Policy 3-006: Use of Electronic Signatures and Records
Purpose & Scope
This policy establishes when an electronic signature may replace a written signature
and when an electronic record may replace a paper document in official University
activities.
This policy applies to all members of the University of Utah community, and governs
all uses of electronic signatures and electronic records used to conduct the official
business of the University of Utah. Such business shall include, but not be limited
to, electronic communications, transactions, contracts, grant applications and other
official purposes.
Definitions
An "electronic signature" is an electronic sound, symbol, or process, attached to
or logically associated with an electronic record and executed or adopted by a person
with the intent to sign a record.
An "electronic record" is a record created, generated, sent, communicated, received,
or stored by electronic means.
A "record" is information that is inscribed on a tangible medium or that is stored
in an electronic or other medium and is retrievable in perceivable form. Financial
and other documents or forms are records.
An "electronic transaction" is a transaction conducted or performed, in whole or in
part, by electronic means or electronic records.
"Electronic" relates to technology having electrical, digital, magnetic, wireless,
optical, electromagnetic, or similar capabilities.
An approved electronic signature method is one that has been approved by the Vice
President for Administrative Services, in accordance with this policy and all applicable
state and federal laws, and which specifies the form of the electronic signature,
the systems and Procedures used with the electronic signature, and the significance
of the use of the electronic signature.
A "certificate" is an electronic document used to identify an individual, server,
a company, or some other entity and to associate that identity with a public key.
A certificate provides generally recognized proof of a person's identity.
"Public-key" infrastructure (PKI) is a form of information encryption that uses certificates
to prevent individuals from impersonating those who are authorized to electronically
sign an electronic document. A "public key" is a value provided by some designated
authority as a key that, combined with a "private key" derived from the public key,
can be used to effectively encrypt messages and digital signatures.
A "private key" is an encryption/decryption key known only to the party or parties
that exchange messages. In traditional private key cryptography, a key is shared by
the communicators so that each can encrypt and decrypt messages.
Policy
Use of an Electronic Signature
Signature required by University policy
Where a University policy requires that a record have the signature of a responsible
person, that requirement is met when the electronic record has associated with it
an electronic signature using an approved electronic signature method.
Where a University policy requires a written document, that requirement is met when
an electronic record has associated with it an electronic signature using an approved
electronic signature method.
Signature required by law
Where there is a legal requirement, beyond University policy, that a record have the
signature of a responsible person, that signature requirement is met when the electronic
record has associated with it an electronic signature using an approved electronic
signature method which complies with Utah state law or Federal law.
Where a legal requirement, beyond University policy, requires a written document,
that requirement is met when an electronic record has associated with it an electronic
signature using an approved electronic signature method, which complies with Utah
state law or Federal law.
The signing of a record using an approved electronic signature method does not mean
that the record has been signed by a person authorized to sign or approve that record.
Appropriate Procedures must be used to confirm that the person signing the record
has the appropriate authority.
This policy applies only to transactions between parties each of which has agreed
to conduct transactions by electronic means.
If parties have agreed to conduct a transaction by electronic means and a law requires
a person to provide, send, or deliver information in writing to another person, the
requirement is satisfied if the information is provided, sent, or delivered, as the
case may be, in an electronic record capable of retention by the recipient at the
time of receipt. An electronic record is not capable of retention by the recipient
if the sender or its information processing system inhibits the ability of the recipient
to print or store the electronic record.
Approval of Electronic Signature Methods by the Vice President for Administrative
Services
The final approval of any electronic signature method will be by the Vice President
for Administrative Services, with the recommendation of the cognizant vice president.
In determining whether to approve an electronic signature method, consideration will
be given to the systems and Procedures associated with using that electronic signature,
and whether the use of the electronic signature is at least as reliable as the existing
method being used. This determination will be made after a review of the electronic
signature method by the Office of Information Technology, the Institutional Security
Office, and University Legal Council.
If approved electronic signature methods require the use of encryption technology
that uses public or private key infrastructure and/or certificates, the Office of
Information Technology will be responsible for the administration of such public or
private keys and certificates.
The approval of an electronic signature method can limit the use of that method to
particular electronic records, particular classes of electronic records, or particular
University organizations. An electronic signature used outside of its limitations
will not be considered valid by the University.
All approvals of electronic signature methods will be available in electronic form
to the University community and the public and will be deemed to be appendices to
this policy.
In the event that it is determined that an approved electronic signature method is
no longer trustworthy, the Vice President for Administrative Services must revoke
the approval of that electronic signature method. If there is continued significance
for the electronic signatures that used the revoked method, the Vice President for
Administrative Services will take steps to see that any valid records signed with
the revoked electronic signature method are signed again with an approved electronic
signature method.
Rules and Procedures
The University of Utah may make rules that:
Identify specific transactions that the University is willing to conduct by electronic
means;
Identify specific transactions that the University will never conduct by electronic
means;
Specify the manner and format in which electronic records must be created, generated,
sent, communicated, received, and stored, and the systems established for those purposes;
If law or rule requires that the electronic records must be signed by electronic means,
specify the type of electronic signature required, the manner and format in which
the electronic signature must be affixed to the electronic record, and the identity
of, or criteria that must be met by, any third party used by a person filing a document
to facilitate the process;
Specify control processes and Procedures as appropriate to ensure adequate preservation,
disposition, integrity, security, confidentiality, and auditability of electronic
records; and
Identify any other required attributes for electronic records that are specified for
corresponding non-electronic records or that are reasonably necessary under the circumstances.
Sanctions
Any individual or party that makes inappropriate or illegal use of electronic signatures
and/or records is subject to sanctions up to and including dismissal, suspension,
and criminal prosecution as specified in published University policies and State laws,
whether or not they are referenced in this policy.
Rules, Procedures, Guidelines, Forms, and other related resources
Rules [reserved]
Procedures [reserved]
Guidelines [reserved]
Forms [reserved]
Other related resource materials [reserved]
References
Utah Code Ann. § 46-4-101: Uniform Electronic Transactions Act
Acting as the Policy Owner, the Office of the Controller is responsible for answering questions and providing information regarding the application
of this policy. Acting as the Policy Officer, the Chief Business Officer is responsible for representing the University's interests in enforcing this policy
and authorizing any allowable exceptions.
History
Revision 0: Approved by Academic Senate 5/6/02
Revision 0: Approved by Board of Trustees 5/20/02
Revision 1: Reformatted, Renumbered, Owner and Officer updated 7/15/11
Revision 1: Updated contacts, Added Chief Business Officer 11/3/14