1. Policy Authority & Issuing Authority Contact Info:
- Policy Authority:
Trustis FPS Healthcare Certificate Policy Management Committee
Trustis Limited
Building 273
New Greenham Park
Greenham Common
Thatcham
Newbury
RG19 6HN
UK
Tel: +44 (0) 1865 736780
Fax: +44 (0) 1865 736782
email: policy.authority@trustis.com
- Issuing Authority:
Trustis FPS Healthcare Issuing Authority
Trustis Limited
Building 273
New Greenham Park
Greenham Common
Thatcham
Newbury
RG19 6HN
UK
Tel: +44 (0) 1865 736780
Fax: +44 (0) 1865 736782
email: issuing.authority@trustis.com
2. Certificate Type, validation procedures and usage:
The Digital Certification Services provided by Trustis FPS implement a closed public
key infrastructure in the sense that access and participation is only open to those who
both satisfy eligibility criteria and are approved by Trustis FPS. The only trust
service providers and end entities authorised and approved to issue, obtain, use, and/or
rely upon certificates that reference this Policy are clearly defined, conditional upon
their first agreeing to be bound by the terms of this Policy.
The Digital Certification Services provided by Trustis FPS under this Certificate
Policy support NHS secure operations in their interactions with the general public, agent
organisations and external contractors, in the direct pursuit of NHS business or in the
authorised usage of services provided by NHS. Certificates provided by this service
are supported by the use of strong cryptography and highly robust registration mechanisms
to support a level of trust and security comparable with the highest level of certificate
available in other commonly available schemes.
Certificates issued under this policy may only be used for the support of business
applications and services approved by Trustis FPS, requiring digital signatures,
authentication of identities, and the encrypting/decrypting of information, and in the
direct pursuit of NHS related business.
Applicants for certificates issued to individuals are required to submit to the
validation of identity credentials and their eligibility to hold such a certificate as
detailed in Enrolment Requirements.
Acceptable documentary evidence that can be provided in support of an application for a
certificate is detailed in Enrolment Requirements.
3. Reliance Limits:
Trustis FPS does not set reliance limits for certificates issued under this
policy. Reliance limits may be set by other policies, application controls,
applicable law or by agreement. See Limitation of Liability, below.
4. Obligations of Subscribers:
It is the responsibility of the Subscriber to:
- Review his/her issued certificate to confirm the accuracy of the subscriber information
contained within it before first use
- Use a trustworthy system for generating or obtaining a key pair and to prevent any loss,
disclosure, or unauthorised use of the private key
- Keep private keys confidential
- Keep confidential any passwords, pass-phrases, PINs or other personal secrets used in
obtaining authenticated access to PKI facilities
- Make only true and accurate representations to the Registration Authority and/or Issuing
Authority as to the information required to determine eligibility for a certificate and
for information contained within the certificate
- In accordance with the Trustis FPS Certificate Policy, use their certificate exclusively
for legal purposes and only for those authorised purposes detailed by the Trustis FPS
Certificate Policy
- Immediately notify the Registration Authority of a suspected or known key compromise in
accordance with the procedures laid down in the Trustis FPS Certificate Policy
5. Certificate Status checking obligations of Relying Parties:
A relying party may justifiably rely upon a certificate only after:
- Ensuring that reliance on certificates issued under this policy is restricted to
appropriate uses (see "Certificate Type, validation procedures and usage", above,
for a summary of approved usages)
- Ensuring that the certificate remains valid and has not been revoked or suspended by
accessing any and all relevant certificate status information
- Determining that such certificate provides adequate assurances for its intended use
6. Limited Warranty & Disclaimer/Limitation of Liability:
By signing a certificate containing a policy identifier which indicates the use of this
policy, the Issuing Authority certifies to all who reasonably rely on the information
contained in the certificate, that the information in the certificate has been checked
according to the procedures laid down in this policy.
The Issuing Authority assumes no liability whatsoever in relation to the use of
certificates or associated public/private key pairs issued under this policy for any use
other than in accordance with this policy and any other agreements. Subscribers will
immediately indemnify the Issuing Authority from and against any such liability and costs
and claims arising therefrom.
The Issuing Authority shall not be liable for any consequential, indirect or incidental
damages, nor for any loss of business, loss of profit or loss of management time, whether
foreseeable or unforeseeable, arising out of breach of any express or implied warranty,
breach of contract, tort, misrepresentation, negligence, strict liability however arising,
or in any other way arising from or in relation to the use of or reliance on, any Digital
Certificate except only in the case of the Issuing Authority's negligence, wilful
misconduct, or where otherwise required by applicable law.
Nothing in this Certificate Policy excludes or restricts liability for death or
personal injury resulting from negligence or the negligence of its employees, agents or
contractors.
The Issuing Authority excludes all liability of any kind in respect of any transaction
into which an End-Entity may enter with any third party.
The Issuing Authority is not liable to End Entities either in contract, tort (including
negligence) or otherwise for the acts or omissions of other providers of
telecommunications or Internet services (including domain name registration authorities)
or for faults in or failures of their equipment.
Each provision of this Policy, excluding or limiting liability, operates separately. If
any part is held by a court to be unreasonable or inapplicable, the other parts shall
continue to apply.
7. Applicable Agreements, Certification Practice Statement, Certificate Policy:
8. Privacy Policy:
Trustis FPS and NHS strongly believe in an individual's right to privacy, and operate
this Digital Certification Service according to an extensive Privacy Charter which can be
found at: http://www.trustis.com/pki/healthcare/privacy-charter.htm
9. Refund Policy:
No refunds will be made. All certificate purchases are final.
10. Applicable Law & Dispute Resolution:
Disputes shall be handled in accordance with the Trustis FPS complaints process,
documentation of which can be obtained by applying to the Issuing Authority contacts
listed in section 1 of this document.
The provision of Trustis FPS Digital Certification Services shall be governed by
English law and all parties shall submit to the exclusive jurisdiction of the courts of
England and Wales.
11. CA & Repository Licences Trust Marks & Audit:
Certificates are manufactured under this policy through the use of a Trustis Limited
service which is both accredited to ISO17799 and has attained tScheme approval.
Audit shall be carried out on an annual basis. The following Auditors have been
approved under this policy:
- Audit resources of contracted Trust Service Providers
- A certified public accountant with demonstrated expertise in computer security or an
accredited computer security professional
12. Identification of this Certificate Policy:
This Policy has been registered with Trustis Limited and has been assigned an Object
Identifier (OID) of: 1.3.6.1.4.1.5237.111.1.1
13. Approved Registration Authorities:
The following Registration Authorities have been approved by the Issuing Authority to
register subscribers under this policy:
- NHS Networking Address Registration Services
14. Approved Repositories:
The following Repositories have been approved by the Issuing Authority under this
policy:
15. Eligible Subscribers:
The following types of subscribers are eligible to be issued with certificates under
this policy:
- NHS-related Web sites approved by the Registration Authority
16. Eligible Relying Parties:
The following types of Relying Parties are eligible to rely on certificates issued
under this policy:
- Anyone, in their direct interaction with subscribers of certificates issued under this
Certificate Policy, and only in the direct pursuit of NHS business.
17. Certificate Status Information:
Certificate Revocation Lists (CRLs) shall be published at least every 24 hours.