Revision Responsibility: Executive Director of Information and Educational Technologies & Chief Information Officer
Responsible Executive Officer: Vice President for Business & Finance
Purpose
TBR Guideline B-095, Use of Electronic Signatures and Records, requires institutions to implement electronic signature policies. This policy establishes when an electronic signature may replace a written signature and when an electronic record may replace a paper document in official activities of the institution.
Policy
I. General
This policy provides guidance on electronic signature use and the acceptance of electronic signatures via such methods as electronic authentication, signature certificates, facsimile, email, and scanned signatures. The use of an electronic means of authentication/signature provides the institution, vendors, staff, and students with secure and practical methods to submit approvals electronically. The acceptance and use of electronic signatures should focus on security, convenience, and reasonable methods of verification based on the transaction being conducted.
II. Definitions
For the purposes of this policy:
- Authentication - To establish as genuine and verify the identity of a person providing an electronic signature.
- Credential - An object that is verified when presented to the verifier in an authentic transaction.
- Electronic record - A contract or other record created, generated, sent, communicated, received, or stored by electronic means.
- Electronic signature - An electronic signature/approval (e-signature) is defined as an electronic identifier that is created by a computer and is intended by the party using it to have the same intent, effect, and authority as the use of a manual (either written or facsimile) signature. An electronic signature can be the person’s typed name, their email address, or any other such identifying marker.
- Transaction - A discrete event between a user and system that supports a business or programmatic purpose.
III. Scope
To facilitate the use of paperless transactions, a process for verifiable electronic signatures must exist. Electronic signatures may be implemented using various methodologies depending on the risks associated with the transaction.
Examples of transaction risks include: fraud, nonrepudiation, and financial loss. The quality and security of the electronic signature method should be commensurate with the risk and needed assurance of the authenticity of the signer. Authentication is a way to ensure that the user who attempts to perform the function of an electronic signature is the correct individual and is authorized to “sign”.
An electronic signature may be accepted in all situations if the requirement of a signature/approval is stated or implied. This policy does not supersede situations where laws specifically require a written signature. This policy cannot limit the right or option to conduct the transaction on paper or in non-electronic form and the right to have documents provided or made available on paper at no charge. The e-signature must be protected by reasonable security measures as applicable to established computer functions of the institution.
IV. Establishing an Official Electronic Signature
- Identify the risks associated with using an electronic signature process and determine if the risks are manageable, including impact on other processes.
- Develop procedures that include the following:
- Establish mutual agreement to use electronic signatures between the parties to the agreement
- Determine and document that the signature method conforms to TBR and institutional guidelines and (if applicable) federal and state law
- Develop specific signature authentication procedures
- Identify the form of electronic submission/approval that will be used, e.g. email, TSR, Luminis, Banner, SciQuest, Workflow.
- Identify who will be allowed to submit and approve the electronic transactions.
- Ensure procedures are in place to preserve and maintain the integrity and security of electronic records and approvals.
- Provide required processes, documentation, and procedures to the institutional internal auditor as requested
V. Approved Electronic Signature Methods
All acceptable electronic signature methods must be in accordance with this guideline and applicable state and federal laws, and which specifies the form of the electronic signature, the systems and procedures used with the electronic signature, and the significance of the use of the electronic signature.
- Faxed, Emailed, and Scanned Signatures
The electronic process expedites obtaining required contractual information. A faxed, scanned, or emailed signature shall be considered just as valid as an original written signature except when an actual original signature is required by state or federal law; when the faxed, scanned, or emailed signature cannot be verified; or when the other party desires original signatures. In order to accept a faxed, scanned, or emailed signature in lieu of an original written signature, the authenticity of such faxed, scanned, or emailed signature must be verified by the receiving party. Such means of verification shall include:
- The receipt of a faxed signature from a facsimile number verified as belonging to or traceable to the party that did so sign and transmit the document.
- The receipt of a scanned or emailed signature from an email address verified as belonging to the party that did so sign and transmit the document. Email access being based on unique credentials (username/password) will be accepted as the electronic record for the email and associated attachments from vendors. Electronic signature will be the scanned document containing the authorized written signature from the vendor/contractor.
Furthermore, in order for a faxed, scanned, or emailed signature to be considered valid, both parties must agree that a faxed, scanned, or emailed signature, or a copy of the same (including an electronic copy) may be used for any and all purposes for which the original signature may have been used.
- Online Approvals
Online approval expedites obtaining required approvals for internal processes and can be established by contract with other parties. Online approvals shall be accepted as valid when the online process requires authentication such as user name and password.
As appropriate, online approval systems should implement technologies in alignment with industry best practices including secure data transmission standards, password expiration and complexity policies, etc.
06/13; 09/17