ESR 2000 Data Protection

Data Protection

5.—(1) A certification-service-provider who issues a certificate to the public and to whom this paragraph applies in accordance with paragraph (6) below—

(a) shall not obtain personal data for the purpose of issuing or maintaining that certificate otherwise than directly from the data subject or after the explicit consent of the data subject, and

(b) shall not process the personal data referred to in sub-paragraph (a) above—

(i) to a greater extent than is necessary for the purpose of issuing or maintaining that certificate, or

(ii) to a greater extent than is necessary for any other purpose to which the data subject has explicitly consented,

unless the processing is necessary for compliance with any legal obligation, to which the certification-service-provider is subject, other than an obligation imposed by contract.

(2) The obligation to comply with paragraph (1) above shall be a duty owed to any data subject who may be affected by a contravention of paragraph (1).

(3) Where a duty is owed by virtue of paragraph (2) above to any data subject, any breach of that duty which causes that data subject to sustain loss or damage shall be actionable by him.

(4) Compliance with paragraph (1) above shall also be enforceable by civil proceedings brought by the Crown for an injunction or for an interdict or for any other appropriate relief or remedy.

(5) Paragraph (4) above shall not prejudice any right that a data subject may have by virtue of paragraph (3) above to bring civil proceedings for the contravention or apprehended contravention of paragraph (1) above.

(6) Paragraph (1) above applies to a certification-service-provider in respect of personal data only if the certification-service-provider is established in the United Kingdom and the personal data are processed in the context of that establishment.

(7) For the purposes of paragraph (6) above, each of the following is to be treated as established in the United Kingdom—

(a) an individual who is ordinarily resident in the United Kingdom,

(b) a body incorporated under the law of, or in any part of, the United Kingdom,

(c) a partnership or other unincorporated association formed under the law of any part of the United Kingdom, and

(d) any person who does not fall within sub-paragraph (a), (b) or (c) above but maintains in the United Kingdom—

(i) an office, branch or agency through which he carries on any activity, or

(ii) a regular practice.

(8) In this regulation—

“data subject” and “personal data” and “processing” shall have the same meanings as in section 1(1) of the Data Protection Act 1998, and

“obtain” shall bear the same interpretation as “obtaining” in section 1(2) of the Data Protection Act 1998.

ESR 2000 Interpretation (Original)

In the previous section we looked at the general introduction, which gave us a good idea of what the regulations covered. This section will look at the original regulations to see what the interpretations were at the time of implementation, which was the 8th March 2002.

In these Regulations—

“advanced electronic signature” means an electronic signature—

(a) which is uniquely linked to the signatory,

(b) which is capable of identifying the signatory,

(c) which is created using means that the signatory can maintain under his sole control, and

(d) which is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable;

“certificate” means an electronic attestation which links signature-verification data to a person and confirms the identity of that person;

“certification-service-provider” means a person who issues certificates or provides other services related to electronic signatures;

“Directive” means Directive 1999/93/EC of the European Parliament and of the Council on a Community framework for electronic signatures;

“electronic signature” means data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication;

“qualified certificate” means a certificate which meets the requirements in Schedule 1 and is provided by a certification-service-provider who fulfils the requirements in Schedule 2;

“signatory” means a person who holds a signature-creation device and acts either on his own behalf or on behalf of the person he represents;

“signature-creation data” means unique data (including, but not limited to, codes or private cryptographic keys) which are used by the signatory to create an electronic signature;

“signature-creation device” means configured software or hardware used to implement the signature-creation data;

“signature-verification data” means data (including, but not limited to, codes or public cryptographic keys) which are used for the purpose of verifying an electronic signature;

“signature-verification device” means configured software or hardware used to implement the signature-verification data;

“voluntary accreditation” means any permission, setting out rights and obligations specific to the provision of certification services, to be granted upon request by the certification-service-provider concerned by the person charged with the elaboration of, and supervision of compliance with, such rights and obligations, where the certification-service-provider is not entitled to exercise the rights stemming from the permission until he has received the decision of that person.

The Electronic Signatures Regulations 2002 (Introduction)

The Electronic Signatures Regulations were made under the Electronic Communications Act 2000.

The Electronic Communications Act was passed in June 2000 and parts of it came into force the following month. The Act deals with the legal recognition of electronic signatures and the process under which they are verified, generated or communicated, and the removal of obstacles in other legislation to the use of electronic communication and storage in place of paper.

The Regulations are limited in scope, addressing only the supervision and liability of Certification Service Providers (CSPs) and certain issues of data protection.

CSPs are businesses that issue certificates in support of electronic signatures.

The certificate links signature verification data to a person and confirms the identity of that person. Under the regulations, the Secretary of State is given the duty of reviewing CSP activities and setting up a register of those CSPs that issue qualified certificates (a certificate meeting certain criteria) to the public.

The Regulations also impose liability on CSPs to the extent that they either issue or guarantee qualified certificates to the public. In such circumstances, a CSP is liable to anybody relying on the certificate for, among other things, the accuracy of the information contained within the certificate at the time of issue.

CSPs established in the UK are now bound by a data protection rule which provides that personal data may only be obtained directly from the data subject for the purpose of issuing or maintaining the certificate or, if obtained indirectly, only with the explicit consent of the data subject.

The personal data must only be processed insofar as it is necessary for the issuing and maintaining of the certificate, or for any other purpose to which the data subject has explicitly consented.