Guidelines for digital signatures
These guidelines are for all KI employees and are intended to be a support in the choice of digital signature service and for the validation of a digital signature in a document.
- Diary number: 1-638/2022
- Decision date:
- Validity period: Until further notice
- Decision: University director
- Document type: Guidelines
- Handled by department/unit: Legal Department (Juridiska avdelningen)
- Preparation with: Department for IT
Summary of the guidelines
Karolinska Institutet (KI) is committed to transitioning, to the greatest extent possible, to digital administration. Part of this move is the use of digital signatures (e-signatures). There are numerous signing services available, but none that has been produced for the specific and common use of public administration in Sweden or the EU. Common EU rules have, however, been set out in the eIDAS regulation [1], which includes solutions for e-signatures (“trust services”).
KI and other higher education institutions offer a service called eduSign, which has been produced by Sunet (Swedish University Computer Network) and which complies with the Agency for Digital Government’s (DIGG) framework for digital signatures for public authorities. Some administrative systems (e.g. Agresso and Primula) have integrated e-signature solutions.
When you receive a document that contains an e-signature, you must decide whether it is trustworthy, i.e. whether the signature is genuine and the document has not been altered since signing. This is referred to as validating the signature. You must also assess whether the form of the document meets the needs of your department and decide how the document is to be archived.
An e-signature generally takes the form of a service that gives the user a verification code or requests e-identification. An e-signature is legally binding in the same way as a handwritten signature. Inserting a scanned signature into a document as an image file, or verifying a document by email, is not the same as an e-signature. Such methods are easy to forge and cannot be tied to the signatory, and must therefore not be used at KI.