BS-7768-1994.pdf

BRITISH STANDARD BS 7768:1994 Recommendations for Management of optical disk (WORM) systems for the recording of documents that may be required as evidence Licensed Copy: London South Bank University, London South Bank University, Fri Dec 08 12:54:43 GMT+00:00 2006, Uncontrolled Copy, (c) BSI BS 7768:1994 This British Standard, having been prepared under the direction of the Information and Documentation Standards Policy Committee, was published under the authority of the Standards Board and comes into effect on 15 August 1994 © BSI 11-1998 The following BSI references relate to the work on this standard: Committee reference DOT/16 Draft for comment DD 206 ISBN 0 580 23459 2 Committees responsible for this British Standard The preparation of this British Standard was entrusted by the Information and Documentation Standards Policy Committee (DOT/-) to Technical Committee DOT/16, upon which the following bodies were represented: British Computer Society British Library British Office Technology Manufacturers Alliance British Photographic Association Computer Graphics Suppliers Association Cranfield Imaging and Document Management User Group Her Majestys Stationery Office Kodak Limited Library Association London Borough of Bromley Records Management Society National Centre for Information Media and Technology (Cimtech) United Kingdom Association for Information and Image Management The following bodies were also represented in the drafting of this standard, through subcommittees and panels: Bar Association for Commerce, Finance and Industry Civil Aviation Authority Crown Office Institute of Chartered Secretaries and Administrators Law Society Public Records Office Amendments issued since publication Amd. No.DateComments Licensed Copy: London South Bank University, London South Bank University, Fri Dec 08 12:54:43 GMT+00:00 2006, Uncontrolled Copy, (c) BSI BS 7768:1994 © BSI 11-1998i Contents Page Committees responsibleInside front cover Forewordii Introduction 1 1Scope1 2References1 3Establishing procedures1 4General recommendations2 5Legal status3 Annex A (informative) Bibliography4 List of referencesInside back cover Licensed Copy: London South Bank University, London South Bank University, Fri Dec 08 12:54:43 GMT+00:00 2006, Uncontrolled Copy, (c) BSI BS 7768:1994 ii © BSI 11-1998 Foreword This British Standard has been prepared under the direction of the Information and Documentation Standards Policy Committee. It supersedes DD 206:1991, which is withdrawn. This British Standard gives recommendations for the management of optical disk (WORM) systems for the recording of documents that may be required as evidence. A British Standard does not purport to include all the necessary provisions of a contract. Users of British Standards are responsible for their correct application. Compliance with a British Standard does not of itself confer immunity from legal obligations. Summary of pages This document comprises a front cover, an inside front cover, pages i and ii, pages 1 to 4, an inside back cover and a back cover. This standard has been updated (see copyright date) and may have had amendments incorporated. This will be indicated in the amendment table on the inside front cover. Licensed Copy: London South Bank University, London South Bank University, Fri Dec 08 12:54:43 GMT+00:00 2006, Uncontrolled Copy, (c) BSI BS 7768:1994 © BSI 11-19981 Introduction Many organizations now use optical disk storage systems for managing records used or received in the normal course of business. Optical disk storage systems provide a particularly compact form of storage that facilitates an efficient method of retrieval, provided an index is maintained. Occasionally documents used in the normal course of business have to be produced in evidence, and at that stage the legal admissibility of electronic images of documents becomes important. Some organizations fail to take full advantage of the benefits of an optical disk storage system because they are reluctant to destroy originals that might be required as evidence in legal proceedings. Unless an organization is confident that originals may be destroyed once their images have been recorded, optical disk storage systems are unlikely to replace hard-copy files. This British Standard has been prepared to help organizations that are considering whether to transfer their records to an optical disk storage system and to help organizations that have transferred their records to ensure that properly planned and authorized procedures are introduced and followed. This standard makes no distinction between civil or criminal jurisdictions or the judicial system in which the optical disk storage system operates. Readers should note that it is for the courts to decide what is admissible and that no guarantee can be given that the electronic image of any document will be admissible. 1 Scope This British Standard makes recommendations to be followed in establishing procedures for the capture and storage of electronic images of documents that may be required as evidence, to ensure the preservation and integrity of the information on the original hard-copy documents. The standard applies only to optical disk storage systems of the Write-Once-Read-Many (WORM) type. It does not apply to systems that allow an image to be erased or altered after capture and storage. NOTEOther documents relevant to this subject are listed in the bibliography in annex A. 2 References 2.1 Normative references This British Standard incorporates, by dated reference, provisions from another publication. This normative reference is made at the appropriate place in the text and the cited publication is listed on the inside back cover. For this dated reference, only the edition cited applies; any subsequent amendments to or revisions of the cited publication apply to this British Standard only when incorporated in the reference by amendment or revision. 2.2 Informative references This British Standard refers to other publications that provide information or guidance. Editions of these publications current at the time of issue of this standard are listed on the inside back cover, but reference should be made to the latest editions. 3 Establishing procedures 3.1 Principles If an electronic image is produced in evidence instead of an original document, the organization responsible should be able to show that the image can be relied upon as being an authentic representation of the original. An organization that plans to destroy originals once their images have been captured should therefore establish procedures that include safeguards against falsification and error. A member of staff should be made responsible for ensuring that the procedures are followed. Documents or parts of documents can be electronically modified before they are committed to WORM optical disk storage. The content of an image stored on WORM optical disks cannot be altered, but reference to an image can be deleted from the file directory and reference to a new image substituted. Procedures and safeguards should be established to control the process to ensure the detection of modifications or alterations of images and corrections to the file directory. A comprehensive index is essential. Images of documents that have been captured on WORM optical disks but are not indexed or are incorrectly indexed can become virtually irretrievable. See also 4.2. Licensed Copy: London South Bank University, London South Bank University, Fri Dec 08 12:54:43 GMT+00:00 2006, Uncontrolled Copy, (c) BSI BS 7768:1994 2 © BSI 11-1998 3.2 Procedures The organization should have an authorized policy for the capture, storage and management of records on optical storage media. It should issue written procedures for implementing that policy. The procedures, certificates and related documents should be stored in a safe place. The written procedures should include information about: a) the types of record stored; b) procedures for access and access levels; c) procedures for scanning; d) procedures for indexing; e) procedures for quality control; f) procedures for retrieval and printing; g) procedures for certification; h) procedures for destruction of originals and for recording destruction; i) procedures for storage and retention; j) procedures for making backups or duplicates of an optical disk or index information; k) procedures for ensuring the correct functioning and operation of the system; l) upgrades, software changes, repairs or alterations to system components or equipment systems; m) procedures for internal or external audit; n) authorization for issue, amendment and operation of procedures. The organizations policy should be reviewed periodically to take account of any changes in legislation, technology or other relevant matters. Details of the review and any change made should be recorded. All procedures should be regularly audited and audit results recorded so that they may be made available, if required, in establishing legal admissibility. Any change made to policy or procedures should be notified to relevant personnel by means of amended documents and any superseded document withdrawn. 3.3 Certificates 3.3.1 General The procedures recommended in 3.2 should include some or all of the example certificates given in 3.3.2 to 3.3.5, to be completed at appropriate stages depending on the needs of the organization. Certificates should be kept for the same length of time as the documents they certify, either in their original form as hard copy or on WORM disk. 3.3.2 Authorization certificate Before capture an authorization certificate giving formal approval for conversion should be completed. 3.3.3 Operators certificate After a batch of documents has been captured, the operator should complete a certificate giving the operators name, date of scanning and indexing details. The certificate need not be completed if the system automatically records the required information as part of the internal audit trail. 3.3.4 Certificate of acceptance After captured images have been checked, a certificate of acceptance should be completed, stating that the images are true and complete representations of the documents captured. If a certificate applies to a batch of documents, the number of images and the number of documents should be stated. 3.3.5 Certificate of destruction After the accuracy of captured images has been confirmed, a destruction certificate should be issued to authorize destruction of the originals. See also 4.7. 3.4 Bureaux The principles that apply to the owners of documents apply equally to bureaux (see 3.1). If an organization employs a bureau to record documents on optical disk, the organization should satisfy itself that the bureaus procedures will provide security for the documents and are adequate for certification, indexing and input. The bureaus procedures should be examined by a competent person appointed by the organization to confirm that they are satisfactory. The bureaus procedures should be reviewed from time to time and its operations inspected regularly. In these circumstances, information input by a bureau should have the same status as information input in-house. 4 General recommendations 4.1 Document preparation The organization should ensure that hard-copy documents produced within the organization will be of a quality to produce a legible image after scanning. Documents that are torn or crumpled may need repair before they are scanned, but the text should not be altered or retouched to improve legibility, because that might affect its integrity. Licensed Copy: London South Bank University, London South Bank University, Fri Dec 08 12:54:43 GMT+00:00 2006, Uncontrolled Copy, (c) BSI BS 7768:1994 © BSI 11-19983 4.2 Referencing and retrieval Stored information should be organized, identified and indexed in accordance with a system that facilitates the retrieval of a particular document or series of documents. The index should preferably be stored with the information to which it applies. 4.3 Corruption of the image Procedures should be established to guard against the corruption of the image before capture or after retrieval (see 4.6). 4.4 Backup Images kept on an optical disk storage system can be lost, as with any electronic computer system, if the disk or the equipment used to store and retrieve images is damaged. Particular care should be taken to safeguard the index and system software. Backup copies of images on optical disk should therefore be made as routine and procedures for backup should be set up when the system is introduced. At regular intervals, all images recorded since the last backup should be copied onto WORM disk. If necessary, backup may be carried out more frequently or additional copies made. Each time backup is performed, details of the backup and its content should be recorded for future reference. It is essential that backup copies of index information are also routinely made, whether the information is held on magnetic or WORM disk. Backup copies should be stored in their containers, in a secure place away from the masters. 4.5 Inspection and quality control There should be periodic inspection of images stored on optical disks to check that the image quality is not deteriorating. 4.6 Safeguards 4.6.1 Access to WORM disks To protect the information stored on optical disks from disclosure, misuse or destruction, access to the disks and the stored information should be restricted to authorized staff. 4.6.2 Access to information Access should be on the basis of unique identification and verification, e.g. password or magnetic card. Imaging systems with special requirements such as high levels of security, confidentiality or personal information may require more sophisticated automated access controls. 4.6.3 Audit trails An audit trail should record who used the system, when it was used, what was done while using the system and what were the results. Properly implemented, audit trails can automatically detect who had access to the system, whether staff followed specified procedures or whether fraud or other unauthorized acts occurred or might be suspected. An audit trail provides independent confirmation that specified procedures were followed. 4.7 Storage and retention Disks should be stored in accordance with the recommendations of BS 4783-6:1992. Conditions of storage should be designed to withstand the local climate and any special hazards, e.g. high risk of fire, extremes of temperature, flooding, chemicals. Recorded information should be copied on to new disks before the manufacturers recommended useful life of the original disks expires or when advised by the system software. If an optical disk storage system is to be replaced by a new system, information stored on the old system should be transferred to the new system, checked and certified before the old system is taken out of service. Decisions as to the length of retent