This is a new rule.
All State Agencies.
Public Records Act 14-3-4 NMSA 1978.
Admissibility into evidence of records produced by information technology systems employing media such as magnetic tape or magnetic disk (and, by implication optical disk) has been addressed at the federal level by statutes and by the rules of evidence as adopted by the New Mexico Supreme Court.
Reported decisions indicate that the courts are quite lenient in interpreting these statutes and rules as applicable to records produced by information technology systems (analog or digital). However, problems arise if appropriate procedures are not followed in creating and maintaining such records, making it difficult to lay a proper foundation for admissibility. The court must be convinced that the process or system used is trustworthy in producing accurate records, i.e., the records reflect the source data used to create them. (Whether the source data are correct is a separate issue.)
The purpose of these guidelines is to provide direction for state agencies in the design, management, and operation of their information technology systems to improve the possibility of the admissibility into evidence of their records. The guidelines have been adapted for New Mexico by the Commission of Public Records' Legality of Electronic Records Advisory Committee composed of representatives from the Supreme Court Law Library, the Office of the Attorney General, the State Bar of New Mexico, the General Services Department, and the State Records Center and Archives. The Guidelines were adapted from the Association for Information and Image Management's (AIIM) Technical Report: Performance Guideline for the Legal Acceptance of Records Produced by Information Technology Systems (AIIM TR31-1992).
5.1 Traditional rules of evidence:
Courts have traditionally classified records as "hearsay". Hearsay is a statement offered to show the truth of the matter asserted when the person who made the statement is not available for cross-examination. SCRA 11-801(C). Such records were initially excluded from evidence because they depended upon the veracity and competence of the out-of-court declarant. Later, through exceptions to the hearsay rule, courts admitted these records into evidence, when the records met the other established criteria for admissibility. These exceptions to the hearsay rule were based on the presumption that the public records reflected accurate information produced by trustworthy procedures. These exceptions were at first restricted to "original writings" but were later modified to accommodate impact printing and other duplication technologies (e.g., micrographics and photocopying machines) as they became common tools.
5.1.2 The best evidence rule:
The courts also developed the "best evidence rule". The rule generally states that only the best form of the evidence is admissible. Initially, only original documents were admissible. As the rule evolved, the courts allowed secondary evidence if it was shown that the original was unavailable without fault of the offering party. Early duplicate records were probably not admissible since they were made using the transcription process - the copying of records by hand involving human intervention. Due to the high likelihood of error, transcription could not produce trustworthy results.
Over time, courts allowed true duplicate records - duplicates produced by mechanical or other non-human processes - to be admitted in evidence in limited circumstances when the originals were not available because: (1) they were public records; (2) the originals had been destroyed; (3) the originals were in the possession of an adverse party who refused to cooperate; or (4) the originals simply could not be found with reasonable effort. Once these situations were adequately proven to the court, reproductions could then be admitted.
Besides the historical basis for the best evidence rule, the preference for original records serves to reduce forgeries or other fraud in duplicates. Alterations can readily be detected in original documents while similar detection is difficult if not impossible in duplicates. Handwriting analysts can more accurately analyze signatures from original records than from duplicates.
In New Mexico case law the relation between computer printouts and the best evidence rule is discussed in Sierra Life Ins. Co. v. First National Life Ins. Co. 85 NM 409, 412, 512 P.2d 1245, 1248 (1973).
5.2 Modern rules of evidence:
The federal government follows the Federal Rules of Evidence while most states have adopted one or more uniform laws that establish the admissibility of records in evidence. New Mexico has adopted the Uniform Rules of Evidence with few changes. New Mexico's rules of evidence permit original and duplicate records to be admitted into evidence provided that a proper foundation is laid. For example, visible records produced with a computer in the form of computer printouts or computer output microfilm (COM) are considered originals if an appropriate witness can convince the court that they accurately reflect the information in the computer files. Information processing methods commonly employed in the business world are more readily accepted as reliable, while new information system technologies are subject to greater scrutiny.
5.3 Problems with rules of evidence:
Based upon the traditional position of courts and regulatory agencies, original, paper records are the best evidence, and duplicate records are considered secondary evidence. Modern rules of evidence perpetuate this concept but provide exceptions for properly made duplicate records.
The basic legal principle behind the Best Evidence Rule is seldom applicable in the world of information technology. Paper records systems are often inferior to automated systems in terms of preserving evidence for the following reasons:
Alternatively, original paper records can inappropriately be destroyed. These records may then be unavailable for any purpose including evidence and regulation. Unless the fraud related to the destruction is detected, the omission as well as the contents of the records will effectively be excluded from consideration.
Modern information technology systems often differ from paper-based systems through the establishment of processes or systems that reliably produce accurate results. Modern reproduction systems such as microfilm or optical disk, and even data processing systems, offer the following characteristics that generally provide for more accurate and trustworthy records than are possible with paper records systems:
In sum, properly designed, implemented and maintained information technology systems are capable of producing records that are more reliable and accurate than paper-based systems.
It should be noted, however, that although paper-based systems are more susceptible to irretrievable loss or destruction of records and undetectable omissions, without the safeguards stated above, disasters and fraud can be much more costly and damaging to an agency dependent on an information technology system.
5.4 Further challenges:
With the safeguards that can be built into today's modern information technology systems, the best evidence of a record should not be dependent on a specifically sanctioned technology, but on a showing that the record was the result of a process or system that accurately produced it.
Rule 901(b) of the New Mexico Rules of Evidence lists examples that conform with the requirement of authentication or identification as a condition precedent to admissibility of evidence, i.e., "evidence sufficient to support a finding that the matter in question is what its proponent claims." Example (9) of Rule 901(b) reflects what should be the criteria for introducing records produced by information technology systems into evidence in all jurisdictions.
Example (9) of Rule 901(b) provides for authentication or identification by "evidence describing a process or system used to produce a result and showing that the process or system produces an accurate result." This example was designed for evidence such as X-rays and computer printouts where accuracy of the evidence is dependent upon the process or system that produces it.
When applied to records produced by information technology systems, this provision has no bias towards originals, duplicates, or any particular technology. The accuracy of the process or system used to produce the result will determine the authenticity or identification, and hence the admissibility of the evidence.
As new information technologies evolve, such as electronic imaging and optical disk systems, some jurisdictions feel compelled to modify existing laws or establish additional criteria for legal acceptance in evidence. It is important that New Mexico develop realistic and non-conflicting requirements.
The performance guidelines represent reasonable criteria to provide for designing and operating information technology systems that insure accuracy, reliability, and ultimately, the trustworthiness of information. Once implemented, the guidelines can apply to future technologies.
The guidelines relate to the functional or performance criteria for the system used to produce the records rather than to the media or specific technology involved. The trustworthiness of the process or system determines the legal admissibility of records in evidence, not the type of media or technology utilized.
The following definitions apply to the process or system assessment criteria set forth below:
Information preserved by any technique in any medium, now known, or later developed, that can be recognized by ordinary human sensory capabilities either directly or with the aid of technology.
6.2 Original record:
A record prepared in the first instance or any counterpart intended to have the same effect by a person executing or issuing it. If data are stored in a computer or similar device, any printout or other output readable by sight shown to reflect the data accurately is an "original."
6.3 Duplicate records:
A record that is produced by the same impression as the original, or from the same matrix, or by any other technological device for producing or reproducing records.
6.4 Information technology system:
Any process or system that employs a mechanical, photo- optical, magnetic, electronic or other technological device for producing or reproducing records.
6.5 Records custodian:
The statutory head of the agency utilizing or maintaining the information system, or their designate.
The guidelines apply to records produced by information technology systems regardless of the physical characteristics of the record media or technology employed. This includes records produced by any technique employing an information technology system as defined above.
Following are criteria for designing and operating an information technology system to improve the admissibility of records into evidence.
Quality relates to ability of the information technology system to reliably produce and preserve records so that they can be used or recognized by the intended audience.
8.1.1 General requirements:
The following should appear with sufficient clarity so that each can be recognized:
8.1.2 Original records:
Original records preserve information over time in the identical or functionally equivalent form to the original information.
Original records may present information in a form different from the original information without affecting its quality. For example, information preserved in digital format may be printed on paper using different print fonts at different times.
8.1.3 Duplicate records:
Duplicate records accurately reproduce original records. Information that is readable or recognizable on originals should be readable or recognizable on duplicates. Similarly, information that is readable or recognizable on duplicates must be readable or recognizable on originals, except that duplicates may contain production, control, indexing, certification or other data not related to informational content of the records.
The exception allows additional data to be included on duplicates for administration of the reproduction process if it does not adversely affect the informational content of the record. For example, control and indexing data stored with digital images may be necessary to retrieve the images, but does not affect the content of the records themselves.
Image enhancement techniques may be used provided that they do not change the information content of the records.
When duplication processes change informational content of the records, the resulting records will be new originals.
8.2 Records retention versus life expectancy of data on media:
Records should be retained, regardless of media, for the period required by the agency's records retention program for any legal, user, historical or other purpose. The life expectancy of the media per se has no bearing on the admissibility of the records.
The information maintained on the media and the ability of the system to produce records from the information must achieve the required retention period. This means that for some technologies it may be necessary to periodically convert, regenerate, copy or transfer the information from one medium or technology to another to preserve the information for the required period.
Regardless of the retention period or life expectancy of the media, records must continue to exist when litigation, government investigation or audit is pending, imminent or, in some cases, merely foreseeable. In some instances, a court order will issue prohibiting specified records from being destroyed or otherwise rendered unavailable.
The life expectancy of the data on the media must be at least as long as the retention period established for the original record by the Commission of Public Records, or there needs to be a provision in the system for the periodic reproduction of the data, or the periodic revitalization of the data on the media. (also see Section 8.5.3 b.)
8.3 Conversion of records:
Procedures followed to convert records from one medium or technology to another should be carefully documented. Conversion of the records should not affect their legal status provided that quality and accuracy does not functionally change during conversion.
8.4 Form of evidence:
8.4.1 Records should be presented in a readable or recognizable form acceptable to the court. For written records, the records may be readable without any equipment or readable using equipment available to the court. The court may also accept records in other forms when equipment for their retrieval and use is also provided.
8.4.2 The form of records acceptable in evidence will vary based upon the nature of the information. For example, digitized voice information must be presented in an audible, understandable form while digitized video information must be presented in a readable or recognizable form. Records that contain information that relates to multiple human senses such as video records that must be both seen and heard to be complete must be presented in a form that provides all the necessary sensory information to the court.
8.4.3 Records systems should be able to produce readable (by either visual or tactile means) or audible records regardless of the technology used.
8.5 Process or system used to produce records:
8.5.1 Characteristics of a process or system:
Characteristics of the process or system used to produce the information facilitate the accuracy of the information. A description of these characteristics in simple terms facilitates the showing that the process or system is reliable and accurate, and hence capable of producing trustworthy records. Each records system should regularly maintain and update complete documentation of both the collection (input) process and the output process.
(a) Records produced as part of a regularly conducted activity:
Records produced as part of a regularly conducted activity such as those produced in the regular course of operations are more inherently reliable than those produced for a special purpose or for litigation. A regularly conducted activity may include a regular pattern of activity to produce the records on a daily, weekly, monthly, yearly or other cyclical schedule.
A regularly conducted activity may also include records created as part of a regular program of the agency, but at irregular times. For example, records created as part of a retro-conversion project may still, in appropriate circumstances, be regarded as converted in the regular course of operations, even though it only occurred once.
Accuracy may be increased by systematic quality control and audit procedures, as well as operational oversight by persons with detailed knowledge of the process or system used to produce the records.
Records produced within a short period after the event or activity occurs tend to be more readily acceptable as accurate than records produced long after the event or activity. However, a challenge to admissibility of a later-produced record can be overcome by a showing that the time lapse had no effect on the record's contents. For example, a computer printout of a statistical report produced annually in the regular course of operations can be shown to accurately consolidate data compiled over the course of a year.
8.5.2 Components of a process or system:
The records program depends upon both the system's components and the processes used in preparing them. The records are more trustworthy if the program under which they were produced included adequate procedures, training programs, audit trails and audits.
Procedures reflect the detailed steps to be followed when creating, modifying, duplicating, destroying or otherwise managing records. They provide for consistent quality control, problem resolution and other activities that might otherwise be subject to inconsistent action, multiple interpretation or misinterpretation.
Established procedures only show what an agency intended to do in managing and controlling the process or system. The trustworthiness of an agency's records depends not only upon established procedures but depend also on how closely they are followed. Deviations from established procedures will be scrutinized, and such deviations might result in the records being inadmissible.
(b) Training programs:
Formal training programs for staff on details of the system procedures help insure that the procedures were correctly followed. When an agency can demonstrate that staff understood the required procedures, the court will tend to find that the procedures were in fact followed. It may be advisable to provide certification of training for certain staff members prior to the staff members' assumption of responsibility for those procedures, especially for those who are likely to testify in court.
(c) Access and audit trails:
Audit trails document who used the system, when they used it, what they did while using the system, and what were the results. Properly implemented audit trails can automatically detect who had access to the system, whether staff followed standard procedures or whether fraud or other unauthorized acts occurred or might be suspected. They provide independent confirmation that proper procedures were in fact followed. It may be advisable to provide various levels of access security.
The term "audits" as used in this section is different than quality control specified in most system procedures. Audits performed periodically can confirm that the process or system produces accurate results. Audits should compare the procedures stated in the procedure's documentation with procedures actually followed. They provide verification that the system adheres to these guidelines.
For purposes of establishing the credibility of the records, audits should be performed by an independent source, i.e., persons other than those who created the records or persons without an interest in the content of the records. Trained auditors with agency-wide audit responsibilities provide an acceptable level of independence.
No particular method of auditing is required. For purposes of original records, audits should focus on whether the records accurately incorporate information of the acts, events, or activities leading to the record. For duplicates and other forms of information transfer, audits should confirm that the duplicates accurately reproduce the original information. Such audits must be accomplished prior to destruction of the originals. The destruction must be conducted in accordance with existing agency retention and disposition schedules.
8.5.3 Documentation of a process or system:
Documentation of the process or system provides verification of the process or system followed to produce the records. Without documentation, witnesses must rely solely on memory -- which over time becomes less trustworthy and more susceptible to contradiction. Documentation preserves the information about the process or system independent of the individuals involved. The documentation should always be reviewed by the agency witness prior to giving testimony. In a proper case, the documentation can be introduced into evidence.
A knowledgeable person should prepare and maintain documentation for the process or system used to produce the records. Documentation should be prepared during the design of the system. If the system was implemented without documentation, documentation should be prepared immediately. Documentation should be kept of all changes in the system. All documentation of changes should be kept for the full retention period of the data. Documentation should be complete and up-to-date. This enables staff to know and follow the most current procedures. It also ensures that reliable system documentation is immediately available if needed for court proceedings. Documentation of a system prepared for purposes of litigation is subject to greater challenge.
No particular form or level of detail is required for describing the process or system, although visual aids outlining the documentation can be helpful. Documentation should be sufficient to demonstrate the steps required to get from the beginning to the end of the process. Documentation should be understandable to non-technical personnel. Detailed documentation may be required by the courts. An agency may be required to introduce evidence that any equipment or software involved operated properly at the time the records were produced.
Program documentation should state the control methods in force and how they are to be applied and should also state the times at which each part of a process is to be completed.
Training documentation should record the distribution of written procedures, course materials, attendance of individuals at training sessions, remedial or refresher training programs, certifications of training completion and other relevant information.
The actual audit trail records demonstrate what activities actually took place as part of the process or system. The actual audit reports indicate whether the records were accurately produced. Where audit reports have revealed inaccuracies, the documentation should reflect what remedial procedures were applied. The documentation should state who (by individual or job class) has access to the system at each level of access and should indicate how audit trails are maintained.
Evidence of the actual system procedures followed during the period the records in question were produced should be maintained in sufficient detail to enable the records custodian to describe the process or system to the court.
When the documentation changes, the old versions should continue to be maintained for the requisite period. The agency should establish procedures to insure that the Records Custodian is notified whenever a record needs to be maintained longer than its retention period.
The courts encourage pretrial discovery of computer programs and related materials in order to facilitate effective cross examination when computer produced data are introduced into evidence. These guidelines apply this principle to records produced by any information systems technology.
The process or system used to produce records introduced into evidence is subject to outside inspection by opposing parties and the court. Outside inspection may include review of procedures documentation, review of system operation, independent audits and quality control tests, independent audit, testing of process or system operation, review of equipment design and software documentation, review of training programs or any other matter related to the operation of the process or system.
If the records were produced on the current or substantially similar system, access to the system may be required. Outside parties may request to process their own test data on the agency's system. If the system used to produce the records no longer exists, the court may require that all existing documentation be made available. Lack of pertinent documentation because it no longer exists may jeopardize admissibility of the records if their trustworthiness cannot otherwise be established.
In sum, any relevant step of the process or system can be reviewed by the outside party.
The destruction of the original copy of a public record, after reproduction, will not affect the legal status of such reproduction as a public record.
An agency's ability to show that the process or system used to store and reproduce a public record is trustworthy in terms of producing an accurate result, will normally be sufficient to insure reliability.
The records custodian is the statutory head of the agency that utilizes or maintains the information system. This responsibility may be delegated in appropriate circumstances down to the level of clerk. However, it is customary to have the individual who is responsible for the management of the information system documentation and operation provide testimony about the system. In some circumstances, it might be necessary to have the testimony of the individual who actually prepared the record.
11.1 Appearing in court:
When records from an information system are required to be introduced in court, the level of proof may vary from simply certifying a record produced by the system to providing expert testimony about the operations of the system. When confronted with testifying in court, it is usually sufficient for a records custodian to provide for the following:
11.2 Certification of records
11.2.1 Recommended form of certification
The following is a recommended form of certification:
As a custodian of this record, I certify that it is a copy accurately produced, maintained, and reproduced by this agency in accordance with the procedures attached hereto. This is page ___ of ___ pages of certified document. This is certified on this _____ day of ______________. Records Custodian
11.2.2 Sample certification procedure
The following is a sample certification procedure, it is meant to be suggestive only. An agency's certification procedure will vary according to the type and complexity of the system.
The ____(agency name)____ of the State of New Mexico has produced the attached document using the following produced the attached document using the following produced the attached document using the following procedures: 1. The original document containing the information requested was received in this office in the normal course of operations of the ____(agency name)_____ carrying out its duties pursuant to the laws of the State of New Mexico. It was then ____(method of conversion/input)____ and placed onto ____(method of storage)____. 2. The accuracy of this production was verified at the time of conversion/input by comparison. The storage procedure allows the agency to determine whether the stored data was altered from the time of this document's conversion/input to the production of the attached (printout). 3. Documents are converted/input from the original within ____ days after the original is received for official recordation or filing. 4. Specifically as to the attached (printout), the following deviations from the above procedure are noted as follows: (none). Signature by Records Custodian of agency
11.3 Challenges to testimony:
The testimony offered by the records custodian will vary based upon their own expertise, level of responsibility, and most especially any challenge offered to the introduction of the record. In appropriate cases and based on the nature of the challenge, it may be necessary to introduce expert witnesses. Information system records can be challenged on many grounds, a discussion of the most common grounds follow.
11.3.1 Challenges to hardware:
Because equipment which is not functioning properly can alter the content of computerized information, the reliability of the data processing equipment used to store and produce the records may be challenged. The information contained in the systems documentation should be sufficient to overcome this. However, if the hardware is challenged, it may be necessary to present evidence that the equipment operated reliably the day the data were initially entered and on the day the computer record was produced. A log of computer operations indicating the absence, or presence, of any malfunction that did or did not affect the data is generally adequate. The agency may also be required to produce a person who has actually tested the equipment.
11.3.2 Challenges to software:
(a) Errors in computer records can result from errors in the computer programs. Consequently, the reliability of the computer programs and formulas used to process the data may be challenged. Normally, introduction of the systems documentation will be sufficient to demonstrate the reliability of the programs and formulas. However, evidence about the development and testing of the programs may also be required, as well as expert testimony from the creator of the software or from individuals who have run validation tests on the software.
(b) A records custodian may also be required to present the specific version of the computer program used to process the data on the date the information entered into evidence was created. A different version of the program may be considered, if it is the only one available, but the absence of the exact version of the program may raise some serious questions about the trustworthiness of the computer records.
(c) The measures taken to verify the proper operation and accuracy of these programs and formulas may be challenged. Normally, introduction of the systems documentation will be sufficient to demonstrate the verification of the programs and formulas. However, expert testimony from the creator of the software or from individuals who have run validation tests on the software may be required.
11.3.3 Challenges to input:
(a) The manner in which the basic data were initially entered into the system may be challenged. The information contained in the systems documentation should be sufficient to demonstrate how the data were entered. However, if it is challenged, it may be necessary to produce a person who actually does data entry.
(b) Whether the data were entered in the regular course of operations may be challenged. The information contained in the systems documentation should be sufficient to overcome this. However, if it is challenged, it may be necessary to produce a person who actually does data entry, or who has audited the system.
(c) Whether the data were entered within a reasonable time after the events recorded by persons having knowledge of the events may be challenged. The procedures outlined in paragraphs a. and b. above should be sufficient to overcome this. However, where the data are entered at a different time, then the agency's records should not only reflect the date the original data were created, but also the date they were entered.
(d) The measures taken to insure the accuracy of the data entered may be challenged. Normally, introduction of the systems documentation will be sufficient to demonstrate the accuracy of the data. However, it may be necessary to have expert testimony on verification, proof reading, internal audit trails, or computer security in general. It may be necessary as well to introduce the training records of the data entry staff.
11.3.4 Challenges to output:
Computer printouts prepared in the regular course of operations are considered more trustworthy than similar computer printouts prepared for trial. Consequently, the time and mode of preparation of printouts may be challenged. Normally, introduction of the systems documentation will be sufficient. However, where the printout is not created in the normal course of operations, an audit trail leading to the creation of the data may be required. If a specially written search or program was used to extract the data (as, for example, from a screen) the search or program should be included as well.
11.3.5 Challenges to security:
The method of storing the data (for example, magnetic tape) and the safety precautions taken to prevent loss of the data while in storage may be challenged. Backup only becomes an issue if it was used to generate the record. Where an agency is certifying that it does not have any record with regard to a transaction, it will usually be required to search not only the current systems but also the oldest backup that would be likely to contain such a record. Normally, introduction of the systems documentation will be sufficient to demonstrate the method of backup and storage. However, it may be necessary to obtain testimony concerning access to the system, what procedures were in place to prevent unauthorized access, and whether these procedures were carried out with respect to the records in question.
Please send any comments, suggestions or corrections to:John Muchmore
or electronically to:Thaddeus P. Bejnar
Deadline for public comment is September 15, 1993.