Organizing training involves a lot of time spent printing and signing paperwork. Ideally, there would be no need to print documents and they would be signed directly in the software! Welcome to the world of electronic signatures! This is a topic of particular interest to Digiforma, which is why we now offer this functionality.
You have probably heard all kinds of things about electronic signatures. Are they legal? Your mailbox is probably full of spam from suppliers trying to sell you their solution. Now is the time to shed some light on the subject and help you see things more clearly.
Here is a 2022 guide to everything you need to know about electronic signatures! Don’t panic, it’s a lot simpler than you think.
1. What is an electronic signature?
An electronic signature attaches an encrypted mark to a document strictly authenticating the identity of the person ‘agreeing’ to the document. This signature bypasses the need for a handwritten signature and makes the conclusion of contracts a completely paperless process.
The value of the electronic signature resides in the encrypted mark. In other words, a handwritten signature inserted at the bottom of a Word template is NOT a true electronic signature.
This encrypted mark must comply with certain rules in order to be valid from a legal point of view.
- The mark identifies the signatory and it must not be possible for a counterfeiter to duplicate it.
- The mark contains a hash, or ‘fingerprint’, of the document; any modification of the document would change the hash and invalidate the signature.
- The signed document is stored for a number of years in a system guaranteeing it will not be tampered with.
Suppliers of electronic signature solutions propose a system that attaches such a mark to a PDF document and sometimes even stores the document in a digital safe for you.
2. Are electronic signatures legal?
The EU eIDAS Regulation recognizes the validity of digital signatures subject to certain strict conditions. Basically, there are three types of electronic signature:
- A qualified electronic signature, which has the same legal or ‘probative’ value as a handwritten signature. You sign in possession of a digital certificate issued by an accredited authority. Only in extremely rare cases do you possess such a certificate.
- An advanced electronic signature, which does not have the same legal value as a handwritten signature but which constitutes strong proof in a file if all the required conditions are met. During the signature process you must upload proof of identity, such as your national identity card or passport.
- A simple electronic signature, which has no real value whatsoever. No doubt you have already used one of these. It consists of a text message sent to you containing a code. Your identity is linked solely to your telephone number.
- A qualified electronic signature has full and indisputable legal value.
- The other types of electronic signature are accepted but open to challenge.
A qualified signature is only possible if you possess a digital certificate proving your identity. This is a cryptographic device issued to a natural person by a trusted third party. Some countries, like Belgium and Estonia, have integrated such certificates directly into their citizens’ national identity cards.
In order for an advanced electronic certificate to have real force two criteria must be met, which are not easy to achieve in practice:
- The signature must make it possible to identify the signatory and it must not be possible for a third party to produce it.
- The signed document must be unalterable and be reliably stored for a certain number of years.
Strong authentication of the signatory is a very delicate subject. In the absence of a digital identity certificate, we are forced to seek roundabout methods to give the signature some kind of legal value. Many electronic signature systems, for example, use a text message containing a code, thereby associating a telephone number with the person and creating proof of identity (albeit rather limited, as the telephone could be used by someone else). The higher the implications of the signature, the more secure the means used to identify the signatory must be. Do not, for example, use identification by text message for a master training contract for all the employees of a FTSE 100 company!
The signed document must be stored long-term, in an unalterable state, in a digital safe, for which various suppliers provide cheap online solutions.
Note: the specific case of electronic stamps. These are placed on a document by a server using a digital certificate identifying the training company (legal entity). These stamps enable you to sign documents unilaterally (such as attestations, for example).
Be aware that most electronic signature suppliers only provide simple electronic signatures but are careful not to admit it and try to imply otherwise using invented expressions like ‘semi-advanced’. These are not real advanced electronic signatures, however, let alone qualified electronic signatures. For any type of electronic signature other than qualified, the idea is to compile a body of evidence proving the real identity of the signatory as reliably as possible. Then, in the event of a dispute, this body of evidence can be used to refute an accusation of counterfeiting.
This is why simple electronic signatures often use two channels of communication with the signatory.
- The signature request is sent to their email address.
- The unique signature code is then sent by text message.
These two independent channels create a real, albeit lightweight, argument to support the claim that the signatory is really the person in question.
In practice, this simple electronic signature system is sufficient when the amount of the contract or agreement is relatively small. Herein lie the subtleties surrounding the legality of electronic signatures.
The degree of security offered by the signature must be commensurate with the financial risk associated with the signed document.
In the case of a large contract, however, it may be more appropriate to use a veritable advanced or qualified electronic signature system. This is what banks and insurance companies do when they have you sign important contracts, such as a life insurance policy.
3. Can’t we just paste an image of a signature to the bottom of document templates?
Nothing prevents you from doing this—it gives your contacts the ‘impression’ of a signature—but it has no legal value, of course. Such documents are simply not signed. An electronic signature is a cryptographic mark inserted into a document; it is not a scribble made with your mouse at the bottom of the last page.
4. How can we sign training documents electronically? Can an electronic signature replace a company stamp on attestations and certificates?
It is important to distinguish between agreements and attestations. Some documents do not need to have strong probative value. They do not carry significant legal or financial risks. This is typically true of attestations and certificates. Incidentally, such documents are often not signed by both parties and only contain the company’s signature or stamp.
- Digital stamps exist for this purpose, automatically placing an electronic signature on the document using a digital certificate identifying the training organization legal entity.
- This type of solution is practical and a lot less costly but must not be confused with a normal electronic signature binding a natural person.
Digitally signing agreements
The best solution, though not necessarily the simplest, is to use specialized online services. These almost always involve identification by text message:
- You upload the document to the website and sign it in the interface.
- A request is sent to your contact asking them to sign it, with along with a verification text message.
- The final PDF document is generated including the signatures (verifiable cryptographic mark) and sometimes stored long-term directly by the signature website.
- If long-term storage is not offered by the website, you must upload the PDF document to an online digital safe.
Digitally signing attestations
The same specialized websites sometimes offer a server stamp system for attestations. You buy the stamp from them and you can then upload documents to stamp them and store them long-term on the website.
Another option is to purchase a digital certificate from a trusted third party, install it on your computer then sign the documents yourself with specialized software that uses the certificate. Remember to upload the signed document to the digital safe.
5. Can attendance sheets also be signed digitally?
Of course, but be careful: no supplier provides electronic signatures with strong probative value. They are only simple electronic signatures within the meaning of the European eIDAS Regulation, generally a lot less probative than those produced by the sending of a text message for a contract. The accumulated body of evidence is even weaker, based solely on use of the email address.
If this system is closely integrated into the learner platform, the body of evidence is a slightly more consolidated by connection IP addresses, e-learning activities completed, etc.
Here again, specialized suppliers employ misleading sales tactics to create an illusion. In fact, they do not prove the real identity of the trainees—the only thing that really matters—any better than the others. They do, however, insert into this document collecting these non-probative signatures an electronic signature identifying their own company and use this argument to claim that the document constitutes proof of the signatures. This lie is couched in numerous eIDAS–type acronyms identifying them as so-called ‘trusted third parties’.
Again, be careful: the subject is simple but you must ask the right questions:
- What is the nature of the trainees’ signature?
- What proof of identity has been used?
6. Finally, should we switch to electronic signatures?
Except in the rare cases of proper advanced or qualified electronic signatures, the electronic signatures that you may be naturally inclined to use, pushed by suppliers, are simple electronic signatures.
That said, going paper–free offers a welcome simplification of administrative processes. It is important to be aware of the limitations of this system and to only use it for contracts representing reasonable amounts.
The question is trickier when it comes to signing attendance sheets. In reality, digitally signed attendance sheets provide almost no guarantee as to the trainee’s identity.
In a sector affected by the problem of attendance fraud, it may be a good idea to exercise caution and treat with suspicion sales reps trying to sell you their solution at any cost.
7. Is there any hope that the use of qualified electronic signatures will one day become standard practice?
This type of signature would completely solve the problem of probative value. To this end, the signatories would have to possess a strong and certified digital identity. Such individual digital passports already exist in some countries, associated with a national identity card, for example, as in Estonia. Europe is currently working on rolling out this system to all Member States, which raises the hope of forthcoming progress on this subject.
What is eIDAS?
Beware of suppliers stating that they are in line with ‘eIDAS standards’. This is meaningless: eIDAS is a European Regulation that recognizes the existence of the three types of electronic signature. The sales reps of electronic signature solution suppliers brandish the term eIDAS to impress customers but this does not magically transform their simple electronic signatures into qualified electronic signatures.