Final | July 2020 | v2.0.0 | PUBLIC | QGCDG
The purpose of this guide is to provide guidance on when electronic signatures are considered an accepted means of validating the identity of a signer in Queensland Government department electronic documents and correspondence, and thus a substitute for traditional “wet” signatures, within the organisation. Because communication has become primarily electronic, the goal is to reduce confusion about when an electronic signature is trusted.
Electronic signatures (e-signatures) are the electronic version of manually handwritten signatures. This guideline provides guidance on:
- the use of e-signatures for government purposes
- compliance issues with relevant standards for Commonwealth and State laws.
The guideline covers various considerations for using e-signatures as an authentication mechanism in Queensland Government.
This guideline is not about:
- implementing a technology solution for e-signatures
- using e-signatures for implementing a security solution for ICT systems.
While relevant laws are referenced, this guideline is not a substitute for professional guidance on legal matters.
This guideline applies to all Queensland Government departments (as defined by the Public Service Act 2008). Accountable officers (not already in scope of the Public Service Act 2008) and statutory bodies under the Financial and Performance Management Standard 2019 must have regard to this guideline in the context of internal controls, financial information management systems and risk management. Please see the Applicability of the QGEA for further information.
What are e-signatures?
Like a manuscript signature (also called ‘wet signature’), the goal of e-signatures is to bind a signatory to a document in a way that makes later repudiation difficult (Foder, 2010). However, the validity of e-signatures under a law depends on the type of the e-signature and the purpose of its use.
By definition, an e-signature is “any letters, characters, or symbols manifested by electronic or similar means and executed or adopted by a party with an intent to authenticate a writing” or “a data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication” (Blythe, 2005).
Examples of e-signatures may include, but are not limited to, the following (Ibid, p3):
- digitised version of a manuscript signature, i.e. scanned image of the wet signature; signing on a touch screen
- digitised fingerprint, i.e. digitised image of a fingerprint
- biometric scan such as a fingerprint, iris or vocal signature
- typed name at the end of an email message
- clicking or ticking of an ‘I Agree’ or ‘Purchase Now’ button or box on a computer screen
- digital signature which uses encryption and decryption technology alongside a Public Key Infrastructure (PKI).
Each type of e-signature will be useful at a certain security level. Each type will meet different success criteria in meeting the requirements for a valid signature at law (Christensen, Duncan, & Low, 2003).
Benefits of using e-signatures
E-signatures serve the same purposes as manuscript signatures (Christensen, Duncan, & Low, 2003):
- Identity – to prove that the document was signed by an identifiable person (authentication) and that the person cannot credibly deny their identity (non-repudiation)
- Consent or Approval – to prove that the person affixing the signature approves of the contents of the document and the person cannot deny so (non-repudiation)
- Integrity – to indicate that the document has not been altered since it was signed.
Different types of e-signatures have varying degrees of success in performing these functions. Their performance needs to be assessed against the purpose for which they are being used and their ability to withstand scrutiny under various applicable laws discussed below.
According to the Electronic Commerce Expert Group (Tyree, n.d.), the following are the primary uses for e-signatures:
- Evidentiary – to serve as admissible evidence in a court of law, such as the Statute of Frauds
- Cautionary – to attest a document and its significant legal consequences e.g. wills
- Reliance – to attest to the reader the veracity or truthfulness of the contents of a document
- Channelling – to categorise documents into more or less legal significance
- Recordkeeping – to abide by government regulations for the safekeeping of documents, such as taxation and customs.
Considerations for using e-signatures
This section describes legal considerations for using e-signatures but should not be taken as a substitute for professional legal advice.
There are provisions in some legislation that allow for the use of e-signatures in transactions. The Commonwealth (1999) and Queensland Government (2001) deal with the use of e-signatures in their respective Electronic Transactions Acts (ETA). When necessitated by state law in Queensland, the requirement for a signature is purported to be met by electronic means when the following criteria are met, the:
- method used identifies the person and indicates the person's approval of information
- method used is reliable and appropriate for the purpose for which the information is communicated
- person to whom the signature is provided consents to the requirement being met using the e-signature method.
There are some exemptions, stipulated in Schedule 1 of the Queensland ETA, where e-signatures cannot be used. For example, a requirement or permission for a:
- person to file a document with a court or tribunal for a proceeding
- document to be served personally or by post
- document to be attested, authenticated, verified or witnessed by a person other than the author of the document.
The Commonwealth ETA (1999) also has a list of laws and regulations that are exempt from the Act as stipulated in the Electronic Transactions Regulations 2000 (Australian Government, 2000).
The respective laws both have the aims of:
- confirming the effectiveness of a transaction that has been undertaken electronically
- specifying the requirements for an electronic communication to act as a signature when a law requires the signature of a person.
The laws also provide an overarching regulatory framework that:
- recognises the importance of the information economy to the future economic and social prosperity of Queensland
- facilitates and promotes confidence in the use of electronic transactions in business, community, and the government.
The critical element in all cases is that the signature indicates that the person ‘approves of something’; an e-signature containing their name or initials is therefore considered an express or implied expression of intention. Like a manuscript signature, an e-signature can be challenged for forgery or against the law’s criteria. Nonetheless, the ETA eliminates the need for wet signatures when the criteria are met in digital form.
E-signatures should apply to individuals only. E-signatures for roles, positions, or titles (e.g. the CFO) should not be considered valid. The CFO’s office should maintain an organisation-wide list of the types of documents and correspondence that are not to be used with e-signatures.
For more information please see Crown Law’s Please sign, electronically publication.
The Commonwealth and Queensland ETA are neutral on the technology to be used to support e-signatures if the ETA’s criteria for e-signatures are met. This provides flexibility for people and businesses to determine the signature technology that is most appropriate to their particular needs (Australian Government, 1999).
Different types of e-signatures meet legislative criteria to varying degrees. For example, a digitised wet signature to authenticate a person’s identity is less credible than encrypted digital signature certificates. The admissibility of these technologies in court and their ability to achieve compliance with existing standards will depend on meeting the criteria set by applicable laws and relevant standards.
Guidance also exists from the Australian Government Information Management Office (AGIMO, 2009) e-Authentication Framework regarding the use of e-signatures.
E-signature acceptance requires specific action on both the part of the employee signing the document or correspondence (hereafter the signer), and the employee receiving/reading the document or correspondence (hereafter the recipient).
Responsibilities when using public key infrastructure (PKI)
This section outlines suggested responsibilities for both signer and recipients when departments are using public key infrastructure (PKI).
- Signers should obtain a signing key pair from their department’s identity management group or equivalent. This key pair will be generated using the department’s public key infrastructure (PKI) and the public key will be signed by the department’s certificate authority (CA).
- Signers should sign documents and correspondence using software approved by their department’s IT organisation.
- Signers should protect their private key and keep it secret.
- If a signer believes that the signer’s private key was stolen or otherwise compromised, the signer should contact their department’s identity management group or equivalent immediately to have the signer’s digital key pair revoked.
- Recipients should read documents and correspondence using software approved by their department’s IT organisation.
- Recipients should verify that the signer’s public key was signed by their department’s CA, by viewing the details about the signed key using the software they are using to read the document or correspondence.
- If the signer’s digital signature does not appear valid, the recipient should not trust the source of the document or correspondence.
- If a recipient believes that a digital signature has been abused, the recipient should report the recipient’s concern to their department’s identity management group or equivalent.
In Queensland, the Public Records Act 2002 and Records governance policy apply to records in all formats, regardless of the technology used to create, transmit or authenticate the record.
COVID-19 temporary legislative changes
Queensland Government has passed the COVID Emergency Response Act 2020 providing for certain decision makers to make regulations modifying arrangements for witnessing and attestation of documents. This new legislation is effective until 31 December 2020. An example of a regulation made under this legislation is the Justice Legislation (COVID-19 Emergency Response—Wills and Enduring Documents) Regulation 2020.
Witnessing signatures remotely
A variety of Queensland legislation requires documents to be signed in the physical presence of others. Given the current requirements relating to social distancing due to the COVID-19 pandemic, the use of digital technologies, in particular the use of e-signatures, provides us with alternative ways to sign documents that otherwise legally need to be signed in person.
Departments are encouraged to investigate their current regulatory framework and consider what temporary changes would enable them to witness a signature remotely. For example, conduct a video meeting over Microsoft Teams/Skype to have someone witness your signature online and then forward the signed document to the witness to complete the witness signature at their end.
Further, the use of electronic signatures may be permissible for contracts relating to the procurement of some goods and services. For more information please see the Office of the Chief Advisor – Procurement’s Advisory notice 13/2020 For buyers – Use of electronic signatures and witnessing documents.
For additional guidance relating to use of e-signatures in Queensland please see Crown Law’s Please sign, electronically publication (Government employees only).
Advantages and disadvantages of e-signatures
The organisation should weigh the advantages and disadvantages of using e-signatures against its organisational structure. Some of these considerations are below.
Advantages
- Reduced costs from filing, printing, faxing or mailing
- Instant transmission by electronic means which can improve productivity and process efficiency
- Improved tamper-proofing by digital encryption and electronic storage
- Improved storage of documents by electronic means
- Can leverage existing electronic systems
- Reduces error from manual processes of handwriting signatures and dates.
Disadvantages
- Can be difficult to implement due to technical challenges
- Need for electronic displays and systems which can be expensive if they do not already exist in the organisation
- Not all stakeholders may have the capacity to sign documents electronically due to lack of appropriate technology.
Any organisation considering the use of e-signatures is advised to perform a risk assessment of its transactional processes to carefully consider legal and technical implications. This ensures that using e-signatures for the intended functions and purposes is ‘reliable and appropriate’, provides greater advantage than disadvantage and is in accordance with the organisation’s goals and needs. See ICT risk management for more information on this topic.
The Queensland State Archives has published resources on assessing the implementation of e-signatures, including the need to undertake environmental scans of obligations which may require ‘wet’ signatures, and identifying processes and records that may need more robust forms of authentication.
The following are example implementations provided by Queensland Government departments:
- Approved documents are attached to an email. The email system authenticates the sender and the act of sending the email signifies approval and consent.
- Timesheets are authenticated and approved using the Electronic Documents and Records Management System (eDRMS). With this, they can track alterations to the timesheets using audit trails. The timesheet saved then becomes a record that cannot be altered.
- Some departments use third-party certified, digital signature solutions that are either in-house or cloud based.
E-signatures come in various forms and have the capacity to meet various purposes (authentication, approval, integrity) and various uses (evidentiary, recordkeeping, etc). In most cases a signature required under legislation can be met using a digital alternative and will be deemed equivalent to a manuscript signature provided it meets the criteria stipulated in the law (Commonwealth or Queensland).
To support the digitisation of services and internal processes Queensland Government departments are encouraged to consider their requirements for signatures and assess circumstances where digital alternatives would be suitable and/or efficient.
AGIMO. (2009). National e-Authentication Framework. Retrieved from Department of Finance and Deregulation: http://www.finance.gov.au/files/2012/04/NeAFFramework.pdf
Australian Government. (1999). Electronic Transactions Act. Retrieved 09 2015, from Attorney-General's Department: https://www.ag.gov.au/RightsAndProtections/ECommerce/Documents/ElectronicTransactionsAct1999infosheet.pdf
Australian Government. (2000). Electronic Transactions Regulations 2000. Retrieved from Australian Government ComLaw: https://www.comlaw.gov.au/Details/F2015C00665
Blythe, S. E. (2005). Digital Signature Law of the United Nations, European Union, United Kingdom and United States: Promotion of Growth in E-Commerce with Enhanced Security. Richmond Journal of Law and Technology, 11(2). Retrieved from http://law.richmond.edu/jolt/v11i2/article6.pdf
Bolam, P., & Choi, R. (n.d.). Electronic Signatures: When are they effective? Queensland, Australia. Retrieved 09 01, 2015, from http://www.qls.com.au/files/5420ee10-7cdc-466c-b050-a34000eea180/Electronic_signatures_when_effective.pdf
Christensen, S., Duncan, W., & Low, R. (2003, 12). The Statute of Frauds in the Digital Age - Maintaining the Integrity of Signatures. Murdoch University Electronic Journal of Law, 10(4). Retrieved 09 01, 2015, from http://eprints.qut.edu.au/4281/1/4281.pdf
Foder, J. (2010). The inadequate legislative responses to e-signatures. Computer law and security, 26(4), 418-426. Retrieved from http://epublications.bond.edu.au/law_pubs/333
ICA. (2008). International Council on Archives: Principles and Functional Requirements for Records in Electronic Office Environments. Retrieved 09 01, 2015, from http://www.archives.qld.gov.au/Recordkeeping/GRKDownloads/Documents/guidelines_functional_requirements.pdf
Law, U. N. (2020, 07 16). Electronic Commerce. Retrieved from United Nations Commission on International Trade Law: https://uncitral.un.org/en/texts/ecommerce
Queensland Government. (2001). Electronic Transactions (Queensland) Act 2001. Queensland, Australia. Retrieved from https://www.legislation.qld.gov.au/legisltn/current/e/electrontrqa01.pdf
Queensland State Archives. (2009). Recordkeeping and digital signatures. Queensland, Australia. Retrieved 09 01, 2015, from http://www.archives.qld.gov.au/Recordkeeping/GRKDownloads/Documents/Public_Records_Briefs.pdf
Queensland State Archives. (2015, 10). Mythbusters - Signatures. Retrieved 10 25, 2015, from Queensland State Archives: http://www.archives.qld.gov.au/Recordkeeping/GRKDownloads/Documents/Mythbuster3-Signatures.pdf
S., Charles. (2019, July 17). How to electronically approve documents and expenditure. Retrieved from Queensland Audit Office: https://www.qao.qld.gov.au/blog/how-electronically-approve-documents-expenditure
Tyree, A. (n.d.). Electronic Signatures. Retrieved 09 01, 2015, from Australasian Legal Information Institute: http://austlii.edu.au/~alan/electronic-signatures.html