ISO 15801 outlines operation and implementation processes for information management systems that store electronic images.
Scanning a piece of paper and creating an electronic image can be done in less than a second, with two clicks of a mouse and without a second thought. But to prove it is an exact and unaltered copy of the original can require countless, and very possibly fruitless, hours.
The International Organisation for Standardisation (ISO) has developed a standard (ISO 15801) which outlines operation and implementation processes for information management systems that store electronic images. It covers the entire document lifecycle so that companies can prove the trustworthiness, reliability, authenticity and integrity of the images they store. South Africa has adopted this standard as SANS 15801 to provide guidance to companies looking to prove the authenticity of document images.
The standard's international evolution began with the need to facilitate electronic commerce. In South Africa, this demand resulted in the Electronic Communications and Transactions (ECT) Act. The ECT Act defines, broadly, what businesses must do to conduct business electronically. In theory, if the Act were enough, companies would get rid of paper and work electronically. But firstly, the Act is not clear enough in detailing exactly what companies must do. Secondly, no precedent has been set of a company using an electronic document as evidence, which means that companies simply do not know whether their electronic document images will withstand legal scrutiny. Executives often ask if they can scan a piece of paper and then destroy the original. SANS 15801 evolved to fill the gap between the principle and the operation with the necessary detail.
While SANS 15801 appears to provide the final piece in the document image authenticity puzzle, it does not. Critically, it does not cover the authenticity of information before it is scanned. Unless that too can be proved, there may still be room for doubt as to the authenticity of the record. An overall records and information management programme is the third point in a total solution and ensures information authenticity before it enters the electronic process.
The standard does fulfil its intended purpose very well. In real terms, companies that have taken the imaging system seriously, that have been doing it for some time and that deal with greater volumes, will find that they are either compliant or almost compliant. The only missing components may be the procedure manual details, responsibility allocation and role separation. However, those only require minor fine-tuning of the overall programme.
To be compliant, companies will need all the necessary elements of SANS 15801: policies, duty of care, procedures, processes, enabling technologies, and audit trails.
Each of those should have related documentation. Companies must generate an overall information management policy document, a legal retention schedule, information security policy, business continuity plan, procedure manuals, quality control logs, system description manuals, maintenance logs, contracts between the company and its service providers, and audit trail documentation.
That extensive list of documentation is necessary because, for example, if a scanner lamp fails and the scanner produces blank images, then the quality control log should pick that up. A parallel process is then needed to alert someone to the fact that the images are worthless, halt the paper document destruction process, repair the scanner and rescan the images.
The last remaining piece of the puzzle that would allow companies to be truly comfortable is a formal certification process, which does not exist yet. This means that companies will need to show their processes, and convince the judge that they comply with international best practice. This should be sufficient in most cases, as it will prove that companies have a rigid policy, and have followed that policy in scanning and finally destroying images. To further lend credence to SANS 15801, steps are under way to create a certification body that will give companies a pre-approval certificate that will greatly speed up the process.
But until that is established and operational, organisations that combine a solid records management programme with all the elements of SANS 15801 can consider themselves to be among the best in the world.