
                                                                                                                            June 24, 1999

Mr. Donald Arbuckle
Deputy Administrator and Acting Administrator
Office of Information and Regulatory Affairs
Information Policy and Technology Branch
Office of Management and Budget
New Executive Office Building, Room 10236
Washington, DC  20503

 Re: Comments on Proposed OMB Procedures and Guidance on Implementing the Government Paperwork Elimination Act

Dear Mr. Arbuckle:

 We appreciate this opportunity to comment on the Office of Management and Budget’s (“OMB”) Proposed Procedures and Guidance on Implementing the Government Paperwork Elimination Act (“GPEA”), 64 Fed. Reg. 10,896 (Mar. 5, 1999) (“Proposed Procedures”).

 The Department of Justice (“Department”) strongly supports the Administration’s efforts to ensure that government services are provided in an accessible and efficient way.  The Department therefore supports the increased use of electronic-based processes by government agencies, but with an important caveat:  adequate safeguards should exist to ensure that the government’s ability to enforce its agreements and programs is not impaired.

 In particular, the Department is concerned that the Proposed Procedures do not adequately ensure that agencies evaluate the potential legal and other risks that they may face by accepting and relying upon electronically filed applications, forms, or other documents.  The Department is also concerned that the Proposed Procedures do not include adequate information to guide agencies in taking targeted steps to minimize those risks.  We therefore recommend that the final Procedures identify known risk areas and provide more specific guidance on how agencies can minimize those risks as they begin to implement electronic processes.

 The enclosed comments provide more detailed guidance that we believe should be incorporated in the final Procedures.  For example, the final Procedures should identify five specific risk areas that federal agencies should consider when implementing processes relating to electronic-based transactions: (1) the availability of the records (collecting, retaining, and making relevant data accessible in a secure and timely fashion); (2) the capability of the process to persuade (documenting the process so that it can be easily understood and will convince appropriate audiences); (3) the legal effectiveness of the process (meeting legal requirements necessary to ensure that the transactions or agreements at issue are enforceable); (4) legal requirements (meeting legal obligations under various federal statutes and under the requirements for pre-trial discovery); and (5) admissibility (collecting, preserving, and maintaining information in a way that permits it to be admitted in court in case of litigation).

 As the enclosed comments further elaborate, these risk areas can be controlled by carefully establishing a system that ensures that electronic-based data comprising a transaction be maintained in a reliable, documented, and replicable fashion, with a chain of custody that is accurately preserved and documented.  Agencies should carefully maintain, for example, the following types of information relating to electronic transactions: (1) the content of the transaction (records that comprise the substance of the transaction or filing); (2) processing records (how the transaction was processed, including changes or modifications that were made in records); (3) identities (the identity of all people who participated in the transaction both inside and outside the agency and the scope of each person’s participation); and (4) information relating to the intent of the parties (a means for establishing the intent of the participants entering into the transaction or agreement).

 Although the Department intends to provide (as noted in the Proposed Procedures) specific guidance on legal considerations related to agency use of electronic-based filing and record keeping, we believe that the final Procedures would be significantly strengthened if the Proposed Procedures were amended to include a more substantial discussion of known risks and risk-minimizing considerations as outlined above and as detailed in the enclosed comments.  By fully considering the costs, benefits, and risks of electronic-based filing, agencies will be in a more informed position to decide whether they should support electronic-based transactions and, if so, how to implement their processes electronically.  We therefore urge OMB to amend the Proposed Procedures to articulate the broad scope of known risks that can arise from agency use of electronic-based filing.  We would be pleased to work with you on specific language that would address our concerns.

 Thank you for this opportunity to comment on the Proposed Procedures.  Please feel free to contact the co-chairs of the Department’s electronic commerce working group, David Goldstone at (202) 514-1026 or Chris Kohn at (202) 514-7450, to discuss this matter further.
 

Enclosure


June 1999

 

COMMENTS OF THE U.S. DEPARTMENT OF JUSTICE
ON THE OFFICE OF MANAGEMENT AND BUDGET’S
PROPOSED PROCEDURES AND GUIDANCE TO IMPLEMENT
THE GOVERNMENT PAPERWORK ELIMINATION ACT
 

    On March 5, 1999, the Office of Management and Budget (“OMB”) requested comments on its Proposed Procedures and Guidance on Implementing the Government Paperwork Elimination Act (“GPEA”), 64 Fed. Reg. 10,896 (“Proposed Procedures”).  The Department of Justice believes that the Proposed Procedures may not adequately ensure that agencies evaluate the potential risks that they may face by accepting and relying upon electronically filed applications, forms, or other documents.  For example, agencies may be subject to risks to the enforcement of their programs and contracts or to their ability to defend against court and administrative challenges.  The Proposed Procedures also do not include adequate information to allow agencies to take targeted steps to minimize those risks.  Therefore, we recommend that the final Procedures and Guidance include a discussion of the specific potential risks in the enforcement or implementation of their programs, as well as specific suggestions on minimizing those risks. [1]

I.  RISKS OF USING ELECTRONIC-BASED PROCESSES

     Agencies may face substantial risk to their ability to enforce or defend programs or agreements when they redesign their processes to permit information to be submitted, or transactions consummated, electronically.  Although not all risks can be known in advance, some can be predicted.  Only by taking the broad scope of known risks into account in analyzing whether or not to move toward electronic-based filing can a full and fair cost-benefit analysis be made.  Furthermore, by focusing on obvious risks to the enforceability of their programs or transactions, agencies can establish electronic-based systems that avoid or at least minimize them.

     Using electronic-based transactions is often tantamount to re-designing an agency’s processes.  Agencies should, of course, endeavor to minimize risks that may result from any such re-designed processes.  An agency that is unable to provide adequate evidence of its electronic-based agreements or electronic-based filings, for example, will suffer obvious monetary and programmatic consequences, which could jeopardize its mission.  Accordingly, it is critical that agencies ensure the comprehensiveness, availability, veracity, and provability of all electronic-based documents that comprise their agreements or transactions.  Unless care is taken in establishing the electronic-based system, an agency may not be able to support its actions if questioned or challenged.  Persuasive electronic-based data is vital to the government’s ability to enforce and defend legal obligations and to successfully prosecute fraud cases and thereby discourage future fraud.  If an agency action is challenged in court, the agency must be able to persuade a fact-finder that the information upon which it acted is accurate and reliable.

     Federal agencies should consider at least five specific risk areas:

     1. Availability of the records: How will the relevant data be collected, retained, and made accessible in a secure and timely fashion?
 
     2. Capability of the process to persuade: Will the information used to document the process be easily understood and convince appropriate audiences?

     3. Legal effectiveness of the process: Will the processes and the electronic-based data meet all legal requirements necessary to ensure that the associated transactions or agreements are enforceable?

     4. Legal requirements: Will the electronic-based process allow the agency to meet its legal obligations under such statutes as the Federal Records Act, the Freedom of Information Act, the Privacy Act, the Rehabilitation Act, and the Trade Secrets Act, as well as judicial discovery?

     5. Admissibility: Is the data collected, preserved and maintained in a way that ensures that it can be admitted in court in case of litigation?

     A.  Information Availability: Collection, Retention, and Accessibility

     When an agency re-engineers its processes to use electronic-based methods, it should ensure the proper collection, retention, and accessibility of information.  This means that all electronic-based information, forms, agreements and data should be: (i) collected properly; (ii) retained securely; and (iii) managed to permit timely retrieval.

          1.  Collection

     Any important information that an agency would have routinely gathered in a paper-based transaction (whether or not reflected in the actual formal forms or applications submitted by a public customer) should also be gathered in the new electronic-based process being developed.  In weighing the costs and benefits of an electronic-based system, agencies should consider the extent to which they will lose information — such as identity — simply because of the electronic-based form of the transaction.

     Agencies often gather substantial valuable information not directly requested on a form or application.  This information is used in processing the transaction, or even in determining whether or not to participate in the transaction in the first place.  For example, for some processes, it is important to meet in person with an individual who is submitting a form and swearing to its truth.  Many agencies retain the envelope in which a form is received, perhaps for fingerprint, handwriting or postmark information.  Agencies should weigh the loss of such information when analyzing the benefits that they might receive in converting to an electronic-based process, and if possible, re-engineer that process to incorporate what would otherwise be lost using electronic-based methodologies.

     Moreover, in collecting information on a written form, agencies have a ready means for correlating the answer to the specific question: the answer follows the question and is “locked” in place by its context on the form, i.e., the fact that it is written directly after the question on the form itself.  It is no less important in electronic-based transactions that the electronically provided data or answer be similarly directly and permanently correlated to the specific question to which it refers.  That the figure “$10,000” was entered in an electronic tax form has meaning only in the context of a specific question or “line” to which the entry was responding, such as earned income, deductions, or total tax owed.

     An extremely important aspect of any collection of information, whether in a paper-based or electronic-based transaction, is the signature line.  In a paper-based process, the signature line is often immediately preceded by some text which specifically states that the person signing the document affirms the veracity of the information attested to by the signature.  Thus, the signature serves not only to identify the person executing the document, but also, by its context, to establish that person’s intent to submit the form as a truthful statement of his or her answer to each question.  In a paper-based document, the entire form is retained, making it easy to establish both the information which is being attested to, as well as the fact that the signatory saw the warning banner that made clear the significance of his or her signature.  When converting to an electronic-based system, agencies should ensure that they can similarly establish that the electronic signature is associated with the specific information that was provided, and also that the individual giving his or her electronic “signature” did so with full knowledge of the significance of that electronic “signature.”

          2.  Retention

     Significant risks may flow from an electronic-based process that does not sufficiently meet an agency’s retention needs.  Any proposed electronic-based process should be evaluated to determine whether the information that relates to any agency transaction or activity will be stored in a secure and reliable manner which is consistent with all agency needs.  Agencies remain subject to all record retention requirements even when their records are kept in an electronic-based format.  See generally Federal Records Act, 44 U.S.C. § 3301 et seq.; 36 C.F.R. § 1234.32.  All information that comprises a transaction should be securely retained for an appropriate period of time once it is collected.  For example, electronic-based signatures that are collected for authenticity purposes comprise an essential part of the transaction and usually should be retained together with all other records comprising the transaction for the same amount of time.  Likewise, agencies should have a retention plan to address common computer-specific concerns such as the fragility and corruptibility of electronically stored data and the rapidity with which electronic-based data formats and software which access data can become obsolete.  For example, many agencies have found that information can be lost when older data sets are “migrated” to more up-to-date software applications or to different storage media.

          3.  Accessibility

     Even when all appropriate information relating to any electronic-based process has been collected and safely stored, it may be ineffective or unusable if the electronic-based system has not been designed to allow easy, prompt, and efficient access to that information by program administrators.  Such information should be no less readily and easily accessible upon demand than paper records are, and indeed, given the principal benefit of electronic-based commerce, it should be even more easily available.  Agencies should also maintain sufficient personnel and technologies to ensure that stored information, which has been properly collected and retained, will in fact be accessible when needed in a timely and reliable fashion.  Without easy accessibility, agencies may not be able to perform their mission effectively, and will be ill-equipped to resolve disputes or enforce their program either informally or, if necessary, through litigation.

     B. Using Electronic-Based Information To Persuade

     In disputes with others, whether informal disputes with citizens, in litigation, or in persuading other branches of government, agencies should be able to produce the electronic-based data that comprise any transaction in a way that is clear, meaningful, and persuasive.  This concern is especially apt with regard to evidence of identity, because identity can be so easily obscured electronically.  Yet system designs, particularly some technical solutions that seek to assure identity, may seem unduly complex.  In designing a new electronic-based system for conducting agency business, agencies should consider the risk that the electronic-based data may be difficult to use to convince people.  People may view electronic-based information as unfamiliar, boring, complex, vulnerable, easily fabricated, or error-prone.  In designing systems, agencies should consider whether they would be able to reproduce electronic-based information in a persuasive manner.

     C.  Legality

     In any proposed electronic-based transaction, agencies should ensure that records that comprise the transaction are legally sufficient for the purpose at hand.  Some types of transactions may have legal requirements that must be met before they are effective.  For example, under specific governing statutes or practice, certain types of contracts, or in some circumstances the consensual disclosure of private information, may require a writing or a signature.  These legal requirements should be addressed by any agency proposing to implement an electronic-based process to replace one that was formerly conducted in writing.  Although some of these concerns may be addressed to some extent by the GPEA or other laws, how courts will interpret the law in any given case remains uncertain.  Thus, in any cost-benefit analysis, agencies should evaluate the risk that, notwithstanding the language of GPEA or other laws, specific transactions may be legally unenforceable absent a writing or a signature.

     D. Legal Requirements for Processes and Records

     All agencies are subject to various statutes dealing with their processes, such as information disclosure or privacy.  Like paper-based processes, electronic-based processes are subject to these restrictions or obligations, including the Federal Records Act, the Freedom of Information Act, the Privacy Act, the Rehabilitation Act, and the Trade Secrets Act, as well as discovery in litigation.  Agencies should take care not to neglect these requirements when they re-engineer processes to be performed electronically.  With the easier flow of electronic-based information, agencies may be more likely to use and re-use electronic-based information than they would with paper-based information.  This diffusion of information may make information harder for an agency to monitor and control in a way that is consistent with its legal obligations.

     E.  Using Electronic-Based Records as Evidence in Court

 The Federal Rules of Evidence do not prohibit the admission of electronic-based evidence in court.  Nevertheless, to be admissible, evidence must be authentic and reliable.  Judges are familiar with paper evidence and understand how the evidentiary rules apply to paper documents.  There is a risk that electronic-based information will not be admitted unless government agencies ensure that they can establish a clear foundation for their records – including a provable chain of custody and adequate means to show that the records are authentic and reliable.

II.  ELECTRONIC-BASED RECORDS THAT SHOULD BE CAREFULLY MAINTAINED

     The risk areas discussed above can be controlled by carefully establishing at the outset a system that ensures that all electronic-based data comprising a transaction be maintained in a reliable, documented, and replicable fashion with the chain of custody accurately preserved and documented.  In particular, agencies should review their proposed electronic-based processes and ensure that they are developed in a way that results in legally enforceable transactions.  Furthermore, steps should be taken to ensure that all documents that comprise the transaction are available in a provable and reliable fashion.  In contrast to a paper form or submission which cannot be easily or transparently changed once created, digital information can be changed without a trace.  The electronic-based system should provide mechanisms that deter unauthorized changes and memorialize all changes in the electronic-based data.  With regard to every significant electronic-based communication and transaction, agencies should consider how they will prove that the information was not altered. 

     Specifically, for any transaction, agreement, or programmatic process that is conducted electronically, agencies should be careful to collect, securely preserve, and make accessible electronic-based information in a persuasive, legally sufficient, and admissible manner in at least the following four areas: (1) content; (2) records; (3) identities; and (4) intent.

     A.  Content of the Transaction

     Agencies should ensure that the electronic-based submissions and data that comprise the substance of the transaction are completely collected, in addition to being accurately, thoroughly, and reliably maintained.  It is critical that the specific terms and clauses that comprise the transaction be preserved in a way that will allow the agency to prove the nature of the legal obligation.  In addition, certain information, such as the date on a form, can be important not only to establish the date the form was submitted, but also to establish the date that the representation purports to be made.  Therefore, date information provided by the filer can be an important part of the content of the transaction, in contrast to a date-stamp that can be provided automatically.  Other important parts of the transactions that agencies should take into account are any other content, such as attachments or exhibits, that may be included with the form.

     B.  Transaction Processing Records

     In developing any electronic-based process, agencies should ensure that they are able to capture and retain information that relates to all aspects of the processing of a transaction through completion.  Procedures for receiving forms, applications, or documents, such as stamping or signing for them, or for amending forms, such as initialing the amendments, are well-known and widely used in the paper context.  Moreover, processes are often in place to monitor access to paper files and to monitor changes that are made to paper documents.  Analogous processes are needed in the electronic-based context.  Records that are generated in establishing and performing some electronically-based transaction, as well as documents that reflect the record upon which agency decisions were based, may need to be retained.  Similarly, changes and modifications that are made in any electronic-based record should be controlled, and the reason, time, and identity of the individual making such changes may need to be recorded.

     C.  Identities of All Relevant Parties
 
     It can be critical that an agency be able to prove the identity of all parties who participated in any transaction, both inside and outside the agency.  The enforceability of many transactions depends on proving who executed the document and whether he or she had actual authority to bind the party he or she purports to represent.  In the paper-based world, the most common example of “identity” information is a signature or a set of initials.  These are easily understood, commonly recognized, and widely believed to be difficult (although not impossible) to forge.  Signatures are highly persuasive to most Americans.  Similarly persuasive identifying techniques are necessary in the electronic realm for some processes. 
 

     D.  Intent of the Parties

     To enforce many kinds of transactions, or to carry out necessary law enforcement activities, the government must be able to prove that all parties to a transaction intended to enter into it or to submit specific electronic-based information to an agency.  This will require that agencies carefully design their systems to ensure that the intent of the parties is provable.  With regard to paper forms, a variety of important indicia evidence “intent.”  For example, some transactions require multiple signatures (or a signature and multiple sets of initials) to ensure that the person participating was in fact aware of the important elements of the transaction.  Other paper forms provide “banners” that clearly state that by signing the document a party indicates that the information provided is “true and correct.”  All electronic-based processes that involve transactions where intent may be important should be designed in a way that establishes that the party electronically signing a document or submitting information specifically intended to do so, and to do so truthfully.  This may require some way to show that critical terms were conspicuous, that the party had an opportunity to review the terms and that, by submission of the form or information, the parties acknowledge that they are subject to those terms.
________________________________________

[1]  These comments are not intended to provide any binding rules or standards for the use of electronic information.  Nothing herein is intended to confer any right on any person or group.  See United States v. Caceres, 440 U.S. 741 (1979).
 
 
 
 



Updated page July 19, 1999
