Trustis
HMRC SET Certificate Service -- Privacy Charter



Contents:

    Introduction

    Your Rights

    Our Commitment to You

    What information is covered by this Privacy Charter?

    Our Usage of your Personal Data

    Your Access to your Personal Data

    Corrections to Personal Data

    Deleting and/or Deactivating Certificate Information


Introduction

Trustis strongly believes in an individual's rights to privacy. That is why we augment our high quality certification services with appropriate data protection commitments to safeguard our certificate holders' personal data from unauthorised access.

Trustis complies with the European Union Directive and the UK law on Data Protection. The European Union Directive establishes the most rigid legal framework in the world for your protection. The UK Data Protection Act 1984 and the EU Data Protection Directive 95/46/EC (which has been introduced into UK law as the new Data Protection Act 1998) provide for the protection and care of personal information. This Privacy Charter explains how Trustis protects the personal data that you may have supplied as part of enrolling for your digital certificates.



Your Rights

  • data held on you is accurately recorded as supplied
  • data held on you is processed legally, fairly, securely and only for the purpose(s) for which it was originally collected
  • you are made aware of the purposes to which your data are put and with whom it is shared
  • you are able to see a copy of data held on yourself (whether originally supplied by you or by a third party) but not including PINs, passwords or passphrases and possibly certain other information that might create a security risk
  • you are entitled to object to: a) the processing to which your data is subjected and b) any additional marketing uses to which your data is put
  • if your data is sent to 'Third Countries' (i.e. outside the EU) then agreements are in place which ensure that the level of protection is not diminished

This is necessarily an abbreviated list. An 'unofficial' PDF copy of the EU Directive may be found at http://ec.europa.eu/justice_home/fsj/privacy/docs/guide/guide-ukingdom_en.pdf. However, for the authoritative text of the Directive, reference should be made to the Official Journal of the European Communities of 23 November 1995 No. L.281 p.31.



Our Commitment to You

Consistent with the rules on Data Protection, you have rights established by law that Trustis fully observes, and consequently:

  • We request your explicit consent for all the personal data you may submit. We collect no personal data unless you submit it.
  • We use the data that you submit, only to validate your identity in connection with providing you with digital certification services.
  • You have the right to review your personal data that we hold, and check it for consistency.
  • You have the right to correct data in the unlikely event that errors may be found in our records.
  • If you are not happy with us holding your data, you may request us to deactivate it, thus making it unavailable for further use (note that this may mean that we cannot continue to provide you with digital certification services).

As an integral part of our commitment to respecting privacy and to providing trusted services, Trustis offers enhanced protection over and above your statutory rights:

  • If you subscribe with us, we will not use your personal data to compile user profiles.
  • We will not store persistent cookies in your computer to keep track of you.
  • Your business is not our business. We will not collect any data that you as a subscriber of our digital certificates do not release or authorise us to have.
  • Where credit card payments are involved, no credit card information that you submit is used for any purposes other than payment of fees due. Whilst we may hold such credit card information for the purpose of processing your payment, all credit card information will be properly secured from unauthorised access.
  • No data that you submit is for sale. We are not in the business of selling your personal data.
  • We extend this commitment to qualifying applicants from anywhere in the world.
  • None of the statements made in this Charter affect any other applicable statutory rights you may have.



What information is covered by this Privacy Charter?

Any personal information voluntarily supplied by the applicant as part of the enrolment, plus any additional information about that applicant supplied by any third party 'information source' at the request of Trustis, but excluding PINs, passwords, passphrases, challenge phrases and other information that may create a security risk if divulged. 'Company' information is not covered by the legislation, although Trustis will apply the same criteria of protection to 'business data' as to 'personal data' as part of its service. By 'company information' is meant information which describes subscriber companies but which does not relate to an identifiable natural person.



Our Usage of your Personal Data

We will use the information that you supply to us in the following ways:

  • Bind some of the information into the certificate itself.
    For example, a personal e-mail address or web server URL and personal names may form part of the certificate and identify it to other parties.
  • Use the information to establish certain facts about the individual or company.
    For example, an individual's name, company name and/or department name supplied may be used:
    • to check with a third party agent that the individual, company and/or department is a real entity, is eligible to receive a certificate and is still active.
    • to check that the application for a certificate is legitimately made from the individual, company and/or department.

Any processing carried out on this data will be at the instruction of Trustis and will be carried out under physically and electronically secure conditions. Processing will be legal, fair and confidential.

Where data needs to be transported, this will be done in a secure manner, including when the recipient is an authorised and trusted service provider.

Data will be retained by Trustis for a period (see the Certificate Policy for details). Due to the possible need to verify old documents signed with a private key that corresponds to the public key in a certificate which may have lapsed some time before, this retention period may be substantial.

In the course of validating the certificate application information, issuing the certificate and publishing it to potential relying parties, Trustis may need to communicate personal information to one or more of:

  • Authorised and trusted service providers intimately involved in the management of our certificates
  • Third party information providers, where external corroboration of applicant data is required to provide adequate confidence in that data

All of these external agents are bound under contract to Trustis to observe the same or a substantially equivalent privacy policy. This means that, even though the data protection legislation may not cover Company data, neither Trustis nor any of the agents or business partners used by Trustis in providing this service will disclose either personal or Company details to other companies except as specifically authorised and where similar privacy obligations will be observed.



Your Access to Your Personal Data

We will provide, upon request, a copy of the personal data which is held by us. Subscribers will be required to adequately identify themselves as the party entitled to obtain this data before it is released by us.

For subscribers who are natural persons, this data will be e-mailed only to the individual who corresponds to the e-mail address bound into the certificate. In the case of Company subscribers, this data will be e-mailed only to the e-mail address of the Organisational Contact which was supplied in the certificate application.



Corrections to Personal Data

We cannot update the information contained within a digital certificate without destroying its integrity, since each digital certificate is digitally signed. If any attempt is subsequently made to amend the information in the certificate, the digital signature would no longer verify its content. The certificate would then no longer be capable of being relied upon by someone else wishing to verify signatures created with the private key portion related to the public key bound into that certificate. In such cases, the existing certificate must be revoked and a new one issued that contains corrected information.
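The Go program below is an added illustration of the point above, written for this page and not Trustis's own software. It issues a constructed, self-signed test certificate (self-signing is an assumption that keeps the example stand-alone; a CA would sign with its own key), confirms the signature verifies, then overwrites the subject's common name directly in the encoded certificate and shows that the signature no longer verifies, which is why a correction means revoking and reissuing rather than editing.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a self-signed certificate for cn (self-signing is an assumption that keeps the example stand-alone; a CA signs with its own key).
func issue(cn string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// signatureValid re-checks the signature over the signed body (TBSCertificate) with the certificate's own public key.
func signatureValid(der []byte) bool {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false // a certificate that no longer parses cannot be relied on either
	}
	return cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
}

// amendName overwrites oldCN with a same-length newCN in the encoded bytes, so the certificate still parses but the signed content has changed.
func amendName(der []byte, oldCN, newCN string) []byte {
	out := append([]byte(nil), der...)
	if i := bytes.Index(out, []byte(oldCN)); i >= 0 && len(oldCN) == len(newCN) {
		copy(out[i:], newCN)
	}
	return out
}

func main() {
	der, err := issue("A N Other") // constructed sample subject name
	fmt.Println(err, signatureValid(der), signatureValid(amendName(der, "A N Other", "B N Other"))) // prints: <nil> true false
}
```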

We can update information which is on our records but which is not bound into the certificate itself. If you would like to correct or update any such information please contact the authority to whom you originally made your certificate application.



Deleting and/or Deactivating Certificate Information

In order that others may see the status of a given certificate at any time, all certificates issued may be left physically present upon the repository for some substantial time. During this time, physical deletion of information pertaining to the certificate itself may not be carried out, since this would prevent status checking by parties wishing to look up another's certificate before relying upon it and would prevent the verification of digital signatures made whilst the certificate was active. The repository will, however, indicate the certificate as being invalid. Any personal data held which is not absolutely required for these purposes will, however, be removed or otherwise made inaccessible.


Copyright © 2010 Trustis Limited. All Rights Reserved. This service is not responsible for the content of external websites.
Trustis Limited • Bldg 273 • New Greenham Park • Thatcham • RG19 6HN
Registered in England No: 03613613