Implement and use digital signatures
Electronic or digital signatures are a method of authenticating a person as the source of a digital message and indicates their approval of the information contained in the message.
Digital signatures include:
- digitised signatures—a scanned handwritten signature inserted as an image; use of signature blocks (e.g. on emails)
- online forms—Adobe forms; workflow approvals in applications (e.g. timesheets)
- touch screens—signature on a touch screen using a stylus (e.g. Australia Post courier delivery)
- digital signatures—use of digital code and encryption technology to verify the contents of a digital document.
The Electronic Transactions (Queensland) Act 2001 provides for the use of digital signatures, as long as they meet 3 criteria:
- the signature identifies a person and indicates their intention (e.g. providing approval via an email)
- the signature is appropriate (reliable) for its purpose (noting that digital signatures offer greater security than digitised signatures)
- the person receiving the document consents to receiving a signature in electronic form.
Schedule 1 of the Act outlines exclusions regarding the use of digital signatures.
Implementing digital signatures
Your business may be subject to legislative provisions that require your records to be in a particular format.
In the absence of any specific legislative requirement, you should use a risk-based approach to deciding whether a digital or physical (wet) signature should be used.
If you are implementing digital signatures, you should:
- perform (and document) a risk assessment for the use of digital signatures—some records may require more robust forms of identification/authorisation than others (e.g. contractual documents over a certain value)
- undertake an environmental scan for business requirements or other legal or policy obligations that may require 'wet' signatures
- develop and document processes and/or any policies and related responsibilities regarding the use of digital signatures
- ensure any newly developed processes are understood so they can be implemented as standard business practice (for defensibility)
- ensure appropriate security measures are in place to prevent any unauthorised use of digital signatures
- appropriately manage the document to which the signature has been added as a record, to ensure it maintains its complete and reliable characteristics throughout its life.
See also the Queensland Audit Office's article on how to electronically approve documents and expenditure for an overview of their legal requirements, and their internal process when signing their independent auditor's opinions electronically.