Digital archiving – legal requirements

To many business managers, the sheer volume of paperwork involved in operating a business today might seem to threaten to bury the company under a landslide of accounting records, contracts and minutes of long forgotten meetings.

The management of a company's information stored in paper form can be an expensive administrative headache. Fortunately, the new Electronic Transactions Act (ETA) and recent improvements in information technology mean that electronic storage of important documents is now a viable and efficient method for companies to manage their information.

Storing information in electronic form and discarding original hard copies can result in significant cost savings and, potentially, could also allow more effective contract management and referencing of historical records.

There are two principal reasons why a company may retain information. First, it may be required by law to do so. Second, the company may wish to retain information as a record of its transactions, commitments and business generally. This article will briefly discuss the legal implications of electronic storage of information for each of these reasons, before setting out some very general guidelines for digital archiving.

Electronic storage and a company's statutory obligations

What statutes might apply?

Companies are required to retain information under a number of statutes. The two most common are the Income Tax Act and the Companies Act. However, when considering what records must be retained, a company should consider all of the statutes, rules and regulations governing that company's particular field of business as these statutes may impose specific requirements for storage of information. For example, the Medicines Act requires manufacturers of pharmaceuticals to retain information regarding the quality and testing of any medicines they distribute.

The ETA provides guidelines for companies wishing to retain electronically information that they are required to store. However, statutory or regulatory bodies such as the Inland Revenue Department (IRD) may also issue their own guidelines on electronic record retention. For example, the IRD has released an exposure draft setting out a number of requirements for retention of business records for tax purposes.

Storing paper based records in electronic form

Under the ETA, a legal requirement to retain information that is in non-electronic (i.e. paper) form is satisfied by retaining an electronic form of the information provided that:

1. the electronic form can reliably maintain the integrity of the information; and
   
   
2. the information can easily be accessed for subsequent reference.

To satisfy the first requirement, integrity of the information will be retained only if the information has remained complete and unchanged in any material way (the implementation of an audit trail as suggested below will help prove this requirement).

The second requirement will be satisfied if the information can be readily accessed using the information holder's equipment, or with equipment that could be easily obtained from a third party.

Storing electronic based records

Under the ETA, information originating in electronic form can be retained in that electronic form provided that its storage meets the standards of integrity and accessibility outlined above.

Otherwise, such electronic information can be converted into and stored as a hard copy so long as the information is not altered in the conversion.

Storing electronic communications

Where information that must be retained is in the form an electronic communication (e.g. an email), the ETA's standard requirements for electronic storage of information apply. In addition, however, further information relating to the origin, destination and time the communication was sent and received must also be retained. This additional information must also be retained even if the communication is stored in paper form.

Provision of electronic records

Obviously, at some point stored records will need to be reviewed or disclosed. The ETA provides guidance on when a company may perform its disclosure obligations by providing information in electronic form (e.g. by way of an email or on a disk).

A company may disclose data in electronic form if three conditions are met. These are that: the method used to supply the data reliably assures its integrity; the information supplied is readily accessible; and the person requesting the information consents to receiving the information in electronic form. If these criteria are not met then information will need to be provided in more traditional paper-based form.

Electronic storage of a company's non-statutory information

The ETA sets out how information required to be retained by statue may be validly stored. However, chances are that a business will want to archive much more information than merely its statutory requirements.

The main driver will be records of agreements reached so that should a dispute arise there is evidence of what was agreed (this may take the form of a formal contract, correspondence and/or business records).

There is little to be gained from retaining business records, contracts and correspondence if that information cannot be relied on should a dispute arise. Accordingly, it is important to look at the court's rules of evidence in determining what steps should be taken to ensure that information stored electronically can be relied on in a dispute.

The Evidence Amendment Act defines a document as including “Any information stored by means of any…computer”. Therefore, the evidence rules governing the admissibility of documents will be relevant to information in electronic form. The rules of evidence that may apply in determining the admissibility of electronic information are:

(a) Hearsay

(b) The best evidence rule

(c) Authentication

“Hearsay” is evidence of a fact given by a person who does not have first-hand knowledge of the fact. Hearsay evidence is usually inadmissible in a court because it is considered to be second-hand evidence and therefore unreliable. This rule may present problems for the admissibility of electronic information.

For example, where data is entered into a computer system by a person who does not have first-hand knowledge of the data's derivation or accuracy, that person cannot present the data as evidence in court.

However, there is an exception to the hearsay rule in respect of “business records” (as defined in the Evidence Amendment Act). Briefly, a business record is a document made from information supplied by a person with first-hand knowledge of the information where this document is made pursuant to a duty or in the course of business.

Where a document falls into this category, it may be admitted as evidence in court without the need for the person recording the information to testify as to the document's accuracy or derivation.

“Best Evidence” - the best evidence rule requires that a party to court proceedings produces the best evidence available. Traditionally, this rule has meant that where documentary evidence is relied on only the original document was admissible. The rationale for the rule was that any copied document may not be entirely accurate and copying errors could affect the content of the document.

Although the best evidence remains an original document, digitally scanned copies of the document are now admissible in court. This position recognises that copies can now be made inexpensively and accurately, with minimal potential for error or inaccuracy in the copy.

“Authentication” - the authenticity of a document must be established before that document will be admissible as evidence. Documents stored electronically are inherently more vulnerable to either accidental or intentional change than paper documents. For example, information stored electronically may be at risk of system failures, software corruption and unauthorised access (both internal and external).

Therefore, before electronically stored documents are produced as evidence in place of the original, additional evidence of the reliability of the copying and storage processes may also be required. (Some suggestions on implementing a reliable conversion and storage process are set out below).

Any business using or intending to implement a system for electronic storage of documents should consider their storage system and the process for capturing the relevant documents in light of these three rules of evidence. Otherwise, a business faces the risk that it will not be able to rely on important documents it stores in electronic form.

How long should information be stored?

There are a number of factors to take into account when deciding how long information should be retained.

We have already referred to the specific requirements for electronic storage of business records under the Income Tax Act. This Act also provides that all tax records must be kept for a minimum period of seven years. Obviously, business records stored electronically should be stored for at least this period or any longer period required by any other statute governing a company's business.

However, there are many situations where it would be prudent to retain information for significantly longer than seven years. For litigation purposes, there is generally a limitation period of six years from the date on which a cause of action arises (although this period can vary for different types of claims). That is, claims may be filed in court up to six years after the occurrence of the act resulting in a claim.

If this act was a breach of a ten-year contract in its tenth year, then the limitation period for litigation would not expire for a further six years, and the contract document might be required more than 16 years after it was created. Other documents related to the contract may also remain relevant for a similar period of time.

On a practical level, it would be extremely expensive to store all business information for an indefinite period of time. Therefore, in determining how long to retain its documents, a business should ensure that it complies with any statutory requirements and after this weigh the costs of storing a document for a certain period against the risk that such a document will be required outside of the period and the likely cost if that document were not available.

When should information not be stored?

While most statutes focus on a requirement to retain information for a certain period, there are some statutes that prohibit the storage of information for longer than is necessary. The most common example is the Privacy Act which provides that if information is held about identifiable individuals, under the Privacy Act this information should not be retained for longer than is necessary for the purposes it was collected for. Again, a company should consider what statutes govern its business and what requirements these have on ceasing to store information.

Basic guidelines for digital archiving

The ETA requires that where information is stored electronically the method of storage must preserve the integrity of the information. In a similar fashion, the court rules of evidence require that an electronic document must be authenticated as true and accurate before it can be relied on. The following suggestions provide a basic overview of how electronic archiving can be managed to preserve the integrity of information and make authentication of that information more simple.

• A process for capturing information on when and how information was copied, who authored the original document, who copied the document and how the information will be stored should be established. This will aid in authentication of any information produced in court.
  
  
• Strict controls and rules should be established covering the generation of documents, scanning of documents, storage of documents and retrieval of documents. Compliance with these controls should be monitored.
  
  
• Access to records should be controlled and tracked by use of an identification process – for example, use of individual access codes or digital signatures. This will aid in establishing reliability of information if it is ever brought into question.
  
  
• Information should be stored on a non-erasable optical disc to ensure that information cannot be altered or deleted. If this is not possible then ‘write privileges' to a storage database should be restricted.
  
  
• Records should be backed up and copies should be stored off site to prevent loss of records in the event of fire or system-wide equipment failure.
  
  
• Technology used to store information should be capable of storing the information for the designated life time of the document. If data degradation is a risk the data should be recopied before this occurs and information should be retained to provide evidence that the recopying did not prejudice the reliability of the information.
  
  
• Information should be managed over time to prevent stored data becoming inaccessible as a result of technology becoming obsolete. For example, if information is stored on a document retrieval system that is based on one platform and the business moves to another platform, provision should be made to ensure that the stored data can still be accessed.

The bottom line

• Significant cost and administrative advantages can be gained by electronic storage of data.
  
  
• Certain statutes require businesses to retain specific information. If certain guidelines are adhered to (especially those of the Electronic Transactions Act), this information can be stored and disclosed in electronic form.
  
  
• Business information stored electronically can be relied on in a dispute provided that the information complies with the court rules for admissibility of evidence.
  
  
• Technological, process and practical issues should be considered in establishing and maintaining an electronic information storage system.

Simon Martin
Partner

A version of this article was first published in IT Brief