New York State Laws on Optical Images

State Archivist and Records Manager:

Director (Vacant)

NYS Archives & Records Admin.

State Education Dept., Albany NY 12230

518-474-1195

Guidelines for the Legal

Acceptance of Public Records

in an Emerging

Electronic Environment

The State Archives and Records Administration provides centralized records man-

agement services to State agencies. The State Government Records Management

Information Series includes booklets, fact sheets, and brochures on many aspects of

sound records and information management.

This booklet presents guidelines regarding the legal acceptance of electronically

produced records based on current State and Federal laws. A range of measures

which can be taken by agencies to enhance authenticity and admissibility of public

records is clearly defined. And special considerations for records generated by

emerging technologies are explored.

State Archives and

Records Administration

The University of the State of New York

The State Education Department

1994

Contents

Introduction ........................................................................: ..................................1

Recordkeeping Requirements and Responsibilities

Background ........................................................................................................2

Jurisdiction .........................................................................................................3

Roles and Responsibilities ..............................................................................5

Admissibility and Rules of Evidence

Acceptance as Evidence in Legal Proceedings ............................................ 6

Evidence for Administrative Hearings and Regulatory Proceedings ..10

Evidentiary Requirements for Audits ........................................................11

Measures to Enhance the Authenticity and Legal Acceptance

of Records

Overview ..........................................................................................................12

General Characteristics of a System or Process ........................................14

Produce Written Policies and Procedures .................................................14

Provide Training and Support .....................................................................15

Develop Adequate System Controls ...........................................................15

Develop and Implement System Audit Trails .......................................... 16

Conduct Routine Tests of System Performance ....................................... 16

Test and Document the Reliability of Hardware and Software ............ 17

Provide Adequate Security ...........................................................................17

Establish Controls for Accuracy and Timeliness of Input

and Output .................................................................................................18

Create and Maintain Comprehensive System Documentation ............. 19

Retain Sufficient Documentation .................................................................20

Special Considerations for Newer Technologies

Originals versus Duplicates ..........................................................................22

Digital Imaging ...............................................................................................23

Electronic Data Interchange (EDI) ...............................................................24

Retention of Records ......................................................................................25

Additional Information .....................................................................................26

Notes ......................................................................................................................28

Appendix A: Excerpts of Relevant New York State Statutes ................... 30

Appendix B: Selected Sources .........................................................................33

...

111

Introduction

Government organizations today confront an expand-

ing array of options for the systems and technologies that

they can use to create, maintain, and reproduce public

records. Many new recordkeeping techniques employ

digital technology and computers. While new information

technologies enable government agencies to streamline

recordkeeping practices and reduce records creation and

storage costs, they also pose new risks to the authenticity

of records. In this evolving environment, information sys-

tems and records management policies need thorough

review and possible modification to ensure that agencies

produce and maintain reliable, complete, and accurate

records that prove acceptable for legal, audit, and other

purposes. Agency program managers, data processing

personnel, and records managers, in consultation with

legal counsel, can take actions to enhance the authenticity

and reliability of their records.

This booklet provides guidance for State agencies in the

design, management, and operation of automated infor-

mation systems to enhance the likelihood that the records

they produce will be admissible in legal proceedings and

accepted as authentic for other purposes. In this booklet,

an automated information system is defined as any

process or system that employs optical, magnetic, elec-

tronic, or other technology for producing or reproducing

records. The guidelines are organized in four sections. The

first section discusses recordkeeping requirements and

the responsibilities of State government personnel in

meeting these requirements. The second section discusses

the legal concepts and statutes that address the admissi-

bility of records. The third section describes measures that

agency personnel can take to enhance the acceptance of

records in legal proceedings and for other purposes. A

final section raises special considerations for newer tech-

nologies. Appendices include excerpts from relevant New

York State statutes and a bibliography.

Recordkeeping Requirements

and Responsibilities

BACKGROUND

Traditionally courts classified records as hearsay, and

hence not admissible as evidence. In modem times,

through exceptions to the hearsay rule, courts have admit-

ted records into evidence when they meet specific criteria

for admissibility. Exceptions to the hearsay rule for public

records are based on the presumption that public records

reflect accurate information produced by trustworthy

procedures. These exceptions were at first restricted to

"original writings," but they were later modified to

accommodate the impact of printing and other duplica-

tion technologies, such as microfilm and photocopying.

As government agencies make increasing use of newer

technologies for recordkeeping, such as electronic filing,

digital imaging, electronic data interchange (EDI), and

other computer-based technologies, recordkeeping prac-

tices should be reviewed and modernized so that agencies

continue to produce records that are reliable, complete,

and accurate for legal, audit, and other purposes.

Under the existing Federal and state rules of evidence,

State agencies can use records produced by automated

information systems to meet recordkeeping requirements,

provided that the records are created in the normal course

of business and their authenticity and reliability can be

established. Establishing the authenticity and reliability of

records depends on the accuracy of the process or system

used to produce the record, the source of the information

in the record, and the method and time of its preparation.

Problems may arise if appropriate procedures are not fol-

lowed in creating and maintaining records, making it dif-

ficult to lay a proper foundation for admissibility. By care-

fully planning for new information systems, developing

proper pohcies and procedures, and training staff, agen-

cies can take advantage of the many benefits of new infor-

mation technologies, while limiting the risk that their

records will be lost, corrupted, or challenged.

Records primarily serve the needs of the agency that

creates and maintains them. They are a means to docu-

ment decisions, transactions, communications, and other

official actions as well as to provide management account-

ability, operational continuity, and institutional memory.

Records are also an informational resource for multiple

uses such as planning and research. In order to support

agency operations and meet recordkeeping requirements,

records must be managed in a way that ensures their

authenticity and accuracy in compliance with the myriad

of laws, regulations, policies, and standard practices of the

jurisdiction in which the agency operates.

JURISDICTION

Decisions about the creation, maintenance, and use of

documents and records and their management systems

must be made in the context of the legal and administra-

tive jurisdictions under which an agency operates and the

laws or rules governing that jurisdiction. This means that

the management of records must comply with applicable

international, Federal, state, and local legal codes, regula-

tions, and agreements; with established records manage-

ment, data processing, auditing, and related professional

practices and standards; and with applicable administra-

tive rules and policies.

Federal jurisdictions are governed by Federal Rules of

Evidence and the specific statutes and regulations of Fed-

eral regulatory authorities.1 Evidence that is introduced in

the legal jurisdiction of the State of New York is subject to

the New York State Civil Practice Law and Rules (CPLR)

and specific State laws.2 New York State statutes and reg-

ulations establish the legal basis for defining records and

providing for their use as evidence. According to the Arts

& Cultural Affairs Law (57.05) and State Government

Archives and Records Management Regulations (8

NYCRR, Part 188.2(h)), "records" are defined as:

all books, papers, microforms, computer-readable

tapes, discs or other media, maps, photographs,

film, video and sound recordings, or other docu-

mentary materials regardless of physical form or

characteristics, made or received by a State agency

or the judiciary in pursuance of law or in connection

with the transaction of public business, and retained

by that agency or its legitimate successor as evidence

of the organization, function, policies, decisions,

procedures, operations, or other activities, or

because of the information contained therein.

Records management regulations also establish the basic

framework of policies and procedures for the creation,

maintenance, disposition, and selected preservation of

State government records. The New York State Govern-

ment Accountability, Audit, and Internal Control Act

(Chapter 814, Laws of 1987) requires agencies to maintain

sufficient records to document management decisions and

the authorization of financial transactions and to safeguard

assets. The State Administrative Procedure Act (Article 3,

Adjudicatory Proceedings, Section 306 Evidence) estab-

lishes rules of evidence for administrative hearings.

In addition to legal provisions that are generally applic-

able to all State agency records, specific Federal and state

laws, policies, and standards may apply to particular

records. The United States Internal Revenue Service, for

example, has specific regulations that establish basic

requirements for taxpayers' records maintained within an

automated system.3 Programs that are supported by Fed-

eral funds or subject to Federal regulations may be

required to comply with specific requirements or proce-

dures for recordkeeping. Professional standards may

apply to certain types of applications. For example, the

American Bar Association has developed model EDI

Trading Partner Agreements.4

Some State agencies issue guidelines and regulations

that apply to specific types of records, such as the guide-

lines for State accounting systems issued by the Office of

the State Comptroller for financial records. Individual

agencies may promulgate recordkeeping requirements

applicable to all agency records as part of their agency

records management, internal controls, or internal audit

functions. Finally, State agencies may establish and

enforce recordkeeping requirements for local govern-

ments, private parties, or nonprofit organizations that

they fund, regulate, or contract with for services.

ROLES AND RESPONSIBILITIES

The agency Records Management Officer, program

managers, records custodians, information technology

staff, and legal counsel all must be involved with manag-

ing records to ensure their legal acceptance and authentic-

ity. Program managers have an obligation to make sure

that the records they create and maintain meet general

requirements for recordkeeping and the specific audit

requirements for any programs they oversee. All records

custodians are responsible for following established pro-

cedures for the creation, maintenance, and disposition of

records. Increasingly, professionals in the information

management and technology field are called upon to

design and operate automated systems, establish policies

and procedures for system operation and data adminis-

tration, train staff, and provide for security and physical

preservation of electronic records. Records managers are

responsible for the design and conduct of the agency

records management program. Agency legal counsel has

special expertise and responsibilities for advising on

issues of authenticity and admissibility of agency records.

Meeting admissibility requirements in a complex,

changing environment is a challenging undertaking that

requires cooperation and coordination within agencies.

To ensure that records are trustworthy requires a compre-

hensive, credible information management program.

Such a program includes aspects of organizational cul-

ture; formal organizational arrangements for the manage-

ment of records; clarification of responsibilities; policies,

procedures and practices that are in place; and the num-

ber, quality, skills mix and proficiency of the people

responsible for stewardship of an agency's information

assets. An agency information management program goes

well beyond the characteristics of its information systems,

and many elements of information management are not

under the direct control of the information technology

manager or the records manager. With the growth of

decentralized computing and distributed information sys-

tems, each end user also has a role in producing and main-

taining trustworthy records.

Admissibility and Rules

of Evidence

ACCEPTANCE AS EVIDENCE IN LEGAL

PROCEEDINGS

Admissibility refers to a court's willingness to accept

records as evidence in legal proceedings. Modern rules of

evidence, enacted into Federal and state laws, address two

principle objections to the admissibility of records into

evidence. The hearsay rule prohibits the admissibility of

any out-of-court statements to prove the truth of a matter.

The best evidence rule precludes the admissibility of any-

thing other than an original writing, barring an acceptable

reason for the absence of the original. Neither rule is

meant to preclude evidence that can be proven necessary

and reliable. Therefore, Federal and state rules of evidence

provide exceptions for overcoming the hearsay and best

evidence objections based on circumstantial proof of reli-

ability and trustworthiness. These exceptions contain the

specific legal requirements for admitting records into evi-

dence.

Federal and state rules of evidence contain similar

exceptions to the hearsay and best evidence rules because

the Federal government and most states have adopted uni-

form laws containing standard provisions for the legal

admissibility of records. The following three uniform laws,

drafted by the National Conference of Commissioners on

Uniform State Laws, provide exceptions to the hearsay and

best evidence objections in states that have enacted them.

The most recent of the three, the Uniform Rules of Evi-

dence, incorporates the provisions of the two earlier rules

and makes more explicit references to electronic records.

New York State has not adopted the Uniform Rules of Evi-

dence, but it has enacted the two older, well-established,

and more general rules of evidence to provide exceptions

to the hearsay and best evidence objections.

Uniform Business Records as Evidence Act (1936)

establishes the admissibility of records created in the

regular course of business if the sources of informa-

tion, method, and time of preparation justify their

admission.

Uniform Photographic Copies of Business and

Public Records as Evidence Act (1949) establishes

the admissibility of duplicate records made in the

regular course of business by any process which

accurately reproduces them, provided the records

are satisfactorily identified.

Uniform Rules of Evidence (1974), modeled after

the Federal Rules of Evidence, addresses the admis-

sibility of both original and duplicate records. It

incorporates the provisions in the uniform laws

above, and addresses the admissibility of records

produced or reproduced by modern information

technology systems, defined as: "[a]ny process or

system that employs a mechanical, photo-optical,

magnetic, electronic, or other technological device

for producing or reproducing records." New York

State has not enacted this rule.

The New York State Rules of Evidence, part of the New

York State Civil Practice Law and Rules (CPLR), incorpo-

rates the Uniform Business Records as Evidence Act

(CPLR 4518) and the Uniform Photographic Copies of

Business and Public Records as Evidence Act (CPLR 4539)

for overcoming the hearsay and best evidence objections.

These statutes address the admissibility of records in all

formats, including records that have been created and

filed electronically.5

The rationale for the business records exception is that

businesses depend on accurate recordkeeping to function

effectively. Records are generally considered trustworthy

if they are created in the normal course of business in

either the government or private sector. Records created

to support typical business activities, such as those pro-

duced in the regular course of operations, are more inher-

ently reliable than those produced especially for litigation.

Creating records in the normal course of business is not

limited to a pattern of activity that produces records on a

daily, weekly, monthly, yearly, or other cyclical schedule.

Many agencies create records as part of their regular pro-

grams, but at irregular times. Many organizations, for

example, produce audit reports intermittently as one of

their normal activities. Agency managers should pay par-

ticular attention to changes in the cycles or patterns of

records creation that may occur when new technologies

are employed or when the administration of information

systems is decentralized.

Under the Federal and state rules of evidence, original

and duplicate records are admissible provided that a

proper foundation is laid. Reproductions of original

records must be produced in the regular course of busi-

ness by a process which accurately reproduces the content

of the records. Visible records produced with a computer

in the form of computer printouts or computer output

microfilm (COM) are considered originals if an appropri-

ate witness can convince the court that they accurately

reflect the information in the computer files. Common

information processing methods are more readily

accepted as reliable than newer information technologies

which generally are subject to greater scrutiny until their

rehabihty is established through experience and wide-

spread use.

Admissibility of pubhc records as evidence in New

York State is also covered under CPLR 4520 and CPLR

4540. Before a public document can be received into evi-

dence, it must be shown that the document is what it pur-

ports to be; that is, it must be properly authenticated. The

proper official seal or signature on a document affixed by

an officer of New York or of the Federal government is

sufficient proof of the authenticity of the document with-

out further identification.6 CPLR 4520 creates a hearsay

exception for certain records prepared by public officers.

To fall within CPLR 4520, the public record must meet

several requirements. The record must be

made by a public officer

in the form of a certificate or affidavit

required or authorized by special provision of

law

made in the course of the officer's official duty

a record of a fact ascertained or an act performed

by the officer

on file or on deposit in a public office of the State.

Assuming that all of the above requirements can be met,

the record will be prima facie evidence. Although this rule

is founded on the same principles as the common law

hearsay exception for business records, this statute is

much narrower than the common law rule. The common

law may also provide a basis for the admissibility of pub-

lic records that fail to meet the formalities of CPLR 4520.7

CPLR 4540 provides an exception to the best evidence

rule for copies of public records in New York State by

establishing a means to authenticate copies. In order to

free custodians of public records from the burden of testi-

fying in court that copies of records in their possession are

genuine copies, CPLR 4540 provides a means for making

such records "self-authenticating." To satisfy the "self-

authenticating" requirement, an officer or deputy of an

officer having legal custody of an official record must

attest that the copy is correct, and the copy must be

accompanied by a certificate signed by the presiding offi-

cer of that public body. There are numerous specific pro-

visions in the CPLR and in specific statutes which pertain

to the admissibility of specific types of records, such as

marriage certificates (CPLR 4526), certificates of popula-

tion (4530), hospital bills (CPLR 4518(b)), and to the self-

authentication of newspapers and general circulation

periodicals (4532).

In New York State, criminal proceedings are governed

by the rules of evidence applicable to civil proceedings,

unless some other rule is provided by statute or by judi-

cial precedent. The Criminal Procedure Law (CPL), Sec-

tion 60.10 states that the rules of evidence applicable to

civil cases are, where appropriate, also applicable to crim-

inal proceedings.

EVIDENCE FOR ADMINISTRATIVE HEARINGS

AND REGULATORY PROCEEDINGS

Federal and State regulatory authorities have different

procedural rules from courts. The rules of evidence for

trial-type administrative hearings in New York State are

contained in the State Administrative Procedure Act

(SAPA). This law does not require agencies that hold

administrative hearings to comply with the provisions of

CPLR and, therefore, SAPA gives agencies more discre-

tion in determining what evidence will or will not be

accepted in administrative proceedings.8 As rule-making

bodies, regulatory agencies have the authority to enact

formal and informal (pocket) regulations restricting the

content and format of records that are acceptable for the

hearings and regulatory proceedings they administer.

Pocket regulations may be more specific or more lenient

than the rules of evidence that apply to admissibility in

courts of law. Nonetheless, records must still be proven

accurate and reliable. Because administrative decisions

are generally subject to judicial review, agency managers

should use the provisions contained in the CPLR's Rules

of Evidence to make sure that evidence used in adminis-

trative proceedings will also be acceptable if needed for a

court challenge. Program managers should consult their

agency's legal counsel for advice on specific requirements

that may be applicable to records needed for administra-

tive hearings or regulatory proceedings.

EVIDENTIARY REQUIREMENTS FOR AUDITS

Accurate, reliable, and trustworthy records are the cor-

nerstones of effective programs for audit and accountabil-

ity. Audits are performed periodically by expert audit

professionals, who are independent and objective, to con-

firm that a system or process produces accurate results.

Audits are performed by persons other than those who

created the records or who have an interest in their con-

tent, such as agency internal audit staff, EDP auditors,

Federal auditors, the Office of State Comptroller (OSC), or

outside independent auditing firms.

Although many audits address financial and program

issues rather than the accuracy of information systems,

almost all audits use records that originate from informa-

tion systems. Because auditors must concern themselves

with the relevance, validity, and sufficiency of evidentiary

matters, the accuracy of records and the reliability of the

systems that produced them come into question during

the course of most audits. With the increasing complexity

of government operations and the introduction of new

technologies, the accuracy of information systems is

becoming a pervasive audit concern that is no longer lim-

ited to the special area of EDP audit. Guidelines for legal

acceptance of records are compatible with the evidentiary

requirements for many audits. Program managers are also

responsible for complying with any program, financial, or

performance audit requirements that rely on creation and

maintenance of accurate and trustworthy records.

Measures to Enhance

the Authenticity and Legal

Acceptance of Records

OVERVIEW

The rules of evidence contain special provisions for

establishing the authenticity and reliability of records

which stress the sources of information, method, and time

of preparation. With the safeguards that can be built into

today's modern information technology systems, the best

evidence is not dependent on a specifically sanctioned

technology used to create a record, but on showing that

the record was the result of a process or system that accu-

rately produced it. In establishing the authenticity of

records, program managers must demonstrate in court or

to administrative authorities the trustworthiness of the

system used to produce the records. They or a designated

records custodian may be required to testify about the

operation of the system. In some cases, the opposing par-

ties or the court may inspect the system.

In establishing the authenticity of records, agencies

should focus on the reliability and accuracy of the systems

and processes that produce the records rather than on any

innate characteristic of their format or medium. These

attributes are established by

1 the policies and procedures defining proper devel-

opment, maintenance, and use of the system

2 training and support programs that ensure staff

understand the policies and procedures

3 controls that monitor the accuracy and authenticity

of data, the reliability of hardware and software, and

the integrity and security of the system.

Systems that produce records must be shown to do so in

the normal course of agency business and in an accurate

and timely manner. Policies, procedures, training and

support programs, and controls must be documented to

demonstrate that the systems which produce records are

reliable. Documentation must be understandable, accu-

rate, and accessible. Measures taken to enhance legal

acceptance of records are consistent with the procedures

and controls necessary in any well-managed information

system.

Although the general principles described in these

guidelines are applicable to any recordkeeping system

and to any type of storage medium, not all systems merit

the same degree of monitoring and control. Development

of effective systems and procedures to ensure legal accep-

tance of records requires investments in systems analysis,

procedure development, software, and training. There-

fore, the stringency of controls should be commensurate

with the degree of risk and the benefits to be gained from

more effective systems management. Agencies should

concentrate first on mission-critical systems, systems that

produce records needed in legal proceedings and audits,

and systems that expose the agency to a high degree of

risk. Systems that use newer technologies, such as elec-

tronic filing, electronic document interchange (EDI), digi-

tal imaging, and electronic mail, warrant careful review

because practices for effective management of new tech-

nologies are still evolving. Courts will scrutinize untested

technologies more rigorously than established ones, espe-

cially where there is no legal precedent.

GENERAL CHARACTERISTICS OF A SYSTEM OR

PROCESS

Legal acceptance of records requires proof that the

process or system is reliable and hence capable of produc-

ing trustworthy records. Records will be more readily

accepted as trustworthy if an agency can demonstrate that

the system that produced them

operated to support a business function and pro-

duced the records as part of that function

created accurate records

produced records in a timely manner, or produced

records after the fact where the time lapse between

an event and the creation of a record had no effect on

its content.

Program managers, information managers, administra-

tive support staff, records custodians, and data processing

professionals can take the following measures to ensure

that records produced by automated information systems

are accurate and timely.

PRODUCE WRITTEN POLICIES AND PROCEDURES

The trustworthiness of an agency's records may be

judged by the adequacy of existing procedures and how

closely they are followed. Policies and procedures should

define normal operations for development, maintenance,

and use of information systems. Written policies and pro-

cedures for each system should

1 describe the methods used to create, modify, dupli-

cate, and destroy records

2 define the roles and responsibilities of the individu-

als involved in record creation, maintenance, and

destruction

3 provide for consistent quality control, problem reso-

lution, and other activities that might otherwise be

subject to inconsistent action or misinterpretation

4 demonstrate the purpose and uses of the system

be kept up-to-date and readily available.

Established procedures only show what an agency

intended to do in managing and controlling the process or

system. The trustworthiness of an agency's records also

depends on how closely procedures are followed. Courts

may scrutinize deviations from established procedures,

especially if deviations are from legally-required proce-

dures. Therefore, additional measures are necessary to

ensure that procedures are followed and deviations are

detected and remedied.

PROVIDE TRAINING AND SUPPORT

Formal training and support programs help ensure that

policies and procedures are understood and implemented

by staff. Instructions for data input, processing, and

retrieval support staff training and document the agency's

efforts to train staff. Documentation showing that the

agency provided sufficient supervision to oversee staff in

the proper use and maintenance of a system will also

strengthen the case that procedures were followed. Oper-

ation logs and help desk (trouble) reports can document

that problems were quickly identified, attended to, and

resolved. If an agency can demonstrate that staff knew

what procedures to follow and were overseen and sup-

ported by responsible staff, it can also show a court or

other outside parties that procedures were most likely fol-

lowed. It is advisable to keep records of attendance at

training sessions and certification of training.

DEVELOP ADEQUATE SYSTEM CONTROLS

Effective recordkeeping systems, whether manual or

automated, need mechanisms and controls to ensure the

quality and reliability of the records they produce. Con-

trols monitor input and output processes, hardware and

software performance, and security. These controls

should be an integral part of any well-managed system,

built into a system when it is developed, embedded in

operating policies and procedures, and implemented

through ongoing training and support.

DEVELOP AND IMPLEMENT SYSTEM AUDIT

TRAILS

Audit trails document who used the system, when they

used it, what they did, and what were the results. Effec-

tive audit trails can automatically detect who had access

to the system, whether staff followed certain procedures,

or whether fraud or unauthorized acts occurred or might

be suspected in the system. Properly implemented audit

trails track

any changes to data in a system, including the cre-

ation, modification, and deletion of records

the date and time of any changes

1 the source of any changes.

Information technology managers have an increasing

variety of tools at their disposal for maintaining system

audit trails. Software is available for keystroke monitor-

ing, time and date stamping, virus detection, and other

controls that can be built into the design of systems. Addi-

tional mechanisms should be established to document

any changes to data, and any changes to the software and

programs used to process the data that might not be

recorded by a system's on-line audit trail procedures (e.g.,

batch updates or migrations).

CONDUCT ROUTINE TESTS

OF SYSTEM PERFORMANCE

Automated information systems rely on system edits

and routine testing to verify the accuracy and validity of

data. System edits define the parameters of on-line system

processing. Tests of system performance, conducted on a

routine basis, provide necessary oversight to verify the

integrity of a system. The design and use of system edits

and performance tests should be documented, because

the reliability of records produced by the system depends

on the accuracy and reliability of the programs and proce-

dures used to create, modify, and retrieve them.

TEST AND DOCUMENT THE RELIABILITY OF

HARDWARE AND SOFTWARE

The reliability of hardware and software affects the

authenticity and admissibihty of records. Because equip-

ment which is not functioning properly can alter the con-

tent of computer records, the reliabihty of the data pro-

cessing equipment used to store and produce the records

may be challenged. Errors in computer records can also

result from errors in the computer programs used to cre-

ate the records. Agencies can enhance the acceptance of

computer-generated records, if they

routinely test hardware and software according to a

plan developed with the advice of the manufacturer

retain all documentation related to hardware and

software procurement, installation, and mainte-

nance

maintain operation logs and run schedules to docu-

ment the reliability of system operation and perfor-

mance.

System documentation, showing compliance with the

manufacturer's hardware maintenance requirements, evi-

dence of the development and testing of programs, and a

history of consistent use and rehability of hardware and

software, normally is sufficient to demonstrate the reha-

bility of systems. An agency may also be required to pro-

vide individuals who can testify about testing and

dependability of hardware and software.

PROVIDE ADEQUATE SECURITY

Secure automated systems furnish an ideal environ-

ment for creating and maintaining trustworthy records.

To provide for security, system developers need to

develop routines that limit access and update privileges to

the appropriate people and prevent unauthorized modifi-

cation of data. Such provisions must be documented so

they can be used to attest to the credibility and trustwor-

thiness of the system. Agencies can enhance security if the

duties of staff are divided so that individuals with an

interest in the contents of records are not responsible for

administering system security, quality control, audit, or

other tasks where the integrity of a system can be com-

promised or called into question. Disaster preparedness

plans and security backup procedures will ensure that

records are protected against inadvertent or accidental

loss or destruction. Agencies should document any use of

backup procedures to restore a system or recover records,

especially if backup procedures were used to generate a

record.

ESTABLISH CONTROLS FOR ACCURACY AND

TIMELINESS OF INPUT AND OUTPUT

The processes used for data input and output must

produce accurate and timely records. Input can be chal-

lenged on any of the following grounds:

the manner in which data were entered into the sys-

tem initially

whether the data were entered in the regular course

of operations

whether data were entered within a reasonable time

after the events recorded

the adequacy of measures taken to ensure accuracy

of the data.

Agencies can enhance the acceptance of records gener-

ated through processes that involve input and output, by

taking the following measures.

Develop and follow systematic procedures for data

entry.

2 Design, implement, and document quality control

procedures.

3 Identify all input and output documents and proce-

dures in the system documentation.

4 Attest to the accuracy and validity of records at the

time they are created or updated.

Document any delays in data entry by keeping

records of the date the original source documents

were created and the date the data were entered,

and keep records of any unusual delays in produc-

ing output.

5 Retain any specially written program used to extract

data from a system.

Produce labels for media containing electronic

records that identify the exact title (including the

name of the system), creating program unit, date,

purpose, source, and destination of records.

These measures will enhance the accuracy and reliability

of records for legal admissibility and other purposes.

CREATE AND MAINTAIN COMPREHENSIVE

SYSTEM DOCUMENTATION

Complete and accurate documentation of the system or

process that produced records is an essential ingredient

for demonstrating that the records are trustworthy. Docu-

mentation of a system provides verification of the

processes used to produce records. Proper documentation

preserves information, independent of the individuals

involved, on all aspects of system design, implementation,

maintenance, and oversight. It demonstrates the existence

and proper operation of system controls which ensure

that records are accurate, reliable, and authentic.

A knowledgeable person should prepare and maintain

documentation for the process or system used to produce

the records. Documentation should be produced during the

design of the system. If a system was implemented without

it, documentation should be prepared immediately. Docu-

mentation should be complete and up-to-date, although

documentation of all changes to a system must also be kept

for the full retention period of any records produced by the

system. No particular form, format, or amount of detail is

required to describe the process or system.

The following guidelines will help agencies produce

and maintain quality documentation that supports the

admissibility of records.

1 Documentation should be comprehensive, covering

all components of an information system, and

demonstrating all steps from the beginning to the

end of the process.

Documentation must be accurate and prepared and

maintained by knowledgeable staff.

Documentation should be clear and concise so that

current and future employees can testify on its

behalf.

4 Documentation should be current and immediately

available if needed for court proceedings or other

purposes.

In a proper case, documentation can be introduced into

evidence. Courts may request program documentation

that shows how the system operates; training documenta-

tion demonstrating the distribution of written instruc-

tions, course materials, attendance of individuals at train-

ing sessions, remedial or refresher training programs, and

certification of training completed; actual audit trail

records demonstrating the activities that occurred in the

system; and evidence that procedures were followed. In

addition, individuals familiar with the operation of the

system may be asked to testify.

RETAIN SUFFICIENT DOCUMENTATION

Agencies should retain documentation describing how

a system operated and delineating the meaning, purpose,

structure, logical relationships, and origins of data for at

least as long as any records produced by a system are

retained. When a system is modified or replaced, older

versions of the documentation should be kept for as long

as any records created by the system, and procedures

used for migration or conversion of records to a new sys-

tem should be fully documented. Destruction, deletion, or

other disposal of documentation must be conducted in

accordance with agency retention and disposition policies

and schedules. The State Archives and Records Adminis-

tration (SARA) has issued guidelines for the retention and

disposition of common types of hardware, software, sys-

tem, and data documentation? Adoption and use of these

guidelines, in conjunction with a systematic program for

records management, will help ensure that documenta-

tion and other data processing unit records are retained

for the legal minimum retention period necessary to meet

legal and administrative requirements.

Special Considerations for

Newer Technologies

Courts readily accept records produced by common

information processing methods and technologies, such

as writing, typing, photocopying, and microfilming. In

fact, many of the policies and guidelines that permit use

of reproductions of records are based on decades of

experience with micrographics technologies and estab-

lished standards for quality reproduction using micro-

film.11 Records produced or reproduced using newer

technologies, such as digital imaging and electronic doc-

ument interchange (EDI), may be subject to greater

scrutiny because standards and practices are not as well

established for effective use of these technologies. Agen-

cies should take special precautions when using newer

technologies that will enhance the reliability of their

recordkeeping systems and increase the likelihood that

records produced by such systems will be legally

acceptable.

ORIGINALS VERSUS DUPLICATES

Rules of evidence generally have no bias toward origi-

nals, duplicates, or any particular technology provided

that proper procedures are followed and safeguards are in

place to produce reliable and trustworthy records. Before

a court, an "original" of a record is the record itself. In the

case of electronic records stored on computer-readable

media, a strict interpretation of the term "original" is

impractical because a computer record can not be viewed

or read unless it is printed or displayed in a "human-read-

able" form. To deal with this problem, most courts con-

sider computer printouts and other eye-readable render-

ings of computer records to be originals, provided that

they accurately reflect the information in the original

recording? In the case of records that are reproduced by

scanning and stored as digital images, the digital image or

a printout of the image may serve as the best evidence, in

lieu of the original, if satisfactorily identified and repro-

duced by an accurate process and medium.

A "duplicate" is defined in the Federal Rules of Evi-

dence as "a counterpart produced by the same impression

as the original .... or by mechanical or electronic re-

recording .... or by other equivalent techniques which

accurately reproduce the original."13 Duplicate records

must accurately reproduce original records. Information

that is readable or recognizable on originals should be

readable and recognizable on duplicates. Similarly, if

image enhancement techniques are used, the information

that is readable or recognizable on duplicates must also be

readable or recognizable on originals, except that dupli-

cates may also contain production, control, indexing, cer-

tification, or other data not related to the informational

content of the records. This exception allows additional

data to be included on duplicates for administration of the

reproduction process if it does not adversely affect the

informational content of the record. Control and indexing

data stored with digital images, for example, may be nec-

essary to retrieve the images, but they do not affect the

content of the records themselves.

DIGITAL IMAGING

Digital imaging uses scanning technology to convert

documents to an electronic form. Digital images are stored

on magnetic or optical media from which they are

retrieved and displayed on computer screens or repro-

duced on paper. Special precautions should be taken to

ensure legal acceptance of digitally produced images

because imaging is a relatively new technology with new

potential for image enhancement and alteration.

Agencies using digital imaging technology should

implement the following measures as part of the normal

operation of an imaging system.

Verify that the system accurately reproduces all

originals so that any information which is readable

and recognizable in the original can be recognized

on the digital image. Some imaging applications

include utilities that automatically verify the accu-

racy of the image when it is written. Visual verifica-

tion of each image may be necessary if automated

verification is not provided by the system. The meth-

ods used for image verification should be described

in the documentation of the system's operating pro-

cedures.

If the image is compressed, use the standard com-

pression and decompression algorithms established

by the Consultative Committee on International

Telegraphy and Telephony (CC1TT) to ensure long-

term availability of the image in its original form. Pro-

prietary algorithms do not guarantee the same degree

of long-term readability and trustworthiness?

Image enhancement may be used to increase the leg-

ibility of documents in imaging applications. Never-

theless, use of CCITT compression standards to pre-

serve a record in its "originally captured form" is

recommended. CPLR 4539 permits use of an

enlargement or facsimile if the original is on hand

for inspection. The application of this requirement to

enhanced digital images has not been tested in court.

Any use of image enhancement must be part of nor-

mal operating procedures that are thoroughly

described in the system's documentation.

Institute special security provisions to prevent alter-

ation of digital images. This can be achieved with

proper oversight by an authorized system adminis-

trator or records custodian. System security features,

such as password-controlled access and update

privileges, operation logs, and audit trails deter

alterations and enable detection of unauthorized

modifications to records. The appropriate segrega-

tion of duties between system users and system

operators is important.

Use Write-Once-Read-Many (WORM) optical media

for imaging applications. WORM media can not be

modified after the initial recording, a feature which

enhances security. It combines the unalterable qual-

ities of microfilm, with the speed and accessibility of

electronic records.

ELECTRONIC DATA INTERCHANGE (EDI)

Electronic data interchange (EDI) is the computer-to-

computer exchange of business data in a standard format.

Most EDI applications include special measures to ensure

authenticity as a substitute for the signatures on paper

documents that have been used traditionally to authorize

business transactions. In order for EDI to work as an effec-

tive and reliable method of transacting business, the trad-

ing partners involved must reach agreement on a number

of technical and use standards that affect the meaning and

validity of the data exchanged. Technical issues include

provisions for the structure and format of data into trans-

actions sets (also called "documents"), the transmission of

formatted data, the standards for communications, and

security procedures. Trading partners must also agree on

what transactions sets will be exchanged, the meaning of

data elements in those transactions sets, and instructions

for how they are to be used. Issues related to contract for-

mation, validity, and enforceability have to be addressed

specifically within the context of each EDI relationship.

For example, the time and manner in which electronically

transmitted messages become effective, what constitutes

an electronic "signature," and the proper course of action

in the event of an unintelligible transmission need to be

established in contracts or memoranda of understanding

among the trading partners.

The American Bar Association has developed Model

EDI Trading Partner Agreements which provide a frame-

work for the parties to reach agreement on these issues

and confirm their mutual intent to give legal significance

to EDI transactions.15 Before the acceptance of industry

standard formats, these issues were generally handled

directly between the trading partners. In the private sec-

tor, the need for standard formats and the fact that many

of the issues relate to the business practices of specific

industries has led to a growing number of very specific

EDI standards for particular types of business transac-

tions.16 In the public sector, governments are only begin-

ning to develop standards for common types of EDI trans-

actions? Program managers are advised to consult their

agency's counsel on the full range of legal issues involved

with the use of EDI.

RETENTION OF RECORDS

Records should be retained, regardless of their storage

media, for the amount of time required by the agency for

legal, audit, administrative, historical, or other purposes.

In New York, retention of State government records is

governed by the Arts & Cultural Affairs Law 57.05 and

the State Government Archives and Records Management

Regulations (8 NYCRR, Part 188). The State Archives and

Records Administration, State Records Advisory Services

administers New York State government's program for

retention and legal disposition of records. Agencies must

have an approved records disposition authorization

(RDA) prior to destruction of any State government

records, including source documents for automated sys-

tems and documents that are converted to digital images.

The RDA gives the agency the legal authority to destroy

obsolete records and establishes a management plan for

orderly disposition of records in the normal course of

business?

SARA considers several factors when determining

whether to authorize destruction of source documents

that are stored electronically or original records that have

been converted to digital images. By following the guide-

lines in this booklet, agencies increase the likelihood that

records produced with today's technology will be legally

acceptable. Guaranteeing ongoing access to electronic

records in general, including digital imaging systems,

involves ensuring continuous readability and intelligibil-

ity. In an era of rapidly changing technology that utilizes

proprietary systems and methods, long-term access to

records may be difficult to ensure. Such factors as hard-

ware and software obsolescence, media longevity, vendor

stability, conformance with widely accepted standards,

and the length of the retention period for records must be

considered when determining whether retention of elec-

tronic or digital images is sufficient to meet minimum

retention requirements, or whether a paper or microform

backup should also be retained. Decisions about retention

of original records should be made in consultation with

the agency Records Management Officer and SARA.

FOR ADDITIONAL INFORMATION:

SARA works in partnership with State agencies to

develop records management programs that support pro-

gram operations and public service delivery and promote

economical and efficient management of information

resources. As part of its mission, SARA advises agencies

on designing and maintaining automated information

systems that produce and maintain records to ensure that

they meet legal and program requirements. This publica-

tion is part of a SARA initiative to help agencies achieve

this goal. For additional information, please contact:

State Records Advisory Services

State Archives and Records Administration (SARA)

9C71 Cultural Education Center

Albany, New York 12230

(518) 474-6771.

Notes

1. See Federal Rules of Evidence (Rev. Proc. 8146).

2. The Criminal Procedure Law (CPL) states that the rules of evidence

applicable to civil cases are, where appropriate, also applicable to

criminal proceedings. (CPL Section 60.10.)

3. U.S. Department of the Treasury, Internal Revenue Service, Revenue

Procedure 91-59, Automatic data processing systems: guidelines, 199143

I.R.B. at 23 (October 28, 1991).

4. American Bar Association, "Model Electronic Data Interchange Trad-

ing Partner Agreement and Commentary," The Business Lawyer 45

(June 1990), pp. 1717-1749.

5. The text of these New York State statutes appears in Appendix A.

6. Jerome Prince, Richardson on Evidence, �644:641.

7. Prince, Richardson on Evidence, �342:309. See also, People v. Nisonoff, 293

N.Y. 597, 59 N.E. 2d 420.

8. New York State Administrative Procedure Act, Article 3 Adjudicatory

proceedings, Section 306 Evidence, McKinney's Consolidated Laws of

New York Annotated 56A, St. Paul, Minnesota: West Publishing Co.,

1984 (Cumulative Annual Pocket Part, 1993).

9. Retention requirements for records that document the reliability of

hardware and software are contained in the "Electronic Data Process-

ing" section of the General Records Retention and Disposition Schedule for

Use by New York State Agencies issued by the State Archives and

Records Administration.

10. These guidelines are included in the "Electronic Data Processing" sec-

tion of the General Records Retention and Disposition Schedule for Use by

New York State Agencies.

11. State Government Archives and Records Management regulations

include specific requirements for duplicating or replacing agency

records by microfilming. See 8 NYCRR, Part 188.18.

12. Not all computer printouts accurately reflect the information in orig-

inal recordings. In a recent case involving Federal records, the U.S.

Court of Appeals upheld a lower court ruling that printouts of the

contents of electronic mail messages did not preserve a complete

record. The paper rendering may not include directories, distribution

lists, acknowledgements, and other data commonly held in computer

memory and necessary for establishing the trustworthiness of the

record. (Armstrong v. Executive Office of the President, United States

Court of Appeals in the District of Columbia Circuit, No. 93-5002,

August 13, 1993).

13. Federal Rules of Evidence 1001(4).

14. CCITt Recommendation T.4, "Standardization of Group 3 Facsimile

Apparatus and Document Transmission," (1984), and CCITt Recom-

mendation T.6, "Facsimile Coding Schemes and Coding Control

Functions for Group 4 Facsimile Apparatus for Document Transmis-

sion," (1984).

15. "Model Electronic Data Interchange Trading Partner Agreement and

Commentary," pp. 1660.

16. For examples, see the American National Standards Institute (ANSI),

Standards series X12 on Electronic Data Interchange.

17. See U.S. Department of Commerce, Technology Administration,

National Institute of Standards and Technology, Federal Information

Processing Standards Publication 161-1 Electronic Data Interchange (EDI)

(Gaithersburg, MD, April 19, 1993).

18. Retention disposition authorizations are issued by SARA in consulta-

tion with the Attorney General's office and the Office of the State

Comptroller. Program managers should contact their agency's

Records Management Officer for assistance in using the General

Records Retention and Disposition Schedule or in developing records

retention schedules for their records.

APPENDIX A

EXCERPTS OF RELEVANT NEW YORK STATE STATUTES

CPLR Rule 4518. Business Records Hearsay Exception.

(a) Generally. Any writing or record, whether in the form of an entry in a

book or otherwise, made as a memorandum or record of any act, transac-

tion, occurrence or event, shall be admissible in evidence in proof of that

act, transaction, occurrence or event, if the judge finds that it was made in

the regular course of any business and that it was the regular course of

such business to make it, at the time of the act, transaction, occurrence or

event, or within a reasonable time thereafter. All other circumstances of the

making of the memorandum or record, including lack of personal knowl-

edge by the maker, may be proved to affect its weight, but they shall not

affect its admissibility. The term business includes a business, profession,

occupation and calling of every kind.

CPLR Rule 4520. Certificate or Affidavit of Public Officer.

Where a public officer is required or authorized, by special provision of

law, to make a certificate or an affidavit to a fact ascertained, or an act per-

formed, by him in the course of his official duty, and to file or deposit it in

a public office of the state, the certificate or affidavit so filed or deposited is

prima facie evidence of the facts stated.

CPLR Rule 4539. Uniform Photographic Copies of Business

and Public Records as Evidence Act.

If any business, institution, or member of a profession or calling, in the reg-

ular course of business or activity has made, kept or recorded any writing,

entry, print or representation and in the regular course of business has

recorded, copied, or reproduced it by any process which accurately repro-

duces or forms a durable medium for reproducing the original, such repro-

duction, when satisfactorily identified, is as admissible in evidence as the

original, whether the original is in existence or not, and an enlargement or

facsimile of such reproduction is admissible in evidence if the original

reproduction is in existence and available for inspection under direction of

the court. The introduction of a reproduction does not preclude admission

of the original.

CPLR Rule 4540. Authentication of official record of court or

government office in the United States.

(a) Copies permitted. An official publication, or a copy attested as correct

by an officer or a deputy of an officer having legal custody of an official

record of the United States or of any state, territory or jurisdiction of the

United States, or of any of its courts, legislature, offices, public bodies or

boards is prima facie evidence of such record.

(b) Certificate of officer of the state. Where the copy is attested by an offi-

cer of the state, it shall be accompanied by a certificate signed by, or with a

facsimile of the signature of, the clerk of a court having legal custody of the

record, and, except where the copy is used in the same court or before one

of its officers, with the seal of the court affixed; or signed by, or with a fac-

simile of the signature of, the officer having legal custody of the original, or

his deputy or clerk, with his official seal affixed; or signed by, or with a fac-

simile of the signature of, the presiding officer, secretary or clerk of the

public body or board and, except where it is certified by the clerk or secre-

tary of either house of the legislature, with the seal of the body or board

affixed. If the certificate is made by a county clerk, the county seal shall be

affixed.

by an officer of another jurisdiction, it shall be accompanied by a certificate

that such officer has legal custody of the record, and that his signature is

believed to be genuine, which certificate shall be made by a judge of a court

of record of the district or political subdivision in which the record is kept,

with the seal of the court affixed; or by a public officer having a seal of

office and having official duties in that district or political subdivision with

respect to the subject matter of the record, with the seal of his office affixed.

(d) Printed tariff or classification subject to public service commission,

commissioner of transportation or interstate commerce commission. A

printed copy of a tariff or classification which shows a public service com-

mission or commissioner of transportation number of this state and an

effective date, or a printed copy of a tariff or classification which shows an

interstate commerce commission number and an effective date, is admissi-

ble in evidence, without certification, and is prima facie evidence of the

filed original tariff or classification.

CPLR Rule 4543. Proof of facts or writing by methods other

than those authorized in this article.

Nothing in this article prevents the proof of a fact or a writing by any

method authorized by any applicable statute or by the rules of evidence at

common law.

Criminal Procedure Law (CPL) Section 60.10 Rules of evi-

dence; in general.

Unless otherwise provided by statute or by judicially established rules of

evidence applicable to criminal cases, the rules of evidence applicable to

civil cases are, where appropriate, also applicable to criminal proceedings.

Arts and Cultural Affairs Law, Section 57.05.

[O]fficial records shall include all books, papers, photographs or other doc-

umentary material, regardless of physical form or characteristics, made or

received by any agency of the state or by the legislature or the judiciary in

pursuance of law or in connection with the transaction of public business

and preserved or appropriate for preservation by that agency or its legiti-

mate successor as evidence of the organization, function, policies, deci-

sions, procedures, operations, or other activities, or because of the infor-

mation contained therein.

Back to the Law Page

Page last updated March 1, 1999 Conctact Webmaster