PRO-3200.01: Choosing Best Practice: e-Approval or e-Signature

Intended Audience: All Students, Faculty, and Staff
Procedure Owner: Director of Enterprise Application Services

1. Definitions

e-Signature

An electronic signature is the legally binding electronic equivalent of a handwritten signature: a symbol or process attached to or logically associated with a record and adopted by the signer with the intent to sign that record.

Legally Binding Document

A legally binding document is a document that can be upheld in court, e.g., a contract. A signature is crucial to a legally binding document because it is evidence that an agreement exists and that both parties agreed to the same terms.

Approval

To consent officially or formally to a request, decision, or action.

e-Approval

An electronic approval is a process that enables Western to quickly authorize and approve non-legally binding documents and transactions, recording who approved what and when without requiring a legally binding signature.

Adobe Sign

An e-signature service that is certified compliant with ISO 27001, SSAE SOC 2 Type 2, FedRAMP Tailored, and PCI DSS. Those certifications cover the vendor's service and its controls; meeting the other compliance requirements listed in section 2, Acronyms, depends on how Western configures the workflow and handles the resulting records, and Adobe Sign can be configured to support them.

DocuSign

Another e-signature service, holding FedRAMP authorization and SOC 2 reports and supporting HIPAA and GDPR obligations (neither of which is a formal certification scheme). DocuSign can be customized to allow Western to meet other compliance requirements.

2. Acronyms

FDA 21 CFR Part 11

U.S. Food and Drug Administration's federal regulation on electronic records and electronic signatures. It sets the criteria under which electronic records and signatures are considered trustworthy, reliable, and equivalent to paper records and handwritten signatures for FDA-regulated activities, for example the administration of electronic records in a medical device company's quality management system.

FedRAMP / FedRAMP Tailored

Federal Risk and Authorization Management Program: A U.S. government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP Tailored allows agencies to select a smaller set of controls for low-impact software-as-a-service offerings, based on the information types handled and how the service is used, so that such services can obtain authorization more easily. This tailoring of control baselines is explicitly provided for in NIST SP 800-53 revision 4.

FERPA

Family Educational Rights and Privacy Act of 1974: A U.S. federal law that protects the privacy of student education records at institutions receiving federal education funds. It gives eligible students (and parents of minor students) the right to inspect their records and restricts disclosure of those records to third parties such as potential employers and other entities without the student's written consent, subject to defined exceptions.

GDPR

General Data Protection Regulation 2016/679: A regulation in European Union (EU) law on data protection and privacy in the EU and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas.

GLBA

Gramm–Leach–Bliley Act: Also known as the Financial Services Modernization Act of 1999 (U.S. Congress). It requires financial institutions—companies that offer consumers financial products or services like loans, financial or investment advice, or insurance—to explain their information-sharing practices to their customers and to safeguard sensitive data.

HIPAA

Health Insurance Portability and Accountability Act of 1996: A federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

ISO 27001

ISO/IEC 27001: An international standard that specifies the requirements for establishing, operating, monitoring, and continually improving an information security management system (ISMS). Organizations are certified against it by accredited third-party auditors.

PCI DSS

Payment Card Industry Data Security Standard: An information security standard for organizations that handle branded credit cards from the major card schemes. The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council.

SSAE SOC 2 Type 2

Statement on Standards for Attestation Engagements (SSAE 16, superseded by SSAE 18 in 2017), System and Organization Controls Report 2, Type 2: Developed by the American Institute of Certified Public Accountants, this attestation report assesses an organization's controls against the Trust Services Criteria of security, availability, processing integrity, confidentiality, and privacy. A Type 2 report covers the operating effectiveness of those controls over a review period (typically six to twelve months), whereas a Type 1 report covers their design at a single point in time.

3. Review of Your Use Case

  1. If neither of the situations below exists, go to section 4, Obtaining e-Approval. Otherwise, continue with step 2.
    a. At least one party to the transaction is external to Western Washington University.
    b. Legal circumstances create the need to use an e-signature.

  Examples of documents requiring e-approval are requests to attend conferences, requests to pay an invoice to a vendor, and acknowledgement of risk and hold harmless agreements.

  2. If both of the situations below exist, go to section 5, Obtaining e-Signature. Otherwise, continue with step 3.
    a. At least one party to the transaction is external to Western Washington University.
    b. Legal circumstances create the need to use an e-signature.

  Examples of documents requiring an e-signature are contracts, medical documents, employment offers, and Western gift agreements.

  3. If you reviewed the situations in steps 1 and 2 above and still could not determine whether your use case needs e-approval or e-signature (for example, only one of the two situations applies), contact the EAS Project Management Office at pmo@wwu.edu. A Project Manager will assist you in identifying which tool is needed.

4. Obtaining e-Approval

Based on your determination in section 3, your use case may need e-approval only, because it does not meet the legal requirement for an e-signature.

  1. Contact the EAS Director at grp.ITS.ADMCS.Director@wwu.edu. An analyst will contact you and assist you in determining which tool to use. Western currently has several technologies for e-approval.

5. Obtaining e-Signature

Based on your determination in section 3, you may need Adobe DC, Adobe Sign, or DocuSign for your process.

  1. Contact Software Services at software.services@wwu.edu for licensing and cost information on these University-supported options.

6. Authority

  1. University policy POL-U3000.06: Using Electronic Signatures
  2. Information Technology Services (ITS) standard STN-3200.01: Electronic Approvals and Signatures

Change Log

Revised      Version   Author            Approver                              Change
06/18/2021   1.0       Wanna VanCuren    ITS Standards & Guidelines Committee  Original Version