This Practice Directive will provide guidance to the campus on the appropriate use of electronic signatures. This guidance applies to all faculty and staff at San Francisco State University.
I. Appropriate Use of Electronic Signatures
San Francisco State University has elected to use electronic signatures for campus-approved University business processes. Per ICSUAM 8100.00, the campus has developed an Electronic Signature Risk Assessment procedure to identify, evaluate, and document where electronic signatures are permitted. Electronic signatures must only be used on documents that have been approved through the Electronic Signature Risk Assessment.
DocuSign is the approved campuswide electronic signature solution. All faculty and staff will have access to a DocuSign account. The account shall only be utilized for University business purposes and must not be used for personal transactions.
Electronic signatures shall not be used on forms containing Level 1 (Confidential) data.
Electronic signatures are not appropriate for documents that are external (involve parties other than San Francisco State University faculty and staff) or that are considered to be high risk (see section III of this Practice Directive).
II. Business Process Ownership
Business processes and associated documents are managed by campus process owners. The department that owns a particular business process is the only entity that may modify or upload the document for use in DocuSign. Department business process owners are responsible for initiating an Electronic Signature Risk Assessment (see section III of this Practice Directive) for the use of electronic signatures.
III. Electronic Signature Risk Assessments
The business process owner initiates and is directly involved with the Electronic Signature Risk Assessment process. During the Electronic Signature Risk Assessment, the following topics will be considered:
- The purpose and intent of the document;
- The parties involved;
- The routing of the document; and
- The contents of the document and any other associated attachments.
The Electronic Signature Risk Assessment will determine whether the process and associated documents in question are considered to be low, moderate, or high risk. Six risk impact categories, along with the likelihood of occurrence and potential mitigating factors, are used to assess each form:
CSU Electronic and Digital Signatures Standards and Procedures, 8100.S01, Section 6.0, Table 1 - Maximum Potential Impacts for Each Assurance Level.
The campus has determined that, because faculty and staff will authenticate their identity through single sign-on, there is a “Level 3: high confidence in the asserted identity’s validity.” See CSU Electronic and Digital Signatures Standards and Procedures, 8100.S01, Section 6.0. Therefore, should any of these risk impact categories receive a rating of high, the document will not be permitted to be used with electronic signatures. If all categories receive a risk rating of low to moderate, the document will be approved for use with electronic signatures. The campus may then begin utilizing electronic signatures on that particular document.
IV. Record Storage and Maintenance
Departments shall continue to maintain their records in accordance with the appropriate record retention policy and ITS-recommended file storage solutions. DocuSign shall not be used as a file storage solution.
Upon the completion of the transaction, the responsible department(s) should download both the completed document and any supporting documents for storage in accordance with best practices and in a way that is easily auditable. It is also recommended that the department download the accompanying certificate of completion, which will act as a supporting document and provide a digital audit trail.
V. Account Access and Management
San Francisco State University staff and faculty will be able to utilize electronic signatures through DocuSign by logging in with their SF State ID and password.
As a best practice, users should set up their signature the first time they log in and should not alter their defined signature once it has been created.
For consistency, users should utilize the same name used for University business purposes.
Noncompliance with applicable policies and/or practices may result in removal of DocuSign account access. In addition, disciplinary action may be applicable under other University policies, guidelines, implementing procedures, or collective bargaining agreements.
Please visit the DocuSign @ San Francisco State website for more information and help guides.
Electronic signature, DocuSign, Digital signature.