Substitute scanning under TR-RESISCAN is not a single action but a structured process with defined requirements. Each step builds on the previous one and contributes to ensuring the evidentiary value of the digital document. This checklist guides you through the 10 essential requirements, from document preparation to destruction of the paper original.
Checklist
TR-RESISCAN Checklist: 10 Requirements for Compliant Scanning
Step by step to legally compliant substitute scanning under BSI TR-03138
Requirements 1-5: Preparation and Scanning
The foundation for a compliant scanning process
1. Document Preparation
Before scanning, each document must be inspected and classified. Which protection category does the document belong to? Is it general business correspondence (normal protection), a contract (high protection) or a personnel file (very high protection)? The classification determines which security measures apply throughout the process.
Additionally, the document is checked for physical defects: are all pages present? Are there creases, tears or faded areas that could affect the scan result? Staples and paper clips are removed.
2. Scanner Qualification
Not every scanner is suitable for TR-RESISCAN-compliant scanning. The scanner used must be qualified, meaning its technical capabilities are documented and it is demonstrated that it delivers the required image quality. Qualification involves test scans with defined templates and documentation of the results.
Qualification must be repeated during initial commissioning, after repairs, after firmware updates and at regular intervals.
3. Scan Profile Configuration
For each protection category, a scan profile is configured that defines the technical parameters: resolution (minimum 300 dpi), colour depth (colour, greyscale or black and white), output format (PDF/A) and further settings. The scan profile ensures that all documents in the same category are processed with identical settings.
4. Visual Inspection
After scanning, the digital document is compared with the paper original. The visual inspection checks:
- Completeness: have all pages been captured?
- Legibility: is the text legible in all areas?
- Colour accuracy: do the colours match (for colour documents)?
- Alignment: is the document correctly aligned?
- Artefacts: are there scanning errors such as streaks, shadows or missing areas?
The result of the visual inspection is documented. If deficiencies are found, the document must be re-scanned.
5. Integrity Assurance (Hash Value)
Immediately after scanning, a cryptographic hash value of the digital document is calculated. This hash value is a unique digital fingerprint. Any subsequent change to the document, even altering a single pixel, would change the hash value and make the manipulation immediately detectable.
Requirements 6-10: Documentation and Archiving
Traceability and long-term retention
6. Transfer Note
The transfer note is the central documentation element of the TR-RESISCAN process. It is attached to the digital document as metadata or an appendix and contains:
- Date and time of the scan
- Identity of the scan operator
- Scan profile and settings used
- Result of the visual inspection
- Hash value of the document
- Scanner used (model, serial number)
The transfer note proves that the scanning process was properly conducted and makes the entire operation traceable.
7. Logging
Every step of the scanning process is recorded in a log. The log covers all actions, timestamps and user information. It serves as proof of proper execution and enables later reconstruction of the entire workflow. Logs must be stored in an audit-proof manner.
8. Traceability
The entire process must be traceable for third parties: auditors, regulatory authorities or courts must be able to determine, based on the documentation (transfer note, logs, procedural documentation), how a particular digital document was created. This requires seamless documentation from receipt of the paper document to archiving of the digital document.
9. Retention
The digital document must be stored in a format that ensures long-term readability and verifiability. TR-RESISCAN recommends PDF/A (preferably PDF/A-3, as the transfer note can be embedded as an attachment). Retention must take into account statutory retention periods: 6 years for business correspondence, 10 years for accounting documents and tax records.
10. Destruction of the Original
Only when all previous steps have been correctly executed and documented may the paper original be destroyed. The destruction should also be documented. Important: certain document types are exempt from destruction, including notarised deeds, wills, land registry entries and documents with special documentary quality.
Practical tip: Many of these steps can be automated with the right software. Docuflair TR-RESISCAN guides users through the entire process and automatically generates the transfer note, hash values and logs. This avoids errors and reduces the time required.
Meet All 10 Requirements with One Solution
Docuflair TR-RESISCAN automates the entire process: from authentication through visual inspection to the transfer note and digital signature. Schedule a free demo.
Frequently Asked Questions
Answers to the most important questions about the TR-RESISCAN checklist
Must all 10 requirements be met?
Yes, for fully TR-RESISCAN-compliant substitute scanning, all requirements of the base module must be fulfilled. Depending on the protection level of the documents, the integrity and confidentiality extension modules add further requirements.
Can I implement the checklist without specialised software?
In theory, manual implementation is possible, but it is not recommended in practice. Steps such as the automatic transfer note, digital signature and comprehensive logging require software support to avoid errors and make the process efficient.
How often must scanner qualification be repeated?
Scanner qualification should be performed during initial commissioning, after repairs, after firmware updates and at regular intervals (recommended: annually). The qualification is documented and forms part of the audit trail.
What happens if the visual inspection reveals deficiencies?
If deficiencies are found during the visual inspection — such as missing pages, illegible areas or incorrect colours — the document must be re-scanned. The deficiency and the re-scan are documented in the log.