Signature Definitions

Handwritten signature: "The scripted name or legal mark of an individual handwritten by that individual and executed or adopted with the present intention to authenticate a writing in a permanent form. The act of signing with a writing or marking instrument, such as a pen or stylus, is preserved. The scripted name or legal mark, while conventionally applied to paper, may also be applied to other devices that capture the name or mark" (21 CFR 11.3(b)(8)).

Electronic signature: a computer data compilation of any symbol or series of symbols executed, adopted, or authorized by an individual to be the legally binding equivalent of the individual's handwritten signature.

Digital signature: These are a subset of electronic signatures because they are also in electronic form. Digital signatures are a cryptographic mechanism often used to implement electronic signatures.  Digital signatures go much further in terms of providing security and trust services.  Components for a digital signature include:

Signer authentication: Proof of who actually signed the document. This links the digital signatures to an actual identifiable entity.

Data integrity: Proof that the document has not been tampered with since signing. The digital signature depends on every binary bit in the document and therefore can’t be re-attached to any other document.

Non-repudiation: The signer should not be able to falsely deny having signed their signature. That is, it should be possible to prove in a court that the signer in fact created the signature.

e-Sign Act: e-signature is defined as “an electronic sound, symbol, process attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record and be legally bound.”

Types of electronic signatures:

• Electronic Signature
  • Examples of electronic signatures include a scanned image of the person’s ink signature, a mouse squiggle on a screen or a hand-signature created on a tablet using your finger or stylus, a signature at the bottom of your email, a typed name, a biometric hand-signature signed on a specialized signing hardware device, a video signature, a voice signature, an “I Agree” checkbox, etc. The list is endless.
  • Scribble Signature: Mobile Forms are increasingly being used on touch devices, and one common requirement is to support signatures. Scribing is becoming an accepted way of signing documents on mobile devices.  Think about when you get a package delivered, you now sign on a signature pad, not a piece of paper.  Once a Signature Scribble field has been added to the form and rendered, clicking or tapping on the field opens a dialog box. The user can scribble a signature in the draw area designated by a dotted rectangle, using a mouse, finger or stylus.

    • Actual image of the signature is captured

    • Has useful feature such as IP Address or Geographic location detection, date and time

    • Allows users to apply their pen signature on an electronic form on Mobile devices

    • Becoming an accepted way of signing forms on mobile devices

    • REDCap signature field is a scribble signature
  • REDCap authenticated username or name of individual signed into REDCap with appropriate REDCap functions enabled provides an electronic signature.  For example, in a text field that utilizes action tags @READ-ONLY (cannot be changed by user), @USERNAME (automatically captures individual authenticated into the software), or action tag with smart variable @DEFUALT='[user-fullname]' will automatically provide the individual authenticated into the software with a timestamp in the logging.
• Certificate-based Signatures:
  • A Digital Certificate - provided by a third-party Certificate Authority (CA) like Verisign/Symantec, Entrust, GlobalSign, etc.
    • Highly secure transactions (usually financial)
    • The digital certificate requires a password to authenticate
    • REDCap eConsent Framework provides a digital certificate using an IP address as the hash.
      
  • Signing Services
  • Adobe Self-Signed Signature – you create yourself with a copy of Adobe Acrobat
    • Day to day internal PDF form processes
    • Does not provide the non-repudiation as there is no CA (you are who you say you are)

Used to identify a person signing a document along with some ceremony information (date, time, reason…).  A certified certificate authority will go through a comprehensive process in order to determine a user’s identity before issuing a digital certificate as these are used in cases of law.  These types of “Digital Certificates” provide the highest level of security around signatures.  When a user applies their signature to a document, typically a hash of the document being signed (or a subset of it) is generated and encrypted with the private key from the digital certificate.   The recipient of a signed document can always query the certificate authority that was used to sign a document to determine who specifically signed the document, if the document has been tampered with since it was signed, and the intent of the signer. 

You can have multiple digital IDs that you use for different purposes, particularly if you sign documents in different roles or using different certification methods. Digital Certificates or IDs are usually password protected. They can be stored on your device (trust store), a USB key, or a Hardware Security Module (HSM). These all require a password in order to apply the signature to a document. It enhances security on your system so that if someone gets on your system, they need a special password to sign documents with your certificate.

In a PDF document, the signature can have any kind of appearance, but it’s not the appearance that is important but the fact that the password challenge was successful to put the appearance on the PDF. You can configure the appearance of a signature on your local copy of Adobe Reader/Acrobat which can include an image. 

• Digital Signatures to Certify Documents: Protect the integrity of forms by allowing people to use certificates to digitally sign forms. After the form is signed, the signed portion cannot be altered without invalidating the signature. The digital signature invokes a third-party signature handler that provides the required digital signature functionality.  Verifying the signature guarantees that no one tampered with the data after it was submitted. 
  • When and why to certify documents:

  • When it is a PDF document of record

    • To prove authenticity and integrity of the documents that are published

    • Sign a form on behalf of a public notary

    • Validate signatures on documents before moving to a document management system

REDCap eSignature

HOW THE e-CONSENT FRAMEWORK WORKS

The REDCap e-Consent Framework provides standardized tools to obtain consent and store consent documentation with a certification screen and a storage function which automatically generates a ‘hard-copy’ PDF of the signed form.

The ‘Auto-Archiver + e-Consent Framework’ survey option adds two things to the typical survey-taking process.

1. Before a participant completes the survey, an extra certification page is added to the end of the survey that displays an in-line PDF copy of the document in which they will be asked to confirm that all information in the document is correct.
   • The survey will not be considered complete until they fulfill the certification step.
2. Upon completion of the survey, a static copy of their responses in the form of a consent-specific PDF will be stored in the project’s File Repository.
   • The consent-specific PDF will have the values of the e-Consent Framework Options inserted at the bottom of each page in the PDF.
   • These values (i.e., name, date of birth, etc.) are added to the PDF as extra documentation of the identity of the person who is consenting.

SETTING UP e-CONSENT FRAMEWORK

1. Enable surveys on the “Project Setup” page.
2. Set up a survey instrument with the consent language as well as first, last, signature, and a date validated field. Optional fields may be included, such as ‘date of birth’.
3. Enable the consent instrument as a survey.
4. If it is already enabled go into survey settings and turn on “auto-archiver + e-Consent Framework”.
   • A pop up will appear requesting first and last name variables as well as version number. *Versioning of a form is a concept whereby you may give it a number or alpha-numeric designation to represent the current version.
   • If the form is modified AFTER data collection begins, then it is recommended that a new version be applied. For example, the first version might simply be ‘1’, and after collecting the consent of a few participants, a question is modified or added, which represents a new version of the form, so you might increment the version to ‘2’ (and so forth).
5. You can select the optional fields like date of birth or the e-consent type.
   *The e-Consent ‘type’ is another free-form text field that can be used to signify the type of e-Consent that this survey represents (e.g., pediatric). ‘Type’ is often used to distinguish between multiple e-Consent forms within a project.
6. Finish up by clicking the “Save Changes” button.

*Consent version and type are both free-form text fields whose value will be inserted at the footer of each page in the PDF.

HOW PARTICIPANTS USE e-CONSENT

The participant will open the survey and read through the consent form. When they get to the bottom, they will have the opportunity to fill in their information and sign their name if they agree to participate. They will select “Next Page” and a read only copy of the consent will be generated that they can review, download, and/or print. At the bottom of the page they will need to select “I certify that all the information in the document above is correct, and I understand that signing this form electronically is the equivalent of signing a physical document.” Once this is selected they will be able to submit the survey.

WHERE ARE COMPLETED PDFs STORED?

The completed PDFs are in the File Repository under “PDF Survey Archive.” Files can be downloaded as individual records or bundles in a ZIP file. Note: only users with ‘Full data set’ data export privileges will be able to download the archived files. The e-Consent Framework also records the IP address of the participant and displays this information in the file repository in order to help regulate potential duplicate forms from a single IP address.

Disclaimer: The article are based on the CCTST & CCHMC REDCap Instance.