Electronic vs. Digital Signatures - On the Road to eConsent
Do Electronic and Digital mean the same thing?
A common misconception in document, signature and identity verification is that these two terms are one and the same. Here we will cover what the two types are and touch on international requirements.
Many of the reasons we have switched to electronic signatures (eSignatures) and digital signatures include (i) ease of transfer (no postage required), (ii) instantaneous sharing, and (iii) improved authenticity. Physical signatures are easy to copy and, whilst electronic and digital signatures can also be forged and raise authenticity concerns, additional measures such as cryptographic signing and metadata capture build up evidence that improves confidence in the signatory's identity and in when they signed.
Electronic Signatures
An electronic signature or eSignature is typically used to indicate approval of a document and can be a typed name, a scanned image of a handwritten signature, or a signature drawn with a finger or stylus. They can be very useful for showing, in some way, that a document has been read, understood and signed off; however, the signature itself carries no cryptographic proof of who made it or when. Consequently, these signatures can be legally repudiated and can become difficult to audit. "What does this mean?" you might ask. Without full identity validation, it is hard to provide any assurance that the signatory is who they said they were and that they signed when they said they did. In many research studies, and even clinical trials, the level of assurance a signature must or should have varies, and eSignatures with these limitations are often sufficient. How we can overcome these confidence and assurance issues is covered next.
Digital Signatures
To provide the necessary validation, digital signatures take centre stage. A digital signature uses cryptography: a hash (fingerprint) of the document is signed with a private key that only the signatory holds, and anyone with the matching public key can then confirm both who signed and that the document has not changed since. Because the signature is bound to the exact bytes of the document, it also provides integrity protection over the document itself, not just over the name at the bottom. Some readers might be unfamiliar with the term digital signature since the terminology is mostly used in the USA. Readers working within the UK/EU are more likely to be familiar with advanced and qualified eSignatures, which we will cover in future posts. While the terminology overlaps, as long as the method of electronic or digital signature is described comprehensively in the study and trial protocol documents and has gone to an ethics committee (if needed), any additional requirements or concerns will be highlighted quickly.
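The paragraph above describes the mechanism in the abstract; the following added example (our own illustration, not Trialflare's platform code) shows it end to end on a constructed consent record. To keep it runnable with only the Python standard library it uses a hash-based Lamport one-time signature rather than RSA, ECDSA or EdDSA; the shape is identical (private key signs a digest, public key verifies, any alteration is detected), but a Lamport key may sign only one message, as noted in the code. The record format, the `participant-0042` identifier and the consent text are all constructed for the example.

```python
"""Digital signature over an eConsent record using a Lamport one-time signature.

Illustrative, standard-library-only stand-in for RSA/ECDSA/EdDSA. The signed
"envelope" binds the document hash, the signatory's identifier and the
timestamp together, so tampering with any of them breaks verification.
"""
import hashlib
import json
import os

N_BITS = 256  # SHA-256 digest length; one secret pair per digest bit


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen():
    """Private key: 256 pairs of random 32-byte secrets.
    Public key: the SHA-256 of each secret. Publish pk; keep sk with the signatory only."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(N_BITS)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def _bits(digest: bytes):
    """Yield the 256 bits of a digest, most significant bit first."""
    for byte in digest:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def sign(sk, message: bytes) -> list:
    """For each bit of SHA-256(message), reveal the secret matching that bit value.
    CAVEAT: a Lamport key must sign exactly one message; signing a second, different
    message reveals enough secrets for an attacker to forge further signatures."""
    return [sk[i][bit] for i, bit in enumerate(_bits(_h(message)))]


def verify(pk, message: bytes, sig: list) -> bool:
    """Hash each revealed secret and compare with the published half for that bit."""
    if len(sig) != N_BITS:
        return False
    return all(_h(sig[i]) == pk[i][bit] for i, bit in enumerate(_bits(_h(message))))


def _envelope(record: dict) -> bytes:
    # Canonical serialisation so signer and verifier hash byte-identical input.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sign_consent(sk, document: bytes, signer_id: str, signed_at: str) -> dict:
    """Bind the document hash, signatory identity and timestamp into one signed record."""
    record = {
        "document_sha256": hashlib.sha256(document).hexdigest(),
        "signer_id": signer_id,
        "signed_at": signed_at,
    }
    signature = [s.hex() for s in sign(sk, _envelope(record))]
    return {"record": record, "signature": signature}


def verify_consent(pk, document: bytes, signed: dict) -> bool:
    """True only if the document matches the signed hash AND the record is intact."""
    record = signed.get("record", {})
    if record.get("document_sha256") != hashlib.sha256(document).hexdigest():
        return False  # document altered after signing
    sig = [bytes.fromhex(s) for s in signed.get("signature", [])]
    return verify(pk, _envelope(record), sig)


if __name__ == "__main__":
    # Constructed sample consent text and identifiers (not a real form or participant).
    consent = b"I agree to take part in study TF-EXAMPLE and have read the information sheet."
    sk, pk = keygen()
    signed = sign_consent(sk, consent, "participant-0042", "2023-05-01T09:30:00Z")
    print("original verifies:", verify_consent(pk, consent, signed))                  # True
    print("amended document verifies:", verify_consent(pk, consent + b" (amended)", signed))  # False
    backdated = {"record": dict(signed["record"], signed_at="2023-04-01T09:30:00Z"),
                 "signature": signed["signature"]}
    print("backdated record verifies:", verify_consent(pk, consent, backdated))       # False
```

The two failure cases are the ones that matter for repudiation: editing the consent wording after signing changes the document hash, and editing the timestamp (or signer identifier) changes the signed envelope, so neither can be done without the private key. A plain eSignature image offers neither check.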
Which signature is relevant to my particular case?
If you're undertaking any human research, the format and integrity of your signatures require careful consideration. Participants should not be burdened unnecessarily; however, protecting their identity and data is crucial. Balancing sufficient protection against ease of use is a trade-off that study designers must settle on together. What you should consider:
- Is my signature method reliable?
- Is my signature method accurate?
- How much effort is my signature method to implement?
- How much effort is my signature method to undertake by participants?
- Is the study high risk?
- Will I be able to trace an individual signatory in the event that they must be revealed?
"What legal implications are there for electronic and digital signatures?"
USA - General Signature Usage
In the United States, there are four major requirements for compliance in order to adhere to the United States Electronic Signatures in Global and National Commerce (ESIGN) Act, and the Uniform Electronic Transactions Act (UETA). These include:
- Intent to sign - A signature is only valid if the person signing intended to sign.
- Consent to do business electronically - A consumer or signatory must (i) have received the UETA Consumer Consent Disclosures before signing, (ii) have agreed to use electronic records, and (iii) not have withdrawn their consent to use electronic records.
- Association of signature with the record - To qualify as an eSignature under the ESIGN Act and UETA, the signature must be attached to or logically associated with the record, and the system used to capture it must retain data reflecting the process by which the signature was created.
- Record retention - Electronic records and signatures must be retained in a form that can be accurately reproduced for later reference by all parties entitled to them.
UETA guidelines are attached to this blog post.
USA - Life Sciences Regulations
If you are working in the life sciences or clinical trials space, additional requirements for eSignatures come into play, overseen by the Food and Drug Administration (FDA), namely 21 CFR Part 11 ("Part 11"), which sets out additional standards that must be adhered to. Here are some points covered by this documentation:
- Systems that create eSignatures must be validated to ensure accuracy, reliability, consistent intended performance, and the ability to discern invalid or altered records.
- Systems must be able to generate accurate and complete copies of records, in both human-readable and electronic form, so that they may be inspected, reviewed and/or copied by the FDA.
- eSignatures not based on biometrics must use at least two distinct identification components (e.g. a user ID and a password).
- Access must be limited to authorised individuals (e.g. auto-logout of a platform after a period of inactivity).
- Records must carry secure, computer-generated time-stamped audit trails identifying the signatories and users involved at every stage. Creation, modification or deletion of records must be fully traceable, documented and justifiable, and the audit trail must not obscure previously recorded information.
- Identification components must be entered at each signing - they cannot be auto-populated or bulked together into a single action covering several signatures.
- Auto-population of other metadata is permitted. This includes any comments or notes made by relevant persons.
- Your organisation must have on file with the FDA a certification that its electronic signatures are intended to be the legally binding equivalent of traditional handwritten signatures.
- eSignature platforms should support multiple signatories on a single record, each signing individually.
FDA Guidelines are attached to this blog post.
UK/EU, Brexit Implications and GDPR
The UK passed the European Union (Withdrawal) Act in 2018, which provides legal assurance for the continuation of EU law under UK law. This includes the electronic Identification, Authentication and Trust Services (eIDAS) Regulation, which governs electronic signatures and trust services in the European Single Market.
Both the UK Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR), which set out the legal requirements for protecting personally identifiable data, operate, practically speaking, under the same framework as the EU GDPR. The UK Government has also stated that qualified signatures (which we will cover in a later blog post) will continue to be recognised under UK law.
The format and definition of eSignatures in UK and EU markets, particularly in life sciences, depend on the particular use case. eSignatures can be basic, advanced or qualified. Advanced and qualified signatures impose cryptographic and identity requirements that overlap with what the USA calls a digital signature, which is where the terminology becomes slightly blurred.
Use the contact form here or email us at hello@trialflare.com