Trustis Limited
Digital Certification Services
Privacy Charter

Introduction

Trustis Limited strongly believes in an individual's rights to privacy. That is why we augment our high quality certification services with appropriate data protection commitments to safeguard our certificate holders' personal data from unauthorised access.

Trustis Limited complies with the European Union Directive and the UK law on Data Protection. The European Union Directive establishes the most rigid legal framework in the world for your protection. The UK Data Protection Act 1984 and the EU Data Protection Directive 95/46/EC (which has been introduced into UK law as the new Data Protection Act 1998) provide for the protection and care of personal information. This Privacy Charter explains how Trustis Limited protects the personal data that you may have supplied as part of enrolling for your digital certificate.

Return to table of contents

Your Rights

• data held on you is accurately recorded as supplied
• data held on you is processed legally, fairly, securely and only for the purpose(s) for which it was originally collected
• you are made aware of the purposes to which your data are put and with whom it is shared
• you are able to see a copy of data held on yourself (whether originally supplied by you or by a third party) but not including PINs, passwords or passphrases and possibly certain other information that might create a security risk
• you are entitled to object to: a) the processing to which your data is subjected and b) any additional marketing uses to which your data is put
• if your data is sent to 'Third Countries' (i.e. outside the EU) then agreements are in place which ensure that the level of protection is not diminished

This is necessarily an abbreviated list. An 'unofficial' copy of the EU Directive may be found at http://europa.eu.int/comm/internal_market/en/dataprot/. However, for the authoritative text of the Directive, reference should be made to the Official Journal of the European Communities of 23 November 1995 No. L.281 p.31.

Return to table of contents

Our Commitment to You

Consistent with the rules on Data Protection, you have rights established by law that Trustis Limited fully observes, and consequently.

• We request your explicit consent for all the personal data you may submit. We collect no personal data unless you submit it.
• We use the data that you submit, only to validate your identity in connection with providing you with digital certification services.
• You have the right to review your personal data that we hold, and check it for consistency.
• You have the right to correct data in the unlikely event that errors may be found in our records.
• If you are not happy with us holding your data, you may request us to deactivate it, thus making it unavailable for further use, (note that this may mean that we cannot continue to provide you with digital certification services).

As an integral part of our commitment to respect privacy and to providing trusted services, Trustis Limited offers enhanced protection over and above your statutory rights:

• If you subscribe with us, we will not use your personal data to compile user profiles.
• We will not store persistent cookies in your computer to keep track of you.
• Your business is not our business. We will not collect any data that you as a subscriber of our digital certificates do not release or authorise us to have.
• Where credit card payments are involved, no credit card information that you submit is used for any purposes other than payment of fees due. Whilst we may hold such credit card information for the purpose of processing your payment, all credit card information will be properly secured from unauthorised access.
• No data that you submit is for sale. We are not in the business of selling your personal data.
• We extend this commitment to qualifying applicants from anywhere in the world.
• None of the statements made in this Charter affect any other applicable statutory rights you may have.

Return to table of contents

What information is covered by this Privacy Charter?

Any personal information voluntarily supplied by the applicant as part of the enrolment plus any additional information about that applicant supplied by any third party 'information source' at the request of Trustis Limited, but excluding PINs, password, passphrases, challenge phrases and other information that may create a security risk if divulged. 'Company' information is not covered by the legislation, although Trustis Limited will apply the same criteria of protection to 'business data' as to 'personal data' as part of its service. By 'company information' is meant information which describes subscriber companies, other incorporated or non-incorporated bodies, but which does not relate to an identifiable natural person.

Return to table of contents

Our Usage of your Personal Data

We will use the information that you supply to us in the following ways:

• Bind some of the information into the certificate itself.
  For example, a personal e-mail address or web server URL and personal names may form part of the certificate and identify it to other parties.
• Use the information to establish certain facts about the individual or company.
  For example, an individual's name, company name and/or department name supplied may be used:
  • to check with a third party agent that the individual, company and/or department is a real entity, is eligible to receive a certificate and is still active.
  • to check that the application for a certificate is legitimately made from the individual, company and/or department.

Any processing carried out on this data will be at the instruction of Trustis Limited and will be carried out under physically and electronically secure conditions. Processing will be legal, fair and confidential.

Where data needs to be transported it will done so in a secure manner, including when this is to authorised and trusted service providers.

Data will be retained by Trustis Limited for a period (see the Certificate Policy for details). Due to the possible need to verify old documents signed with a private key that corresponds to the public key in a certificate which may have lapsed some time before, this retention period may be substantial.

In the course of validating the certificate application information, issuing the certificate and publishing it to potential relying parties, Trustis Limited or Registration Authorities acting on its behalf may need to communicate personal information to one or more of:

• Authorised and trusted service providers intimately involved in the management of our certificates
• Third party information providers, where external corroboration of applicant data is required to provide adequate confidence in that data

All of these external agents are bound under contract to Trustis Limited to observe the same or a substantially equivalent privacy policy. This means that, even though the data protection legislation may not cover Company data, neither Trustis Limited nor any of the agents or business partners used by Trustis Limited in providing this service will disclose either personal or Company details to other companies except as specifically authorised and where similar privacy obligations will be observed.

Return to table of contents.

Your Access to Your Personal Data

We will provide, upon request, a copy of the personal data which is held by us. Subscribers will be required to adequately identify themselves as the party entitled to obtain this data before it is released by us.

For subscribers who are natural persons, this data will be e-mailed only to the individual who corresponds to the e-mail address bound into the certificate. In the case of Company subscribers, this data will be e-mailed only to the e-mail address of the Organisational Contact which was supplied in the certificate application.

Return to table of contents.

Corrections to Personal Data

We cannot update the information contained within a digital certificate without destroying its integrity, since each digital certificate is digitally signed. If any attempt is subsequently made to amend the information in the certificate, the digital signature would no longer verify its content. The certificate would then no longer be capable of being relied upon by someone else wishing to verify signatures created with the private key portion related to the public key bound into that certificate. In such cases, the existing certificate must be revoked and a new one issued that contains corrected information.

We can update information which is on our records but which is not bound into the certificate itself. If you would like to correct or update any such information please contact the authority to whom you originally made your certificate application.

Return to table of contents.

Deleting and/or Deactivating Certificate Information

In order that others may see the status of a given certificate at any time, all certificates issued may be left physically present upon the repository for some substantial time. During this time, physical deletion of information pertaining to the certificate itself may not be not carried out, since this would prevent status checking by parties wishing to look up another's certificate before relying upon it and would prevent the verification of digital signatures made whilst the certificate was active. The repository will however indicate the certificate as being invalid. Any personal data held which is not absolutely required for these purposes however, will be removed or otherwise made inaccessible.

Return to table of contents.

Copyright © Trustis Limited 2010.  All Rights Reserved
This document is licensed for use only in conjunction with the use of Trustis Trust Services