When you have to be right

Checklist and Guidance Notes Regarding Cloud Storage of Trust Documents

White Paper May 2016

Cloud storage and software systems are an increasingly common alternative to in-house data storage and software storage. The advantages include flexibility and cost. However, these advantages must be balanced against privacy/confidentiality obligations and the need for certainty that stored documents will retain their original form and content.

The New Zealand Law Society’s Practice Briefing: Cloud Computing Guidelines for Lawyers examines how lawyers can use cloud computing while maintaining their professional obligations. The Practice Briefing does not endorse cloud computing and it is important to appreciate that while cloud storage may well be the new “norm” it is merely a tool.

Cloud storage does not change pre-existing obligations. These guidance notes suggest factors to consider and resources for further information.

As the term “cloud storage” covers a wide range of practices, technologies, contracts and regulatory regimes, there is currently no one best practice standard.

These notes offer guidance only in this dynamic legal and regulatory landscape. Appropriate due diligence is essential. See the Additional Resources and Guidance section for more information.

Checklist and Guidance Notes Regarding Cloud Storage of Trust DocumentsVicki AmmundsenPrincipal, Vicki Ammundsen Trust Law

How long must trust documents be retained?Trust documents should be retained, at a minimum, for the duration of the trust — see Law Commission Review of the Law of Trusts: A Trust Act for New Zealand (NZLC R130) at [5.39].

However, good practice can still require trust documents to be retained after a trust is wound up.

Limitation periods also require consideration. See Limitation Act 1950 and Limitation Act 2010.

What are trust documents?Before considering storage options, it is useful to determine what “trust documents” are. Trust documents are generally accepted to include (but are not limited to):

• trust deed• any deeds of variation or other amending

documents • deeds of appointment and retirement of

trustees• deeds of appointment and removal of

beneficiaries• gifting documents• memoranda of wishes (technically these

are normally trustee documents but for storage purposes they should be treated the same as trust documents)

• trustee resolutions (technically these are normally trustee documents but for storage purposes they should be treated the same as trust documents)

• schedule of trust assets

• transactional documents (including but not limited to contracts) — to be retained for the extent of any relevant limitation periods (including any longstop period pursuant to the Limitation Act 2010 if potentially relevant)

• accounting/tax records — to be retained for the statutory period or relevant limitation period (whichever is longer)

• where there is a corporate trustee, the following documents should also be retained:o any documents evidencing

Companies Act 1993 requirements in ss 189 (company records), 190 (form of records), 194 (accounting records must be kept), 195 (place accounting records to be kept), 215–218 (inspection of company records)

o constitutiono director and shareholder resolutionso accounting/tax recordso contracts and other transactional

documents subject to relevant limitation periods.

The trust deed and any deeds amending its provisions or appointing new trustees are required to be held by or on account of the trustees and must be stored safely. Increasing trust litigation, particularly where trustees are exercising decision-making powers, means that proper record retention is more essential than ever. While the Law Commission refers only to retaining documents for the duration of the trust, matters can arise many years after the original trust was settled and even after it is wound up. See, for example, Erceg v Erceg [2016] NZCA 7.

Trustees can also have record-keeping obligations under other legislation such as the Income Tax Act 2007 and the Tax Administration Act 1994.

A trust that carries on a business has the same record-keeping obligation as any other person: Tax Administration Act, s 22. In addition to this general obligation, if a trustee has had a debt forgiven in consideration of natural love and affection (Income Tax Act 2007, ss EW 44, EZ 39), the trustee must keep records of the amounts forgiven and any amounts distributed to beneficiaries: Tax Administration Act, s 22B(1).

Records of debt forgiveness must be stored safely and retained for the life of the trust: Tax Administration Act, s 22B(2).

Resident trustees of foreign trusts must keep and retain detailed records. See Taxation of Trusts (2nd ed, CCH New Zealand, 2011) at chapter 19.

In addition to trust documents, trustees should also retain:• records of dividend imputation credits

or resident withholding credits available for allocation, and details of how these were allocated, and

• all financial statements and tax returns.

Original documents

Whether or not original documents should be retained needs to be considered on a case–by-case basis. Prudence would dictate that unless or until the point is confirmed by the proposed new Trusts Act, or any other relevant legislation, original trust documents

should be retained where it is practicable to do so. In this regard it is noted that increasingly there may not be “original” hard copy documents in the conventional sense.

While the retention of original documents may seem increasingly unnecessary given the moves to electronic storage and other file-storing software, there are still instances where original documents or original certified copies of documents can be required (eg by banks and other financial institutions).

Ownership

With some exceptions, files belong to clients, even while in the care of an accountant or solicitor. Accordingly, before contracting with a cloud storage provider, it is important to consider the terms of the accountant’s or lawyer’s retainer. This may require review and amendment of client care agreements or letters of engagement.

Electronic Transactions Act 2002There are legislated provisions for the retention of electronic records. See, for example, s 32 of the Electronic Transactions Act, which provides that a legal requirement to compare a document with an original document may be met by comparing that document with an electronic form of the original document, if the electronic form reliably assures the maintenance of the integrity of the document.

However, original documents are still required in some cases (eg for probate of a will). Some banks and other institutions still require certified copies of original trust deeds.

Lawyers and Conveyancers Act (Lawyers: Conduct and Client Care) Rules 2008 Chapter 8 of the Rules sets down the duty to protect and hold in strict confidence all information concerning a client.

Use of a cloud storage provider service may mean that a third party can access client data. It is, therefore, important to contractually ensure that the cloud service will not compromise client confidentiality.

It is essential to engage a reputable provider. Consideration must be given to the procedures used by the cloud provider in hiring their personnel and the levels of access of those personnel to stored information. Access by third-party personnel (ie where the cloud provider subcontracts some operations that are key to the security of the operation) must also be considered.

Security and encryptionIt is much easier to corrupt electronic data, whether by accident or design, than paper documents. Systems must be in place to safeguard the authenticity, reliability, accessibility and security of all electronic material.

Proper consideration must be given to how a cloud provider addresses corruption risks.

Systems should be established and enforced to ensure the authenticity, accessibility and security of all material stored electronically.

AML/CFT and FATCA legislationAny trust, trustee or trust administrator (including legal and accounting advisers) that may be:

• reporting entities under Anti-Money Laundering/Combating the Financing of Terrorism (AML/CFT) legislation, or

• foreign financial institutions or passive non-financial foreign entities under the Foreign Account Tax Compliance Act (FATCA)

must ensure that the use of cloud storage does not negatively compromise any reporting obligations.

ChecklistClient:

Trust:

Date:

Author:√ When Completed

Check that your cloud provider can provide sufficient protection. See the “Information Assurance Framework” in the ENISA report Cloud Computing: Benefits, risks and recommendations for information security for questions that need to be asked.When considering the use of cloud storage, review such matters as:

• Data protection• Data security• Data transfer• Law enforcement access• Confidentiality and non-disclosure• Intellectual property• Risk allocation and limitation of liability• Change of control

Confirm the cloud provider’s retention policy.

What is the cloud provider’s policy on backing up data? In an emergency, how long will it take to restore data, and is there any hardware or software failure that can cause data loss?

Are there any jurisdictional considerations?

How will you access the information?

Can you access information from another location if required?

What happens in the event of a service outage?Does the provider have the ability to provide alternative access to the data (ie through another server in a different location)?

Is the pricing structure suitable for your usage?Are you charged for every file accessed, or just upload and download charges?

Have you advised the client where their documents will be held and obtained their written consent? Are your terms of engagement adequate to allow cloud storage?

Do you need to keep an original copy? The original copies of any wills must be retained as the High Court will not grant probate of an electronic copy of a will. See Re Crawford (deceased) [2014] 3 NZLR 38; [2014] NZHC 609.

What will you do with original copies?Should clients still be charged for off-site physical document storage and retrieval?

Do you need your client’s permission to destroy original documents?

Should these original documents be sent to a trustee for safe custody?

Ensure that the contract does not give the cloud provider ownership of the data stored in its services, and that it acknowledges the data is owned by the law firm and/or its client and not by the cloud provider.

How is your back-up data stored? As with local storage, it is essential that there are adequate data back-ups.

Do you need local storage as well as cloud storage?Remember that local storage provides instant access, even if there are network issues.

What liability does the cloud provider have in case of data loss?

What policies do you have in place to inform your clients about an incident affecting their data?

Does your insurer or the cloud provider provide “ransom” protection in the event of file hacking or other attack by hostile malware-generated events.

Other comments/matters to address:

Additional Resources and Guidance• European Network and Information Security Agency Cloud Computing: Benefits, risks and

recommendations for information security (ENISA, November 2009). The Information Assurance Framework in this report provides questions that organisations can ask a cloud provider to assure themselves that they are sufficiently protecting the information entrusted to them.

• New Zealand Cloudcode Cloud Computing Code of Practice (version 2, July 2013) <https://cloudcode.nz/>

• Electronic Transactions Act 2002

• Electronic Transactions Regulations 2003

• New Zealand Law Commission Review of the Law of Trusts: A Trusts Act for New Zealand (NZLC R130). The “Retaining Information” recommendation from this report is set out below:

RECOMMENDATIONR5 The new Trusts Act should provide that:

(1) In exercising the mandatory duties of a trustee, a current trustee is required, so far as is reasonable, to retain the following:(a) the trust deed;(b) any variations made to the trust deed or terms of the trust, including variations made to the

beneficiaries of the trust;(c) a list of all of the assets currently held as trust property and liabilities of the trust;(d) any records of trustee resolutions made during that trustee’s trusteeship;(e) any written contracts entered into during that trustee’s trusteeship;(f ) any accounting records and financial statements prepared during that trustee’s trusteeship;(g) deeds of appointment and retirement of trustees;(h) any expression of the intention or wishes of the settlor; and(i) any of the above documents retained by a former trustee during that trustee’s trusteeship and

passed on to the current trustee.(2) Where there is more than one trustee, it is not necessary for every trustee to hold a copy of the

documents, except for the documents in R5(1)(a) and (b). One trustee may hold the documents on behalf of the other trustees as long as the documents are available to the other trustees on request.

(3) A trustee is required, so far as is reasonable, to retain the documents for the duration of his or her trusteeship of the trust and, if the trust continues, to pass on the documents to at least one replacement or continuing trustee when he or she retires or is removed.

• Lawyers and Conveyancers Act (Lawyers: Conduct and Client Act) Rules 2008

• Privacy Act 1993

• Companies Act 1993 (applicable for corporate trustee). For example: ss 189, 215 and 216

• Income Tax Act 2007

• Tax Administration Act 1994

• New Zealand Law Society Practice Briefing: Cloud Computing Guidelines for Lawyers (June 2014)

• Deni Connor and Patrick Corrigan “Cloud storage best practices: A checklist for adopting storage services in the cloud” (28 March 2011) NetworkWorld <www.networkworld.com>

• V Winkler Securing the Cloud: Cloud Computer Security Techniques and Tactics (Syngress, 2011)

• The Law Society UK “File retention: trusts” (6 October 2011) <www.lawsociety.org.uk>

When you have to be right.

Request a demo Online: wolterskluwer.co.nz/trusts-estates/cch-itrust Email: gTaylor@cch.co.nz

Now end-to-end trust management has never been easier with CCH iTrust.

• Significantly minimises risk associated with trust management and compliance

• Improves productivity• Saves time and money• Remote access, anywhere, anytime

on any device • Every document and record

related to your trusts in one place

Is your internal trust management system losing you money?

Want to save time and money by streamlining your existing trusts processes?

Want to turn your trusts practice into a cash cow?

Are you unnecessarily exposed in your role as a professional trustee?