FIRST SCHEDULE
Regulations 2 and 10(1)
Compliance Criteria for Image Systems
Part i — General
Objective
1.  The objective of this Schedule is to provide a set of compliance criteria that will reasonably ensure that the computer output from an image system provides an accurate representation of the original document.
Definitions
2.  In this Schedule, unless the context otherwise requires —
“audit trail” means a computer record of changes to either the data enabling access to images or to the images themselves, where such changes affect the content or availability of images;
“capture” means the recording of the contents of a document by photographic, electronic or other means;
“committal” means the introduction of a captured image into the database environment of the image system.
General
3.—(1)  The criteria in this Schedule covers 3 fundamental issues —
(a)the ability of the image system, in the normal course of business, to provide an accurate representation of the contents of a document;
(b)the integrity of the physical process surrounding the capture, committal and output of images; and
(c)the integrity of the image system surrounding the capture, committal and output of images.
(2)  A given criterion must accordingly be satisfied, as appropriate, through a combination of both the technical capabilities of the image system, and the business procedures set in place to control all aspects of the process.
Requirements for Accurate Representation of Information
4.—(1)  The requirement to accurately represent the contents of a document is limited to the representation of the information contained in the document.
(2)  The image system is not required to accurately represent the information that can be intrinsically conveyed by a physical document medium such as forensic information.
(3)  The overriding concern is accordingly to ensure that any information (be it graphical, textual or of some other form) that may reasonably be expected to be required in the business process of the person or organisation seeking certification can be accurately reproduced to be admissible in evidence in court proceedings.
Document Capture
5.  The following criteria must be met in relation to document capture:
(a)Image Quality. All information contained in the document (be it graphical, textual, hand written or otherwise) must be capable of being captured in its entirety (except gridlines printed in drop-out ink for image recognition of data) and with a level of accuracy that ensures that no information that can reasonably be expected to form part of any subsequent business processes is lost or altered in any way. Quality assurance procedures consistent with document volumes, the quality of original documents or any other relevant factor, must be put into place to ensure image quality.
(b)Image Enhancement. Any technique of image enhancement must be very closely examined by the certifying authority. Where there is any doubt that the accuracy of the relevant contents of an original document may be affected by the enhancement technique, then an original, un-enhanced version of the image must be retained.
(c)Image Editing. The image system must not allow erroneous alterations to be made to the image of an original document, whether through the editing of an image, the introduction of new images from another source or the deletion of one or more images. Where image editing forms a part of the normal business process prior to committal, a full audit trail must be maintained. Where there is any doubt that the accuracy of the relevant contents of the original document may be affected by the editing, then, an original un-edited version of the image must be retained.
(d)Image Indexing. Where information is required to be assigned to individual images or groups of images in order to facilitate future retrievals, reasonable steps must be taken to ensure that such information is accurate.
(e)Partial Image Capture. Where partial images are captured by the image system for efficiency reasons (e.g. only the data on a standard form, omitting background elements such as pre-printed logos, instructions, lines, shading, etc.) then the process must be capable of maintaining a record of the separate image elements of a document and their relationships.
(f)Committal. The process must ensure that all valid images that are captured are correctly committed to the imaging system.
(g)Completeness. The person or organisation seeking certification must put in place measures to ensure that all documents are captured in the event of a system disruption.
(h)Additions. Where, as part of a business process, information is added to a document or an image thereof (either physically or electronically) and the original information and the new information must be distinguished for the life of the document or the image thereof, then, the new information must be clearly distinguishable from the original information. This may be achieved by the content or context of the new information, its placement, colour (in the case of colour imaging) or any other relevant method.
Image Storage and Management
6.  Irrespective of the physical medium utilised to store images or the physical location of an image in the image system (both of which may change from time to time), the following criteria must be met:
(a)Image Integrity. From the time that committal of an image commences until the time that an image is no longer required to be retained, the image system must ensure that the image and any other data associated with that image can be retrieved. Therefore, reasonable image and data security, backup and recovery measures must be in place.
(b)Image Update. The image system must not allow changes to be made to the images after the committal of that image.
(c)Image Index Update. In the event of a change to the image index which may affect the retrieval of the images, a full audit trail must be maintained and a previous unamended version of the image or group of images should be retained.
Image Output
7.  Irrespective of the physical medium employed, the following criteria must be met in relation to image output:
(a)Image Integrity. Reasonable measures must be in place to ensure that, once output by the image system (i.e. when the image is no longer under the control of the image system database environment), the images cannot be tampered with (e.g. in the case of printed output, the print spool must be secure).
(b)Completeness. Where data has been captured during the life of the image, which may reasonably be expected to form a part of the information relating to that document (e.g. annotations, notes, overlays, etc.) then the image system must be capable of accurately reproducing that information together with the output images.
(c)Changed Images. Where an image or group of images have been amended or erroneously tampered with, the system must be capable of producing an audit trail together with the image system output.
(d)Composite Images. Where an image system output is generated as a result of the combination of 2 or more separate images (through techniques such as overlaying) particularly when one or more of these separate images were not directly generated from the original document, then adequate procedures must be in place to ensure that the combined output accurately represents the original document.
Computer Applications
8.  Where computer applications or programs are developed to automate any of the document capture, storage and management or output procedures, they must not contravene any of the compliance criteria specified in this Schedule.
Physical and Environmental Security
9.  Reasonable physical and environmental measures must be in place to protect the equipment and storage media from unauthorised access and excessive environmental levels.
System and Application Security
10.—(1)  Security controls must be implemented to prevent unauthorised access and modifications to the image file, the index file containing descriptive information about the image file as well as the audit trail.
(2)  Physical security of the data including backup and recovery must be addressed.
Image System Certification
11.  An image system must be certified to comply with the criteria in this Schedule. Certification will involve the following steps:
(a)initial certification; and
(b)periodic certification.
Requirements for Certification
12.  Certification must involve a comprehensive audit of the process and surrounding procedures and include the following steps:
(a)a detailed examination of the physical procedures surrounding document capture and output;
(b)the conduct of tests that include both American National Standards Institute (ANSI) standard test targets (or other standard targets as may be deemed acceptable from time to time) and a representative cross section of business documents to be managed by the image system, to validate the technical capability of the system to accurately reproduce the contents of documents;
(c)an audit of the software capabilities of the image system;
(d)a review of audit trails and their protection;
(e)a review of the image system mechanisms to preserve the security and integrity of information stored;
(f)a security, backup and recovery assessment of the image system including availability of the image system;
(g)a review of the hardware capabilities of the image system; and
(h)any other procedures or tests that may be necessary to verify the image system’s ability to meet the compliance criteria.
Part II
Additional Criteria
Regulation 10(2)
13.  If a process of the Government or statutory corporation is specified in the Second Schedule, the process shall, in addition to the criteria set out in Part I, ensure that a copy of each image is kept by an independent record keeper approved by the Minister.