Trustis Limited
Digital Certification Services
Privacy Charter
Trustis Limited strongly believes in an individual's rights to privacy. That is why we
augment our high quality certification services with appropriate data protection
commitments to safeguard our certificate holders' personal data from unauthorised access.
Trustis Limited complies with the European Union Directive and the UK law on Data
Protection. The European Union Directive establishes the most rigid legal framework in the
world for your protection. The UK Data Protection Act 1984 and the EU Data Protection
Directive 95/46/EC (which has been introduced into UK law as the new Data Protection Act
1998) provide for the protection and care of personal information. This Privacy Charter
explains how Trustis Limited protects the personal data that you may have supplied as part
of enrolling for your digital certificate.
- data held on you is accurately recorded as supplied
- data held on you is processed legally, fairly, securely and only for the purpose(s) for
which it was originally collected
- you are made aware of the purposes to which your data are put and with whom it is shared
- you are able to see a copy of data held on yourself (whether originally supplied by you
or by a third party) but not including PINs, passwords or passphrases and possibly certain
other information that might create a security risk
- you are entitled to object to: a) the processing to which your data is subjected and b)
any additional marketing uses to which your data is put
- if your data is sent to 'Third Countries' (i.e. outside the EU) then agreements are in
place which ensure that the level of protection is not diminished
This is necessarily an abbreviated list. An 'unofficial' copy of the EU Directive may
be found at http://europa.eu.int/comm/internal_market/en/dataprot/.
However, for the authoritative text of the Directive, reference should be made to the
Official Journal of the European Communities of 23 November 1995 No. L.281 p.31.
Consistent with the rules on Data Protection, you have rights established by law that
Trustis Limited fully observes, and consequently:
- We request your explicit consent for all the personal data you may submit. We collect no
personal data unless you submit it.
- We use the data that you submit only to validate your identity in connection with
providing you with digital certification services.
- You have the right to review your personal data that we hold, and check it for
consistency.
- You have the right to correct data in the unlikely event that errors may be found in our
records.
- If you are not happy with us holding your data, you may request us to deactivate it,
thus making it unavailable for further use (note that this may mean that we cannot
continue to provide you with digital certification services).
As an integral part of our commitment to respect privacy and to providing trusted
services, Trustis Limited offers enhanced protection over and above your statutory rights:
- If you subscribe with us, we will not use your personal data to compile user profiles.
- We will not store persistent cookies in your computer to keep track of you.
- Your business is not our business. We will not collect any data that you as a subscriber
of our digital certificates do not release or authorise us to have.
- Where credit card payments are involved, no credit card information that you submit is
used for any purposes other than payment of fees due. Whilst we may hold such credit card
information for the purpose of processing your payment, all credit card information will
be properly secured from unauthorised access.
- No data that you submit is for sale. We are not in the business of selling your personal
data.
- We extend this commitment to qualifying applicants from anywhere in the world.
- None of the statements made in this Charter affect any other applicable statutory rights
you may have.
Any personal information voluntarily supplied by the applicant as part of the enrolment
plus any additional information about that applicant supplied by any third party
'information source' at the request of Trustis Limited, but excluding PINs, passwords,
passphrases, challenge phrases and other information that may create a security risk if
divulged. 'Company' information is not covered by the legislation, although Trustis
Limited will apply the same criteria of protection to 'business data' as to 'personal
data' as part of its service. By 'company information' is meant information which
describes subscriber companies, other incorporated or non-incorporated bodies, but which
does not relate to an identifiable natural person.
We will use the information that you supply to us in the following ways:
- Bind some of the information into the certificate itself.
For example, a personal e-mail address or web server URL and personal names may form part
of the certificate and identify it to other parties.
- Use the information to establish certain facts about the individual or company.
For example, an individual's name, company name and/or department name supplied may be
used:
  - to check with a third party agent that the individual, company and/or department is a
    real entity, is eligible to receive a certificate and is still active.
  - to check that the application for a certificate is legitimately made from the
    individual, company and/or department.
Any processing carried out on this data will be at the instruction of Trustis Limited
and will be carried out under physically and electronically secure conditions. Processing
will be legal, fair and confidential.
Where data needs to be transported, this will be done in a secure manner, including when
it is sent to authorised and trusted service providers.
Data will be retained by Trustis Limited for a period (see the Certificate Policy for
details). Due to the possible need to verify old documents signed with a private key that
corresponds to the public key in a certificate which may have lapsed some time before,
this retention period may be substantial.
In the course of validating the certificate application information, issuing the
certificate and publishing it to potential relying parties, Trustis Limited or
Registration Authorities acting on its behalf may need to communicate personal information
to one or more of:
- Authorised and trusted service providers intimately involved in the management of our
certificates
- Third party information providers, where external corroboration of applicant data is
required to provide adequate confidence in that data
All of these external agents are bound under contract to Trustis Limited to observe the
same or a substantially equivalent privacy policy. This means that, even though the data
protection legislation may not cover Company data, neither Trustis Limited nor any of the
agents or business partners used by Trustis Limited in providing this service will
disclose either personal or Company details to other companies except as specifically
authorised and where similar privacy obligations will be observed.
We will provide, upon request, a copy of the personal data which is held by us.
Subscribers will be required to adequately identify themselves as the party entitled to
obtain this data before it is released by us.
For subscribers who are natural persons, this data will be e-mailed only to the
individual who corresponds to the e-mail address bound into the certificate. In the case
of Company subscribers, this data will be e-mailed only to the e-mail address of the
Organisational Contact which was supplied in the certificate application.
We cannot update the information contained within a digital certificate without
destroying its integrity, since each digital certificate is digitally signed. If any
attempt is subsequently made to amend the information in the certificate, the digital
signature would no longer verify its content. The certificate would then no longer be
capable of being relied upon by someone else wishing to verify signatures created with the
private key portion related to the public key bound into that certificate. In such cases,
the existing certificate must be revoked and a new one issued that contains corrected
information.
We can update information which is on our records but which is not bound into the
certificate itself. If you would like to correct or update any such information please
contact the authority to whom you originally made your certificate application.
In order that others may see the status of a given certificate at any time, all
certificates issued may be left physically present upon the repository for some
substantial time. During this time, physical deletion of information pertaining to the
certificate itself may not be carried out, since this would prevent status checking by
parties wishing to look up another's certificate before relying upon it and would prevent
the verification of digital signatures made whilst the certificate was active. The
repository will however indicate the certificate as being invalid. Any personal data held
which is not absolutely required for these purposes however, will be removed or otherwise
made inaccessible.