encrypted digital signature certificates. The admissibility of these technologies in court and their ability to achieve compliance with existing standards will depend on meeting the criteria set by applicable laws and relevant standards.
Guidance also exists from the Australian Government Information Management Office (AGIMO, 2009) e-Authentication Framework regarding the use of e-signatures.
E-signature acceptance requires specific action by both the employee signing the document or correspondence (hereafter the signer) and the employee receiving or reading the document or correspondence (hereafter the recipient).
Responsibilities when using public key infrastructure (PKI)
This section outlines suggested responsibilities for both signers and recipients when departments are using public key infrastructure (PKI).
Signer responsibilities
- Signers should obtain a signing key pair from the department's identity management group or equivalent. This key pair will be generated using the department's public key infrastructure (PKI) and the public key will be signed by the department's certificate authority (CA).
- Signers should sign documents and correspondence using software approved by their department's IT organisation.
- Signers should protect their private key and keep it secret.
- If a signer believes that the signer's private key was stolen or otherwise compromised, the signer should contact the department's identity management group or equivalent immediately to have the signer's digital key pair revoked.
Recipient responsibilities
- Recipients should read documents and correspondence using software approved by their department's IT organisation.
- Recipients should verify that the signer's public key was signed by their department's CA, by viewing the details about the signed key using the software they are using to read the document or correspondence.
- If the signer's digital signature does not appear valid, the recipient should not trust the source of the document or correspondence.
- If a recipient believes that a digital signature has been abused, the recipient should report the recipient's concern to their department's identity management group or equivalent.
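The recipient checks above, shown with the openssl command line as an added example that is not part of the original guideline or any department's tooling. It builds a throwaway CA and signer (every name, path and document text is constructed) and reports the verdict for a CA-issued signer, a self-signed look-alike, and a document altered after signing; it assumes openssl is installed and leaves out revocation checking.

```shell
# Added example; the CA, signer and document below are constructed for the demo.
work=$(mktemp -d)

make_pki() {
  # Department CA (self-signed root), hypothetical name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Dept CA" \
    -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null
  # Signer key pair, then the CA signs the signer's public key
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Signer" \
    -keyout "$work/signer.key" -out "$work/signer.csr" 2>/dev/null
  openssl x509 -req -in "$work/signer.csr" -CA "$work/ca.crt" -CAkey "$work/ca.key" \
    -CAcreateserial -days 1 -out "$work/signer.crt" 2>/dev/null
  # Look-alike: same name, but self-signed rather than issued by the CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Signer" \
    -keyout "$work/rogue.key" -out "$work/rogue.crt" 2>/dev/null
}

sign_doc() {  # sign_doc <private-key> <document> <signature-out>
  openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

recipient_check() {  # recipient_check <signer-cert> <document> <signature>
  # 1. Was the signer's public key signed by the department CA?
  openssl verify -CAfile "$work/ca.crt" "$1" >/dev/null 2>&1 ||
    { echo "untrusted-signer"; return 1; }
  # 2. Does the signature match this exact document?
  openssl x509 -in "$1" -pubkey -noout > "$work/pub.pem"
  openssl dgst -sha256 -verify "$work/pub.pem" -signature "$3" "$2" >/dev/null 2>&1 ||
    { echo "bad-signature"; return 1; }
  echo "trusted"
}

make_pki
printf 'Approved: purchase order 0001\n' > "$work/doc.txt"
sign_doc "$work/signer.key" "$work/doc.txt" "$work/doc.sig"
sign_doc "$work/rogue.key" "$work/doc.txt" "$work/rogue.sig"
printf 'Approved: purchase order 0009\n' > "$work/altered.txt"

recipient_check "$work/signer.crt" "$work/doc.txt" "$work/doc.sig" || true      # trusted
recipient_check "$work/rogue.crt" "$work/doc.txt" "$work/rogue.sig" || true     # untrusted-signer
recipient_check "$work/signer.crt" "$work/altered.txt" "$work/doc.sig" || true  # bad-signature
```

The look-alike case is why the CA check comes first: its signature is mathematically valid for its own key, so only the chain to the department CA exposes it.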
Recordkeeping requirements
In Queensland, the Public Records Act 2002 and Records governance policy apply to records in all formats, regardless of the technology used to create, transmit or authenticate the record.
Advantages and disadvantages of e-signatures
The organisation should weigh the advantages and disadvantages of using e-signatures within its organisational structure. Some of these considerations are below.
Advantages
- Reduced costs from filing, printing, faxing or mailing
- Instant transmission by electronic means which can improve productivity and process efficiency
- Improved tamper-proofing by digital encryption and electronic storage
- Improved storage of documents by electronic means
- Can leverage existing electronic systems
- Reduces error from manual processes of handwriting signatures and dates.
Disadvantages
- Can be difficult to implement due to technical challenges
- Need for electronic displays and systems which can be expensive if they do not already exist in the organisation
- Not all stakeholders may have the capacity to sign documents electronically due to lack of appropriate technology.
Any organisation considering the use of e-signatures is advised to perform a risk assessment of its transactional processes to carefully consider legal and technical implications. This ensures that the use of e-signatures is reliable and appropriate for its functions and purposes, provides greater advantage than disadvantage, and is in accordance with the organisation's goals and needs. See ICT risk management for more information on this topic.
The Queensland State Archives has published resources on assessing the implementation of e-signatures, including the need to undertake environmental scans of obligations which may require wet signatures, and identifying processes and records that may need more robust forms of authentication.
Example implementations
The following are example implementations provided by Queensland Government departments:
- Approved documents are attached to an email. The email system authenticates the sender and the act of sending the email signifies approval and consent.
- Timesheets are authenticated and approved using the Electronic Documents and Records Management System (eDRMS). With this, they can track alterations to the timesheets using audit trails. The timesheet saved then becomes a record that cannot be altered.
- Some departments use third-party certified, digital signature solutions that are either in-house or cloud based.
Summary
E-signatures come in various forms and have the capacity to meet various purposes (authentication, approval, integrity) and various uses (evidentiary, recordkeeping, etc). In most cases a signature required under legislation can be met using a digital alternative and will be deemed equivalent to a manuscript signature provided it meets the criteria stipulated in the law (Commonwealth or Queensland).
To support the digitisation of services and internal processes Queensland Government departments are encouraged to consider their requirements for signatures and assess circumstances where digital alternatives would be suitable and/or efficient.
References
AGIMO 2009, National e-Authentication Framework. Retrieved from Department of Finance and Deregulation, <http://www.finance.gov.au/files/2012/04/NeAFFramework.pdf>.
Australian Government 1999, Electronic Transactions Act, retrieved September 2015, from Attorney-General's Department, <https://www.ag.gov.au/RightsAndProtections/ECommerce/Documents/ElectronicTransactionsAct1999infosheet.pdf>.
Australian Government 2000, Electronic Transactions Regulations 2000, retrieved from Australian Government ComLaw, <https://www.comlaw.gov.au/Details/F2015C00665>.
Blythe, S. E. 2005, Digital Signature Law of the United Nations, European Union, United Kingdom and United States: Promotion of Growth in E-Commerce with Enhanced Security. Richmond Journal of Law and Technology, 11(2), retrieved from <http://law.richmond.edu/jolt/v11i2/article6.pdf>.
Christensen, S., Duncan, W., & Low, R. 2003, (12). The Statute of Frauds in the Digital Age - Maintaining the Integrity of Signatures. Murdoch University Electronic Journal of Law, 10(4), retrieved 09 January, 2015 from <http://eprints.qut.edu.au/4281/1/4281.pdf>.
Foder, J. 2010, The inadequate legislative responses to e-signatures. Computer law and security, 26(4), 418-426, retrieved from <http://epublications.bond.edu.au/law_pubs/333>.
ICA 2008, International Council on Archives: Principles and Functional Requirements for Records in Electronic Office Environments, retrieved 09 January, 2015, from <http://www.archives.qld.gov.au/Recordkeeping/GRKDownloads/Documents/guidelines_functional_requirements.pdf>.
Law, U. N. 2020, 07 16, Electronic Commerce, retrieved from United Nations Commission International Trade Law, <https://uncitral.un.org/en/texts/ecommerce>.
Queensland Government 2001, Electronic Transactions (Queensland) Act 2001. Queensland, Australia, retrieved from <https://www.legislation.qld.gov.au/legisltn/current/e/electrontrqa01.pdf>.
Queensland State Archives. 2009, Recordkeeping and digital signatures. Queensland, Australia, retrieved 09 January, 2015, from <http://www.archives.qld.gov.au/Recordkeeping/GRKDownloads/Documents/Public_Records_Briefs.pdf>.
Queensland State Archives, 2015, 10, Mythbusters - Signatures. Retrieved 25 October, 2015, from Queensland State Archives: <http://www.archives.qld.gov.au/Recordkeeping/GRKDownloads/Documents/Mythbuster3-Signatures.pdf>.
S., Charles. 2019, July 17, How to electronically approve documents and expenditure, retrieved from Queensland Audit Office: <https://www.qao.qld.gov.au/blog/how-electronically-approve-documents-expenditure>.
Tyree, A. (n.d.). Electronic Signatures. Retrieved 09 01, 2015, from Australasian Legal Information Institute, <http://austlii.edu.au/~alan/electronic-signatures.html>.