Please Note
Only excerpts of this document are posted here. Please refer to the full document and the references for further information. Please note that this document considers the use of a stylus as a form of e-signature.
DDF
15 July 2019
Government of Canada Guidance on Using Electronic Signatures
From Treasury Board of Canada Secretariat
1.0 - Initial publication - 15 July 2019
Notice
In September 2017, TBS provided guidance on e-signatures to all Departmental Security Officers via e-mail. That guidance still applies and should be considered an integral part of this document. This document complements and expands on that guidance. The guidance issued in September 2017 is provided at Annex D for ease of reference. This guidance document is intended for GC departments and agencies contemplating the use of electronic signatures in support of their day-to-day business activities. This is a “living” document that will evolve over time in response to lessons learned, changes in related legislative requirements or future technological advancements in the electronic signature area. It should be noted that nothing stated within this document is intended to replace or override existing legislation or policy. Any such discrepancies should be brought to the attention of the Treasury Board of Canada Secretariat’s Office of the Chief Information Officer at zzcybers@tbs-sct.gc.ca.
On this page
…
1.1. Background
In keeping with the objectives of the Government of Canada’s (GC’s) Digital Government initiative, the GC continues to:
- streamline its internal and external business processes
- improve how it delivers services to Canadians
The GC can achieve these goals, in part, by replacing paper-based processes with electronic practices that are more modern, faster and easier to use.
The concept of conducting business electronically is nothing new. A number of jurisdictions, including the GC and Canada’s provinces and territories, have developed laws, policies and standards for electronic documents and electronic signatures (e-signatures) since the mid-1990s.
…
The primary function of a signature is to provide evidence of the signatory’s:
- identity
- intent to sign
- agreement to be bound by the contents of the document
…
1.2. Purpose and scope
This document provides guidance on using e-signatures in support of the GC’s day-to-day business activities. It aims to clarify:
- what constitutes an e-signature
- what forms of e-signature are appropriate in the context of the business activity
This document is not intended to be:
- a substitute for legal advice (business owners should always consult with their legal counsel)
- a framework to protect sensitive information from unauthorized disclosure (this document does not address confidentiality requirements)
1.3. Intended audience
This guidance is for GC departments (footnote 1) that are exploring the use of e-signatures in support of their day-to-day business activities.
…
The purpose of this Appendix is to provide examples of the types of business activities that may correspond to each assurance level. In general, as the importance and/or value of the business activity increases, so does the associated assurance level. However, it should be noted that the business activity examples provided here are for illustrative purposes only and are in no way meant to be prescriptive.
Individual departments should perform their own assessments in the context of their business needs and requirements. The overall objective should be to:
- leverage existing investments where feasible (departments should use what they already have where it makes sense)
- enhance the user experience
- implement cost-effective, sensible solutions commensurate with the assessed assurance level
Table C1: examples of business activities (examples only, by assurance level)

Assurance Level 4:
- Online financial transactions where existing legislation requires a digital signature or secure e-signature (for example, the Electronic Payments Regulations and the Payments and Settlements Requisitioning Regulations)
- PIPEDA Part 2 use cases where applicable
- Binding contracts with external entities that exceed a certain dollar value (based on risk tolerance as determined by departmental evaluation)

Assurance Level 3:
- Managerial approvals of financial transactions that do not require a digital signature or secure e-signature (for example, approval of employee expense claims)
- Binding contracts with external entities that are below a certain dollar value (based on risk tolerance as determined by departmental evaluation)
- One or more of the business activity examples listed under Assurance Level 2 may also apply here (risk tolerance varies by department; some departments may elect to implement more stringent security controls for some of the Assurance Level 2 activities)

Assurance Level 2:
- Leave submissions and approvals
- Travel requests and approvals
- Time sheet submissions and approvals
- Expense claim submissions (but not approvals)
- Online submission of certain applications or forms from external users
- Intradepartmental memoranda of understanding

Assurance Level 1:
- Everyday correspondence with little to no implied commitment on behalf of the sender or the GC
For additional guidance, you may want to refer to the Canadian General Standards Board’s standard entitled Electronic Records as Documentary Evidence, which provides information and guidance for developing policies, procedures, processes and documentation that support the reliability, accuracy and authenticity of electronic records. Additionally, the Directive on Identity Management and the Standard on Identity and Credential Assurance provide guidance on validating the identity of individuals, which applies equally to the use of electronic signatures.
We trust this is of assistance. Please address any inquiries to SEC@tbs-sct.gc.ca.
Best regards,
Rita Whittle
Director General, Security and Identity Management Policy, Chief Information Officer Branch
Treasury Board of Canada Secretariat / Government of Canada
Rita.Whittle@tbs-sct.gc.ca / Tel: 613-369-9683 / TTY: 613-369-9371
Footnotes
Footnote 1
Throughout this document, “departments” denotes federal departments and agencies.
Footnote 2
An exception to the opt in requirement is section 36 of PIPEDA.
Footnote 3
Currently, there are over 20 federal acts and almost 30 regulations listed on the Department of Justice Canada website that include references to “electronic signature” (based on a search for the term “electronic signature” using the Department of Justice Canada advanced search tool).
Footnote 4
The Secure Electronic Signature Regulations are annexed to both PIPEDA and the Canada Evidence Act .
Footnote 5
Both the algorithm description and the recognition process are currently under review.
Footnote 6
Note that assurance levels should not be confused with levels of authority.
Footnote 7
Note that other tools such as the ITSG 33: Security Categorization Guide may also be used to assist in the assessment process.
Footnote 8
A secure time-stamp is obtained from a trusted source. The integrity of the secure time-stamp is cryptographically protected.
Footnote 9
Note that electronic signatures created using certificates issued by internal GC CAs such as the Internal Credential Management (ICM) CA are typically not capable of supporting interaction with external entities, as the issuing CA is not a recognized trust anchor outside the GC. (There are a limited number of exceptions where ICM issues certificates to external entities, but such exceptions do not offer a viable long-term solution.)
Footnote 10
Based on a search for the term “electronic signature” using the Department of Justice Canada advanced search tool.
Footnote 11
Signature electronic equivalents found in provincial and territorial electronic transaction laws do not apply to the GC.
Footnote 12
The UECA states that authorities responsible for the legal signature requirement can make regulations where it is felt that the situation implies a degree of reliability of identification or association with the document to be signed. Similarly, signatures submitted to government (provincial and territorial) must conform to information technology requirements and to any rules on the method of making them or their reliability. See the Uniform Law Conference of Canada’s discussion of the Uniform Electronic Commerce Act .
Footnote 13
The properties identified in the SES Regulations describe a digital signature based on the Rivest, Shamir, Adleman (RSA) algorithm. Other digital signature algorithms such as the Elliptic Curve Digital Signature Algorithm (ECDSA) are also valid but have different mathematical properties that do not precisely conform to the description in the SES Regulations.
Footnote 14
As advancements in biometric technology continue to be made, this restriction may be revisited.
Footnote 15
Note that the multi-factor software cryptographic token (for example, a PKI-based soft token such as a myKEY soft token) is purposely omitted here because it is not considered to be an adequate multi-factor solution according to the guidance provided in ITSP.30.031. Furthermore, PKI-based soft tokens are not sufficient at Assurance Level 3 unless the authentication process is coupled with another appropriate Assurance Level 2 token (which is typically not supported by existing GC deployments).
SOURCE
https://www.canada.ca/en/government/system/digital-government/online-security-privacy/government-canada-guidance-using-electronic-signatures.html