Policy 3-006: Use of Electronic Signatures and Records

  1. Purpose & Scope
    1. This policy establishes when an electronic signature may replace a written signature and when an electronic record may replace a paper document in official University activities.
    2. This policy applies to all members of the University of Utah community, and governs all uses of electronic signatures and electronic records used to conduct the official business of the University of Utah. Such business shall include, but not be limited to, electronic communications, transactions, contracts, grant applications and other official purposes.
  2. Definitions
    1. An "electronic signature" is an electronic sound, symbol, or process, attached to or logically associated with an electronic record and executed or adopted by a person with the intent to sign a record.
    2. An "electronic record" is a record created, generated, sent, communicated, received, or stored by electronic means.
    3. A "record" is information that is inscribed on a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form. Financial and other documents or forms are records.
    4. An "electronic transaction" is a transaction conducted or performed, in whole or in part, by electronic means or electronic records.
    5. "Electronic" relates to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities.
    6. An approved electronic signature method is one that has been approved by the Vice President for Administrative Services, in accordance with this policy and all applicable state and federal laws, and which specifies the form of the electronic signature, the systems and Procedures used with the electronic signature, and the significance of the use of the electronic signature.
    7. A "certificate" is an electronic document used to identify an individual, server, a company, or some other entity and to associate that identity with a public key. A certificate provides generally recognized proof of a person's identity.
    8. "Public-key" infrastructure (PKI) is a form of information encryption that uses certificates to prevent individuals from impersonating those who are authorized to electronically sign an electronic document. A "public key" is a value provided by some designated authority as a key that, combined with a "private key" derived from the public key, can be used to effectively encrypt messages and digital signatures.
    9. A "private key" is an encryption/decryption key known only to the party or parties that exchange messages. In traditional private key cryptography, a key is shared by the communicators so that each can encrypt and decrypt messages.
  3. Policy
    1. Use of an Electronic Signature
      1. Signature required by University policy
        1. Where a University policy requires that a record have the signature of a responsible person, that requirement is met when the electronic record has associated with it an electronic signature using an approved electronic signature method.
        2. Where a University policy requires a written document, that requirement is met when an electronic record has associated with it an electronic signature using an approved electronic signature method.
      2. Signature required by law
        1. Where there is a legal requirement, beyond University policy, that a record have the signature of a responsible person, that signature requirement is met when the electronic record has associated with it an electronic signature using an approved electronic signature method which complies with Utah state law or Federal law.
        2. Where a legal requirement, beyond University policy, requires a written document, that requirement is met when an electronic record has associated with it an electronic signature using an approved electronic signature method, which complies with Utah state law or Federal law.
      3. The signing of a record using an approved electronic signature method does not mean that the record has been signed by a person authorized to sign or approve that record. Appropriate Procedures must be used to confirm that the person signing the record has the appropriate authority.
      4. This policy applies only to transactions between parties each of which has agreed to conduct transactions by electronic means.
      5. If parties have agreed to conduct a transaction by electronic means and a law requires a person to provide, send, or deliver information in writing to another person, the requirement is satisfied if the information is provided, sent, or delivered, as the case may be, in an electronic record capable of retention by the recipient at the time of receipt. An electronic record is not capable of retention by the recipient if the sender or its information processing system inhibits the ability of the recipient to print or store the electronic record.
    2. Approval of Electronic Signature Methods by the Vice President for Administrative Services
      1. The final approval of any electronic signature method will be by the Vice President for Administrative Services, with the recommendation of the cognizant vice president. In determining whether to approve an electronic signature method, consideration will be given to the systems and Procedures associated with using that electronic signature, and whether the use of the electronic signature is at least as reliable as the existing method being used. This determination will be made after a review of the electronic signature method by the Office of Information Technology, the Institutional Security Office, and University Legal Counsel.
      2. If approved electronic signature methods require the use of encryption technology that uses public or private key infrastructure and/or certificates, the Office of Information Technology will be responsible for the administration of such public or private keys and certificates.
      3. The approval of an electronic signature method can limit the use of that method to particular electronic records, particular classes of electronic records, or particular University organizations. An electronic signature used outside of its limitations will not be considered valid by the University.
      4. All approvals of electronic signature methods will be available in electronic form to the University community and the public and will be deemed to be appendices to this policy.
      5. In the event that it is determined that an approved electronic signature method is no longer trustworthy, the Vice President for Administrative Services must revoke the approval of that electronic signature method. If there is continued significance for the electronic signatures that used the revoked method, the Vice President for Administrative Services will take steps to see that any valid records signed with the revoked electronic signature method are signed again with an approved electronic signature method.
    3. Rules and Procedures
      1. The University of Utah may make rules that:
        1. Identify specific transactions that the University is willing to conduct by electronic means;
        2. Identify specific transactions that the University will never conduct by electronic means;
        3. Specify the manner and format in which electronic records must be created, generated, sent, communicated, received, and stored, and the systems established for those purposes;
        4. If law or rule requires that the electronic records must be signed by electronic means, specify the type of electronic signature required, the manner and format in which the electronic signature must be affixed to the electronic record, and the identity of, or criteria that must be met, by any third party used by a person filing a document to facilitate the process;
        5. Specify control processes and Procedures as appropriate to ensure adequate preservation, disposition, integrity, security, confidentiality, and auditability of electronic records; and
        6. Identify any other required attributes for electronic records that are specified for corresponding non-electronic records or that are reasonably necessary under the circumstances.
    4. Sanctions
      1. Any individual or party that makes inappropriate or illegal use of electronic signatures and/or records is subject to sanctions up to and including dismissal, suspension, and criminal prosecution as specified in published University policies and State laws, whether or not they are referenced in this policy.
  4. Rules, Procedures, Guidelines, Forms, and other related resources
    1. Rules [reserved]
    2. Procedures [reserved]
    3. Guidelines [reserved]
    4. Forms [reserved]
    5. Other related resource materials [reserved]
  5. References
    1. Utah Code Ann. § 46-4-101: Uniform Electronic Transactions Act
    2. 18 U.S.C. § 2510: Electronic Communications Privacy Act
    3. Utah Code Ann. § 76-6-703: Utah Computer Crimes Act
    4. Utah Code Ann. § 76-10-1801: Communications Fraud
    5. Utah Code Ann. § 63-2-101 et seq.: Government Records Access and Management Act (GRAMA)
    6. Policy 4-002: Information Resources Policy
    7. Policy 1-009: University Archives
    8. Policy 4-001: Institutional Data Management
  6. Contacts
    1. Acting as the Policy Owner, the Office of the Controller is responsible for answering questions and providing information regarding the application of this policy. Acting as the Policy Officer, the Chief Business Officer is responsible for representing the University's interests in enforcing this policy and authorizing any allowable exceptions.
  7. History
    1. Revision 0: Approved by Academic Senate 5/6/02
    2. Revision 0: Approved by Board of Trustees 5/20/02
    3. Revision 1: Reformatted, Renumbered, Owner and Officer updated 7/15/11
    4. Revision 1: Updated contacts, Added Chief Business Officer 11/3/14

Policy: 3-006 Rev: 1
Date: November 3, 2014
