Lesson 7: Key Decision 2 - Defining the Copy of Record (COR)
What the system defines as the COR determines:
- How the COR is Shown to be "True and Correct"
  - The closer the COR is to the file received, the easier a "true and correct" showing may be, since there will be few or no transformations of that file to account for.
  - For CORs that do not have an associated hash value, a "true and correct" showing will depend heavily on how their access is secured, controlled, and logged.
  - If CORs can incorporate changes to their content—for example, to accommodate submitter corrections—then a "true and correct" showing will depend heavily on a chain of custody that documents all such changes and their circumstances.
- How Opportunity to Review is Provided
  - The COR's format will determine what processing is needed for a "human-readable" version.
  - The medium in which the COR is maintained (e.g. electronic or paper) will affect how it can be provided for review.
For example, consider the following ways a system can define the COR:
- A PDF capture of the on-screen appearance of the file submitted, associated with the signature, the date and time of submission, and a hash value of the file submitted
- The submitted data as stored in a database, associated with the signature and the date and time of submission
- A print-out of the submitted data, including the signature and the date and time of submission
| Example Solutions | Solution A: PDF Capture of the Submitted File | Solution B: Data in a Database | Solution C: A Paper Print-Out |
|---|---|---|---|
Opportunity to Review the COR | Requires making the PDF available online or sending it to the signer or submitter—as an email attachment or by other means—assuming the PDF captures a human-readable format. | Requires: (1) system functions to put the data into a human-readable format; and (2) making the formatted data available online or sending it to the signer or submitter by other means, such as an email attachment. | Requires procedures to: (1) receive requests; (2) produce paper copies; and (3) deliver the copies. |
COR is Shown to be "True and Correct" | Requires a demonstration of the integrity of the PDF file, for example, by showing that it has been secured against tampering or that a hash value calculated from the file matches the hash calculated when it was received. | Requires a demonstration that: (1) the processing that placed the data in the database did not, in any way, affect its informational content; and (2) that the database has been secured against tampering and any undocumented changes. | Requires procedures to: (1) produce an accurate print-out of the submittal; (2) certify the print-out's accuracy; and (3) secure the print-out against any tampering or destruction. |
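
The hash comparison described for Solution A, combined with the chain of custody the lesson requires when a COR can incorporate corrections, can be sketched as follows. This is an added example, not code from the lesson or from any particular system; the `CopyOfRecord` class, its field names, the choice of SHA-256, and the sample submission are all assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

@dataclass
class CopyOfRecord:
    """Hypothetical COR: file bytes plus signer, submission time, custody log."""
    content: bytes
    signer: str
    submitted_at: str
    custody_log: list = field(default_factory=list)

    @classmethod
    def receive(cls, content: bytes, signer: str) -> "CopyOfRecord":
        now = datetime.now(timezone.utc).isoformat()
        cor = cls(content, signer, now)
        # The hash calculated at receipt is the baseline for every later check.
        cor.custody_log.append({"event": "received", "by": signer, "at": now,
                                "reason": "original submission",
                                "prev_hash": None, "new_hash": sha256_hex(content)})
        return cor

    def correct(self, new_content: bytes, by: str, reason: str) -> None:
        """Documented change: record who, when, why, and both hash values."""
        self.custody_log.append({"event": "corrected", "by": by,
                                 "at": datetime.now(timezone.utc).isoformat(),
                                 "reason": reason,
                                 "prev_hash": sha256_hex(self.content),
                                 "new_hash": sha256_hex(new_content)})
        self.content = new_content

    def verify(self):
        """Return (ok, message): every change documented, content matches the log."""
        expected = None
        for i, entry in enumerate(self.custody_log):
            if entry["prev_hash"] != expected:
                return False, f"custody log entry {i} does not follow the previous entry"
            expected = entry["new_hash"]
        if expected is None:
            return False, "no receipt hash recorded"
        if sha256_hex(self.content) != expected:
            return False, "content does not match the last documented hash"
        return True, "content matches the documented chain of custody"

if __name__ == "__main__":
    cor = CopyOfRecord.receive(b"constructed sample submission", "signer@example.org")
    cor.correct(b"constructed sample submission, corrected", "signer@example.org", "typo")
    print(cor.verify())
```

The custody log has to be protected against tampering just as the COR is; otherwise the content and its log could be rewritten together and the check would still pass.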