ACTS SUPPLEMENT No. 4    18th March, 2011.
ACTS SUPPLEMENT to The Uganda Gazette No. 19 Volume CIV dated 18th March, 2011.
Printed by UPPC, Entebbe, by Order of the Government.
Act 7    Electronic Signatures Act    2011
THE ELECTRONIC SIGNATURES ACT, 2011.
ARRANGEMENT OF SECTIONS
Section.
PART I—PRELIMINARY
1. Commencement.
2. Interpretation.
3. Equal treatment of signature technologies.
PART II—ELECTRONIC SIGNATURES
4. Compliance with a requirement for a signature.
5. Conduct of the signatory.
6. Variation by agreement.
7. Conduct of the relying party.
8. Trustworthiness.
9. Conduct of the certification service provider.
10. Advanced signatures.
11. Secure electronic signature.
12. Presumptions relating to secure and advanced electronic signatures.
PART III—SECURE DIGITAL SIGNATURES
13. Secure digital signatures.
14. Satisfaction of signature requirements.
15. Unreliable digital signatures.
16. Digitally signed document taken to be written document.
17. Digitally signed document deemed to be original document.
18. Authentication of digital signatures.
19. Presumptions in adjudicating disputes.
PART IV—PUBLIC KEY INFRASTRUCTURE
20. Sphere of application.
21. Designation of Controller.
22. Certification service providers to be licensed.
23. Qualifications of certification service providers.
24. Functions of licensed certification service providers.
25. Application for licence.
26. Grant or refusal of licence.
27. Revocation of licence.
28. Appeal.
29. Surrender of licence.
30. Effect of revocation, surrender or expiry of licence.
31. Effect of lack of licence.
32. Return of licence.
33. Restricted licence.
34. Restriction on use of expression “certification service provider”.
35. Renewal of licence.
36. Lost licence.
37. Recognition of other licenses.
38. Performance audit.
39. Activities of certification service providers.
40. Requirement to display licence.
41. Requirement to submit information on business operations.
42. Notification of change of information.
43. Use of trustworthy systems.
44. Disclosures on inquiry.
45. Prerequisites to issue of certificate to subscriber.
46. Publication of issued and accepted certificate.
47. Adoption of more rigorous requirements permitted.
48. Suspension or revocation of certificate for faculty issuance.
49. Suspension or revocation of certificate by order.
50. Warranties to subscriber.
51. Continuing obligations to subscriber.
52. Representations upon issuance.
53. Representations upon publications.
54. Implied representations by subscriber.
55. Representations by agent of subscriber.
56. Disclaimer or indemnity limited.
57. Indemnification of certification service provider by subscriber.
58. Certification of accuracy of information given.
59. Duty of subscriber to keep private key secure.
60. Property in private key.
61. Fiduciary duty of a certification service provider.
62. Suspension of certificate certification service provider.
63. Suspension of certificate by Controller.
64. Notice of suspension.
65. Termination of suspension initiated by request.
66. Alternate contractual procedures.
67. Effect of suspension of certificate.
68. Revocation of request.
69. Revocation on subscriber’s demise.
70. Revocation of unreliable certificates.
71. Notice of revocation.
72. Effect of revocation request on subscriber.
73. Effect of notification on certification service provider.
74. Expiration of certificate.
75. Reliance limit.
76. Liability limits for certification service providers.
77. Recognition of repositories.
78. Liability of repositories.
79. Recognition of date/time stamp services.
PART V—MISCELLANEOUS
80. Prohibition against dangerous activities.
81. Obligation of confidentiality.
82. False information.
83. Offences by body corporate.
84. Authorised officer.
85. Power to investigate.
86. Search by warrant.
87. Search and seizure without warrant.
88. Access to computerised data.
89. List of things seized.
90. Obstruction of authorised officer.
91. Additional powers.
92. General penalty.
93. Instruction and conduct of prosecution.
94. Jurisdiction to try offences.
95. Prosecution of officers.
96. Limitation on disclaiming or limiting application of the Act.
97. Regulations.
Compensation.
Power of Minister to amend First Schedule.
Savings and transitional provisions.
SCHEDULE
Currency point.
THE ELECTRONIC SIGNATURES ACT, 2011.
An Act to make provision for and to regulate the use of electronic signatures and to provide for other related matters.
DATE OF ASSENT: 17th February, 2011.
Date of Commencement: See section 1.
BE IT ENACTED by Parliament as follows:
PART I—PRELIMINARY
1. Commencement
This Act shall come into force on a date appointed by the Minister by statutory instrument.
2. Interpretation
In this Act, unless the context otherwise requires—
“accept a certificate” means—
(a) to manifest approval of a certificate, while knowing or having notice of its contents; or
(b) to apply to a certification service provider for a certificate, without revoking the application by delivering notice of the revocation to the licensed certification service provider and obtaining a signed, written receipt from the certification service provider, if the certification service provider subsequently issues a certificate based on the application;
“advanced electronic signature” means an electronic signature, which is—
(a) uniquely linked to the signatory;
(b) reliably capable of identifying the signatory;
(c) created using secure signature creation device that the signatory can maintain; and
(d) linked to the data to which it relates in such a manner that any subsequent change of the data or the connections between the data and the signature are detectable;
“asymmetric cryptosystem” means an algorithm or series of algorithms, which provide a secure key pair;
“authorised officer” means the Controller or a police officer or a public officer performing any functions under this Act; and includes any public officer authorised by the Minister or by the controller to perform any functions under this Act;
“certificate” means a data message or other records confirming the link between a signatory and a signature creation data;
“certification service provider disclosure record” means an on-line and publicly accessible record that concerns a licensed certification service provider, which is kept by the Controller under subsection 21(5);
“certification practice statement” means a declaration of the practices, which a certification service provider employs in issuing certificates generally or employs in issuing a particular certificate;
“certification service provider” means a person that issues certificates and may provide other services related to electronic signatures;
“certify” means to declare with reference to a certificate, with ample opportunity to reflect and with a duty to apprise oneself of all material facts;
“confirm” means to ascertain through diligent inquiry and investigation;
“Controller” means National Information Technology Authority-Uganda;
“correspond”, with reference to keys, means to belong to the same key pair;
“currency point” has the meaning assigned to it in the Schedule in this Act;
“digital signature” means a transformation of a message using an asymmetric cryptosystem such that a person having the initial message and the signer’s public key can accurately determine—
(a) whether the transformation was created using the private key that corresponds to the signer’s public key; and
(b) whether the message has been altered since the transformation was made;
“electronic signature” means data in electronic form affixed to or logically associated with a data message, which may be used to identify the signatory in relation to the data message and indicate the signatory’s approval of the information contained in the data message; and includes an advance electronic signature and the secure signature;
“electronic signature product” means configured hardware or software or relevant components of it, which are intended to be used by a certification service provider for the provision of electronic signature services or are intended to be used for the creation or verification of electronic signatures;
“forge a digital signature” means—
(a) to create a digital signature without the authorisation of the rightful holder of the private key; or
(b) to create a digital signature verifiable by a certificate listing as subscriber a person who either does not exist or does not hold the private key corresponding to the public key listed in the certificate;
“hold a private key” means to be able to utilise a private key;
“incorporate by reference” means to make one message a part of another message by identifying the message to be incorporated and expressing the intention that it be incorporated;
“issue a certificate” means the act of a certification service provider in creating a certificate and notifying the subscriber listed in the certificate of the contents of the certificate;
“key pair” means a private key and its corresponding public key in an asymmetric cryptosystem, where the public key can verify a digital signature that the private key creates;
“licensed certification service provider” means a certification service provider to whom a licence has been issued by the Controller and whose licence is in effect;
“message” means a digital representation of information;
“Minister” means the Minister responsible for information and communication technology;
“notify” means to communicate a fact to another person in a manner reasonably likely under the circumstances to impart knowledge of the information to the other person;
“person” includes any company or association or body of persons corporate or unincorporate;
“prescribed” means prescribed by or under this Act or any regulations made under this Act;
“private key” means the key of a key pair used to create a digital signature;
“public key” means the key of a key pair used to verify a digital signature and listed in the digital signature certificate;
“public key infrastructure” means a framework for creating a secure method for exchanging information based on public key cryptography;
“publish” means to record or file in a repository;
“qualified certification service provider” means a certification service provider that satisfies the requirements under section 23;
“recipient” means a person who receives or has a digital signature and is in a position to rely on it;
“recognised date or time stamp service” means a date/time stamp service recognised by the Controller under section 79;
“recognised repository” means a repository recognised by the Controller under section 77;
“recommended reliance limit” means the monetary amount recommended for reliance on a certificate under section 76;
“relying party” means a person that may act on the basis of a certificate or an electronic signature;
“repository” means a system for storing and retrieving certificates and other information relevant to digital signatures;
“revoke a certificate” means to make a certificate ineffective permanently from a specified time forward;
“rightfully hold a private key” means to be able to utilise a private key—
(a) which the holder or the holder’s agents have not disclosed to any person in contravention of this act; and
(b) which the holder has not obtained through theft, deceit, eavesdropping or other unlawful means;
“security procedure” means a procedure for the purpose of—
(a) verifying that an electronic record is that of a specific person; or
(b) detecting error or alteration in the communication, content or storage of an electronic record since a specific point in time, which may require the use of algorithms or codes, identifying words or numbers, encryption, answer back or acknowledgement procedures or similar security devices;
“secure signature creation device” means a signature creation device which meets the requirements laid down in section 4;
“signatory” means a person that holds signature creation data and acts either on its own behalf or on behalf of the person it represents;
“signature creation device” means configured software or hardware, used by the signatory to create an electronic signature;
“signature verification data” means unique data such as codes or public cryptographic keys, used for the purpose of verifying an electronic signature;
“signature verification device” means configured software or hardware, used for the purpose of verifying an electronic signature;
“signed” or “signature” and its grammatical variations includes any symbol executed or adapted or any methodology or procedure employed or adapted, by a person with the intention of authenticating a record, including an electronic or digital method;
“subscriber” means a person who—
(a) is the subject listed in a certificate;
(b) accepts the certificate; and
(c) holds a private key which corresponds to a public key listed in that certificate;
“suspend a certificate” means to make a certificate ineffective temporarily for a specified time forward;
“this Act” includes any regulations made under this Act;
“time-stamp” means—
(a) to append or attach to a message, digital signature or certificate a digitally signed notation indicating at least the date, time and identity of the person appending or attaching the notation; or
(b) the notation appended or attached;
“transactional certificate” means a certificate, incorporating by reference one or more digital signatures, issued and valid for a specific transaction;
“trustworthy system” means computer hardware and software which—
(a) are reasonably secure from intrusion and misuse;
(b) provide a reasonable level of availability, reliability and correct operation; and
(c) are reasonably suited to performing their intended functions;
“valid certificate” means a certificate which—
(a) a licensed certification service provider has issued;
(b) has been accepted by the subscriber listed in it;
(c) has not been revoked or suspended; and
(d) has not expired,
but a transactional certificate is a valid certificate only in relation to the digital signature incorporated in it by reference;
“verify a digital signature” means, in relation to a given digital signature, message and public key, to determine accurately that—
(a) the digital signature was created by the private key corresponding to the public key; and
(b) the message has not been altered since its digital signature was created;
“writing” or “written” includes any handwriting, typewriting, printing, electronic storage or transmission or any other method of recording information or fixing information in a form capable of being preserved.
(2) For the purposes of this Act, a certificate shall be revoked by making a notation to that effect on the certificate or by including the certificate in a set of revoked certificates.
(3) The revocation of a certificate does not mean that it is destroyed or made illegible.
3. Equal treatment of signature technologies.
Nothing in this Act shall be applied so as to exclude, restrict or deprive of legal effect any method of creating an electronic signature that satisfies the requirements for a signature in this Act or otherwise meets with the requirements of any other applicable law.
PART II—ELECTRONIC SIGNATURES
4. Compliance with a requirement for a signature.
(1) Where the law requires a signature of a person, that requirement is met in relation to a data message if an electronic signature is used which is as reliable as was appropriate for the purpose for which the data message was generated or communicated, in light of all the circumstances, including any relevant agreement.
(2) Subsection (1) applies whether the requirement referred to in that subsection in the form of an obligation or whether the law simply provides consequences for the absence of a signature.
(3) An electronic signature is considered to be reliable for the purpose of satisfying the requirement referred to in subsection (1) if—
(a) the signature creation data are, within the context in which they are used, linked to the signatory and to no other person;
(b) the signature creation data were, at the time of signing, under the control of the signatory and of no other person;
(c) any alteration to the electronic signature, made after the time of signing, is detectable; and
(d) where a purpose of legal requirement for a signature is to provide assurance as to the integrity of the information to which it relates, any alteration made to that information after the time of signing is detectable.
(4) Subsection (3) does not limit the liability of any person—
(a) to establish in any other way, for the purpose of satisfying the requirement referred to in subsection (1), the reliability of an electronic signature; or
(b) to adduce evidence of the non-reliability of an electronic signature.
5. Conduct of the signatory.
(1) Where signature creation data can be used to create a signature that has legal effect, each signatory shall—
(a) exercise reasonable care to avoid unauthorised use of its signature creation data;
(b) without undue delay, notify any person that may reasonably be expected by the signatory to rely on or to provide services in support of the electronic signature if—
(i) the signatory knows that the signature creation data have been compromised; or
(ii) the circumstances known to the signatory give rise to a substantial risk that the signature creation data may have been compromised;
(c) where a certificate is used to support the electronic signature, exercise reasonable care to ensure the accuracy and completeness of all material representations made by the signatory which are relevant to the certificate throughout its life-cycle or which are to be included in the certificate.
6. Variation by agreement.
The provisions of this Act may be derogated from or their effect may be varied by agreement unless that agreement would not be valid or effective under any law.
7. Conduct of the relying party.
A relying party shall bear the legal consequences of his or her failure to—
(a) take reasonable steps to verify the reliability of an electronic signature; or
(b) where an electronic signature is supported by a certificate, take reasonable steps—
(i) to verify the validity, suspension or revocation of the certificate; and
(ii) to observe any limitation with respect to the certificate.
8. Trustworthiness.
When determining whether or to what extent any systems procedures and human resources utilised by a certification service provider are trustworthy, regard may be had to the following factors—
(a) financial and human resources, including existence of assets;
(b) quality of hardware and software systems;
(c) procedure for processing of certificates and applications for certificates and retention of records;
(d) availability of information to signatories identified in certificates and to potential relying parties;
(e) regularity and extent of audit by an independent body;
(f) the existence of a declaration by the state, an accreditation body or the certification service provider regarding compliance with or existence of the foregoing; or
(g) any other relevant factor.
9. Conduct of the certification service provider.
(1) Where a certification service provider provides services to support an electronic signature that may be used for legal effect as a signature, that certification service provider shall—
(a) act in accordance with representations made by it with respect to its policies and practices;
(b) exercise reasonable care to ensure the accuracy and completeness of all material representations made by it that are relevant to the certificate throughout its life-cycle or which are included in the certificate;
(c) provide reasonably accessible means which enable a relying party to ascertain from the certificate—
(i) the identity of the certification service provider;
(ii) that the signatory that is identified in the certificate had control of the signature creation data at the time when the certificate was issued;
(iii) that signature creation data were valid at or before the time when the certificate was issued;
(d) provide reasonably accessible means which enable a relying party to ascertain, where relevant, from the certificate or otherwise—
(i) the method used to identify the signatory;
(ii) any limitation on the purpose or value for which the signature creation data or the certificate may be used;
(iii) that the signature creation data are valid and have not been compromised;
(iv) any limitation on the scope or extent of liability stipulated by the certification service provider;
(v) whether means exist for the signatory to give notice under section 4(1);
(vi) whether a timely revocation service is offered;
(e) where services under paragraph (d)(v) are offered, provide a means for a signatory to give notice under section 4(1)(b) and, where services under paragraph d(vi) are offered, ensure the availability of a timely revocation service;
(f) utilize trustworthy systems, procedures and human resources in performing its services.
(2) A certification service provider shall be liable for its failure to satisfy the requirements of subsection (1).
10. Advanced signatures.
(1) An advanced electronic signature, verified with a qualified certificate, is equal to an autographic signature in relation to data in electronic form and has therefore equal legal effectiveness and admissibility as evidence.
(2) The advanced signature verification process shall ensure that—
(a) the data used for verifying the electronic signature correspond to the data displayed to the verifier;
(b) the signature is reliably verified and the result of the verification and identity of the certificate holder is correctly displayed to the verifier;
(c) the verifier can reliably establish the contents of the signed data;
(d) the authenticity and validity of the certificate required at the time of signature verification are verified;
(e) the use of a pseudonym is clearly indicated;
(f) any security-relevant changes can be detected.
11. Secure electronic signature.
Where, through the application of a prescribed security procedure or a commercially reasonable security procedure agreed to by the parties involved, an electronic signature is executed in a trustworthy manner, reasonably and in good faith relied upon by the relying party, that signature shall be treated as a secure electronic signature at the time of verification to the extent that it can be verified that the electronic signature satisfied, at the time it was made, the following criteria—
(a) the signature creation data used for signature creation is unique and its secrecy is reasonably assured;
(b) it was capable of being used to objectively identify that person;
(c) it was created in a manner or using a means under the sole control of the person using it, that cannot be readily duplicated or compromised;
(d) it is linked to the electronic record to which it relates in such a manner that if the record was changed to electronic signature would be invalidated;
(e) the signatory can reliably protect his or her signature creation data from unauthorised access.
12. Presumptions relating to secure and advanced electronic signatures.
(1) In any civil proceedings involving a secure electronic record, it shall be presumed, unless the contrary is proved, that the secure or advanced electronic record has not been altered since the specific point in time to which the secure status relates.
(2) In any civil proceedings involving a secure or advanced electronic signature, the following shall be presumed unless the contrary is proved—
(a) the secure or advanced electronic signature is the signature of the person to whom it correlates; and
(b) the secure or advanced electronic signature was affixed by that person with the intention of signing or approving the electronic record.
(3) In the absence of a secure or advanced electronic signature, nothing in this Part shall create any presumption relating to the authenticity and integrity of the electronic record or an electronic signature.
(4) The effect of presumptions provided in this section is to place on the party challenging the genuineness of a secure or advanced electronic signature both the burden of going forward with evidence to rebut the presumption and the burden of persuading the court of the fact that the non-existence of the presumed fact is more.
PART III—SECURE DIGITAL SIGNATURES
13. Secure digital signatures.
When a portion of an electronic record is signed with a digital signature the digital signature shall be treated as a secure electronic signature in respect of that portion of the record, if—
(a) the digital signature was created during the operational period of a valid certificate and is verified by reference to a public key listed in the certificate; and
(b) the certificate is considered trustworthy, in that it is an accurate binding of a public key to a person’s identity because—
(i) the certificate was issued by a certification service provider operating in compliance with regulations made under this Act;
(ii) the certificate was issued by a certification service provider outside Uganda recognised for the purpose by the controller pursuant to regulations made under this Act;
(iii) the certificate was issued by a department or ministry of the Government, an organ of state of statutory corporation approved by the minister to act as a certification service provider on such conditions as the regulations may specify; or
(iv) the parties have expressly agreed between themselves to use digital signatures as a security procedure and the digital signature was properly verified by reference to the sender’s public key.
14. Satisfaction of signature requirements.
(1) Where a rule of law requires a signature or provides for certain consequences in the absence of a signature, that rule shall be satisfied by a digital signature where—
(a) that digital signature is verified by reference to the public key listed in a valid certificate issued by a licensed certification service provider;
(b) that digital signature was affixed by the signer with the intention of signing the message; and
(c) the recipient has no knowledge or notice that the signer—
(i) has breached a duty as a subscriber; or
(ii) does not rightfully hold the private key used to affix the digital signature.
(2) Notwithstanding any written law to the contrary—
(a) a document signed with a digital signature in accordance with this Act shall be as legally binding as a document signed with a handwritten signature, an affixed thumbprint or any other mark; and
(b) a digital signature created in accordance with this Act shall be taken to be a legally binding signature.
(3) Nothing in this Act shall preclude a symbol from being valid as a signature under any other applicable law.
15. Unreliable digital signatures.
(1) Unless otherwise provided by law or contract, the recipient of a digital signature assumes the risk that a digital signature is forged, if reliance on the digital signature is not reasonable under the circumstances.
(2) Where the recipient decides not to rely on a digital signature under this section, the recipient shall promptly notify the signer of its determination not to rely on a digital signature and the grounds for that determination.
16. Digitally signed document taken to be written document.
(1) A message shall be as valid, enforceable and effective as if it had been written on paper if—
(a) it bears in its entirety a digital signature; and
(b) that digital signature is verified by the public key listed in a certificate which—
(i) was issued by a licensed certification service provider; and
(ii) was valid at the time the digital signature was created.
(2) Nothing in this Act shall preclude any message, document or record from being considered written or in writing under any other applicable law.
17. Digitally signed document deemed to be original document.
A copy of a digitally signed message shall be as valid, enforceable and effective as the original of the message unless it is evident that the signer designated an instance of the digitally signed message to be a unique original, in which case only that instance constitutes the valid, enforceable and effective message.
18. Authentication of digital signatures.
A certificate issued by a licensed certification service provider shall be an acknowledgement of a digital signature verified by reference to the public key listed in the certificate, regardless of whether words of an express acknowledgement appear with the digital signature and regardless of whether the signer physically appeared before the licensed certification service provider when the digital signature was created, if that digital signature is—
(a) verifiable by that certificate; and
(b) was affixed when that certificate was valid.
19. Presumptions in adjudicating disputes.
In adjudicating a dispute involving a digital signature, a court shall presume—
(a) that a certificate digitally signed by a licensed certification service provider and—
(i) published in a recognised repository; or
(ii) made available by the issuing licensed certification service provider or by the subscriber listed in the certificate,
is issued by the licensed certification service provider which digitally signed it and is accepted by the subscriber listed in it;
(b) that the information listed in a valid certificate and confirmed by a licensed certification service provider issuing the certificate is accurate;
(c) that where the public key verifies a digital signature listed in a valid certificate issued by a licensed certification service provider—
(i) that digital signature is the digital signature of the subscriber listed in that certificate;
(ii) that digital signature was affixed by that subscriber with the intention of signing the message; and
(iii) the recipient of that digital signature has no knowledge or notice that the signer—
(aa) has breached a duty as a subscriber; or
(ab) does not rightfully hold the private key used to affix the digital signature; and
(d) that a digital signature was created before it was time-stamped by a recognised date or time stamp service utilising a trustworthy system.
PART IV—PUBLIC KEY INFRASTRUCTURE (PKI)
20. Sphere of application.
This Part applies to digital signatures or signatures that are able to use the public key infrastructure (PKI).
21. Controller.
(1) The controller shall, in particular be responsible for monitoring and overseeing the activities of certification service providers and shall perform the functions conferred on the controller under this Act.
(2) The controller shall exercise its functions under this Act subject to such directions as to the general policy guidelines as may be given by the Minister.
(3) The Controller shall maintain a publicly accessible database containing a certification service provider disclosure record for each certification service provider, which shall contain all the particulars required under regulations made under this Act.
(4) The Controller shall publish the contents of the database in at least one recognised repository.
22. Certification service providers to be licensed.
(1) A person shall not carry on or operate or hold himself out as carrying on or operating, as a certification service provider unless that person has a valid licence issued under this Act.
(2) A person who contravenes subsection (1) commits an offence and is liable, on conviction, to a fine not exceeding two hundred and forty currency points or imprisonment not exceeding ten years or both; and in the case of a continuing offence is in addition liable to a daily fine not exceeding ten currency points for each day the offence continues.
(3) The Minister may, on an application in writing being made in accordance with this Act, exempt a person operating as a certification service provider within an organisation from the requirement of a licence under this section where certificates and key pairs are issued to members of the organisation for internal use only; but the Minister shall not delegate that power to the Controller.
(4) The liability limits specified in Part IV shall not apply to an exempted certification service provider and Part V shall not apply in relation to a digital signature verified by a certificate issued by an exempted certification service provider.
23. Qualifications of certification service providers.
(1) The Minister in consultation with National Information Technology Authority-Uganda shall, by regulations made under this Act, prescribe the qualifications required for certification service providers.
(2) The Minister in consultation with National Information Technology Authority-Uganda may vary or amend the qualifications prescribed under subsection (1) but any such variation or amendment shall not be applied to a certification service provider holding a valid licence under this Act until the expiry of that licence.
24. Functions of licensed certification service providers.
(1) The function of a certification service provider shall be to issue a certificate to a subscriber upon application and upon satisfaction of the certification service provider’s requirements as to the identity of the subscriber to be listed in the certificate and upon payment of the prescribed fees and charges.
(2) The certification service provider shall, before issuing a certificate under this Act, take all reasonable measures to check for proper identification of the subscriber to be listed in the certificate.
25. Application for licence.
(1) An application for a licence under this Act shall be made in writing to the Controller in such form as may be prescribed.
(2) An application under subsection (1) shall be accompanied by such documents or information as may be prescribed and the controller may, at any time after receiving the application and before it is determined, require the applicant to provide such additional documents or information as may be considered necessary by the controller for the purposes of determining the suitability of the applicant for the licence.
(3) Where any additional document or information required under subsection (2) is not provided by the applicant within the time specified in the requirement or any extension granted by the Controller, the application shall be taken to be withdrawn and shall not be further proceeded with, without prejudice to a fresh application being made by the applicant.
26. Grant or refusal of licence.
(1) The Controller shall, on an application having been duly made in accordance with section 25 and after being provided with all the documents and information as he may require, consider the application and when he or she is satisfied that the applicant is a qualified certification service provider and a suitable licensee and upon payment of the prescribed fee, grant the licence with or without conditions or refuse to grant a licence.
(2) A licence granted under subsection (1) shall set out the duration of the licence and the licence number.
(3) The terms and conditions imposed under the licence may at any time be varied for just cause or amended by the Controller but the licensee shall be given a reasonable opportunity of being heard.
(4) The Controller shall notify the applicant in writing of his or her decision to grant or refuse to grant a licence within thirty days of receiving the application.
27. Revocationoflicence.
(1)TheControllermayrevokealicencegrantedundersection26if
satisfiedthat—
(a) thecertificationserviceproviderhasfailedtocomplywithan
obligationimposeduponitbyorunderthisAct;
(b) the certification service provider has contravened any
conditionimposedunderthelicence,anyprovisionofthisAct
oranyotherwrittenlaw;
(c) the certification service provider has, either in connection with the application for the licence or at any time after the grant of the licence, provided the controller with false, misleading or inaccurate information or a document or declaration made by or on behalf of the certification service provider or by or on behalf of a person who is or is to be a director, controller or manager of the licensed certification service provider which is false, misleading or inaccurate;
(d) the certification service provider is carrying on its business in a manner which is prejudicial to the interest of the public or to the national economy;
(e) the certification service provider has insufficient assets to meet its liabilities;
(f) a winding up order has been made against the licensed certification service provider or a resolution for its voluntary winding-up has been passed;
(g) the certification service provider or its director, controller or manager has been convicted of an offence under this Act in his or her capacity as; or
(h) the certification service provider has ceased to be a qualified certification service provider.
(2) Before revoking a licence, the Controller shall give the licensed certification service provider a notice in writing of his or her intention to revoke the licence and require the licensed certification service provider to show cause within thirty days as to why the licence should not be revoked.
(3) Where the Controller decides to revoke the licence, he or she shall notify the certification service provider of his or her decision by a notice in writing within 48 hours of making the decision.
(4) The revocation of a licence shall take effect where there is no appeal against the revocation, on the expiration of thirty days from the date on which the notice of revocation is served on the licensed certification service provider.
(5) Where an appeal has been made against the revocation of a licence, the certification service provider whose licence has been revoked shall not issue any certificates until the appeal has been disposed of and the revocation has been set aside by the Minister but nothing in this subsection shall prevent the certification service provider from fulfilling its other obligations to its subscribers during that period.
(6) A person who contravenes subsection (5) commits an offence and is liable, on conviction, to a fine not exceeding two hundred and forty currency points or to imprisonment not exceeding ten years or both.
(7) Where the revocation of a licence has taken effect, the Controller shall, as soon as practicable, cause the revocation to be published in the certification service provider disclosure record he or she maintains for the certification service provider concerned and advertised in at least two English language national daily newspapers for at least three consecutive days.
28. Appeal.
(1) A person who is aggrieved by—
(a) the refusal of the Controller to license a certification service provider under section 26 or to renew a licence under section 35; or
(b) the revocation of a licence under section 27,
may appeal in writing to the Minister within thirty days from the date on which the notice of refusal or revocation is served on that person.
(2) The Minister shall, upon receipt of the appeal respond within thirty days.
(3) A person not satisfied with the Minister’s decision may appeal to the High Court.
29. Surrender of licence.
(1) A certification service provider may surrender its licence by forwarding it to the Controller with a written notice of its surrender.
(2) The surrender shall take effect on the date the Controller receives the licence and the notice under subsection (1) or where a later date is specified in the notice, on that date.
(3) The licensed certification service provider shall, not later than fourteen days after the date referred to in subsection (2), cause the surrender to be published in the certification service provider disclosure record of the certification service provider concerned and advertised in at least two English language national daily newspapers for at least three days consecutive.
30. Effect of revocation, surrender or expiry of licence.
(1) Where the revocation of a licence under section 27 or its surrender under section 29 has taken effect or where the licence has expired, the licensed certification service provider shall immediately cease to carry on or operate any business in respect of which the licence was granted.
(2) Notwithstanding subsection (1), the Minister may, on the recommendation of the Controller, authorise the licensed certification service provider in writing to carry on its business for such duration as the Minister may specify in the authorisation for the purpose of winding up its affairs.
(3) Notwithstanding subsection (1), a licensed certification service provider whose licence has expired shall be entitled to carry on its business as if its licence had not expired upon proof being submitted to the Controller that the licensed certification service provider has applied for a renewal of the licence and that such application is pending determination.
(4) A person who contravenes subsection (1) commits an offence and is liable, on conviction, to a fine not exceeding seventy two currency points or to imprisonment not exceeding ten years or both and in the case of a continuing offence shall in addition be liable to a daily fine not exceeding five currency points for each day the offence continues.
(5) Without prejudice to the Controller’s powers under section 26, the revocation of a licence under section 27 or its surrender under section 29 or its expiry shall not affect the validity or effect of any certificate issued by the certification service provider concerned before such revocation, surrender or expiry.
(6) For the purposes of subsection (5), the Controller shall appoint another licensed certification service provider to take over the certificates issued by the certification service provider whose licence has been revoked or surrendered or has expired and the certificate shall, to the extent that they comply with the requirements of the appointed licensed certification service provider, be deemed to have been issued by that licensed certification service provider.
(7) Subsection (6) shall not preclude the appointed licensed certification service provider from requiring the subscriber to comply with its requirements in relation to the issue of certificates or from issuing a new certificate to the subscriber for the unexpired period of the original certificate except that any additional fees or charges to be imposed shall only be imposed with the prior written approval of the Controller.
31. Effect of lack of licence.
(1) The liability limits specified in Part IV shall not apply to unlicensed certification service providers.
(2) Part V shall not apply in relation to an electronic signature, which cannot be verified by a certificate issued by a licensed certification service provider.
(3) In any other case, unless the parties expressly provide otherwise by contract between themselves, the licensing requirements under this Act shall not affect the effectiveness, enforceability or validity of any digital signature.
32. Return of licence.
(1) Where the revocation of a licence under section 27 has taken effect or where the licence has expired and no application for its renewal has been submitted within the period specified or where an application for renewal has been refused under section 35, the licensed certification service provider shall within fourteen days return the licence to the Controller.
(2) A person who contravenes subsection (1) commits an offence and is liable, on conviction, to a fine not exceeding seventy two eight currency points or to imprisonment not exceeding three years or to both and in the case of a continuing offence shall in addition be liable to a daily fine not exceeding five currency points for each day the offence continues and the court shall retain the licence and forward it to the Controller.
33. Restricted licence.
(1) The Controller may classify licences according to specified limitations including—
(a) maximum number of outstanding certificates;
(b) cumulative maximum of recommended reliance limits in certificates issued by the licensed certification service provider; and
(c) issuance only within a single firm or organisation.
(2) The Controller may issue licences restricted according to the limits of each classification.
(3) A licensed certification service provider that issues a certificate exceeding the restrictions of its licence commits an offence.
(4) Where a licensed certification service provider issues a certificate exceeding the restrictions of its licence, the liability limits specified in Part IV shall not apply to the licensed certification service provider in relation to that certificate.
(5) Nothing in subsection (3) or (4) shall affect the validity or effect of the issued certificate.
34. Restriction on use of expression “certification service provider”.
(1) Except with the written consent of the Controller, a person shall not being a licensed certification service provider, assume or use the expressions “certification service provider” or “licensed certification service provider”, as the case may be or any derivative of those expressions in any language or any other words in any language capable of being construed as indicating the carrying on or operation of such business, in relation to the business or any part of the business carried on by that person or make any representation to that effect in any bill head, letter, paper, notice, advertisement or in any other manner.
(2) A person who contravenes subsection (1) commits an offence and is liable, on conviction, to a fine not exceeding one hundred sixty eight currency points or to imprisonment not exceeding seven years or to both.
35. Renewal of licence.
(1) A licensed certification service provider shall submit an application to the Controller in such form as may be prescribed for the renewal of its licence at least thirty days before the date of expiry of the licence and the application shall be accompanied by such documents and information as may be required by the Controller.
(2) The prescribed fee shall be payable upon approval of the application.
(3) Where a licensed certification service provider has no intention of renewing its licence, the licensed certification service provider shall, at least thirty days before the expiry of the licence, publish the intention in the certification service provider disclosure record of the certification service provider concerned and advertise such intention in at least two English language national daily newspapers for at least five consecutive days.
(4) Without prejudice to any other grounds, the Controller may refuse to renew a licence where the requirements of subsection (1) have not been complied with.
36. Lost license.
(1) Where a certification service provider has lost its license, it shall immediately notify the Controller in writing of the loss.
(2) The certification service provider shall, as soon as practicable, submit an application for a replacement license accompanied by all such information and documents as may be required by the Controller together with the prescribed fee.
37. Recognition of other licenses.
(1) The Controller may recognise, by order published in the Gazette, certification service providers licensed or otherwise authorised by entities outside Uganda that satisfy the prescribed requirements.
(2) Where a license or other authorisation of an entity is recognised under subsection (1)—
(a) the recommended reliance limit, if any, specified in a certificate issued by the certification service provider licensed or otherwise authorised by such an entity shall have effect in the same manner as a recommended reliance limit specified in a certificate issued by a certification service provider of Uganda; and
(b) Part IV shall apply to the certificates issued by the certification service provider licensed or otherwise authorised by such entity in the same manner as it applies to a certificate issued by a certification service provider of Uganda.
38. Performance audit.
(1) The operations of a certification service provider shall be audited at least once a year to evaluate its compliance with this Act.
(2) The audit shall be carried out by an internationally recognised computer security professional or a certified public accountant having expertise in the relevant field.
(3) The qualifications of the auditors and the procedure for an audit shall be as may be prescribed by regulations made under this Act.
(4) The Controller shall maintain and publish, the date and result of the audit in the certification service provider disclosure record he or she maintains for the certification service provider concerned.
39. Activities of certification service providers.
(1) A certification service provider shall only carry on such activities as may be specified in its license.
(2) A certification service provider shall carry on its activities in accordance with this Act and any regulations made under this Act.
40. Requirement to display license.
A certification service provider shall at all times display its license in a conspicuous place at its place of business and on its website.
41. Requirement to submit information on business operations.
(1) A licensed certification service provider shall submit to the Controller such information and particulars including financial statements, audited balance sheets and profit and loss accounts relating to its entire business operations as may be required by the Controller within the time he or she may determine.
(2) A person who contravenes subsection (1) commits an offence and is liable, on conviction, to a fine not exceeding twenty four currency points or imprisonment not exceeding one year or both and in the case of a continuing offence shall in addition be liable to a daily fine not exceeding two currency points for each day the offence continues.
42. Notification of change of information.
(1) A certification service provider shall, before making an amendment or alteration to any of its constituent documents or before any change in its director or chief executive officer, furnish the Controller particulars in writing of any proposed amendment, alteration or change.
(2) A licensed certification service provider shall immediately notify the Controller of any amendment or alteration to any information or document which has been furnished to the Controller in connection with the licence.
43. Use of trustworthy systems.
(1) A certification service provider shall only use a trustworthy system—
(a) to issue, suspend or revoke a certificate;
(b) to publish or give notice of the issuance, suspension or revocation of a certificate; and
(c) to create a private key, whether for itself or for a subscriber.
(2) A subscriber shall only use a trustworthy system to create a private key.
44. Disclosures on inquiry.
(1) A certification service provider shall, on an inquiry being made to it under this Act, disclose any material certification practice statement and any fact material to either the reliability of a certificate, which it has issued or its ability to perform its services.
(2) A certification service provider may require a signed, written and reasonably specific inquiry from an identified person and payment of the prescribed fee, as conditions precedent to effecting a disclosure required under subsection (1).
45. Prerequisites to issue of certificate to subscriber.
(1) A certification service provider may issue a certificate to a subscriber where the following conditions are satisfied—
(a) the certification service provider has received a request for issuance signed by the prospective subscriber; and
(b) the certification service provider has confirmed that—
(i) the prospective subscriber is the person to be listed in the certificate to be issued;
(ii) if the prospective subscriber is acting through one or more agents, the subscriber has duly authorised the agent or agents to have custody of the subscriber’s private key and to request issuance of a certificate listing the corresponding public key;
(iii) the information in the certificate to be issued is accurate;
(iv) the prospective subscriber rightfully holds the private key corresponding to the public key to be listed in the certificate;
(v) the prospective subscriber holds a private key capable of creating a digital signature; and
(vi) the public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the prospective subscriber.
(2) The requirements of subsection (1) shall not be waived or disclaimed by the certification service provider, the subscriber or both.
46. Publication of issued and accepted certificate.
(1) Where the subscriber accepts the issued certificate, the certification service provider shall publish a signed copy of the certificate in a recognised repository, as the certification service provider and the subscriber named in the certificate may agree, unless a contract between the certification service provider and the subscriber provides otherwise.
(2) Where the subscriber does not accept the certificate, a certification service provider shall not publish it or shall cancel its publication if the certificate has already been published.
47. Adoption of more rigorous requirements permitted.
Nothing in sections 31 and 32 shall preclude a certification service provider from conforming to standards, certification practice statements, security plans or contractual requirements more rigorous than, but nevertheless consistent with, this Act.
48. Suspension or revocation of certificate for faulty issuance.
(1) Where after issuing a certificate a certification service provider confirms that it was not issued in accordance with sections 31 and 32, the certification service provider shall immediately revoke it.
(2) A certification service provider may suspend a certificate which it has issued for a reasonable period not exceeding forty-eight hours as may be necessary for an investigation to be carried out to confirm the grounds for a revocation under subsection (1).
(3) The certification service provider shall immediately notify the subscriber of a revocation or suspension under this section.
49. Suspension or revocation of certificate by order.
(1) The Controller may order the certification service provider to suspend or revoke a certificate where the Controller determines that—
(a) the certificate was issued without compliance with sections 31 and 32; and
(b) the non-compliance poses a significant risk to persons reasonably relying on the certificate.
(2) Before making a determination under subsection (1), the Controller shall give the licensed certification service provider and the subscriber a reasonable opportunity of being heard.
(3) Notwithstanding subsections (1) and (2), where in the opinion of the Controller there exists an emergency that requires an immediate remedy, the Controller may, after consultation with the Minister, suspend a certificate for a period not exceeding forty-eight hours.
50. Warranties to subscriber.
(1) By issuing a certificate, a certification service provider warrants to the subscriber named in the certificate that—
(a) the certificate contains no information known to the certification service provider to be false;
(b) the certificate satisfies all the requirements of this Act; and
(c) the certification service provider has not exceeded any limits of its licence in issuing the certificate.
(2) A certification service provider shall not disclaim or limit the warranties under subsection (1).
51. Continuing obligations to subscriber.
Unless the subscriber and certification service provider otherwise agree, a certification service provider, by issuing a certificate, promises to the subscriber—
(a) to act promptly to suspend or revoke a certificate in accordance with Part IV; and
(b) to notify the subscriber within a reasonable time of any facts known to the licensed certification service provider, which significantly affect the validity or reliability of the certificate once it is issued.
52. Representations upon issuance.
By issuing a certificate, a certification service provider certifies to all who reasonably rely on the information contained in the certificate that—
(a) the information in the certificate and listed as confirmed by the licensed certification service provider is accurate;
(b) all information foreseeable and material to the reliability of the certificate is stated or incorporated by reference within the certificate;
(c) the subscriber has accepted the certificate; and
(d) the certification service provider has complied with all applicable laws governing the issue of the certificate.
52. Representations upon publication.
By publishing a certificate, a certification service provider certifies to the repository in which the certificate is published and to all who reasonably rely on the information contained in the certificate that the licensed certification service provider has issued the certificate to the subscriber.
54. Implied representations by subscriber.
By accepting a certificate issued by a certification service provider, the subscriber listed in the certificate certifies to all who reasonably rely on the information contained in the certificate that—
(a) the subscriber rightfully holds the private key corresponding to the public key listed in the certificate;
(b) all representations made by the subscriber to the certification service provider and material to information listed in the certificate are true; and
(c) all material representations made by the subscriber to a certification service provider or made in the certificate and not confirmed by the certification service provider in issuing the certificate are true.
55. Representations by agent of subscriber.
By requesting on behalf of a principal the issue of a certificate naming the principal as subscriber, the requesting person certifies in that person’s own right to all who reasonably rely on the information contained in the certificate that the requesting person—
(a) holds all authority legally required to apply for issuance of a certificate naming the principal as subscriber; and
(b) has authority to sign digitally on behalf of the principal, and, if that authority is limited in any way, adequate safeguards exist to prevent a digital signature exceeding the bounds of the person’s authority.
56. Disclaimer or indemnity limited.
A person shall not disclaim or contractually limit the application of this part, nor obtain indemnity for its effects, if the disclaimer, limitation or indemnity restricts liability for misrepresentation as against persons reasonably relying on the certificate.
57. Indemnification of certification service provider by subscriber.
(1) By accepting a certificate, a subscriber undertakes to indemnify the issuing licensed certification service provider for any loss or damage caused by issue or publication of the certificate in reliance on—
(a) a false and material representation of fact by the subscriber; or
(b) the failure by the subscriber to disclose a material fact, if the representation or failure to disclose was made either with intent to deceive the certification service provider or a person relying on the certificate or with negligence.
(2) Where the certification service provider issued the certificate at the request of one or more agents of the subscriber, the agent or agents personally undertake to indemnify the certification service provider under this section, as if they were accepting subscribers in their own right.
(3) The indemnity provided in this section shall not be disclaimed or contractually limited in scope.
58. Certification of accuracy of information given.
When obtaining information from a subscriber which is material to the issue of a certificate, the certification service provider may require the subscriber to certify the accuracy of the relevant information under oath or affirmation.
59. Duty of subscriber to keep private key secure.
By accepting a certificate issued by a certification service provider, the subscriber named in the certificate assumes a duty to exercise reasonable care to retain control of the private key and prevent its disclosure to any person not authorised to create the subscriber’s digital signature.
60. Property in private key.
A private key is the personal property of the subscriber who rightfully holds it.
61. Fiduciary duty of a certification service provider.
Where a certification service provider holds the private key corresponding to a public key listed in a certificate which it has issued, the certification service provider shall hold the private key as a fiduciary of the subscriber named in the certificate and may use that private key only with the subscriber’s prior written approval, unless the subscriber expressly and in writing grants the private key to the licensed certification service provider and expressly and in writing permits the licensed certification service provider to hold the private key according to other terms.
62. Suspension of certificate by certification service provider.
(1) Unless the certification service provider and the subscriber agree otherwise, the licensed certification service provider, which issued a certificate, which is not a transactional certificate, shall suspend the certificate for a period not exceeding forty-eight hours—
(a) upon request by a person identifying himself as the subscriber named in the certificate or as a person in a position likely to know of a compromise of the security of a subscriber’s private key, such as an agent, business associate, employee or member of the immediate family of the subscriber; or
(b) by order of the Controller under section 35.
(2) The certification service provider shall take reasonable measures to check the identity or agency of the person requesting suspension.
63. Suspension of certificate by Controller.
(1) Unless the certificate provides otherwise or the certificate is a transactional certificate, the Controller may suspend a certificate issued by a certification service provider for a period of forty-eight hours, if—
(a) a person identifying himself or herself as the subscriber named in the certificate or as an agent, business associate, employee or member of the immediate family of the subscriber requests suspension; and
(b) the requester represents that the certification service provider, which issued the certificate, is unavailable.
(2) The Controller may require the person requesting suspension to provide evidence, including a statement under oath or affirmation regarding his or her identity and authorisation and the unavailability of the issuing licensed certification service provider and may decline to suspend the certificate in his or her discretion.
(3) The Controller or other law enforcement agency may investigate suspensions by the Controller for possible wrongdoing by persons requesting suspension.
64. Notice of suspension.
(1) Upon suspension of a certificate by a certification service provider, the certification service provider shall publish a signed notice of the suspension in the repository specified in the certificate for publication of notice of suspension.
(2) Where one or more repositories are specified, the certification service provider shall publish signed notices of the suspension in all those repositories.
(3) Where any repository specified no longer exists or refuses to accept publication or if no such repository is recognised under section 69 the certification service provider shall also publish the notice in a recognised repository.
(4) Where a certificate is suspended by the Controller, the Controller shall give notice as required in this section for a certification service provider if the person requesting suspension pays in advance any prescribed fee required by a repository for publication of the notice of suspension.
65. Termination of suspension initiated by request.
A certification service provider shall terminate a suspension initiated by request—
(a) where the subscriber named in the suspended certificate requests termination of the suspension, only if the certification service provider has confirmed that the person requesting suspension is the subscriber or an agent of the subscriber authorised to terminate the suspension; or
(b) where the licensed certification service provider discovers and confirms that the request for the suspension was made without authorisation by the subscriber.
66. Alternate contractual procedures.
(1) The contract between a subscriber and a licensed certification service provider may limit or preclude requested suspension by the certification service provider or may provide otherwise for termination of a requested suspension.
(2) Where the contract limits or precludes suspension by the Controller when the issuing licensed certification service provider is unavailable, the limitation or preclusion shall be effective only if notice of it is published in the certificate.
67. Effect of suspension of certificate.
Nothing in this Part shall release the subscriber from the duty under section 47 to keep the private key secure while a certificate is suspended.
68. Revocation on request.
(1) A licensed certification service provider shall revoke a certificate, which it issued but which is not a transactional certificate—
(a) upon receiving a request for revocation by the subscriber named in the certificate; and
(b) upon confirming that the person requesting revocation is that subscriber or is an agent of that subscriber with authority to request the revocation.
(2) A certification service provider shall confirm a request for revocation and revoke a certificate within one business day after receiving both a subscriber’s written request and evidence reasonably sufficient to confirm the identity of the person requesting the revocation or of the agent.
69. Revocation on subscriber’s demise.
A licensed certification service provider shall revoke a certificate which it issued—
(a) upon receiving a certified copy of the subscriber’s death certificate or upon confirming by other evidence that the subscriber is dead; or
(b) upon presentation of documents effecting a dissolution of the subscriber or upon confirming by other evidence that the subscriber has been dissolved or has ceased to exist.
70. Revocation of unreliable certificates.
(1) A licensed certification service provider may revoke one or more certificates, which it issued if the certificates are or become unreliable regardless of whether the subscriber consents to the revocation and notwithstanding any provision to the contrary in a contract between the subscriber and the licensed certification service provider.
(2) Nothing in subsection (1) shall prevent the subscriber from seeking damages or other relief against the licensed certification service provider in the event of wrongful revocation.
71. Notice of revocation.
(1) Upon revocation of a certificate by a licensed certification service provider, the licensed certification service provider shall publish a signed notice of the revocation in the repository specified in the certificate for publication of notice of revocation.
(2) Where one or more repositories are specified, the licensed certification service provider shall publish signed notices of the revocation in all such repositories.
(3) Where any repository specified no longer exists or refuses to accept publication or if no such repository is recognised under section 69, the licensed certification service provider shall also publish the notice in a recognised repository.
72. Effect of revocation request on subscriber.
Where a subscriber has requested for the revocation of a certificate, the subscriber ceases to certify as provided in Part IV and has no further duty to keep the private key secure as required under section 59—
(a) when notice of the revocation is published as required under section 71; or
(b) where forty eight hours have lapsed after the subscriber requests for the revocation in writing, supplies to the issuing licensed certification service provider information reasonably sufficient to confirm the request and pays any prescribed fee,
whichever occurs first.
73. Effect of notification on certification service provider.
Upon notification as required under section 71, a certification service provider shall be discharged of its warranties based on issue of the revoked certificate and ceases to certify as provided in sections 22 and 24 in relation to the revoked certificate.
74. Expiration of certificate.
(1) The date of expiry of a certificate shall be specified in the certificate.
(2) A certificate may be issued for a period not exceeding three years from the date of issue.
(3) When a certificate expires, the subscriber and licensed certification service provider shall cease to certify as provided under this Act and the licensed certification service provider shall be discharged of its duties based on issue in relation to the expired certificate.
(4) The expiry of a certificate shall not affect the duties and obligations of the subscriber and licensed certification service provider incurred under and in relation to the expired certificate.
75. Reliance limit.
(1) A licensed certification service provider shall, when issuing a certificate to a subscriber, specify a recommended reliance limit in the certificate.
(2) The licensed certification service provider may specify different limits in different certificates as it considers fit.
76. Liability limits for certification service providers.
Unless a licensed certification service provider waives the application of this section, a licensed certification service provider—
(a) shall not be liable for any loss caused by reliance on a false or forged digital signature of a subscriber, if, with respect to the false or forged digital signature, the licensed certification service provider complied with the requirements of this Act;
(b) shall not be liable in excess of the amount specified in the certificate as its recommended reliance limit for either—
(i) a loss caused by reliance on a misrepresentation in the certificate of any fact that the licensed certification service provider is required to confirm; or
(ii) failure to comply with sections 31 and 32 when issuing the certificate.
77. Recognitionofrepositories.
(1)TheControllermayrecogniseoneormorerepositories,after
determining that a repository to be recognised satisfies the
requirementsprescribedintheregulationsmadeunderthisAct.
(2)Theprocedureforrecognition ofrepositoriesshallbeas
prescribedbyregulationsmadeunderthisAct.
(3)TheControllershallpublishalistofrecognisedrepositoriesin
suchform andmannerasheorshemaydetermine.
78. Liability of repositories.
(1) Notwithstanding any disclaimer by the repository or a contract
to the contrary between the repository and a licensed certification
service provider or a subscriber, a repository shall be liable for a loss
incurred by a person reasonably relying on an electronic signature
verified by the public key listed in a suspended or revoked certificate, if
loss was incurred more than one business day after receipt by the
repository of a request to publish notice of the suspension or revocation
and the repository had failed to publish the notice when the person
relied on the digital signature.
(2) Unless waived, a recognised repository or the owner or
operator of a recognised repository—
(a) shall not be liable for failure to record publication of a
suspension or revocation, unless the repository has received
notice of publication and one business day has elapsed since
the notice was received;
(b) shall not be liable under subsection (1) in excess of the
amount specified in the certificate as the recommended
reliance limit;
(c) shall not be liable for misrepresentation in a certificate
published by a certification service provider;
(d) shall not be liable for accurately recording or reporting
information which a licensed certification service provider, a
court or the Controller has published as required or permitted
under this Act, including information about the suspension or
revocation of a certificate; and
(e) shall not be liable for reporting information about a
certification service provider, a certificate or a subscriber, if
the information is published as required or permitted under
this Act or is published by order of the Controller in the
performance of his or her licensing and regulatory duties
under this Act.
79. Recognition of date or time stamp services.
(1) The Controller may recognise one or more date or time stamp
services, after determining that a service to be recognised satisfies the
requirements prescribed in the regulations made under this Act.
(2) The procedure for recognising of date or time stamp services
shall be as may be prescribed by regulations made under this Act.
(3) The Controller shall publish a list of recognised date or time
stamp services in a form and manner as he may determine.
PART V—MISCELLANEOUS
80. Prohibition against dangerous activities
(1) A certification service provider, whether licensed or not, shall
not conduct its business in a manner that creates an unreasonable risk
of loss to the subscribers of the certification service provider, to
persons relying on certificates issued by the certification service
provider or to a repository.
(2) The Controller may publish in one or more recognised
repositories brief statements advising subscribers, persons relying on
digital signatures and repositories about any activities of a certification
service provider, whether licensed or not, which create a risk prohibited
under subsection (1).
(3) The certification service provider named in a statement as
creating or causing a risk may protest the publication of the statement
by filing a brief written defence.
(4) On receipt of a protest made under subsection (3), the
Controller shall publish a written defence together with the Controller’s
statement and shall immediately give the protesting certification
service provider notice and a reasonable opportunity of being heard.
(5) Where, after a hearing, the Controller determines that the
publication of the advisory statement was unwarranted, the Controller
shall revoke the advisory statement.
(6) Where, after a hearing, the Controller determines that the
advisory statement is no longer warranted, the Controller shall revoke
the advisory statement.
(7) Where, after a hearing, the Controller determines that the
advisory statement remains warranted, the Controller may continue or
amend the advisory statement and may take further legal action to
eliminate or reduce the risk prohibited under subsection (1).
(8) The Controller shall publish his decision under subsection (5),
(6) or (7), as the case may be, in one or more recognised repositories.
81. Obligation of confidentiality
(1) Except for the purpose of this Act or for any prosecution for an
offence under any written law or under an order of court, a person under
any powers conferred under this Act, shall not obtain access to any
electronic record, book, register, correspondence, information,
document, other material or grant access to any other person.
(2) A person who contravenes subsection (1) commits an
offence and is liable, on conviction, to a fine not exceeding one hundred
twenty currency points or imprisonment for a term not exceeding five
years or both.
82. False information.
A person who knowingly makes, orally or in writing, signs or furnishes
any declaration, return, certificate or other document or information
required under this Act which is false or misleading in any particular way
commits an offence and is liable, on conviction, to a fine not exceeding
one hundred and twenty currency points or imprisonment for a term not
exceeding five years or both.
83. Offences by body corporate.
(1) Where a body corporate commits an offence under this Act, a
person who at the time of the commission of the offence is a director,
manager, secretary or other similar officer of the body corporate or was
purporting to act in that capacity or was in any manner or to any extent
responsible for the management of any of the affairs of the body
corporate or was assisting in such management—
(a) may be charged severally or jointly in the same proceedings
with the body corporate; and
(b) where the body corporate is convicted of the offence, such a
person shall be deemed to have committed an offence unless,
having regard to the nature of his functions in that capacity
and to all circumstances, he proves—
(i) that the offence was committed without his knowledge,
consent or connivance; and
(ii) that he took all reasonable precautions and had
exercised due diligence to prevent the commission of
the offence.
(2) Where a person is liable under this Act to a punishment or
penalty for any act, omission, neglect or default, he or she is liable to the
same punishment or penalty for every such act, omission, neglect or
default of any employee or agent of his or of the employee of such agent,
if the act, omission, neglect or default was committed—
(a) by his employee in the course of his employment;
(b) by the agent when acting on his behalf; or
(c) by the employee of such agent in the course of his
employment by such agent or otherwise on behalf of the
agent.
84. Authorised officer.
An authorised officer may exercise the powers of enforcement under
this Act.
85. Power to investigate.
(1) The Controller may investigate the activities of a certification
service provider material to its compliance with this Act.
(2) For the purposes of subsection (1), the Controller may issue
orders to a certification service provider to further its investigation and
secure compliance with this Act.
(3) Further, in any case relating to the commission of an offence
under this Act, any authorised officer carrying on an investigation may
exercise all or any of the special powers in relation to police
investigation in all cases given by the Criminal Procedure Code.
86. Search by warrant.
(1) If it appears to a Magistrate, upon written information on oath
and after such inquiry as he or she considers necessary, that there is
reasonable cause to believe that an offence under this Act is being or
has been committed on any premises, the Magistrate may issue a
warrant authorising any police officer not below the rank of Inspector or
any authorised officer named in the warrant, to enter the premises at
any reasonable time by day or by night, with or without assistance and if
need be by force, to search for and seize—
(a) copies of any books, accounts or other documents, including
computerized data, which contain or are reasonably
suspected to contain information as to any offence so
suspected to have been committed;
(b) any signboard, card, letter, pamphlet, leaflet, notice or other
device representing or implying that the person is a licensed
certification service provider; and
(c) any other document, article or item that is reasonably
believed to furnish evidence of the commission of that
offence.
(2) A police officer or an authorised officer conducting a search
under subsection (1) may, if in his or her opinion it is reasonably
necessary to do so for the purpose of investigating into the offence,
search any person who is in or on those premises.
(3) A police officer or an authorised officer making a search of a
person under subsection (2) may seize, detain or take possession of any
book, accounts, document, computerised data, card, letter, pamphlet,
leaflet, notice, device, article or item found on that person for the
purpose of the investigation being carried out by that officer.
(4) A female person shall not be searched under this section
except by another female person.
(5) Where, by reason of its nature, size or amount, it is not
practicable to remove any book, accounts, document, computerised
data, signboard, card, letter, pamphlet, leaflet, notice, device, article or
item seized under this section, the seizing officer shall, by any means,
seal that book, accounts, document, computerised data, signboard, card,
letter, pamphlet, leaflet, notice, device, article or item in the premises or
container in which it is found.
(6) A person who, without lawful authority, breaks, tampers with or
damages the seal referred to in subsection (5) or removes any book,
accounts, document, computerised data, signboard, card, letter,
pamphlet, leaflet, notice, device, article or item under seal or attempts to
do so commits an offence.
87. Search and seizure without warrant.
If a police officer not below the rank of Inspector in any of the
circumstances referred to in section 86 has reasonable cause to believe
that by reason of delay in obtaining a search warrant under that section
the investigation would be adversely affected or evidence of the
commission of an offence is likely to be tampered with, removed,
damaged or destroyed, that officer may enter the premises and exercise
in, upon and in respect of the premises all the powers referred to in
section 86 in as full and ample a manner as if he or she were authorised
to do so by a warrant issued under that section.
88. Access to computerised data.
(1) A police officer conducting a search under section 86 or 87
shall be given unlimited access to computerised data whether stored in
a computer or otherwise.
(2) For the purposes of this section, “access” includes being
provided with the necessary password, encryption code, decryption
code, software or hardware and any other means required to enable
comprehension of computerised data.
89. List of things seized.
(1) Except as provided in subsection (2), where any book,
accounts, document, computerised data, signboard, card, letter,
pamphlet, leaflet, notice, device, article or item is seized under section
86 or 87, the seizing officer shall prepare a list of the things seized and
immediately deliver a copy of the list signed by him or her to the
occupier of the premises which have been searched or to his or her
agent or servant, at those premises.
(2) Where the premises are unoccupied, the seizing officer shall
post a list of things seized conspicuously on the premises and leave a
copy with the local authorities.
90. Obstruction of authorised officer.
A person who obstructs, impedes, assaults or interferes in any way with
any authorised officer in the performance of his functions under this Act
commits an offence.
91. Additional powers.
An authorised officer may, for the purposes of the execution of this Act,
to do all or any of the following—
(a) require the production of records, accounts, computerised
data and documents kept by a licensed certification service
provider and to inspect, examine and copy any of them;
(b) require the production of any identification document from a
person in relation to any case or offence under this Act;
(c) make such inquiry as may be necessary to ascertain whether
the provisions of this Act have been complied with.
92. General penalty.
(1) A person who commits an offence under this Act for which no
penalty is expressly provided is liable, on conviction, to a fine not
exceeding seventy two currency points or to imprisonment for a term
not exceeding three years or both and in the case of a continuing
offence shall in addition be liable to a daily fine not exceeding two
currency points for each day the offence continues.
(2) For the purposes of this section, “this Act” does not include the
regulations made under this Act.
93. Institution and conduct of prosecution.
(1) A prosecution under this Act shall not be instituted except by or
with the consent of the Director of Public Prosecution, but a person
charged with such an offence may be arrested or a warrant for his or her
arrest issued and executed and the person may be detained or released
on police bond, notwithstanding that the consent of the Director of
Public Prosecution to the institution of a prosecution for the offence has
not yet been obtained, but no further or other proceedings shall be taken
until that consent has been obtained.
(2) An officer of the Controller duly authorised in writing by the
Director of Public Prosecutions may conduct the prosecution for any
offence under this Act.
94. Jurisdiction to try offences.
Notwithstanding any written law to the contrary, a Magistrate Grade I
shall have jurisdiction to try an offence under this Act and to impose the
full punishment for the offence.
95. Protection of officers.
An action or prosecution shall not be brought, instituted or maintained in
a court against the Controller or any officer duly authorised under this
Act for or on account of or in respect of any act ordered or done for the
purpose of carrying into effect this Act.
96. Limitation on disclaiming or limiting application of Act.
Unless it is expressly provided for under this Act, a person shall not
disclaim or contractually limit the application of this Act.
97. Regulations.
(1) The Minister may on the recommendation of the Controller
make regulations for all or any of the following purposes—
(a) prescribing the qualification requirements for certification
service providers;
(b) prescribing the manner of applying for licences and
certificates under this Act, the particulars to be supplied by an
applicant, the manner of licensing and certification, the fees
payable therefor, the conditions or restrictions to be imposed
and the form of licences and certificates;
(c) regulating the operations of licensed certification service
provider;
(d) prescribing the requirements for the content, form and
sources of information in certification service provider
disclosure records, the updating and timeliness of such
information and other practices and policies relating to
certification service provider disclosure records;
(e) prescribing the form of certification practice statements;
(f) prescribing the qualification requirements for auditors and
the procedure for audits;
(g) prescribing the requirements for repositories and the
procedure for recognition of repositories;
(h) prescribing the requirements for date and time stamp
services and the procedure for recognition of date and time
stamp services;
(i) prescribing the procedure for the review of software for use in
creating digital signatures and of the applicable standards in
relation to digital signatures and certification practice and for
the publication of reports on such software and standards;
(j) prescribing the forms for the purposes of this Act;
(k) prescribing the fees and charges payable under this Act and the
manner for collecting and disbursing the fees and charges;
(l) providing for such other matters as are contemplated by or
necessary for giving full effect to, the provisions of this Act
and for their due administration.
(2) Regulations made under subsection (1) may prescribe any act
in contravention of the regulations to be an offence and may prescribe in
relation to the offence, penalties not exceeding a fine of seventy two
currency points or imprisonment for three years or both.
98. Compensation.
Where a person is convicted under this Act, the court shall in addition to
the punishment provided therein, order such person to pay by way of
compensation to the aggrieved party, such sum as is in the opinion of
the court just, having regard to the loss suffered by the aggrieved party;
and such order shall be a decree under the provisions of the Civil
Procedure Act, and shall be executed in the manner provided under that
Act.
99. Power of Minister to amend the Schedule.
The Minister may, with the approval of Cabinet, by statutory instrument,
amend the Schedule to this Act.
100. Savings and transitional provisions.
(1) A certification service provider that has been carrying on or
operating as a certification service provider before the commencement
of this Act shall, not later than three months from the commencement,
obtain a licence under this Act.
(2) Where a certification service provider referred to in subsection
(1) fails to obtain a licence after the period prescribed in subsection (1),
it shall be taken to be an unlicensed certification service provider and
the provisions of this Act shall apply to it and a certificate issued by it
accordingly.
(3) Where a certification service provider referred to in subsection
(1) has obtained a licence in accordance with this Act within the period
prescribed in subsection (1), all certificates issued by that certification
service provider before the commencement of this Act, to the extent
that they are not inconsistent with this Act, shall be taken to have been
issued under this Act and shall have effect accordingly.
SCHEDULE
Section 2
CURRENCY POINT
One currency point is equivalent to twenty thousand shillings.