In practice, questions about the implementation of GeBüV Art. 9 arise time and again. In particular, under which circumstances modifiable storage may be used in the archive. Here are the requirements for an archiving solution to be compatible with Art. 9 and for modifiable storage to be used.
Art. 9 Permissible information carriers
1 For the retention of records are permissible:
- unchangeable information carriers, namely paper, image carriers and unchangeable data carriers;
- changeable information carriers, if:
- technical procedures are used which guarantee the integrity of the stored information (e.g. digital signature procedures),
- the time at which the information is stored can be verified in an unforgeable manner (e.g. by means of a “time stamp”),
- the further regulations existing at the time of storage concerning the use of the technical procedures concerned are complied with, and4.the processes and procedures for their use are defined and documented, and the corresponding auxiliary information (such as logs and log files) is also retained.
2 Information carriers are deemed to be modifiable if the information stored on them can be changed or deleted without the change or deletion being detectable on the data carrier (such as magnetic tapes, magnetic or magneto-optical diskettes, fixed or removable disks, solid state memories).
Interpretation and practice for the implementation of Art. 9 para. 1 lit. 2. the following procedures are cumulatively required to meet the requirements:
- Integrity protection with combined crypto/hash methods (hash algorithms without signatures do not meet the requirements).
- Signatures with integration of the current time, preferably via a time stamping service. The proof of time integrity must be able to be guaranteed.
- Access control with restricted rights for administrators and logging of all system-relevant actions.
- Complete documentation of the procedures used (with history)
Conclusion: Integrity protection on modifiable storage is only recommended to customers who have to process very high archive volumes and have expertise in handling crypto procedures. Otherwise, it is recommended to rely on special storage hardware from established manufacturers.
This is only one requirement from the complete catalog. Over the last few years, a comprehensive compliance catalog has been developed, which serves as a benchmark for checking the legal compliance of archiving solutions. As an implementing regulation, the GeBüV serves as the legal basis for almost all areas of activity, both in the private and public law environment.
Do you want to know if your solution meets the Swiss requirements? Then contact us.