
Guidance on the Sensitivity and Use of Digitized Signatures  

By default, the University treats signatures as Tier 2. This is because signatures can be used to access financial accounts or to authenticate documents, and they are “Personally Identifying Information” in those contexts. Signatures can be used in many other ways, though (reports, proclamations, memoranda, athletics memorabilia, and many other items), that may be published on websites, printed and distributed publicly, or displayed for the public to see. Applying all Tier 2 sensitive information protections to signatures in every context in which they’re used isn’t practical or appropriate and would prevent their use. It is possible to both protect signatures and still use them.

The best ways to address the risk associated with digitized images of signatures are to pursue alternatives for signatures when possible, manage expectations for individuals providing signatures, and consider the context in which the signature will be seen.   

One of the best ways to reduce risk is by not using a signature. Wet-ink signatures may be more of a habit than a necessity, and other options may fit the need. Some alternatives are:

  • A checkbox on a form that can only be submitted after SSO authentication   
  • Accepting an email from the person you’d ask for a signature (users must authenticate in order to send an email)   
  • Allowing the typed “/s/Name” format rather than expecting your signer to print, sign, and scan a document or apply an already uploaded image of their signature   
  • If using a signature is entirely unavoidable, consider using a digital signature system instead.   

If the document (or signed jersey) is meant to be published or shared in an uncontrolled way, and the signature is a traditional (or required) element, the University accepts that risk. The best practice is to not surprise anyone with that outcome. When creating a document, if people are expected to sign it, ensure that they know what it will be used for, how public it will be, and how its release will be controlled.   

If you are responsible for documents with digitized images of signatures, we expect you to consider the full context. Some good questions to ask yourself to be sure you’ve thought of important considerations for your situation are:

  • What does the signer think will happen? Are they aware of how their signature will be used and what the risks are?   
  • Does the university have obligations to other kinds of information on the document? Due to other data elements that are present, a signed document may be covered by some other data protection law.   
  • What is the purpose of the signature in this context? Signatures used for accessing financial accounts or authenticating documents should be treated with different sensitivity than signatures used for athletic memorabilia, for example.   
  • Will the document with the signature be released in a digital or print format? A digitized image of a signature released on a printed document is harder to use for forgery. 
  • If copies will be made and distributed that don’t need the signature, consider redacting it on those copies.