Electronic Signatures and Document Migration

A signature can lose its validity when documents are moved, for example when a new system is put into use. We explain the problem so you can take it into account.

An Electronic Signature

On Wikipedia you can find the following information about electronic signatures:

An electronic signature, or e-signature, refers to data in electronic form, which is logically associated with other data in electronic form and which is used by the signatory to sign.

And:

This type of signature provides the same legal standing as a handwritten signature as long as it adheres to the requirements of the specific regulation it was created under”

Last quote shows that treated correctly, an electronic signature has the same validity as a handwritten one.
The first quote means that the signature is data in electronic form, which is logically related to what is being signed – in our case the document. This implies for us, that:

An electronic signature is metadata about the document.

Moving a Signed Document

The signing is typically done concretely by the user entering login information as confirmation of signing, and this event is logged on the document itself or in a common event log.

This means that:

The document signature is only documentable by virtue of the system.

Then it stands to reason that this information is essential to get out of the old system and staple it to the document in some way so that the signing of the document can still be documented.
If the signature is to have general validity, it must be evident that the signature has not been corrupted in the migration. This can be interpreted a bit differently, but at a minimum it must mean:

  • It can be shown that the migration has been done under full control
  • The link between the document and the data representing the signature is intact
  • That there has been no possibility to tamper with it during the process.

It may be possible in some cases to migrate the raw signing data and attach it to the document as actual metadata in the new system. But we have yet to see a receiving system set up for that.

Log List and Signature Page

More often one goes a different way. Information about signatures – typically in a log – is extracted in a table which identifies the person and time of the signature and links it unambiguously to a document, e.g., by means of an ID. The list is archived for posterity so that evidence is in place. When importing documents into the new system, a reference is printed, e.g., as a version comment, that evidence for signing is found in the list.
It is a bit smarter if you can take the signing information that belongs to the document, put it visibly on a page, and put the extra page into the document. In fact, many electronic signing solutions do exactly that on their own with each signing. If that’s the case, we’re happy, because then we have our signature sitting inside the document and our worries are put to rest.

Where to Read More?

For pharmaceutical companies, FDA 21 CFR part 11 sets out what is required for a signature to be valid, and there is a more recent guidance document for data integrity, of which signature data is a part. Although other industries do not necessarily have to comply with these requirements, they are good to learn from, because it is basic common sense.
The ISO standard 13008, Information and documentation – Digital records conversion and migration process, is a best practice standard. It addresses migration, for example, in relation to. technology(s), requirements for a migration, planning and testing.

Digital Signatures

There are also digital signatures, which are not the same as electronic signatures. In Denmark, for example, we know digital signatures from NemID, where an external party authenticates that we are who we say we are.

A migration of documents signed with digital signatures is quite different from what is described above. The signature is then held externally and not in the document management system. This is not the kind of signatures this article is about.

Conclusion

An electronic signature is just one of many concrete problems in document migration. It is a really good example to illustrate the main challenge of a migration: preserving the integrity of documents!
Data integrity needs to be in focus and this needs to be supported with good processes and good tools.

Our experience and best advice for a controlled migration, where the documents are well afterwards, is gathered in our Guide to Document Migration.