Evidential weight and legal admissibility of information transferred electronically
Code of practice for the implementation of BS 10008

Peter Howes and Alan Shipman

First published 1998
Second edition 2002
Third edition 2005
Fourth edition 2008
Fifth edition 2014

Published by BSI Standards Limited, 389 Chiswick High Road, London W4 4AL

© The British Standards Institution 2014

All rights reserved. Except as permitted under the Copyright, Designs and Patents Act 1988, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means – electronic, photocopying, recording or otherwise – without prior permission in writing from the publisher.

Whilst every care has been taken in developing and compiling this publication, BSI accepts no liability for any loss or damage caused, arising directly or indirectly in connection with reliance on its contents except to the extent that such liability may not be excluded in law.

While every effort has been made to trace all copyright holders, anyone claiming copyright should get in touch with BSI at the above address.

BSI has no responsibility for the persistence or accuracy of URLs for external or third-party internet websites referred to in this book, and does not guarantee that any content on such websites is, or will remain, accurate or appropriate.

The rights of Peter Howes and Alan Shipman to be identified as the authors of this Work have been asserted by them in accordance with sections 77 and 78 of the Copyright, Designs and Patents Act 1988.

Typeset in Great Britain by Letterpart Limited, www.letterpart.com
Printed in Great Britain by Berforts Group, www.berforts.co.uk

British Library Cataloguing in Publication Data
A catalogue record for this book is available from the British Library

ISBN 978 0 580 … 8567 …

Contents

Foreword
Acknowledgements
Introduction
  General
1 Context of the organization
  1.1 General
  1.2 Issues
  1.3 Requirements
  1.4 Boundaries and applicability
2 Leadership
  2.1 Leadership and commitment
  2.2 Policy statements
  2.3 Roles and responsibilities of workers
  2.4 Legal and regulatory environment
3 Planning
  3.1 Actions to address risks and opportunities
  3.2 Objectives and achievements
4 Support
  4.1 Resources
  4.2 Competence
  4.3 Awareness
  4.4 Reporting and communications
  4.5 Documented information
5 Operation
  5.1 Management overview
  5.2 Standardized documents
  5.3 Version control
  5.4 Change control
  5.5 Storage
  5.6 Sending data to archives
  5.7 Preparation for transfer
  5.8 Identity authentication
  5.9 Sender and recipient authentication
  5.10 Identification of information
  5.11 Transfer
  5.12 Receipt of transfer
  5.13 Destruction
  5.14 System maintenance
  5.15 Security and protection
  5.16 Contracts
  5.17 Third-parties
  5.18 Time considerations
  5.19 Error handling processes
6 Performance evaluation
  6.1 Monitoring, measurement, analysis and evaluation
  6.2 Internal audit
  6.3 Management review
7 Improvement
  7.1 General
  7.2 Preventive and corrective actions
  7.3 Continual improvement
Annex A Unstructured message considerations
  A.1 General
  A.2 Policy objectives
  A.3 Creation
  A.4 Spamming, filtering and viruses
  A.5 Copyright and personal use
  A.6 Retention and destruction
Annex B – Example electronic transfer policy statement
Annex C References

Foreword

Evidential weight and legal admissibility of information transferred electronically – Code of practice for the implementation of BS 10008 (referred to in this document as 'the Code') is primarily concerned with the authenticity, integrity and availability of electronically transferred information, to the demonstrable levels of certainty required by an organization. It is particularly applicable where this transferred information may be used as evidence in disputes inside and outside the legal system.

This is the fifth edition of the Code, which was first published in 1998 as PD 5000. This edition is an editorial revision of the fourth edition (BIP 0008-2 (2008)). It is technically similar, with an extension of its scope to include the transfer of information stored in databases and other electronic systems. It has also been restructured in recognition of the publication of BS 10008:2014, Evidential weight and legal admissibility of electronic information — Specification, and can be considered to be a guide to the implementation of the British Standard in relation to information transferred electronically.

Users of the previous editions should consider the advantages of assessing their information management systems in the light of this new edition, and amend their systems and/or documentation where appropriate.

This publication is the second part of BIP 0008, which is made up of the following:
• BIP 0008-1 (2014), Evidential weight and legal admissibility of information stored electronically — Code of practice for the implementation of BS 10008;
• BIP 0008-3 (2014), Evidential weight and legal admissibility of linking electronic identity to information — Code of practice for the implementation of BS 10008.

The Code is published by BSI in recognition of the large number of implementations of electronic information management systems, and of the continuing uncertainty about the legal acceptability of information that has been transferred electronically. It provides good practice guidance for the trustworthy electronic transfer of information.

Acknowledgements

The Editors would especially like to thank the BSI Legal Admissibility Editorial Board and Panel and committees IDT/1, Document management applications, and IDT/1/-/5, Revisions of BS 10008, for their contribution to the current and previous editions of this publication, in particular for their business foresight and tireless reading of the manuscript. Their suggestions for improvements added value to the final publications.

The members of IDT/1 are Martin Bailey, Ian Curington, Aandi Inston, Marc Fresko, Peter Howes, Philip Jones, Andrew Kenny, Bill Mayon-White, Roger S Poole, Nick Pope, Ian Walden, Leonie Watson, Andrew Pibworth, Neil Pitman, Alan Shipman and Tom Wilson.

The members of IDT/1/-/5 are Elisabeth Belisle, Bernie Dyer, Peter Howes, Richard Jeffrey-Cook, Bill Mayon-White, Roger S Poole, Alan Shipman, Rod Stone and Tom Wilson.

In particular, we would like to thank Jennifer Carruth from BSI for her excellent advice and copy-editing work on BS 10008:2014.

Peter Howes
Alan Shipman (Editors)
Group 5 Training Limited

The Editors would also like to thank the following organizations for reviewing the previous editions of this publication: Association of Chief Police Officers (ACPO); Association for Payment Clearing Services (APACS); British Computer Society (BCS) – Information Risk Management & Audit (IRMA) specialist group; National Audit Office (NAO); Police Information Technology Organisation (PITO); The National Archives (TNA).

The first edition of PD 5000, published in 1998, was sponsored by Group 5, in association with the Electronic Original Initiative.

Annex A Unstructured message considerations

A.3 Creation

Email, fax, SMS and IM are particularly informal forms of electronic transfer, and are classified as 'unstructured'. Typically, individual members of staff are able to include content and decide layout without corporate guidance. As such, and without special attention, these unstructured messages can result in transfer standards below those normally expected by the organization.

In order to manage these issues, guidance is needed in how to create unstructured messages. Thus, the policy statement should include points on:
• how to address messages, especially to individuals/organizations outside the organization;
• the importance of clear, single subject identification, as electronic messages are often dealt with based on this;
• writing standards (short, precise and to the point);
• spelling (often overlooked; spell-checkers should be used);
• circulation (often overdone; should be only on a need-to-know basis);
• open/closed copying (large lists of those copied may be unnecessary);
• illegal or potentially damaging electronic message content (e.g. libel, defamation, obsceneness and copyright breaching);
• attachments (ensuring they can be read by recipients);
• contracts (if contracts are concluded by electronic transfer, take care: some contracts need to be in paper form to be enforceable in certain jurisdictions. Take legal advice. If in doubt, send a paper copy for each party to sign); and
• electronic business. Arrangements for electronic business need to be carefully considered. As a baseline, the following need to be taken into account:
  – information retention requirements;
  – transfer requirements;
  – proof of identity; and
  – payment, or commitment to pay, for a specific product or service.

COMMENT: It is important to make people who have access to electronic message systems aware of the (lack of) confidentiality of messages sent in an unencrypted form. It may be illegal to send some types of electronic message (e.g. those containing pornography). Other contents may have potentially damaging effects if disclosed to/intercepted by a third-party (e.g. those containing defamatory statements). As a general rule, unencrypted electronic messages should only be sent if the content would also be appropriate for an open 'postcard' through conventional postal systems; with unencrypted messages there is no equivalent to the physical envelope that protects the content from inappropriate disclosure or from tampering. If an electronic message needs to be transferred in a confidential manner, then encryption is one technique that could be used.

In addition, the following issues should be addressed in the policy statement where relevant:
• personal passwords or alternative identity authentication (e.g. biometrics and identity tokens);
• encryption policy – define when encryption should be used and ensure the intended recipient can decrypt;
• lodging encryption keys or transactions with third-parties (see BIP 0008-3);
• international considerations – respect date, time of day and unit of measurement of the recipient and be aware of legal protection issues (e.g. trademarks);
• jargon – email, SMS and IM use their own jargon. Assess when and where it is acceptable;
• staff training policy – detail training provisions;
• procedures to be followed if an illegal or improper electronic transfer is found.

KEY ISSUE > Rules regarding the creation of unstructured messages should be devised and implemented.

A.4 Spamming, filtering and viruses

The sending of unsolicited bulk messages by email (so-called 'spam'), SMS or IM ('spim') is illegal in certain jurisdictions. To guard against unlawful activities in this arena, appropriate policies should be devised and implemented. Policy statements should include:
• adequate safeguards to ensure that unwanted, unsolicited messages do not reach workers;
• awareness and agreement by workers of actions to be taken on receipt of unsolicited messages;
• a requirement for procedures which ensure that illegal uns

olicited messages are not generated; and
• a requirement for procedures to be actioned if unsolicited messages have been sent or may be received.

Filtering techniques are designed to stop unwanted incoming and/or outgoing messages by filtering their content. These techniques will, for example, identify foul or pornographic language and delete or quarantine such messages. These techniques can also, however, if too vigorously applied, filter out genuine electronic content. The organization's workers and contractors should be aware of the use of these technologies and work within the rules applied.

Viruses are computer software that may cause major damage to any computing system that they come into contact with. They are often received through incoming messages (email is currently the major source of such malicious software, but it is spreading to other messaging forms like IM, and to mobile phones, PDAs and other such devices). The organization's workers and contractors should be made aware of the danger from viruses and other malware received through electronic messages. They should be required to comply with the organization's policy for the detection of and defence against message-borne viruses and other malware. Virus and other malware control software will not automatically identify all viruses, as new ones are continually being created. It is thus important to ensure that such systems are regularly updated.

The organization's workers and contractors should:
• be aware of the risks from the various forms of spam and malware;
• take appropriate preventive action where necessary; and
• immediately report any suspected spam, virus or other malware.

KEY ISSUE > Protection against the various forms of unsolicited messages and malware should be implemented and kept up to date.

A.5 Copyright and personal use

A.5.1 Policy

Workers have rights and responsibilities concerning electronic messaging and so does the organization. A policy should be developed in relation to these rights, to meet organizational needs. This policy should clearly define the rights of the organization and of the individual, especially in the area of the use of the organization's messaging resources for personal matters.

This policy should be carefully drafted and should be in accordance with general organizational policies with regard to workers, as too rigorous a policy may be unenforceable and may lead to worker unrest, whereas too lenient a policy may encourage abuse. The policy should be written in such a way that it is understood by all workers. It may be appropriate to take legal advice when drawing up this policy.

In order to ensure implementation of the policy, compliance should be a part of the worker's contract of employment. When subcontractors and other third-parties use the organization's messaging facilities, an agreement relating to their use should be part of the related contract.

A.5.2 Copyright

Copyright of electronic messages typically resides with the sender of the message unless agreed otherwise. Most organizations may wish to place ownership under their own control. Thus, appropriate agreements on this issue need to be included in the worker's contract of employment, or other equivalent document.

A.5.3 Privacy

Privacy rights of the individual sender and recipient will vary from country to country. Within the UK, these are typically found in the Data Protection Act 1998 and the RIPA. Electronic messaging systems operating across national borders may give rise to additional privacy issues relating to the different countries involved.

In the absence of an explicitly accepted policy, users may have a legal right to assume that their transfers will remain private. To meet corporate requirements, organizations will typically need to have rights of access to electronic transfers handled by their workers. To ensure that this is within their legal rights, they may need to gain explicit prior agreement to this from their workers and subcontractors.

A.5.4 Personal use

It may be appropriate to allow limited personal use of electronic messaging systems. Such rights and responsibilities should be defined by the inclusion of appropriate words in the worker's contract of employment.

Organizations should be aware that, if a worker with personal use of his or her electronic messaging system becomes the subject of an investigation (e.g. criminal or civil), the organization may be required to provide evidence of the worker's use of the system and may be responsible for the effects of its worker's actions.

A.5.5 Monitoring

Within this area and the ownership of copyright come the responsibilities of businesses involved in messaging, related to monitoring, for example, to ensure that illegal messages are not created or sent. At one extreme, an organization may be legally required to monitor electronic messages, for example, because of the type of business. At the other extreme, regulations in the worker's country may preclude the monitoring of personal correspondence. To manage these issues, each organization should assess its risks and the legal and personal situation, and formulate an appropriate policy to control the risks being taken. For international companies, the policy may need to be put in place for each country. The monitoring policy may need to be reviewed with the worker's trade union representative. Finally, the balance having been struck, the organization should have a clear, implemented policy for the monitoring of electronic messages.

To ensure that workers are able to understand the policy, it should be drafted in simple terms, and training and/or other awareness methods should be available as required. To avoid friction with workers in the development of the company messaging policy, they should be encouraged, when it may be appropriate, to include their contribution to the development of such policy in detail, and to include creative ideas in the use of technology.

A.5.6 Breaches, procedures and penalties

The policy should set out the procedures to be followed should a breach occur, and the penalties that may ensue. Typical penalties range from a simple 'ticking off' to dismissal. Such procedures and penalties should be included in the policy document, and should be applied irrespective of the worker's position within the organization.

KEY ISSUE > Policies for the monitoring of electronic messaging, and for its use for personal purposes, including copyright and personal use issues, should be included in the policy document.

A.6 Retention and destruction

Much electronic messaging activity is informal, and will not be required to be kept for a minimum period. Some messages, however, may by law be required to be kept for long-term retention/record keeping/archiving purposes. To ensure the availability and integrity of retained messages, the retention should be under the terms of BIP 0008-1.

Where an organization has a corporate retention policy, then electronic messages should be included within that policy as a single 'document type' with an appropriate retention period. They should not be individual message specific. A method of classifying messages and allocating them an appropriate retention period should be included within the normal process.

EXAMPLE: Electronic message categorization may best be managed by enabling the worker to identify messages that need to be kept beyond a short retention period. Those for longer storage should then be copied to an electronic storage system outside the messaging system. This process should be a 'mirror' of the related paper-based system. When a message on paper is received, it is either dealt with and stored 'on file', or it is dealt with and discarded immediately. An example of the first action is where an application form for a service is received. The second action could be appropriate for a notice of a meeting.

The following issues should be considered and, if necessary, risk assessments should be made before policies are implemented:
• normal retention periods for electronic messages may be relatively short (30–90 days);
• longer retention periods could possibly create higher risks for the organization;
• conversely, longer retention periods could lower risks by protecting the organization against claims that the content was inappropriate or defamatory – remember, however, that the sender or recipient who was once trusted may have a copy of the message and may now be an adversary;
• some electronic messages will need long-term retention/archiving for legal or regulatory purposes; these types of document/email need to be clearly identified, and staff need to be made aware of this. This applies to both sent and received electronic messages, which should be retained according to the policy;
• disclosure orders – be aware that authenticated copies of appropriate electronic messages may need to be disclosed in court (see BIP 0008-1 for details of authentication methods);
• deletion processes need to ensure that the original, together with all copies, backups and external copies (e.g. on laptops, mobile phones and PDAs), are deleted.

KEY ISSUE > Corporate retention policies should be applied to electronic messaging systems. A policy of short retention periods for all messages may not meet legal requirements.

Electronic messages in the form of email, fax, SMS and/or IM lend themselves to rapid transfer. Senders typically expect an immediate reply. They assume that delivery has been achieved and that the message has been read, within a short time interval from their send time. This may not be the case, due to delays in transmission or the unavailability of the recipient to deal with the message. Messages may not be delivered, due to addressing errors, system failure or filtering mechanisms.

Some messaging systems include a 'proof of delivery' option, whereby the recipient is asked to confirm receipt. Whilst the receipt of such a confirmation message may be trustworthy, the absence of such a receipt may not be reliable evidence as to either delivery or non-delivery.

Policies for use in relation to received electronic messages should consider receipt from a customer service viewpoint, with typical issues to be covered including:
• the use of filtering systems to exclude unsolicited messages and malware from electronic transfers – over-filtering may, however, result in lost orders;
• the verification of the identity of the sender;
• the verification of receipt and/or reading;
• prompt and courteous replies (where needed);
• referring to the sender's subject or reference – develop policy on sending incoming electronic messages with replies, as appropriate;
• if necessary, forwarding to appropriate parties – if necessary, seek permission to forward. Note that copyright typically resides with the sender (author);
• a productivity policy – electronic messaging can be very time consuming; consider set times for handling, subject previewing and/or organizing, to improve productivity; and
• assessing the value of the role of a gatekeeper to monitor/direct incoming electronic messages.

KEY ISSUE > Policies on the handling of received messages should bear in mind the expectations of the sender.

Annex B – Example electronic transfer policy statement

This annex contains an example 'electronic transfer policy statement'. It can be used as a draft upon which an organization's policy can be based.

XYZABC Limited
ABC project
Policy document for compliance with the requirements of BS 10008:2014, Specification: Evidential weight and legal admissibility of electronic information

Approved by:
Name:
Position:
Date:

Scope

This document covers the information transfer policies implemented within the XYZABC Limited electronic transfer systems. This policy conforms to the requirements of BS 10008:2014, Specification: Evidential weight and legal admissibility of electronic information.

The electronic transfer system consists of the following:
• HIJ electronic transfer system;
• KLM internet web service;
• PQR automated reporting system;
• XYZABC Limited email system;
• XYZABC Limited facsimile server system and stand-alone facsimile machines.

These electronic transfer systems are described in a system description manual (Ref: SD02). Procedures for the use of the systems are described in a procedures manual (Ref: PM02).

Information covered

Transferred information covered by this policy document relates to those messages used in relation to all aspects of electronic transfer for XYZABC Limited. XYZABC Limited does not operate an information classification system, as all information is regarded as having the same security level.

File formats

All transferred information (messages, message metadata and message attachments) is transferred in formats agreed with the recipients.

Standards

All electronic information transfer within XYZABC Limited is transferred in compliance with BS 10008:2014 and BIP 0008-2 (2014), together with any referenced national and/or international standards. All electronic information transfer within XYZABC Limited is stored in compliance with BS 10008:2014 and BIP 0008-1 (2014).

Data file and document transfer

General

The transfer policy has been agreed within XYZABC Limited to cover legal and operational requirements consistent with the status of being a public limited company. All transfer systems used within XYZABC Limited are the property of XYZABC Limited and are provided to help meet the business aims and responsibilities of XYZABC Limited; staff, contractors and others using these systems have no expectation of privacy relating to their use of these transfer systems.

Structured

This section deals with electronic documents transferred with the:
• HIJ electronic transfer system;
• KLM internet web service; and
• PQR automated reporting system.

For each document type the following will be considered:
• data file formats;
• compression and encryption;
• pre-transmission processes;
• transfer channel to be used;
• post-transmission processes;
• integrity confirmation;
• confirmation of identity of sender/recipient;
• confirmation of delivery/receipt;
• responsibility for message.

Unstructured

This section deals with transfer messages that are sent or received on an ad hoc basis. This includes person-to-person email and fax transfers.

NOTE: Email and fax transfers generated automatically from the PQR automated reporting system are included under the terms of the previous section.

Email and fax systems are provided to facilitate effective business transfers and may be used for limited personal use as defined in the staff handbook. In all cases where a document has been sent or received, it will be retained and, at the appropriate time, destroyed in compliance with BS 10008:2014 and BIP 0008-1 (2014).

Unstructured messages by email and fax can be highly effective, if properly used, or highly damaging, if improperly used. Guidelines for proper use and sanctions that will be imposed for improper use are detailed in the internet acceptable use policy (Ref: IAUP02). These guidelines include, but are not restricted to:
• the creation of messages;
• virus and other malware protection;
• unsolicited bulk messages;
• copyright, ownership and monitoring;
• receipt of and reply to messages;
• storage and retention of messages (in compliance with BIP 0008-1 (2014)); and
• personal use.

In addition, other criteria to be applied to specific message types include, but are not restricted to:
• when and how encryption is to be used;
• when and how message integrity is to be confirmed;
• when and how the identity of the sender and recipient are to be checked;
• whether proof of delivery is required; and
• what pre- and post-transmission checks should be performed.

Use of email systems other than those provided by XYZABC Limited is not allowed, and any use of other email systems on XYZABC systems or premises is in breach of the terms detailed in the staff handbook that form part of the contract of employment. Instant messaging, other than that of the restricted users of the KLM system, is not allowed, and any use on XYZABC systems or premises is in breach of the terms detailed in the staff handbook that form part of the contract of employment.

Responsibilities

This policy document should be reviewed annually under the control of the company secretary. Where changes are agreed, they are to be implemented using the change control procedures (Ref: CC01).

This policy, and any revisions to it, should be approved by the Board of Directors of XYZABC Limited prior to implementation. The maintenance of compliance with BS 10008:2014 is the responsibility of the Head of Internal Audit.

Legal advice sought

XYZABC Limited has sought and obtained agreement for this transfer policy.

Duty of care

XYZABC Limited has a duty to keep secure and accurate original documentation, or authentic copies of them. This is achieved by:
• implementing this policy document;
• implementing an information security policy;
• ensuring that only trained staff have access to the system;
• ensuring that acceptable quality control procedures are implemented; and
• ensuring that XYZABC Limited's legal advisers are consulted, and appropriate actions taken.

Annex C References

BSI publications

British Standards Institution, London. BSI Publications are available from Customer Services, Sales Department, 389 Chiswick High Road, London W4 4AL. Tel: 020-8996-9001; Fax: 020-8996-7001.

Standards

BS 6868:1987 (EN 28879:1990, ISO 8879:1986), Specification for Standard generalized markup language (SGML) for text and office systems (ISO title: Information Processing — Text and Office Systems — Standard Generalized Markup Language (SGML))
BS 10008:2014, Evidential weight and legal admissibility of electronic information — Specification
BS EN ISO 9000, Quality management systems — Fundamentals and vocabulary
BS ISO 31000:2009, Risk management – Principles and guidelines
BS ISO/IEC 27001:2013, Information technology — Security techniques — Information security management systems — Requirements
BS ISO/IEC 27002:2005, Information technology — Security techniques — Code of practice for information security management
BS ISO/IEC TR 14516:2002, Information technology — Security techniques — Guidelines for the use and management of Trusted Third Party services
ISO/IEC 10918 series, Information technology — Digital compression and coding of continuous-tone still images

Guidance documents

BIP 0008-1 (2014), Evidential weight and
legal admissibility of information stored electronically — Code of practice for the implementation of BS 0008 B I P 0008-3 (2 01 4) , Evidential weight and legal admissibility of linking electronic identity to information — Code of practice for the implementation of BS 0008 B I P 0009 (2 01 4) , Evidential weight and legal admissibility of electronic information — Compliance workbook for use with BS 0008 PD 0006: 9 , Technical guide to JPEG — Digital compression of photographic images Other publications AN SI X9 : 01 , Tru sted Ti m e Sta m p M a n a g em en t a n d Secu ri ty Servi ces I n d u stry (rD SA) , N ew York: Am eri ca n N a ti on a l Sta n d a rd s I n sti tu te (AN SI ) Si g n a tu re Al g ori th m (E CD SA) , N ew York: Am eri ca n N a ti on a l Sta n d a rd s I n sti tu te (AN SI ) E TSI TS 02 02 (2 003 ) , E l ectron i c Si g n a tu res a n d I n fra stru ctu res (E SI ) ; Pol i cy req u i rem en ts for ti m e-sta m pi n g a u th ori ti es, Soph i a -An ti pol i s: E u ropea n Tel ecom m u n i ca ti on s Sta n d a rd s I n sti tu te (E TSI ) E TSI TS 01 03 XM L V1 (2 006-03 ) , XM L Ad va n ced E l ectron i c Si g n a tu res (XAd E S) , Soph i a -An ti pol i s: E u ropea n Tel ecom m u n i ca ti on s Sta n d a rd s I n sti tu te (E TSI ) 88 Annex C References Fed era l I n form a ti on Processi n g Sta n d a rd s Pu bl i ca ti on (FI PS PU B ) 80-2 (2 002 ) , Secu re H a sh Sta n d a rd (SH S) , G a i th ersbu rg : N a ti on a l I n sti tu te of Sta n d a rd s a n d Tech n ol og y (N I ST) Ava i l a bl e a t: h ttp: //csrc n i st g ov/pu bl i ca ti on s/Pu bsFI PS h tm l Fed era l I n form a ti on Processi n g Sta n d a rd s Pu bl i ca ti on (FI PS PU B ) (2 002 ) , Th e Keyed -H a sh M essa g e Au th en ti ca ti on Cod e (H M AC) , G a i th ersbu rg : N a ti on a l I n sti tu te of Sta n d a rd s a n d Tech n ol og y (N I ST) Ava i l a bl e a t: h ttp: //csrc n i st g ov/pu bl i ca ti on s/fi ps/fi ps1 98/fi ps-1 8a pd f An ti -terrori sm , Cri m e 
a n d Secu ri ty Act 001 , Lon d on : Th e Sta ti on ery O ffi ce Ava i l a bl e a t: www l eg i sl a ti on g ov u k/u kpg a /2 001 /2 4/con ten ts Reg u l a ti on of I n vesti g a tory Powers Act 000, Lon d on : Th e Sta ti on ery O ffi ce Ava i l a bl e a t: www l eg i sl a ti on g ov u k/u kpg a /2 000/2 /con ten ts D a ta Protecti on Act 9 8, Lon d on : Th e Sta ti on ery O ffi ce Ava i l a bl e a t: www l eg i sl a ti on g ov u k/u kpg a /1 9 8/2 /con ten ts RFC 04 (1 9 ) H M AC: Keyed -H a sh i n g for M essa g e Au th en ti ca ti on , I n tern et E n g i n eeri n g Ta sk Force (I E TF) See www i etf org /rfc/rfc2 04 txt?n u m ber=2 04 RFC 61 (2 001 ) I n tern et X 09 Pu bl i c Key I n fra stru ctu re Ti m e-Sta m p Protocol (TSP) , I n tern et E n g i n eeri n g Ta sk Force (I E TF) See www i etf org /rfc/rfc3 61 txt?n u m ber=3 61 RFC 85 (2 004) Secu re/M u l ti pu rpose I n tern et M a i l E xten si on s (S/M I M E ) Versi on M essa g e Speci fi ca ti on , I n tern et E n g i n eeri n g Ta sk Force (I E TF) See www i etf org /rfc/rfc3 85 txt?n u m ber=3 85 RFC 81 (2 01 0) E SSCertI D v2 U pd a te for RFC 61 , I n tern et E n g i n eeri n g Ta sk Force (I E TF) See www i etf org /rfc/rfc5 81 txt?n u m ber=5 81 RFC 61 (2 01 ) U pd a ted Secu ri ty Con si d era ti on s for th e M D M essa g e-D i g est a n d th e H M AC-M D Al g ori th m s, I n tern et E n g i n eeri n g Ta sk Force (I E TF) See www i etf org /rfc/rfc61 txt?n u m ber=61 89