Search 
Mallesons Stephen Jaques
Philip Argy  
Partner

Sydney
Patrick Gunning  

Melbourne
Cheng Lim  

Electronic Evidence, Document Retention and Privacy

Is a document worth the paper it is written on?

Many corporations are moving toward the “paperless office”. But can electronic records fulfil the same evidentiary requirements and provide the same benefits as their paper counterparts?

Evidentiary principles

Admissibility

Disputed facts can only be proven by admissible evidence. Admissible evidence is that evidence which is sufficiently relevant to the facts in issue. Any evidence which is irrelevant or which is not sufficiently relevant is inadmissible.

Weight

Even if a document is admissible a Court may attach little weight to the evidence. This may occur where the evidence has little probative value.

Best evidence rule

The common law “best evidence rule” states that no evidence is admissible unless it is “the best that the nature of the case will allow”. 1 Traditionally, the rule operated to exclude evidence which was not the best evidence, such as a “copy” of a document.

Now all that is left of the rule is the requirement that the original of a document must be produced to prove its contents unless its absence can be explained such as :

  • the original has been lost
  • it is impractical or unduly burdensome to produce the original
  • the original is in the possession of another party.

The best evidence rule can also operate in a way that copies, even if introduced in evidence, are given a lower weight. For example, a document which has been stored in an electronic form may be admissible in Court but the judge may attach little weight to it, as there may be no evidence to counter an allegation that the content of the document has been tampered with.

Unless there is confidence that electronic records have demonstrably been kept secure, and their integrity is assured, original documents should be retained.

Recent directions

Traditionally, the laws of evidence have been “exclusionary”. That is, judges have refused to admit evidence into judicial processes where a prohibition or restriction applied. In recent years, the trend has been toward allowing evidence to be admitted unless it is clearly irrelevant. As a result, more emphasis has been placed on the weight or probative value that should be attached to that piece of evidence.

Consequently, there is a far greater focus on the integrity of the process by which information is stored, recorded and reproduced. Therefore, companies need to keep audit trails and access logs such as meta data.

Challenges of electronic evidence

The introduction of electronic evidence has challenged the traditional laws of evidence, which required the production of original documents. The laws have had to be sufficiently adaptive and to account for the unique issues and questions that soft copy evidence can present.

“The law of evidence must be adapted to the realities of contemporary business practice. Mainframe computers, minicomputers and microcomputers play a pervasive role in our society. Often the only record of a transaction, which nobody can be expected to remember, will be in the memory of a computer. The versatility, power and frequency of use of computers will increase. “ R v Minors [1989] 2 All ER 208

Some specific challenges include:

  • hard copy and soft copy versions of a document may not be identical eg hidden information may only be visible during the examination of the electronic version
  • hard copy documents need only be viewed and read by the naked eye to be comprehended, whereas soft copy documents inevitably require appropriate hardware and software, not to mention expertise, to be accessed and “translated” into comprehensible form.
  • soft copy documents are vulnerable to tampering and forgery in an entirely different manner to hard copy documents.
  • soft copy documents are, generally speaking, both easier to copy and disseminate, and more difficult to destroy.

Evidence Act

Introduction

The Evidence Act 1995 (Cth) applies in all Federal Court proceedings. Additionally, it applies to all Commonwealth records.

(The Uniform Evidence Act has been adopted by the Commonwealth, New South Wales, Tasmania and the Australian Capital Territory. Other jurisdictions have promised but not yet enacted.)

Original document rule abolished

Section 51 of the Evidence Act abolishes the principles and rules of the common law that relate to the means of proving the contents of documents. Therefore original documents are no longer required. A copy of a document is as good as an original document.

In Victoria, Queensland and South Australia the Evidence Act specifically states that evidence derived from computer records will be admissible, subject to certain conditions of reliability. Although there is no express provision in the remaining jurisdictions, each of them recognise a “copy” of an original document as an “original document”, in respect of the contents of which it is sought to lead evidence. So long as the copy is identical to the original document in all relevant respects the Court will admit it into evidence. So, for example, where colour is not a relevant aspect of a document, then a black and white hard-copy version of a colour electronic record will be acceptable.

What about print outs of electronic records?

Section 48(1)(d) of the Evidence Act provides that “where a document in question is an article or thing on which information is stored in such a way that it cannot be used by the court unless a device is used to retrieve, produce or collate it − tendering a document that was or purports to have been produced by use of the device” is a permitted manner in which to adduce evidence of what was contained in the document.

As a result, the production of a print out of an electronic record is admissible.

Business record exception

In contemporary society it is accepted that companies make decisions on the basis of business records. Boards of companies are required to satisfy themselves that the record keeping of the company is sufficient to base their decisions upon. As a result, the law now assumes that business records have the appropriate trustworthiness to be used as evidence. Therefore, you no longer have to call the person that made the record to prove the contents of the record or prove the circumstances in which the record was made.

The rationale: if a record is good enough for directors to rely on, it is good enough for the Courts to rely on, unless you can impugn it.

Under section 69 of the Evidence Act, all documents comprising business records are admissible unless it is able to be bona fide impugned.

This rules applies to documents that are or were a record belonging to a business and contain previous representations made or recorded in the document in the course of or for the purpose of, the business.

Evidence produced by processes, machines and other devices

Section 146(2) states that “if it is reasonably open to find that the device or process is one that … if properly used, ordinarily produces that outcome, it is presumed (unless evidence sufficient to raise doubt about the presumption is adduced) that, in producing the document or thing on the occasion in question, the device or process produced that outcome.”

For example, it would not be necessary to call evidence to prove a photocopier normally produced complete copies of documents and that it was working properly when it was used to photocopy a particular document.

The same logic applies to other technologies for the storage and reproduction of records. However, you need to keep evidence of process integrity in case it is impugned.

Examples

It is presumed (in the absence of credible evidence to the contrary) that:

  • a laser printed copy from an optical disk is an authentic copy of the original
  • an EDI message log accurately records transactions between parties
  • an electronic signature is authentic
  • computer programs do what they are supposed to do
  • a time stamp is accurate
  • a fax is as good as an original.

Process integrity is more important than ever

Although under the Evidence Act there is a presumption that a copy of an original is admissible, there is no presumption that the evidence is reliable. Therefore, it is very important that proof of the system/record integrity of records are consciously generated and kept.

TQM (total quality management) and other standard process methodologies improve the probability that documents are accepted as having been captured or processed in the “normal course” of business.

Legal definition of “document”

A document is any record of information, and includes (as defined in the Act):

  • anything on which there is writing;
  • anything on which there are marks, figures, symbols or perforations having a meaning for persons qualified to interpret them;
  • anything from which sounds, images or writings can be reproduced with or without the aid of anything else; or
  • a map, plan, drawing or photograph.

This means not only that files recorded on electronic or optical media are documents but that the medium itself is a document. This means that a party can subpoena and demand discovery of the media as well as any document recorded on the media. It is equivalent to defining the filing cabinet as a document, which may not have been intended but it is the result of the drafting.

Good practice

  • The ability to retrieve archived materials is essential.
  • It is essential that when upgrading software and hardware you maintain the ability to recall the stored information. Therefore, you should not throw away the old systems if you haven’t ensured that you can read, retrieve and produce copies of the stored records.
  • Your options are either to retain the old hardware and software or to migrate all the stored information onto any new system adopted. If the latter course is adopted, it is critical to preserve the forensic chain so that there is a provable trail from the “original” to the latest version of it.
  • Software and hardware version changes need tracking.
  • Media longevity (non) issues.
  • The medium on which data is stored will generally last 20 to 30 years. But that is no use if the organisation has lost the hardware or software ability to read/retrieve the recorded information.
  • Maintenance of record integrity and supporting meta data.
  • An information document should be prepared detailing the electronic record-keeping procedure. The document should set out how the information is captured, stored, secured and reproduced. It should also indicate which person or team is responsible for the maintenance, operation and upgrade of the record-keeping system. A Court may later scrutinise the document to satisfy itself of the integrity and proper working of systems.
  • A log of all the activity on the computer used for electronic record-keeping should be maintained. Any down-time or system malfunction should be monitored and documented. It may prove essential at a later time to show to a Court that a computer was functioning properly at a given time or for a given period. It is obviously also important to be able to demonstrate whether the impugned record has been accessed or altered since it was created.

Document retention

What documents are you required to keep?

So far we have focused on whether electronic records are adequate for evidentiary purposes. The next part of the article focuses on the types of documents corporations are required to keep (whether that be electronically or in hard copy).

When can you destroy documents? When must you keep them?

Acts and regulations

All records, whether electronic or not, should be retained for at least the minimum period stated in any applicable statute or regulation. There are more than 80 Acts, regulations and rules specifying document retention requirements applicable to companies under Australian law.

Where there exists a category of documents for which there is no clear legal guidance as to the applicable retention period, the document should be kept for a reasonable period. This period will be determined by considering all the relevant facts and circumstances.

Litigation

Irrespective of whether a statutory retention period has expired, a document which is relevant to existing or anticipated legal proceedings or other processes (such as a subpoena) must be retained until it is no longer required for such proceedings or processes.

Discovery of electronic evidence

Traditionally, the obligations of parties subject to a discovery process have involved the production of a document, or an identical copy of that document. However, this may produce something of an anomaly in the context of electronically stored materials.

Evidence stored in electronic form raises interesting questions regarding the extent of a party’s obligations in the discovery process. For example:

  • if a document is stored on a computer which is password-protected must that party disclose the password?
  • if the evidence is encrypted, does the party have to provide the relevant decryption tools or is it sufficient to give the party the encrypted material “as is”?

Analogy: key to safe.

Although evidence may be stored electronically, normal obligations apply to that material. For example, you still have to produce a document which is confidential. However, the Courts are generally willing to accommodate restrictive disclosure regimes to protect legitimate commercial interests.

Electronic information is practically impossible to entirely eliminate. Deletion of electronically stored information results in digital footprints which may provide valuable information relating to facts in issue relevant to judicial proceedings. The question that then arises is whether there is an obligation to search for these digital footprints when you are required to discover documents?

  • In Sony Music Entertainment (Australia) Ltd v University of Tasmania [2003] FCA 532 it was held that electronic storage records such as CD Roms, computer databases and computer files used to store records were “documents” and therefore can be subject of an order for discovery.
  • In Kennedy v Baker [2004] FCA 562 it was held that a computer hard drive was a single source of data and therefore could be seized under the Crimes Act.
  • In BT (Australasia) Pty Ltd v State of New South Wales & Anor (No 9) [1998] 363 FCA it was held that a party obliged to discover documents is obliged to discover data or information stored or recorded by electronic means. The Federal Court Rules defines “document” to include any “material data or information stored by mechanical or electrical means” (FCR O1 r 4). As a result, Telstra (who was subject to an order for discovery) was required to restore back-up tapes to recover deleted emails and their attachments. This was despite the fact that such a task was very burdensome due to the vast amount of information kept on the back-up tapes.

Document destruction policy

In light of the above, it is prudent that a company adopt a document retention policy to ensure that documents are only discarded or destroyed in accordance with the law and in a systematic manner. The policy should also deal with the specific aspects of electronic document retention. Also, provisions for immediate cessation of destruction processes must be included in the policy so that documents required for legal reasons (including for actual or potential litigation) or business reasons can be preserved.

Income Tax Assessment Act

Requirements under section 262A

Under the Income Tax Assessment Act a person carrying on business must keep records that record and explain transactions and other acts engaged in that are relevant for any purpose under the Act.

Records are “to be readily accessible and convertible into writing in the English language” for five years after records were prepared or obtained, or the completion of the transactions or acts to which the records relate, whichever is the later.

The penalty for not keeping and maintaining records is a fine of $2,200 for each offence.

Tax rulings

A tax ruling is an authoritative statement by the Australian Taxation Office (ATO). They do not necessarily reflect the law but they state how the ATO will interpret the law. A tax ruling may be challenged. Compliance with a tax ruling is a defence to prosecution.

A draft ruling is a document for industry and professional comment which has not been finalised. It represents the preliminary, though considered, views of the ATO but may not be relied on by tax payers and practitioners as it is not a ruling for the purposes of Part IVAAA of the Taxation Administration Act 1953 (Cth).

There are three tax rulings relating to the keeping of electronic records. In essence, they require that electronic records be maintained in such a way that the integrity of the content at capture, storage and reproduction stages can be demonstrated. They also require that documentation relating to the operation of any software that creates or affects those records be kept so that the tax office can understand how that software works and whether it is operating correctly.

Corporations Act

Obligation to keep financial records

Under section 286(1) of the Corporations Act, a company must keep “written financial records that:

  • correctly record and explain its transactions and financial position and performance; and
  • would make true and fair financial statements able to be prepared and audited.”

How long must records be kept

Under section 286(2) of the Corporations Act, accounting records “must be retained for seven years after the transactions covered by the records are completed”.

Therefore, the records must be kept for seven years from the end of the transaction to which the document relates (not seven years from when the document was created!).

Language requirement

Under section 287 of the Corporations Act, records need not be kept in the English language. However, if the record is in another language, an English translation must be made available within a reasonable time.

Physical format

Under section 288 of the Corporations Act, if records are “kept in electronic form, they must be convertible into hard copy. Hard copy must be made available within a reasonable time”.

Where records are to be kept

Under section 289 of the Corporations Act, a company may decide where to keep records. However, if records are kept outside the jurisdiction, sufficient written records about those matters must be kept within the jurisdiction to enable a true and fair financial statement to be prepared. Additionally, a company must give the ASIC written notice of the place where the information is kept. Generally, electronic records are kept at the place where the server on which they are stored is located. A local ability to retrieve the record is not sufficient.

Australia Standards

Australian Standard for Records Management (AS ISO 15489)

Under AS ISO 15489, systems for electronic records should be designed so that records will remain accessible, authentic, reliable and useable through any kind of system change, for the entire period of retention. This includes migration to different software and hardware.

Where this occurs, evidence of the change in the documentation system should be kept, along with details of any variation in record design and format.

Electronic Transactions Act

Introduction

Traditionally, there have been requirements at law for certain documents to be in writing and to be signed. There were also legal impediments preventing electronic documents and digital signatures from meeting these requirements.

The Electronic Transactions Act 1999 (Cth) aims to remove some of these legal impediments.

The Act primarily relates to dealings between persons and Commonwealth government agencies, not dealings between private parties.

Section 11 - production of documents

Under section 11(1) of the Electronic Transactions Act, if, under a law of the Commonwealth a person is required to produce a document that is in the form of paper, an article or other material, the requirement is taken to have been met if the person produces, by means of an electronic communication, an electronic form of the document where:

  • having regard to all the relevant circumstances at the time of the communication, the method of generating the electronic form of the document provided a reliable means of assuring the maintenance of the integrity of the information contained in the document; and
  • at the time the communication was sent, it was reasonable to expect that the information contained in the electronic form of the document would be readily accessible so as to be useable for subsequent reference; and
  • the person to whom the document is to be produced consents to the production by means of an electronic communication, or an electric form of the document.

Record retention

Under section 12(2) of the Electronic Transactions Act, if, under the laws of the Commonwealth, a person is required to retain a document for a certain period, that requirement will be met if the person retains an electronic form of the document where:

  • there is a reliable means of ensuring integrity;
  • it is readily accessible and useable for subsequent reference; and
  • if a particular kind of storage device is required by regulations, that requirement has been met.

This means the Commonwealth entity can specify:

  • software/format constraints
  • acknowledgement of receipt
  • (Therefore the private sector needs to consider need for similar conditions to be imposed contractually, perhaps by way of conditional consent.)

Integrity of information

Under section 11(3) of the Act, the integrity of the information contained in a document is maintained if and only if the information has remained complete and unaltered, apart from:

  • the addition of any endorsement; or
  • any immaterial change

which arises in the normal course of communication, storage or display.

There is a risk that there will be loss of essential attributes when storing information in electronic form. As a result the document will undergo a material change. For example, the depth of an imprint of a signature on a cheque. This attribute is lost by two dimensional scanning. Section 11(3) of the Act means that the stored image of the document is not acceptable if the third dimension (eg handwritten signature attributes) is material.

Impact of the Electronic Transactions Act

  • Where, under a law of the Commonwealth, there is a requirement that records be kept, this is satisfied by keeping an electronic record.
  • Electronic records must be readily accessible/useable for subsequent reference.
  • Remember: longevity of storage medium is NOT the issue!

Privacy Act

Introduction

The Privacy Act (Cth) and the National Privacy Principles (NPPs) regulate the collection and subsequent use of personal information where the information is stored in a record by an organisation.

The National Privacy Principles apply to businesses with an annual turnover of more than $3 million. Businesses with an annual turnover of $3 million or less are exempt from complying with the National Privacy Principles unless one of the following statements is true for the business.

  • It is related to another business (for example its holding company or a subsidiary) that has an annual turn over of more than $3 million.
  • It discloses personal information for a benefit, service or advantage.
  • It provides someone else with a benefit, service or advantage to collect personal information.

Collecting personal information

An organisation must not collect personal information unless the information is necessary for one or more of its functions or activities (NPP 1.1).

Under the National Privacy Principles, a company may only collect personal information about individuals by “lawful and fair means” (NPP 1.2) and not in an unreasonably intrusive way. At or before the time (or, if that is not practicable, as soon as practicable after) an organisation collects personal information about an individual, the organisation must take reasonable steps to ensure that the individual is aware of:

  • the identity of the organisation and how to contact it;
  • the fact that he or she is able to gain access to the information; and
  • the purposes for which the information is collected and the organisation (or types of organisations) to which information of that kind is usually disclosed. Where the purpose for which the information is collected is obvious it need not be disclosed. However, any other purpose should be disclosed whether it is related or unrelated.

Under the Privacy Act, an organisation must take reasonable steps to destroy (or permanently de-identify) personal information if it is no longer needed for any purpose for which the information was used or disclosed.

Prohibitions

A company is prohibited from using and disclosing personal information other than as per consent.

Liability

Under the law of negligence, pure economic loss is no longer a bar to recovery. Therefore, if personal information about an individual is released without that person’s consent, and this causes the individual economic loss, this may result in damages being awarded in favour of the individual.

Take home messages

  • It may sometimes be necessary to keep or store the original document.
  • It is essential that you are able to retrieve archived information.
  • Track software and hardware changes.
  • Maintain a detailed documented record of the controls which maintains the system’s integrity.

Ultimate tests

  • What attributes of this record are critical to be kept?
  • Does my proposed storage solution faithfully capture, store and reproduce that attribute?
  • If not, the original needs to be kept.
  • If a statute requires retention of the original, it needs to be kept.
  • Otherwise, the electronic version will suffice and the original can be shredded.

This article is based on a paper presented at the Australian Corporate Lawyers’ Association (ACLA) NSW Annual Conference, Sydney, 30-31 March 2006.

Footnotes

1 Omychund v Barker.

This publication is only a general outline. It is not legal advice. You should seek professional advice before taking any action based on its contents.