Guideline No. B-095
Subject: Use of Electronic Signatures and Records
This guideline establishes when an electronic signature may replace a written signature and when an electronic record may replace a paper document in official activities of the Tennessee Board of Regents (TBR) and its institutions.
Tennessee Code Annotated § 47-10-101, et seq. – Tennessee Uniform Electronic Transactions Act
Tennessee Code Annotated § 10-7-101, et seq. – Tennessee Public Records Act
TBR Guideline G-070 – Disposal of Records-RDA 2161
TBR Policy 1:08:00:00 – Information Technology Resources
This guideline applies to the TBR Central Office and all TBR Institutions, and applies to all forms of electronic signatures and electronic records used to conduct the official business of the TBR and its institutions. Such business shall include, but not be limited to, electronic communications, transactions, procurements, contracts, grant applications and other official purposes.
A. An "electronic signature" is defined as an electronic sound, symbol, or process, attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record. An electronic signature must be attributable (or traceable) to a person who has the intent to sign the record with the use of adequate security and authentication measures that are contained in the method of capturing the electronic transaction (e.g., use of personal identification number or personal log-in identification username and password), and the recipient of the transaction must be able to permanently retain an electronic record of the transaction at the time of receipt.
B. An "electronic record" is defined as any record created, used, or stored in a medium other than paper, such as: information processing systems, computer equipment and programs, electronic data interchange, electronic mail, voice mail, text messages, information in PDAs and similar technologies. To the extent that facsimile, telex, and/or telecopying, and/or former hard copy documents are retained in electronic form, through a scanning process, they are also considered electronic records.
C. A "record" is information that is inscribed in a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form. Financial and other documents or forms are records.
D. An "electronic transaction" is a transaction conducted or performed, in whole or in part, by electronic means or electronic records.
E. "Electronic" relates to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities.
F. An “approved electronic signature method” is one that has been approved in accordance with this guideline and applicable state and federal laws, and which specifies the form of the electronic signature, the systems and procedures used with the electronic signature, and the significance of the use of the electronic signature.
G. A "certificate" is an electronic document used to identify an individual, server, a company, or some other entity and to associate that identity with a public key. A certificate provides generally recognized proof of an entity’s identity.
H. "Public-key" infrastructure (PKI) is a form of information encryption that uses certificates to prevent individuals from impersonating those who are authorized to electronically sign an electronic document. A "public key" is a value provided by some designated authority as a key that, combined with a "private key" derived from the public key, can be used to effectively encrypt messages and digital signatures.
I. A "private key" is an encryption/decryption key known only to the party or parties that exchange messages. In traditional private key cryptography, a key is shared by the parties so that each can encrypt and decrypt messages.
J. "Approval Authority", for purposes of this guideline, shall mean the Chancellor, the President of an institution or the Vice Chancellor for the Tennessee Technology Centers or designee. An electronic signature created through the use of Public Key Infrastructure (PKI) or any method that permanently encrypts a record must be approved by the TBR Chief Information Officer. The TBR Chief Information Officer shall forward information regarding the PKI signature method to the Office of Information Resources (OIR) for approval.
V. USE OF AN ELECTRONIC SIGNATURE
A. Mutual agreement by the parties
This guideline applies only to transactions between parties each of which has agreed to conduct transactions by electronic means. Whether the parties agreed to conduct a transaction by electronic means is determined from the context and surrounding circumstances, including the parties’ conduct.
B. Signature required by TBR or Institutional policy
1. When a TBR or Institutional policy requires that a record have the signature of an authorized person, that requirement is met when the electronic record has associated with it an electronic signature using an approved electronic signature method.
2. When a TBR or Institutional policy requires a written signature on a document, that requirement is met when an electronic document has associated with it an electronic signature using an approved electronic signature method.
C. Signature required by law
1. When there is a legal requirement, in addition to TBR or Institutional guideline, that a record have the signature of an authorized person, that signature requirement is met when the electronic record has associated with it an electronic signature using an approved electronic signature method which complies with applicable TBR/institutional policy, Tennessee law, and federal law.
2. When a legal requirement, in addition to TBR or Institutional policy, requires a written signature on a document, that requirement is met when an electronic document has associated with it an electronic signature using an approved electronic signature method, which complies with applicable TBR/institutional policy, Tennessee law, and federal law.
D. The signing of a record using an approved electronic signature method does not mean that the record has been signed by a person authorized to sign or approve that record. Appropriate procedures must be used to confirm that the person signing the record has the appropriate authority and intent to sign the record.
E. If parties have agreed to conduct a transaction by electronic means and a law requires a person to provide, send, or deliver a signed document to another person, the requirement is satisfied if the information is provided, sent, or delivered, as the case may be, in an electronic record capable of retention by the recipient at the time of receipt. An electronic record is not capable of retention by the recipient if the sender or its information processing system inhibits the ability of the recipient to permanently retain the electronic record containing the signature.
VI. APPROVAL OF ELECTRONIC SIGNATURE METHODS BY THE APPROVAL AUTHORITY
A. The final approval of any electronic signature method will be by the approval authority. In determining whether to approve an electronic signature method, consideration will be given to the systems and procedures associated with using that electronic signature, and whether the use of the electronic signature is at least as reliable as the existing method being used. This determination will be made after a review of the electronic signature method by the appropriate authorities.
B. If approved electronic signature methods require the use of encryption technology that uses public or private key infrastructure and/or certificates, the Information Technology Department at the Institution will be responsible for the administration of such public or private keys and certificates, and information will be provided to TBR’s Information Technology Department.
C. An approved electronic signature method may limit the use of that method to particular electronic records, particular classes of electronic records, or particular TBR or institutional departments. An electronic signature used outside of its defined parameters will not be considered valid by TBR or the Institution.
D. In the event that it is determined that a previously approved electronic signature method is no longer trustworthy, the approval authority must revoke the approval of that electronic signature method. If there is an on-going need for electronic signatures, which were made by the revoked method, the approval authority will take steps to see that appropriate electronic signatures are obtained by an approved electronic signature method.
E. An inventory of all approved electronic signature methods shall be maintained by the TBR Office of Information Technology.
VII. RULES AND PROCEDURES
With respect to the use of electronic signatures or electronic transactions, the following requirements pertain to approved electronic signature methods:
A. Specific transactions that may be conducted by electronic means must be identified;
B. Specific transactions that may not be conducted by electronic means must be identified;
C. The manner and format in which electronic records must be created, generated, sent, communicated, received, and stored, and the systems established for those purposes must be specified;
D. The method must:
1. Comply with any law or regulation that requires electronic records which must be signed by electronic means;
2. Specify the type of electronic signature required, the manner and format in which the electronic signature must be affixed to the electronic record, and the identity of, or criteria that must be met by, any third party used by a person filing a document to facilitate the process;
E. Control processes and procedures must be developed to ensure adequate preservation, disposition, integrity, security, confidentiality, and auditability of electronic records;
F. Control processes and procedures must be developed for any other required attributes for electronic records that are specified for corresponding non-electronic records or that are reasonably necessary under the circumstances;
G. An inventory of all approved electronic signature methods must be maintained; and
H. Approval of an electronic signature method must be obtained as follows:
- An analysis of the nature of a transaction or process to determine the level of protection needed and the level of risk that can be tolerated. The analysis shall include:
  - the full range of technological options and follow commercial trends where appropriate;
  - Identifying and documenting any potential costs, quantifiable and unquantifiable, direct and indirect, in performing a cost/benefit analysis;
  - Developing a comprehensive plan for converting a traditional process to an electronic one; and
  - Identifying all information relevant to the process.
- Comply with G-070 for the records produced by electronic processes, including long-term retention where necessary. Consider retaining an electronic document in paper-based form for important or sensitive contexts;
- Request legal review to verify that the electronic signature method complies with applicable laws governing the creation and use of electronic signatures;
- Outline the steps of the electronic signature method so that you can demonstrate the reliability of your process;
- Submit to the approval authority;
- Implement upon approval; and
- Provide implemented method to the TBR Central Office.
Procedure to Authorize and Implement Electronic Signature Methods
Procedure for Email Transactions - Personal/Professional Service Contracts
Procedure for SciQuest Transactions
Procedure for Web Time Entry Transactions
Any individual or party that makes inappropriate or illegal use of electronic signatures, transactions and/or records is subject to sanctions up to and including dismissal, suspension, and criminal prosecution as specified in published TBR and institutional policies, Tennessee and federal laws.
Source: Presidents Meeting November 6, 2007; Presidents Meeting August 11, 2009