What is BS 10008?
The British Standard on Evidential weight and legal admissibility of Electronically Stored Information (ESI)
BS 10008 is the British Standard on Evidential weight and legal admissibility of electronically stored information. Its main aim is to provide organisations with a means to prove their electronic records are trustworthy and therefore can be used as evidence to resolve a dispute.
Whether that proof of trustworthiness is needed in a legal dispute, requested by a statutory body or to settle an internal dispute between departments or divisions, an organisation certified to BS 10008 will be in a position to demonstrate that its electronic evidence is robust and can be trusted.
It is often confused with BIP 0008, which was the Code of Practice accompanying previous versions of the standard. In the 2020 version, all Codes have been integrated into the main standard under Part 2.
This article is for those of you who want to find out what this standard is about, the types of organisations that should consider implementing it and how to go about it.
- Who it’s for and why you should implement it
- What it covers
- How to implement it
- The certification process
- Maintenance of compliance and continuous improvement
Who is it for and why should you embark on a BS 10008 implementation?
Most organisations implementing a management system standard like BS 10008 will do it for one or more of these reasons:
- They sometimes face disputes with other parties in which their electronic information forms part of their evidence, i.e. the electronic information is their “proof” that they are right. The robustness of their case relies on the trustworthiness of that evidence, the cost of losing the dispute is high, and those organisations do not want to take the risk of losing. In this category we find NHS trusts and private hospitals, GP practices, legal firms, accounting firms, etc.
- The Lord Chancellor’s Code of Practice on the management of records issued under section 46 of the Freedom of Information Act 2000 stipulates that Authorities should follow BS 10008, as it is best practice. It also states that if Authorities fail to comply with the Code, they may be in breach of their statutory obligations. “Authorities” are government departments, legislative bodies, local authorities, NHS, schools, police, etc.
- Customers are asking for it – these organisations are often document scanning bureaux or software vendors selling to Authorities (e.g. selling document management systems or call centre voice recording systems).
In my experience, however, BS 10008 is much more than something you “have to” comply with. It is a risk management and quality management system. This means it can be used to ensure your electronically stored information is “of quality”, reducing the risk of poor quality.
We have all been subjected to poor quality scanned images – documents scanned in black and white at low resolution where half of the information cannot be seen.
We have all felt the frustration of poor indexing of electronic documents, whether scanned or born-digital – not being able to find what we’re looking for because the indexing tags attached to documents are poor or non-existent; or because the folder structure on shared drives is a mess; or because the Optical Character Recognition (OCR) is poor and the full text search doesn’t work.
We have all experienced that sinking feeling due to corrupt files – just when you think you’ve found it, you can’t open it!
Even if evidential weight and legal admissibility of your electronic records isn’t a concern for you, all organisations need their digital information to be reliable and available, simply to function and go about their daily business. Therefore, if you have issues with poor quality of digital information in your organisation, implementing BS 10008 is still an excellent solution to address those problems.
Top quality electronic information and low risk is what BS 10008 is all about.
What does it cover exactly?
90% of the people who ask me questions on BS 10008 believe that the standard is only about the scanning process, i.e. the conversion of paper documents to electronic files. That is not the case.
This information management system standard manages the risks to the authenticity, integrity, and availability of the electronic information in scope, for the whole of its lifecycle.
In plain English this means that it is applicable to any type of electronic information (not just scanned documents). It also means you decide which type of information you will include in your scope of compliance, based on your objectives and what you want to achieve. For example, you can include any of:
- Scanned documents
- CAD drawings
- Email messages
- Electronic Data Interchange (EDI) files
- Chat messages and SMS messages
- Video files
- Audio files
- Information held in databases
- Data streams from IoT devices
- Any other type of digital object stored on a file system
Even if protecting the evidential weight and legal admissibility of your scanned documents is all you wish to include in your scope, BS 10008 covers the whole of the lifecycle of the electronic record. It therefore also covers the storage of the scanned documents, whether simply stored on a shared drive or in a document management system. This means that if you outsource the scanning of your documents to a compliant organisation, you also need to comply yourself if you own the storage system.
BS 10008 also covers the transfer of the electronic record if its creation or capture is handled by an external party. For example, if you send video streams to a supplier for processing, prior to storing them within your own system, or if you outsource your mailroom function, the act of transferring the files back and forth will be part of the scope of compliance.
How to implement BS 10008
BS 10008 is implemented in a similar way to other management system standards, such as ISO 27001 (Information Security Management System or ISMS), ISO 9001 (Quality Management System or QMS), ISO 27701 & BS 10012 (Personal Information Management Systems or PIMS). BS 10008 is an Information Management System (IMS). If your organisation already complies or is certified to any of the above standards, there is a considerable overlap between those and BS 10008 – so be sure to integrate your implementations and management of those standards.
Management system standards all have the same building blocks and are implemented, at a high level, with a similar process. The pyramid below demonstrates what those building blocks are.
The Building Blocks of Compliance:
Step 1 - Objectives and Scope
Starting from the bottom, the first thing to decide is what your objectives are in implementing BS 10008. What is it that you are trying to achieve? Common objectives are:
- We want to have top quality electronic information that retains its integrity over time and is available to users when they need it.
- We want to be able to demonstrate our scanned documents are authentic copies of the original paperwork, so we can destroy the paper documents.
- We want to demonstrate to our stakeholders (clients, patients, suppliers, trustees, shareholders, etc.) that our electronic information can be trusted, and is of top quality.
- We want to maximise the evidential weight and assure the legal admissibility of our electronic records, so they stand up in court.
- We want to minimise our financial exposure linked to disputes or negligence claims.
- We want to have the confidence that the risks to our digital information are managed and reduced as much as possible.
Once you are clear on your objectives, determining exactly what information and systems you will include in your scope of compliance should be easy.
Step 2 – Risk Assessment
Next, make a list of all the risks to the authenticity, integrity and availability of the information. There are multiple approaches to doing risk assessments. If you are not used to doing these, an easy way is to start by mapping all the processes (e.g. capture, transfer, storage, retrieval, destruction) around the information and systems in your scope. Then for each step in each process, think of everything that can go wrong in relation to:
- Physical assets – hardware, software, servers, network, PCs, mobile devices
- Places – buildings, rooms and transport/transfer between those locations
- Sub-processes – backup, business continuity, malware
- People – access control, competency, security awareness
- Policies & procedures
This list will become your risk register. You will need to score each item on the list and determine how you will handle each risk. For example, will you try to mitigate the risk, change the way things are done to eliminate it, or accept it as it is?
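As an added illustration of the Step 2 procedure (not from the article or from BS 10008 itself), the following Python builds a risk register from the lifecycle processes and risk categories listed above, scores each entry and assigns a handling decision. The 1 to 5 likelihood/impact scale, the score thresholds and the sample risks are assumptions constructed for the example.

```python
from dataclasses import dataclass

PROCESSES = ("capture", "transfer", "storage", "retrieval", "destruction")
CATEGORIES = ("physical assets", "places", "sub-processes", "people",
              "policies & procedures")  # the article's five risk categories
PROPERTIES = ("authenticity", "integrity", "availability")

@dataclass(frozen=True)
class Risk:
    process: str      # lifecycle step where the risk arises
    category: str     # one of the article's risk categories
    affects: str      # property of the ESI that is threatened
    description: str
    likelihood: int   # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int       # 1 (negligible) .. 5 (severe); assumed scale
    def score(self) -> int:
        return self.likelihood * self.impact

def validate(risk: Risk) -> None:
    """Reject entries outside the process/category/property model or scale."""
    ok = (risk.process in PROCESSES and risk.category in CATEGORIES
          and risk.affects in PROPERTIES
          and 1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5)
    if not ok:
        raise ValueError(f"invalid risk entry: {risk}")

def treatment(risk: Risk) -> str:
    """Handling decision per score; the thresholds are an assumption."""
    if risk.score() >= 15:
        return "eliminate"  # change how things are done so it cannot occur
    if risk.score() >= 6:
        return "mitigate"   # add a control to cut likelihood or impact
    return "accept"

def build_register(risks: list) -> list:
    """Validate every risk and return the register, highest score first."""
    for r in risks:
        validate(r)
    rows = [{**vars(r), "score": r.score(), "treatment": treatment(r)} for r in risks]
    return sorted(rows, key=lambda row: row["score"], reverse=True)

# Constructed sample risks spanning the lifecycle steps.
SAMPLE_RISKS = [
    Risk("capture", "physical assets", "authenticity",
         "scanner set to low resolution, parts of page unreadable", 3, 4),
    Risk("storage", "sub-processes", "availability",
         "backup fails and the failure goes unnoticed", 3, 5),
    Risk("destruction", "policies & procedures", "integrity",
         "paper originals destroyed before scan quality checked", 1, 5),
]
```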
Step 3 – Policies
Policies are high level documents that provide guidelines, principles and rules by which you wish people in your organisation to behave and work. They are not to be confused with procedures, which are specific methods employed by staff to act on the policies on a day-to-day basis.
In the context of BS 10008 compliance, policies are documents you put in place to directly manage the risks you have identified in step 2. The policies you will need are:
- Information security policy
- Information management policy
- Information storage policy
- Information transfer policy
- Risk management policy
- Retention policy
- Internal audit policy
Please note that those policies do not have to be in separate documents. If you are a small business or charity and don’t normally have documented policies, you could put all the policies required by the Standard into one document.
On the other hand, if your organisation is larger, you will likely already have most of the policies above. In that case, you will need to do a gap analysis to identify gaps in your documentation. BS 10008 has over 350 compliance points.
While 350 compliance points may sound daunting, in reality most mature organisations with strong corporate governance in place, such as NHS trusts for example, will already have 70-80% of the points covered in existing documentation. That is why identifying the points your organisation does not yet cover is critical.
Step 4 – Procedures and Plans
As mentioned above, procedures are specific methods employed by staff to act on the policies on a day-to-day basis. BS 10008 demands that all procedures be documented. You will need the following procedures:
- Information security procedures
- Retention and disposal procedures
- Scanning procedures (or other operational capture/creation procedures, if no scanning takes place)
- Authenticated output procedures
- Internal audit schedule and procedures
- Backup and recovery procedures
- Business continuity plan
- Communication plan
- Training and development plans
Step 5 – Records
Logs, emails, meeting minutes and reports confirming that:
- Employees are aware of policies and procedures
- Employees are aware of changes in policies and procedures
- Employees are trained
- Quality checks are made
- Audit reports are produced, reviewed by management and acted upon
- Non-conformities and corrective actions are tracked, managed and addressed
- Backups are completed and failures investigated
- Employee access to systems is regulated and access no longer required is removed
As part of your implementation you will need to plan and put in place activities and systems to gather the records you need. These records will allow you to demonstrate the trustworthiness and evidential weight of your electronic records, and ultimately assure their legal admissibility. In other words, these records will allow you, your managers and directors to be confident that they have good quality digital information and that the risks to this quality are being managed. As the owner of a document scanning provider for 15 years, BS 10008 gave me confidence and peace of mind. I could sleep peacefully!
How do you get certified?
Depending on your objectives and what you wish to achieve, you might decide that you wish to obtain external certification. Certification by an external body is not necessary to comply with the Standard. In fact, the vast majority of standards published by the British Standards Institution (BSI) do not have a formal certification scheme. Only a few do, and luckily BS 10008 is one of those.
I say luckily because obtaining external certification by BSI brings compliance to a completely different level. It is all very well going through the implementation process, writing all the policies and procedures and rolling it out, but if no external body comes to scrutinise what you are doing, then it is very much like marking your own exam! With all the best intentions in the world, the level of rigour just isn’t the same.
The diagram below highlights the steps in the certification process.
The BS 10008 Certification Process:
The first three steps are about building up the first four layers of the pyramid above. At that point, BSI comes in for the Stage 1 audit. This audit is often referred to as a “desktop” audit, which means the BSI assessor will look at your documentation “from his/her desk” and will not interview staff. That will come later.
At Stage 1, the assessor is comparing your documentation to the Standard to make sure the 350 compliance points are covered.
If you pass this first stage audit, you will then have 3 months to gather evidence that you have implemented the policies and procedures, and staff are adhering to them.
The Stage 2 audit is a “process” audit. This means the assessor will interview staff at all levels to make sure they are aware of the BS 10008 objectives, the scope, understand the policies and are adhering to the procedures.
BSI audits in a nutshell:
- The Stage 1 audit is about making sure the documentation describing what your staff do complies with the Standard.
- The Stage 2 audit is about making sure your staff actually do what your documentation says they do.
The whole process generally takes 9-12 months, depending on the size of your organisation. The larger the organisation, the longer it takes. Be aware that BSI generally have a 3-6 month lead time between the time you contact them and the Stage 1 audit.
Maintenance of the compliance and continuous improvement
BS 10008 is a continuous improvement framework. In order to maintain certification, you must therefore continue to demonstrate that you are complying and improving the system on a continuous basis.
Again, this is where having external certification helps tremendously. The BSI assessor will come back annually. You will need to demonstrate that you have gathered evidence all year long, have performed your internal audits as planned and have acted on the non-conformities you have found.
Non-conformities are normal and acceptable because an information management system involves people and systems, both of which are fallible. What is not acceptable is not to deal with them.
At first glance, implementing BS 10008 probably looks like a tall order. However, once it has become part of the culture of your organisation, it becomes “just the way we do things around here”. That is when quality electronic information is produced time and time again.