Lesson 7: Key Decision 2 - Defining the Copy of Record (COR)
What the system defines as the COR As defined in § 3.3 of CROMERR, a true and correct copy of an electronic document received by an electronic document receiving system, which copy can be viewed in a human-readable format that clearly and accurately associates all the information provided in the electronic document with descriptions or labeling of the information. A copy of record includes: 1) All electronic signatures contained in or logically associated with that document; 2) The date and time of receipt; and 3) Any other information used to record the meaning of the document or the circumstances of its receipt. determines:
How the COR is Shown to be "True and Correct"
- The closer the COR is to the file received, the easier a "true and correct" showing may be, since there will be few or no transformations of that file to account for.
- For CORs that do not have an associated hash value, a "true and correct" showing will depend heavily on how their access is secured, controlled, and logged.
- If CORs can incorporate changes to their content—for example, to accommodate submitter corrections—then a "true and correct" showing will depend heavily on a chain of custody that documents all such changes and their circumstances.
How Opportunity to Review is Provided
- The COR's format will determine what processing is needed for a "human-readable" version.
- The medium in which the COR is maintained (e.g. electronic or paper) will affect how it can be provided for review.
For example, consider the following ways a system can define the COR:
- A PDF capture of the on-screen appearance of the file submitted, associated with the signature, the date and time of submission, and a hash value of the file submitted
- The submitted data as stored in a database, associated with the signature and the date and time of submission
- A print-out of the submitted data, including the signature and the date and time of submission
| Example Solutions | Solution A PDF Capture of the Submitted File |
Solution B Data in a Database |
Solution C A Paper Print-Out |
|---|---|---|---|
| Opportunity to Review the COR | Requires making the PDF available online or sending it to the signer or submitter—as an email attachment or by other means—assuming the PDF captures a human-readable format. | Requires: (1) system functions to put the data into a human-readable format; and (2) making the formatted data available online or sending it to the signer or submitter by other means, such as an email attachment. | Requires procedures to: (1) receive requests; (2) produce paper copies; and (3) deliver the copies. |
| COR is Shown to be "True and Correct" | Requires a demonstration of the integrity of the PDF file, for example, by showing that it has been secured against tampering or that a hash value calculated from the file matches the hash calculated when it was received. | Requires a demonstration that: (1) the processing that placed the data in the database did not, in any way, affect its informational content; and (2) that the database has been secured against tampering and any undocumented changes. | Requires procedures to: (1) produce an accurate print-out of the submittal; (2) certify the print-out's accuracy; and (3) secure the print-out against any tampering or destruction. |