Trustis Limited
Digital Certification Services
Privacy Charter

Contents

Introduction

Your Rights

Our Commitment to You

What information is covered by this Privacy Charter?
Our Usage of your Personal Data
Your Access to your Personal Data
Corrections to Personal Data
Deleting and/or Deactivating Certificate Information

Introduction

Trustis Limited strongly believes in an individual's rights to privacy. That is why we augment our high quality certification services with appropriate data protection commitments to safeguard our certificate holders' personal data from unauthorised access.

Trustis Limited complies with the European Union Directive and the UK law on Data Protection. The European Union Directive establishes the most rigid legal framework in the world for your protection. The UK Data Protection Act 1984 and the EU Data Protection Directive 95/46/EC (which has been introduced into UK law as the new Data Protection Act 1998) provide for the protection and care of personal information. This Privacy Charter explains how Trustis Limited protects the personal data that you may have supplied as part of enrolling for your digital certificate.



Your Rights

This is necessarily an abbreviated list. An 'unofficial' copy of the EU Directive may be found at http://europa.eu.int/comm/internal_market/en/dataprot/. However, for the authoritative text of the Directive, reference should be made to the Official Journal of the European Communities of 23 November 1995 No. L.281 p.31.



Our Commitment to You

Consistent with the rules on Data Protection, you have rights established by law that Trustis Limited fully observes, and consequently.

As an integral part of our commitment to respect privacy and to providing trusted services, Trustis Limited offers enhanced protection over and above your statutory rights:



What information is covered by this Privacy Charter?

Any personal information voluntarily supplied by the applicant as part of the enrolment plus any additional information about that applicant supplied by any third party 'information source' at the request of Trustis Limited, but excluding PINs, passwords, passphrases, challenge phrases and other information that may create a security risk if divulged. 'Company' information is not covered by the legislation, although Trustis Limited will apply the same criteria of protection to 'business data' as to 'personal data' as part of its service. By 'company information' is meant information which describes subscriber companies, other incorporated or non-incorporated bodies, but which does not relate to an identifiable natural person.



Our Usage of your Personal Data

We will use the information that you supply to us in the following ways:

Any processing carried out on this data will be at the instruction of Trustis Limited and will be carried out under physically and electronically secure conditions. Processing will be legal, fair and confidential.

Where data needs to be transported, this will be done in a secure manner, including when it is sent to authorised and trusted service providers.

Data will be retained by Trustis Limited for a period (see the Certificate Policy for details). Due to the possible need to verify old documents signed with a private key that corresponds to the public key in a certificate which may have lapsed some time before, this retention period may be substantial.

In the course of validating the certificate application information, issuing the certificate and publishing it to potential relying parties, Trustis Limited or Registration Authorities acting on its behalf may need to communicate personal information to one or more of:

All of these external agents are bound under contract to Trustis Limited to observe the same or a substantially equivalent privacy policy. This means that, even though the data protection legislation may not cover Company data, neither Trustis Limited nor any of the agents or business partners used by Trustis Limited in providing this service will disclose either personal or Company details to other companies except as specifically authorised and where similar privacy obligations will be observed.



Your Access to Your Personal Data

We will provide, upon request, a copy of the personal data which is held by us. Subscribers will be required to adequately identify themselves as the party entitled to obtain this data before it is released by us.

For subscribers who are natural persons, this data will be e-mailed only to the individual who corresponds to the e-mail address bound into the certificate. In the case of Company subscribers, this data will be e-mailed only to the e-mail address of the Organisational Contact which was supplied in the certificate application.



Corrections to Personal Data

We cannot update the information contained within a digital certificate without destroying its integrity, since each digital certificate is digitally signed. If any attempt is subsequently made to amend the information in the certificate, the digital signature would no longer verify its content. The certificate would then no longer be capable of being relied upon by someone else wishing to verify signatures created with the private key portion related to the public key bound into that certificate. In such cases, the existing certificate must be revoked and a new one issued that contains corrected information.

We can update information which is on our records but which is not bound into the certificate itself. If you would like to correct or update any such information please contact the authority to whom you originally made your certificate application.



Deleting and/or Deactivating Certificate Information

In order that others may see the status of a given certificate at any time, all certificates issued may be left physically present upon the repository for some substantial time. During this time, physical deletion of information pertaining to the certificate itself may not be carried out, since this would prevent status checking by parties wishing to look up another's certificate before relying upon it and would prevent the verification of digital signatures made whilst the certificate was active. The repository will, however, indicate the certificate as being invalid. Any personal data held which is not absolutely required for these purposes will, however, be removed or otherwise made inaccessible.
