

CBR is proudly produced & published
by Technews
Issue Date: December 2006

Prove authenticity of records

1 December 2006
Paul Mullon, information governance executive at Metrofile

ISO 15801 outlines operation and implementation processes for information management systems that store electronic images.
Scanning a piece of paper and creating an electronic image can be done in less than a second, with two clicks of a mouse and without a second thought. But to prove it is an exact and unaltered copy of the original can require countless, and very possibly fruitless, hours.
The International Organisation for Standardisation (ISO) has developed a standard (ISO 15801) which outlines operation and implementation processes for information management systems that store electronic images. It covers the entire document lifecycle so that companies can prove their trustworthiness, reliability, authenticity and integrity. South Africa has adopted this standard as SANS 15801 to provide guidance to companies looking to prove the authenticity of document images.
The standard's international evolution began with the need to facilitate electronic commerce. In South Africa, this demand resulted in the Electronic Communications and Transactions (ECT) Act. The ECT Act defines, broadly, what businesses must do to conduct business electronically. In theory, if the Act were enough, companies would get rid of paper and work electronically. But firstly, the Act is not clear enough in detailing exactly what companies must do. Secondly, no precedent has been set of a company using an electronic document as evidence, which means that companies simply do not know whether or not their electronic document images will bear legal scrutiny. Executives often ask if they can scan a piece of paper and then destroy the original. SANS 15801 evolved to fill the gap between the principle and the operation with the necessary detail.
While SANS 15801 appears to provide the final piece in the document image authenticity puzzle, it does not. Critically, it does not cover the authenticity of information before it is scanned. Unless that too can be proved, there may still be room for doubt as to the authenticity of the record. An overall records and information management programme is the third point in a total solution and ensures information authenticity before it enters the electronic process.
The standard does fulfil its intended purpose very well. In real terms, companies that have taken the imaging system seriously, that have been doing it for some time and that deal with greater volumes, will find that they are either compliant or almost compliant. The only missing components may be the procedure manual details, responsibility allocation and role separation. However, those only require minor fine-tuning of the overall programme.
Necessary elements
To be compliant, companies will need all the necessary elements of SANS 15801: policies, duty of care, procedures, processes, enabling technologies, and audit trails.
Each of those should have related documentation. Companies must generate an overall information management policy document, a legal retention schedule, information security policy, business continuity plan, procedure manuals, quality control logs, system description manuals, maintenance logs, contracts between the company and its service providers, and audit trail documentation.
That extensive list of documentation is necessary because, for example, if a scanner lamp fails and the scanner produces blank images, the quality control log should pick that up. A parallel process is then needed to alert someone to the fact that the images are worthless, halt the paper document destruction process, repair the scanner and rescan the images.
The last remaining piece of the puzzle that would allow companies to be truly comfortable is a formal certification process, which does not yet exist. This means that companies will need to show their processes, and convince the judge that they comply with international best practice. This should be sufficient in most cases, as it will prove that companies have rigid policy, and have followed that policy in scanning and finally destroying images. To further lend credence to SANS 15801, steps are under way to create a certification body that will give companies a pre-approval certificate that will greatly speed up the process.
But until that is established and operational, organisations that combine a solid records management programme with all the elements of SANS 15801 can consider themselves to be among the best in the world.
For more information contact Paul Mullon, Metrofile, +27 (0) 11 677 3000,
