Office of the Chief Information Officer
This policy identifies University of Arizona (hereafter “the University”) requirements for the use of electronic signatures (hereafter “e-signatures”), electronic transactions (hereafter “e-transactions”), and electronic records (hereafter “e-records”) in conducting the University’s business operations in support of the institutional administration of the University’s teaching, research, and service operations (“University transactions”).
Under this policy, the University may require that members of the University community use e-signatures to conduct certain University transactions that previously had required handwritten signatures and approvals on paper documents. This policy codifies how the University will designate those University transactions for which e-signatures will be required and how the University recognizes e-signatures. This policy also requires that the University establish Security Procedures regarding the use of e-signatures, e-transactions, and e-records in connection with University transactions. This policy augments, and does not replace, University Information Security Office policies, which apply to all University services.
This policy applies to all individuals who are affiliated with the University, whether paid or unpaid, including but not limited to faculty, staff, students, affiliates, associates, and volunteers. This policy may require members of the University community to conduct University transactions electronically and to formally acknowledge their agreement to University transactions in which they are parties by affixing an e-signature.
"Agreement" means the bargain of the parties in fact, as found in their language or inferred from other circumstances and from rules, regulations, and procedures that are given the effect of agreements under laws otherwise applicable to a particular transaction. Rules, regulations, and procedures enacted by ABOR or the University authorizing electronic transactions or electronic signatures constitute such circumstances.
"Electronic" means relating to technology that has electrical, digital, magnetic, wireless, optical, or electromagnetic capabilities or similar capabilities.
"Electronic Record," or “E-record,” means a record of information that is created, generated, sent, communicated, received, or stored by electronic means.
"Electronic Signature," or E-signature,” means an electronic sound, symbol, or process that is attached to or logically associated with a record and that is executed or adopted with the intent to sign the record.
"Electronic Transaction," or “E-transaction,” means an action or set of actions that is conducted or performed, in whole or in part, by electronic means and/or via electronic records.
"Information" means data, text, images, sounds, codes, computer programs, software or databases, or similar items.
"Record" means Information that is inscribed on a tangible medium or that is stored in an electronic or other medium and that is retrievable in perceivable form.
"Security Procedure" means a procedure that is employed to verify that an electronic signature, record, or performance is that of a specific person, to determine that the person is authorized to sign the document, and to detect changes or errors in the information in an electronic record. This includes a procedure that requires the use of algorithms or other codes, identifying words or numbers or encryption, callback, or other acknowledgment procedures.
“University Community” means those people affiliated with the University, whether paid or unpaid, such as faculty, staff, students, affiliates, associates, and volunteers.
“User Authentication” is the process of securely verifying the identity of an individual prior to allowing access to an electronic University service.
“User Authorization” involves verifying that an authenticated user has permission to access specific electronic University services and/or perform certain operations.
Security Procedures and Unauthorized Use of Electronic Signatures
The University of Arizona will adopt Security Procedures for e-signatures, e-transactions, and e- records that are practical and secure, and that balance risk and cost. It is not the intent of this policy to eliminate all risk, but rather to provide a process for undertaking an appropriate analysis prior to approving the use of e-signatures, e-transactions, or e-records for specific University transactions; and, based on such analysis, to designate those University transactions in which e-signatures, e-transactions, and e-records will be required in place of handwritten documents. This policy also addresses implementation of User authentication and User authorization (defined above) at levels that are consistent with the security requirements for a University transaction, including but not limited to password guidelines, secure transmission standards, and access control policies.
Individuals who falsify e-records, e-transactions, or e-signatures are subject to disciplinary action, up to and including termination of employment and criminal prosecution, as specified in ABOR and University policies and under applicable federal and state laws. Individuals are required to report any suspect or fraudulent activities related to e-transactions, e-records, or e-signatures immediately to the University Information Security Office and to any manager or supervisor in the individual’s department, college, or division. Nothing in this policy is intended to authorize any individual to sign on behalf of the Arizona Board of Regents or the University of Arizona if he or she has not been granted such authority, and such signature authority continues to be governed by applicable ABOR and University policies.
Electronic Signatures and Handwritten Signature Requirements
To the fullest extent permitted by law, the University accepts e-signatures as legally binding and equivalent to handwritten signatures to signify an Agreement. When a University transaction has been identified and approved by the University under this policy for the use of e-signatures, and where University or ABOR policies, state or federal laws, regulations, or rules require a handwritten signature, that requirement is met if the document contains an e-signature, unless otherwise prohibited by such policies, laws, regulations, or rules.
This policy does not limit the University’s right or option to conduct a University transaction on paper or in non-electronic form, nor affect the University’s right or obligation to have documents be provided or made available on paper when required by applicable policies, laws, or regulations.
Designation of University Transactions Subject to Electronic Signatures
The University reserves the right to designate specific University transactions that are to be conducted as e-transactions or maintained as e-records, and that are to be fulfilled by e-signature under this policy.
A cross-functional team of data custodians, functional business owners, and enterprise application system owners will assess the potential for replacing a manual process/signature with an electronic process/signature (i.e., “Automation”) and propose joint recommendations for implementation of Automation, subject to executive approval. Joint recommendations under this paragraph are subject to formal authorization by the relevant executive data custodian. Once a process for a University transaction is approved and automated, it is automatically subject to the provisions of this policy.