A recent article in Image and Data Manager highlighted the report of a Queensland Parliamentary Inquiry (QPI) into the public release of confidential Fitzgerald Inquiry documents.  During the Inquiry, the Crime and Misconduct Commission’s IT Manager, Cliff Horwood was grilled over his inability to retrieve certain information about internal emails requested under a summons.

This “grilling” of the IT Manager highlights the fundamental misunderstanding of the nature of electronic records, and how information is being archived and stored without capturing the “original” document, without all of its metadata intact.  Further, it highlights how IT Managers are being expected to deal with evidence, without any real guidance as to what they need to do.  

The email in question was a draft email that had been created by the CMC’s General Counsel in 2012. The version that was produced to the Inquiry was a printout, which meant the IT Manager was unable to determine if the printout came from TRIM, the CMC’s archive system, or from General Counsel’s Draft folder directly from their email repository.

The IT Manager attempted to retrieve the email from repositories restored from backup tapes, and was unable to retrieve the time stamp from the restored emails. During the Inquiry, the Member for Redlands, Peter Dowling MP, criticised the IT Manager for not obtaining the email directly from the General Counsel’s online email. Cliff Horwood responded that he did not have the right to do so, because he was not authorised to access the General Counsel’s email.  

The MP’s criticism was directed at the fact that a summons had been issued and that in itself gave the IT Manager the authority to access what he needed.  The IT Manager said if he had done so, it would have given him access to information outside the scope of the summons.  

The problem lies in that the rules surrounding digital evidence are unclear, there is very little judicial guidance on what constitutes a “document”, and exactly how records are to be kept and retrieved.  Further, summonses or other court orders that allow access to be gained to repositories of digital information, need to be clear about how to deal with documents that are not part of the summons.  This is the case whether it is private, confidential or privileged material, and is a common problem for regulatory bodies that seize computer hard drives and the like and then have to ensure privilege is preserved.

Under the Uniform Evidence legislation, a “document” is defined quite broadly and case law has confirmed that items such as CD-ROMs, hard drives, forensic images and the like can constitute a “document”.  

Therefore, if access can be obtained to a “document”  that is a hard drive, but in reality that hard drive contains hundreds of thousands of documents, how is the person trying to retrieve one document only, supposed to deal with the other documents, for which they are potentially not qualified to deal with?

In the Queensland Parliamentary Inquiry, reference was made to computer forensic specialists and whether such an expert should have been used to retrieve the email in 

question.  A computer forensic specialist would certainly be well qualified to deal with the evidence, and retrieve the document in question, however, if records were stored appropriately in the first place, and/or if the summons had made it clear how the person to whom the summons was directed was to handle information not relevant to the summons, then a computer forensic expert would not be required. As to the first point, it seems clear that the email in question had been entered into the CMS’s TRIM records management system.  Therefore, why wasn’t the email simply obtained from TRIM, rather than having to resort to backup tapes?  Further, if it was obtained from TRIM, then the document should have been archived in such as way as to preserve the integrity of the original metadata, thereby ensuring that the information required, that is, the date stamp, was visible.  If this information was not available, then the whole records management process should be called into question, as the original document has most likely been changed.  

As to the second point, IT Managers are too often required to perform the work of evidential experts, for which they have little or no training.  If they are required to search repositories under their management, then (a) the system needs to be such that information is stored properly and appropriately so retrieval is done in a correct manner and (b) the summons itself should clearly set out how information stored in a “system” is to be handled, when it is not relevant to the summons.

There is an urgent need for policy makers to think about digital records in a different light from paper records, in that digital records more often than not, reside in a system.  How records are stored and retrieved and viewed as evidence, should be considered in light of the system itself, not a “document” in isolation.

Allison Stanfield is the founder of e.law International, a niche legal technology company that specialises in providing computer forensics, electronic discovery and electronic court services, as well as hosting legal documents in the cloud.