ACTS SUPPLEMENT No. 4 18th March, 2011.
ACTS SUPPLEMENT to The Uganda Gazette No. 19 Volume CIV dated 18th March, 2011.
Printed by UPPC, Entebbe, by Order of the Government.

Act 7 Electronic Signatures Act 2011

THE ELECTRONIC SIGNATURES ACT, 2011.

ARRANGEMENT OF SECTIONS

Section

PART I—PRELIMINARY

1. Commencement
2. Interpretation
3. Equal treatment of signature technologies

PART II—ELECTRONIC SIGNATURES

4. Compliance with a requirement for a signature.
5. Conduct of the signatory.
6. Variation by agreement.
7. Conduct of the relying party.
8. Trustworthiness.
9. Conduct of the certification service provider.
10. Advanced signatures.
11. Secure electronic signature.
12. Presumptions relating to secure and advanced electronic signatures.

PART III—SECURE DIGITAL SIGNATURES

13. Secure digital signatures.
14. Satisfaction of signature requirements.
15. Unreliable digital signatures.
16. Digitally signed document taken to be written document.
17. Digitally signed document deemed to be original document.
18. Authentication of digital signatures.
19. Presumptions in adjudicating disputes.

PART IV—PUBLIC KEY INFRASTRUCTURE

20. Sphere of application.
21. Designation of Controller.
22. Certification service providers to be licensed.
23. Qualifications of certification service providers.
24. Functions of licensed certification service providers.


25. Application for licence.
26. Grant or refusal of licence.
27. Revocation of licence.
28. Appeal.
29. Surrender of licence.
30. Effect of revocation, surrender or expiry of licence.
31. Effect of lack of licence.
32. Return of licence.
33. Restricted licence.
34. Restriction on use of expression “certification service provider”.
35. Renewal of licence.
36. Lost licence.
37. Recognition of other licenses.
38. Performance audit.
39. Activities of certification service providers.
40. Requirement to display licence.
41. Requirement to submit information on business operations.
42. Notification of change of information.
43. Use of trustworthy systems.
44. Disclosures on inquiry.
45. Prerequisites to issue of certificate to subscriber.
46. Publication of issued and accepted certificate.
47. Adoption of more rigorous requirements permitted.
48. Suspension or revocation of certificate for faculty issuance.
49. Suspension or revocation of certificate by order.
50. Warranties to subscriber.
51. Continuing obligations to subscriber.
52. Representations upon issuance.
53. Representations upon publications.
54. Implied representations by subscriber.
55. Representations by agent of subscriber.
56. Disclaimer or indemnity limited.
57. Indemnification of certification service provider by subscriber
58. Certification of accuracy of information given
59. Duty of subscriber to keep private key secure
60. Property in private key
61. Fiduciary duty of a certification service provider
62. Suspension of certificate certification service provider
63. Suspension of certificate by Controller
64. Notice of suspension
65. Termination of suspension initiated by request
66. Alternate contractual procedures
67. Effect of suspension of certificate
68. Revocation of request
69. Revocation on subscriber’s demise
70. Revocation of unreliable certificates
71. Notice of revocation
72. Effect of revocation request on subscriber
73. Effect of notification on certification service provider
74. Expiration of certificate
75. Reliance limit
76. Liability limits for certification service providers
77. Recognition of repositories
78. Liability of repositories
79. Recognition of date/time stamp services

PART V—MISCELLANEOUS

80. Prohibition against dangerous activities
81. Obligation of confidentiality
82. False information
83. Offences by body corporate
84. Authorised officer
85. Power to investigate
86. Search by warrant
87. Search and seizure without warrant
88. Access to computerised data
89. List of things seized
90. Obstruction of authorised officer
91. Additional powers
92. General penalty
93. Instruction and conduct of prosecution
94. Jurisdiction to try offences
95. Prosecution of officers
96. Limitation on disclaiming or limiting application of the Act
97. Regulations
Compensation
Power of Minister to amend First Schedule.
Savings and transitional provisions.

SCHEDULE

Currency point.

THE ELECTRONIC SIGNATURES ACT, 2011.

An Act to make provision for and to regulate the use of electronic signatures and to provide for other related matters.

DATE OF ASSENT: 17th February, 2011.

Date of Commencement: See section 1.

BE IT ENACTED by Parliament as follows:

PART I—PRELIMINARY

1. Commencement

This Act shall come into force on a date appointed by the Minister by statutory instrument.

2. Interpretation

In this Act, unless the context otherwise requires—

“accept a certificate” means—
(a) to manifest approval of a certificate, while knowing or having notice of its contents; or
(b) to apply to a certification service provider for a certificate, without revoking the application by delivering notice of the revocation to the licensed certification service provider and obtaining a signed, written receipt from the certification service provider, if the certification service provider subsequently issues a certificate based on the application;

“advanced electronic signature” means an electronic signature, which is—
(a) uniquely linked to the signatory;
(b) reliably capable of identifying the signatory;
(c) created using secure signature creation device that the signatory can maintain; and
(d) linked to the data to which it relates in such a manner that any subsequent change of the data or the connections between the data and the signature are detectable;

“asymmetric cryptosystem” means an algorithm or series of algorithms, which provide a secure key pair;

“authorised officer” means the Controller or a police officer or a public officer performing any functions under this Act; and includes any public officer authorised by the Minister or by the controller to perform any functions under this Act;

“certificate” means a data message or other records confirming the link between a signatory and a signature creation data;

“certification service provider disclosure record” means an on-line and publicly accessible record that concerns a licensed certification service provider, which is kept by the Controller under subsection 21(5);

“certification practice statement” means a declaration of the practices, which a certification service provider employs in issuing certificates generally or employs in issuing a particular certificate;

“certification service provider” means a person that issues certificates and may provide other services related to electronic signatures;

“certify” means to declare with reference to a certificate, with ample opportunity to reflect and with a duty to apprise oneself of all material facts;

“confirm” means to ascertain through diligent inquiry and investigation;

“Controller” means National Information Technology Authority-Uganda;

“correspond”, with reference to keys, means to belong to the same key pair;

“currency point” has the meaning assigned to it in the Schedule in this Act;

“digital signature” means a transformation of a message using an asymmetric cryptosystem such that a person having the initial message and the signer’s public key can accurately determine—
(a) whether the transformation was created using the private key that corresponds to the signer’s public key; and
(b) whether the message has been altered since the transformation was made;

“electronic signature” means data in electronic form affixed to or logically associated with a data message, which may be used to identify the signatory in relation to the data message and indicate the signatory’s approval of the information contained in the data message; and includes an advance electronic signature and the secure signature;

“electronic signature product” means configured hardware or software or relevant components of it, which are intended to be used by a certification service provider for the provision of electronic signature services or are intended to be used for the creation or verification of electronic signatures;

“forge a digital signature” means—
(a) to create a digital signature without the authorisation of the rightful holder of the private key; or
(b) to create a digital signature verifiable by a certificate listing as subscriber a person who either does not exist or does not hold the private key corresponding to the public key listed in the certificate;

“hold a private key” means to be able to utilise a private key;

“incorporate by reference” means to make one message a part of another message by identifying the message to be incorporated and expressing the intention that it be incorporated;

“issue a certificate” means the act of a certification service provider in creating a certificate and notifying the subscriber listed in the certificate of the contents of the certificate;

“key pair” means a private key and its corresponding public key in an asymmetric cryptosystem, where the public key can verify a digital signature that the private key creates;

“licensed certification service provider” means a certification service provider to whom a licence has been issued by the Controller and whose licence is in effect;

“message” means a digital representation of information;

“Minister” means the Minister responsible for information and communication technology;

“notify” means to communicate a fact to another person in a manner reasonably likely under the circumstances to impart knowledge of the information to the other person;

“person” includes any company or association or body of persons corporate or unincorporate;

“prescribed” means prescribed by or under this Act or any regulations made under this Act;

“private key” means the key of a key pair used to create a digital signature;

“public key” means the key of a key pair used to verify a digital signature and listed in the digital signature certificate;

“public key infrastructure” means a framework for creating a secure method for exchanging information based on public key cryptography;

“publish” means to record or file in a repository;

“qualified certification service provider” means a certification service provider that satisfies the requirements under section 23;

“recipient” means a person who receives or has a digital signature and is in a position to rely on it;

“recognised date or time stamp service” means a date/time stamp service recognised by the Controller under section 79;

“recognised repository” means a repository recognised by the Controller under section 77;

“recommended reliance limit” means the monetary amount recommended for reliance on a certificate under section 76;

“relying party” means a person that may act on the basis of a certificate or an electronic signature;

“repository” means a system for storing and retrieving certificates and other information relevant to digital signatures;

“revoke a certificate” means to make a certificate ineffective permanently from a specified time forward;

“rightfully hold a private key” means to be able to utilise a private key—

(a) which the holder or the holder’s agents have not disclosed to any person in contravention of this Act; and
(b) which the holder has not obtained through theft, deceit, eavesdropping or other unlawful means;

“security procedure” means a procedure for the purpose of—
(a) verifying that an electronic record is that of a specific person; or
(b) detecting error or alteration in the communication, content or storage of an electronic record since a specific point in time, which may require the use of algorithms or codes, identifying words or numbers, encryption, answer back or acknowledgement procedures or similar security devices;

“secure signature creation device” means a signature creation device which meets the requirements laid down in section 4;

“signatory” means a person that holds signature creation data and acts either on its own behalf or on behalf of the person it represents;

“signature creation device” means configured software or hardware, used by the signatory to create an electronic signature;

“signature verification data” means unique data such as codes or public cryptographic keys, used for the purpose of verifying an electronic signature;

“signature verification device” means configured software or hardware, used for the purpose of verifying an electronic signature;

“signed” or “signature” and its grammatical variations includes any symbol executed or adapted or any methodology or procedure employed or adapted, by a person with the intention of authenticating a record, including an electronic or digital method;

“subscriber” means a person who—
(a) is the subject listed in a certificate;
(b) accepts the certificate; and
(c) holds a private key which corresponds to a public key listed in that certificate;

“suspend a certificate” means to make a certificate ineffective temporarily for a specified time forward;

“this Act” includes any regulations made under this Act;

“time-stamp” means—
(a) to append or attach to a message, digital signature or certificate a digitally signed notation indicating at least the date, time and identity of the person appending or attaching the notation; or
(b) the notation appended or attached;

“transactional certificate” means a certificate, incorporating by reference one or more digital signatures, issued and valid for a specific transaction;

“trustworthy system” means computer hardware and software which—
(a) are reasonably secure from intrusion and misuse;
(b) provide a reasonable level of availability, reliability and correct operation; and
(c) are reasonably suited to performing their intended functions;

“valid certificate” means a certificate which—
(a) a licensed certification service provider has issued;
(b) has been accepted by the subscriber listed in it;
(c) has not been revoked or suspended; and
(d) has not expired,
but a transactional certificate is a valid certificate only in relation to the digital signature incorporated in it by reference;

“verify a digital signature” means, in relation to a given digital signature, message and public key, to determine accurately that—
(a) the digital signature was created by the private key corresponding to the public key; and
(b) the message has not been altered since its digital signature was created;

“writing” or “written” includes any handwriting, typewriting, printing, electronic storage or transmission or any other method of recording information or fixing information in a form capable of being preserved.

(2) For the purposes of this Act, a certificate shall be revoked by making a notation to that effect on the certificate or by including the certificate in a set of revoked certificates.

(3) The revocation of a certificate does not mean that it is destroyed or made illegible.

3. Equal treatment of signature technologies.

Nothing in this Act shall be applied so as to exclude, restrict or deprive of legal effect any method of creating an electronic signature that satisfies the requirements for a signature in this Act or otherwise meets with the requirements of any other applicable law.

PART II—ELECTRONIC SIGNATURES.

4. Compliance with a requirement for a signature.

(1) Where the law requires a signature of a person, that requirement is met in relation to a data message if an electronic signature is used which is as reliable as was appropriate for the purpose for which the data message was generated or communicated, in light of all the circumstances, including any relevant agreement.

(2) Subsection (1) applies whether the requirement referred to in that subsection in the form of an obligation or whether the law simply provides consequences for the absence of a signature.

(3) An electronic signature is considered to be reliable for the purpose of satisfying the requirement referred to in subsection (1) if—
(a) the signature creation data are, within the context in which they are used, linked to the signatory and to no other person;
(b) the signature creation data were, at the time of signing, under the control of the signatory and of no other person;
(c) any alteration to the electronic signature, made after the time of signing, is detectable; and
(d) where a purpose of legal requirement for a signature is to provide assurance as to the integrity of the information to which it relates, any alteration made to that information after the time of signing is detectable.

(4) Subsection (3) does not limit the liability of any person—
(a) to establish in any other way, for the purpose of satisfying the requirement referred to in subsection (1), the reliability of an electronic signature; or
(b) to adduce evidence of the non-reliability of an electronic signature.

5. Conduct of the signatory.

(1) Where signature creation data can be used to create a signature that has legal effect, each signatory shall—
(a) exercise reasonable care to avoid unauthorised use of its signature creation data;
(b) without undue delay, notify any person that may reasonably be expected by the signatory to rely on or to provide services in support of the electronic signature if—
  (i) the signatory knows that the signature creation data have been compromised; or
  (ii) the circumstances known to the signatory give rise to a substantial risk that the signature creation data may have been compromised;
(c) where a certificate is used to support the electronic signature, exercise reasonable care to ensure the accuracy and completeness of all material representations made by the signatory which are relevant to the certificate throughout its life-cycle or which are to be included in the certificate.

6. Variation by agreement.

The provisions of this Act may be derogated from or their effect may be varied by agreement unless that agreement would not be valid or effective under any law.

7. Conduct of the relying party.

A relying party shall bear the legal consequences of his or her failure to—
(a) take reasonable steps to verify the reliability of an electronic signature; or
(b) where an electronic signature is supported by a certificate, take reasonable steps—

  (i) to verify the validity, suspension or revocation of the certificate; and
  (ii) to observe any limitation with respect to the certificate.

8. Trustworthiness.

When determining whether or to what extent any systems, procedures and human resources utilised by a certification service provider are trustworthy, regard may be had to the following factors—
(a) financial and human resources, including existence of assets;
(b) quality of hardware and software systems;
(c) procedure for processing of certificates and applications for certificates and retention of records;
(d) availability of information to signatories identified in certificates and to potential relying parties;
(e) regularity and extent of audit by an independent body;
(f) the existence of a declaration by the state, an accreditation body or the certification service provider regarding compliance with or existence of the foregoing; or
(g) any other relevant factor.

9. Conduct of the certification service provider.

(1) Where a certification service provider provides services to support an electronic signature that may be used for legal effect as a signature, that certification service provider shall—
(a) act in accordance with representations made by it with respect to its policies and practices;
(b) exercise reasonable care to ensure the accuracy and completeness of all material representations made by it that are relevant to the certificate throughout its life-cycle or which are included in the certificate;

(c) provide reasonably accessible means which enable a relying party to ascertain from the certificate—
  (i) the identity of the certification service provider;
  (ii) that the signatory that is identified in the certificate had control of the signature creation data at the time when the certificate was issued;
  (iii) that signature creation data were valid at or before the time when the certificate was issued;
(d) provide reasonably accessible means which enable a relying party to ascertain, where relevant, from the certificate or otherwise—
  (i) the method used to identify the signatory;
  (ii) any limitation on the purpose or value for which the signature creation data or the certificate may be used;
  (iii) that the signature creation data are valid and have not been compromised;
  (iv) any limitation on the scope or extent of liability stipulated by the certification service provider;
  (v) whether means exist for the signatory to give notice under section 4(1);
  (vi) whether a timely revocation service is offered;
(e) where services under paragraph (d)(v) are offered, provide a means for a signatory to give notice under section 4(1)(b) and, where services under paragraph (d)(vi) are offered, ensure the availability of a timely revocation service;
(f) utilize trustworthy systems, procedures and human resources in performing its services.

(2) A certification service provider shall be liable for its failure to satisfy the requirements of subsection (1).

10. Advanced signatures.

(1) An advanced electronic signature, verified with a qualified certificate, is equal to an autographic signature in relation to data in electronic form and has therefore equal legal effectiveness and admissibility as evidence.

(2) The advanced signature verification process shall ensure that—
(a) the data used for verifying the electronic signature correspond to the data displayed to the verifier;
(b) the signature is reliably verified and the result of the verification and identity of the certificate holder is correctly displayed to the verifier;
(c) the verifier can reliably establish the contents of the signed data;
(d) the authenticity and validity of the certificate required at the time of signature verification are verified;
(e) the use of a pseudonym is clearly indicated;
(f) any security-relevant changes can be detected.

11. Secure electronic signature.

Where, through the application of a prescribed security procedure or a commercially reasonable security procedure agreed to by the parties involved, an electronic signature is executed in a trustworthy manner, reasonably and in good faith relied upon by the relying party, that signature shall be treated as a secure electronic signature at the time of verification to the extent that it can be verified that the electronic signature satisfied, at the time it was made, the following criteria—
(a) the signature creation data used for signature creation is unique and its secrecy is reasonably assured;
(b) it was capable of being used to objectively identify that person;

(c) it was created in a manner or using a means under the sole control of the person using it, that cannot be readily duplicated or compromised;
(d) it is linked to the electronic record to which it relates in such a manner that if the record was changed to electronic signature would be invalidated;
(e) the signatory can reliably protect his or her signature creation data from unauthorised access.

12. Presumptions relating to secure and advanced electronic signatures.

(1) In any civil proceedings involving a secure electronic record, it shall be presumed, unless the contrary is proved, that the secure or advanced electronic record has not been altered since the specific point in time to which the secure status relates.

(2) In any civil proceedings involving a secure or advanced electronic signature, the following shall be presumed unless the contrary is proved—
(a) the secure or advanced electronic signature is the signature of the person to whom it correlates; and
(b) the secure or advanced electronic signature was affixed by that person with the intention of signing or approving the electronic record.

(3) In the absence of a secure or advanced electronic signature, nothing in this Part shall create any presumption relating to the authenticity and integrity of the electronic record or an electronic signature.

(4) The effect of presumptions provided in this section is to place on the party challenging the genuineness of a secure or advanced electronic signature both the burden of going forward with evidence to rebut the presumption and the burden of persuading the court of the fact that the non-existence of the presumed fact is more.

PART III—SECURE DIGITAL SIGNATURES

13. Secure digital signatures.

When a portion of an electronic record is signed with a digital signature the digital signature shall be treated as a secure electronic signature in respect of that portion of the record, if—
(a) the digital signature was created during the operational period of a valid certificate and is verified by reference to a public key listed in the certificate; and
(b) the certificate is considered trustworthy, in that it is an accurate binding of a public key to a person’s identity because—
  (i) the certificate was issued by a certification service provider operating in compliance with regulations made under this Act;
  (ii) the certificate was issued by a certification service provider outside Uganda recognised for the purpose by the controller pursuant to regulations made under this Act;
  (iii) the certificate was issued by a department or ministry of the Government, an organ of state of statutory corporation approved by the minister to act as a certification service provider on such conditions as the regulations may specify; or
  (iv) the parties have expressly agreed between themselves to use digital signatures as a security procedure and the digital signature was properly verified by reference to the sender’s public key.

14. Satisfaction of signature requirements.

(1) Where a rule of law requires a signature or provides for certain consequences in the absence of a signature, that rule shall be satisfied by a digital signature where—

(a) that digital signature is verified by reference to the public key listed in a valid certificate issued by a licensed certification service provider;
(b) that digital signature was affixed by the signer with the intention of signing the message; and
(c) the recipient has no knowledge or notice that the signer—
  (i) has breached a duty as a subscriber; or
  (ii) does not rightfully hold the private key used to affix the digital signature.

(2) Notwithstanding any written law to the contrary—
(a) a document signed with a digital signature in accordance with this Act shall be as legally binding as a document signed with a handwritten signature, an affixed thumbprint or any other mark; and
(b) a digital signature created in accordance with this Act shall be taken to be a legally binding signature.

(3) Nothing in this Act shall preclude a symbol from being valid as a signature under any other applicable law.

15. Unreliable digital signatures.

(1) Unless otherwise provided by law or contract, the recipient of a digital signature assumes the risk that a digital signature is forged, if reliance on the digital signature is not reasonable under the circumstances.

(2) Where the recipient decides not to rely on a digital signature under this section, the recipient shall promptly notify the signer of its determination not to rely on a digital signature and the grounds for that determination.

Page 20: ACTS SUPPLEMENTNo.418thMarch,2011. ACTSSUPPLEMENT · Act7 ElectronicSignaturesAct 2011 (5)Nothinginsubsection(3)or(4)shallaffectthevalidityoreffect oftheissuedcertificate. 34.Restrictiononuseofexpression“certificationserviceprovider”

Act7 ElectronicSignaturesAct 2011

16. Digitally signed document taken to be written document.

(1) A message shall be as valid, enforceable and effective as if it had been written on paper if—

(a) it bears in its entirety a digital signature; and

(b) that digital signature is verified by the public key listed in a certificate which—

(i) was issued by a licensed certification service provider; and

(ii) was valid at the time the digital signature was created.

(2) Nothing in this Act shall preclude any message, document or record from being considered written or in writing under any other applicable law.

17. Digitally signed document deemed to be original document.

A copy of a digitally signed message shall be as valid, enforceable and effective as the original of the message unless it is evident that the signer designated an instance of the digitally signed message to be a unique original, in which case only that instance constitutes the valid, enforceable and effective message.

18. Authentication of digital signatures.

A certificate issued by a licensed certification service provider shall be an acknowledgement of a digital signature verified by reference to the public key listed in the certificate, regardless of whether words of an express acknowledgement appear with the digital signature and regardless of whether the signer physically appeared before the licensed certification service provider when the digital signature was created, if that digital signature is—

(a) verifiable by that certificate; and

(b) was affixed when that certificate was valid.


19. Presumptions in adjudicating disputes.

In adjudicating a dispute involving a digital signature, a court shall presume—

(a) that a certificate digitally signed by a licensed certification service provider and—

(i) published in a recognised repository; or

(ii) made available by the issuing licensed certification service provider or by the subscriber listed in the certificate, is issued by the licensed certification service provider which digitally signed it and is accepted by the subscriber listed in it;

(b) that the information listed in a valid certificate and confirmed by a licensed certification service provider issuing the certificate is accurate;

(c) that where the public key verifies a digital signature listed in a valid certificate issued by a licensed certification service provider—

(i) that digital signature is the digital signature of the subscriber listed in that certificate;

(ii) that digital signature was affixed by that subscriber with the intention of signing the message; and

(iii) the recipient of that digital signature has no knowledge or notice that the signer—

(aa) has breached a duty as a subscriber; or

(ab) does not rightfully hold the private key used to affix the digital signature; and

(d) that a digital signature was created before it was time-stamped by a recognised date or time stamp service utilising a trustworthy system.


PART IV—PUBLIC KEY INFRASTRUCTURE (PKI)

20. Sphere of application.

This Part applies to digital signatures or signatures that are able to use the public key infrastructure (PKI).

21. Controller.

(1) The controller shall, in particular be responsible for monitoring and overseeing the activities of certification service providers and shall perform the functions conferred on the controller under this Act.

(2) The controller shall exercise its functions under this Act subject to such directions as to the general policy guidelines as may be given by the Minister.

(3) The Controller shall maintain a publicly accessible database containing a certification service provider disclosure record for each certification service provider, which shall contain all the particulars required under regulations made under this Act.

(4) The Controller shall publish the contents of the database in at least one recognised repository.

22. Certification service providers to be licensed.

(1) A person shall not carry on or operate or hold himself out as carrying on or operating, as a certification service provider unless that person has a valid licence issued under this Act.

(2) A person who contravenes subsection (1) commits an offence and is liable, on conviction, to a fine not exceeding two hundred and forty currency points or imprisonment not exceeding ten years or both; and in the case of a continuing offence is in addition liable to a daily fine not exceeding ten currency points for each day the offence continues.

(3) The Minister may, on an application in writing being made in accordance with this Act, exempt a person operating as a certification service provider within an organisation from the requirement of a licence under this section where certificates and key pairs are issued to members of the organisation for internal use only; but the Minister shall not delegate that power to the Controller.


(4) The liability limits specified in Part IV shall not apply to an exempted certification service provider and Part V shall not apply in relation to a digital signature verified by a certificate issued by an exempted certification service provider.

23. Qualifications of certification service providers.

(1) The Minister in consultation with National Information Technology Authority-Uganda shall, by regulations made under this Act, prescribe the qualifications required for certification service providers.

(2) The Minister in consultation with National Information Technology Authority-Uganda may vary or amend the qualifications prescribed under subsection (1) but any such variation or amendment shall not be applied to a certification service provider holding a valid licence under this Act until the expiry of that licence.

24. Functions of licensed certification service providers.

(1) The function of a certification service provider shall be to issue a certificate to a subscriber upon application and upon satisfaction of the certification service provider's requirements as to the identity of the subscriber to be listed in the certificate and upon payment of the prescribed fees and charges.

(2) The certification service provider shall, before issuing a certificate under this Act, take all reasonable measures to check for proper identification of the subscriber to be listed in the certificate.

25. Application for licence.

(1) An application for a licence under this Act shall be made in writing to the Controller in such form as may be prescribed.

(2) An application under subsection (1) shall be accompanied by such documents or information as may be prescribed and the controller may, at any time after receiving the application and before it is determined, require the applicant to provide such additional documents or information as may be considered necessary by the controller for the purposes of determining the suitability of the applicant for the licence.


(3) Where any additional document or information required under subsection (2) is not provided by the applicant within the time specified in the requirement or any extension granted by the Controller, the application shall be taken to be withdrawn and shall not be further proceeded with, without prejudice to a fresh application being made by the applicant.

26. Grant or refusal of licence.

(1) The Controller shall, on an application having been duly made in accordance with section 25 and after being provided with all the documents and information as he may require, consider the application and when he or she is satisfied that the applicant is a qualified certification service provider and a suitable licensee and upon payment of the prescribed fee, grant the licence with or without conditions or refuse to grant a licence.

(2) A licence granted under subsection (1) shall set out the duration of the licence and the licence number.

(3) The terms and conditions imposed under the licence may at any time be varied for just cause or amended by the Controller but the licensee shall be given a reasonable opportunity of being heard.

(4) The Controller shall notify the applicant in writing of his or her decision to grant or refuse to grant a licence within thirty days of receiving the application.

27. Revocation of licence.

(1) The Controller may revoke a licence granted under section 26 if satisfied that—

(a) the certification service provider has failed to comply with an obligation imposed upon it by or under this Act;

(b) the certification service provider has contravened any condition imposed under the licence, any provision of this Act or any other written law;


(c) the certification service provider has, either in connection with the application for the licence or at any time after the grant of the licence, provided the controller with false, misleading or inaccurate information or a document or declaration made by or on behalf of the certification service provider or by or on behalf of a person who is or is to be a director, controller or manager of the licensed certification service provider which is false, misleading or inaccurate;

(d) the certification service provider is carrying on its business in a manner which is prejudicial to the interest of the public or to the national economy;

(e) the certification service provider has insufficient assets to meet its liabilities;

(f) a winding up order has been made against the licensed certification service provider or a resolution for its voluntary winding-up has been passed;

(g) the certification service provider or its director, controller or manager has been convicted of an offence under this Act in his or her capacity as; or

(h) the certification service provider has ceased to be a qualified certification service provider.

(2) Before revoking a licence, the Controller shall give the licensed certification service provider a notice in writing of his or her intention to revoke the licence and require the licensed certification service provider to show cause within thirty days as to why the licence should not be revoked.

(3) Where the Controller decides to revoke the licence, he or she shall notify the certification service provider of his or her decision by a notice in writing within 48 hours of making the decision.


(4) The revocation of a licence shall take effect where there is no appeal against the revocation, on the expiration of thirty days from the date on which the notice of revocation is served on the licensed certification service provider.

(5) Where an appeal has been made against the revocation of a licence, the certification service provider whose licence has been revoked shall not issue any certificates until the appeal has been disposed of and the revocation has been set aside by the Minister but nothing in this subsection shall prevent the certification service provider from fulfilling its other obligations to its subscribers during that period.

(6) A person who contravenes subsection (5) commits an offence and is liable, on conviction, to a fine not exceeding two hundred and forty currency points or to imprisonment not exceeding ten years or both.

(7) Where the revocation of a licence has taken effect, the Controller shall, as soon as practicable, cause the revocation to be published in the certification service provider disclosure record he or she maintains for the certification service provider concerned and advertised in at least two English language national daily newspapers for at least three consecutive days.

28. Appeal.

(1) A person who is aggrieved by—

(a) the refusal of the Controller to license a certification service provider under section 26 or to renew a licence under section 35; or

(b) the revocation of a licence under section 27,

may appeal in writing to the Minister within thirty days from the date on which the notice of refusal or revocation is served on that person.

(2) The Minister shall, upon receipt of the appeal respond within thirty days.


(3) A person not satisfied with the Minister’s decision may appeal to the High Court.

29. Surrender of licence.

(1) A certification service provider may surrender its licence by forwarding it to the Controller with a written notice of its surrender.

(2) The surrender shall take effect on the date the Controller receives the licence and the notice under subsection (1) or where a later date is specified in the notice, on that date.

(3) The licensed certification service provider shall, not later than fourteen days after the date referred to in subsection (2), cause the surrender to be published in the certification service provider disclosure record of the certification service provider concerned and advertised in at least two English language national daily newspapers for at least three days consecutive.

30. Effect of revocation, surrender or expiry of licence.

(1) Where the revocation of a licence under section 27 or its surrender under section 29 has taken effect or where the licence has expired, the licensed certification service provider shall immediately cease to carry on or operate any business in respect of which the licence was granted.

(2) Notwithstanding subsection (1), the Minister may, on the recommendation of the Controller, authorise the licensed certification service provider in writing to carry on its business for such duration as the Minister may specify in the authorisation for the purpose of winding up its affairs.

(3) Notwithstanding subsection (1), a licensed certification service provider whose licence has expired shall be entitled to carry on its business as if its licence had not expired upon proof being submitted to the Controller that the licensed certification service provider has applied for a renewal of the licence and that such application is pending determination.


(4) A person who contravenes subsection (1) commits an offence and is liable, on conviction, to a fine not exceeding seventy two currency points or to imprisonment not exceeding ten years or both and in the case of a continuing offence shall in addition be liable to a daily fine not exceeding five currency points for each day the offence continues.

(5) Without prejudice to the Controller’s powers under section 26, the revocation of a licence under section 27 or its surrender under section 29 or its expiry shall not affect the validity or effect of any certificate issued by the certification service provider concerned before such revocation, surrender or expiry.

(6) For the purposes of subsection (5), the Controller shall appoint another licensed certification service provider to take over the certificates issued by the certification service provider whose licence has been revoked or surrendered or has expired and the certificate shall, to the extent that they comply with the requirements of the appointed licensed certification service provider, be deemed to have been issued by that licensed certification service provider.

(7) Subsection (6) shall not preclude the appointed licensed certification service provider from requiring the subscriber to comply with its requirements in relation to the issue of certificates or from issuing a new certificate to the subscriber for the unexpired period of the original certificate except that any additional fees or charges to be imposed shall only be imposed with the prior written approval of the Controller.

31. Effect of lack of licence.

(1) The liability limits specified in Part IV shall not apply to unlicensed certification service providers.

(2) Part V shall not apply in relation to an electronic signature, which cannot be verified by a certificate issued by a licensed certification service provider.

(3) In any other case, unless the parties expressly provide otherwise by contract between themselves, the licensing requirements under this Act shall not affect the effectiveness, enforceability or validity of any digital signature.


32. Return of licence.

(1) Where the revocation of a licence under section 27 has taken effect or where the licence has expired and no application for its renewal has been submitted within the period specified or where an application for renewal has been refused under section 35, the licensed certification service provider shall within fourteen days return the licence to the Controller.

(2) A person who contravenes subsection (1) commits an offence and is liable, on conviction, to a fine not exceeding seventy two eight currency points or to imprisonment not exceeding three years or to both and in the case of a continuing offence shall in addition be liable to a daily fine not exceeding five currency points for each day the offence continues and the court shall retain the licence and forward it to the Controller.

33. Restricted licence.

(1) The Controller may classify licences according to specified limitations including—

(a) maximum number of outstanding certificates;

(b) cumulative maximum of recommended reliance limits in certificates issued by the licensed certification service provider; and

(c) issuance only within a single firm or organisation.

(2) The Controller may issue licences restricted according to the limits of each classification.

(3) A licensed certification service provider that issues a certificate exceeding the restrictions of its licence commits an offence.

(4) Where a licensed certification service provider issues a certificate exceeding the restrictions of its licence, the liability limits specified in Part IV shall not apply to the licensed certification service provider in relation to that certificate.


(5) Nothing in subsection (3) or (4) shall affect the validity or effect of the issued certificate.

34. Restriction on use of expression “certification service provider”.

(1) Except with the written consent of the Controller, a person shall not being a licensed certification service provider, assume or use the expressions “certification service provider” or “licensed certification service provider”, as the case may be or any derivative of those expressions in any language or any other words in any language capable of being construed as indicating the carrying on or operation of such business, in relation to the business or any part of the business carried on by that person or make any representation to that effect in any bill head, letter, paper, notice, advertisement or in any other manner.

(2) A person who contravenes subsection (1) commits an offence and is liable, on conviction, to a fine not exceeding one hundred sixty eight currency points or to imprisonment not exceeding seven years or to both.

35. Renewal of licence.

(1) A licensed certification service provider shall submit an application to the Controller in such form as may be prescribed for the renewal of its licence at least thirty days before the date of expiry of the licence and the application shall be accompanied by such documents and information as may be required by the Controller.

(2) The prescribed fee shall be payable upon approval of the application.

(3) Where a licensed certification service provider has no intention of renewing its licence, the licensed certification service provider shall, at least thirty days before the expiry of the licence, publish the intention in the certification service provider disclosure record of the certification service provider concerned and advertise such intention in at least two English language national daily newspapers for at least five consecutive days.


(4) Without prejudice to any other grounds, the Controller may refuse to renew a licence where the requirements of subsection (1) have not been complied with.

36. Lost license.

(1) Where a certification service provider has lost its license, it shall immediately notify the Controller in writing of the loss.

(2) The certification service provider shall, as soon as practicable, submit an application for a replacement license accompanied by all such information and documents as may be required by the Controller together with the prescribed fee.

37. Recognition of other licenses.

(1) The Controller may recognise, by order published in the Gazette, certification service providers licensed or otherwise authorised by entities outside Uganda that satisfy the prescribed requirements.

(2) Where a license or other authorisation of an entity is recognised under subsection (1)—

(a) the recommended reliance limit, if any, specified in a certificate issued by the certification service provider licensed or otherwise authorised by such an entity shall have effect in the same manner as a recommended reliance limit specified in a certificate issued by a certification service provider of Uganda; and

(b) Part IV shall apply to the certificates issued by the certification service provider licensed or otherwise authorised by such entity in the same manner as it applies to a certificate issued by a certification service provider of Uganda.

38. Performance audit.

(1) The operations of a certification service provider shall be audited at least once a year to evaluate its compliance with this Act.


(2) The audit shall be carried out by an internationally recognised computer security professional or a certified public accountant having expertise in the relevant field.

(3) The qualifications of the auditors and the procedure for an audit shall be as may be prescribed by regulations made under this Act.

(4) The Controller shall maintain and publish, the date and result of the audit in the certification service provider disclosure record he or she maintains for the certification service provider concerned.

39. Activities of certification service providers.

(1) A certification service provider shall only carry on such activities as may be specified in its license.

(2) A certification service provider shall carry on its activities in accordance with this Act and any regulations made under this Act.

40. Requirement to display license.

A certification service provider shall at all times display its license in a conspicuous place at its place of business and on its website.

41. Requirement to submit information on business operations.

(1) A licensed certification service provider shall submit to the Controller such information and particulars including financial statements, audited balance sheets and profit and loss accounts relating to its entire business operations as may be required by the Controller within the time he or she may determine.

(2) A person who contravenes subsection (1) commits an offence and is liable, on conviction, to a fine not exceeding twenty four currency points or imprisonment not exceeding one year or both and in the case of a continuing offence shall in addition be liable to a daily fine not exceeding two currency points for each day the offence continues.


42. Notification of change of information.

(1) A certification service provider shall, before making an amendment or alteration to any of its constituent documents or before any change in its director or chief executive officer, furnish the Controller particulars in writing of any proposed amendment, alteration or change.

(2) A licensed certification service provider shall immediately notify the Controller of any amendment or alteration to any information or document which has been furnished to the Controller in connection with the licence.

43. Use of trustworthy systems.

(1) A certification service provider shall only use a trustworthy system—

(a) to issue, suspend or revoke a certificate;

(b) to publish or give notice of the issuance, suspension or revocation of a certificate; and

(c) to create a private key, whether for itself or for a subscriber.

(2) A subscriber shall only use a trustworthy system to create a private key.

44. Disclosures on inquiry.

(1) A certification service provider shall, on an inquiry being made to it under this Act, disclose any material certification practice statement and any fact material to either the reliability of a certificate, which it has issued or its ability to perform its services.

(2) A certification service provider may require a signed, written and reasonably specific inquiry from an identified person and payment of the prescribed fee, as conditions precedent to effecting a disclosure required under subsection (1).

45. Prerequisites to issue of certificate to subscriber.

(1) A certification service provider may issue a certificate to a subscriber where the following conditions are satisfied—


(a) the certification service provider has received a request for issuance signed by the prospective subscriber; and

(b) the certification service provider has confirmed that—

(i) the prospective subscriber is the person to be listed in the certificate to be issued;

(ii) if the prospective subscriber is acting through one or more agents, the subscriber has duly authorised the agent or agents to have custody of the subscriber’s private key and to request issuance of a certificate listing the corresponding public key;

(iii) the information in the certificate to be issued is accurate;

(iv) the prospective subscriber rightfully holds the private key corresponding to the public key to be listed in the certificate;

(v) the prospective subscriber holds a private key capable of creating a digital signature; and

(vi) the public key to be listed in the certificate can be used to verify a digital signature affixed by the private key held by the prospective subscriber.

(2) The requirements of subsection (1) shall not be waived or disclaimed by the certification service provider, the subscriber or both.

46. Publication of issued and accepted certificate.

(1) Where the subscriber accepts the issued certificate, the certification service provider shall publish a signed copy of the certificate in a recognised repository, as the certification service provider and the subscriber named in the certificate may agree, unless a contract between the certification service provider and the subscriber provides otherwise.

(2) Where the subscriber does not accept the certificate, a certification service provider shall not publish it or shall cancel its publication if the certificate has already been published.


47. Adoption of more rigorous requirements permitted.

Nothing in sections 31 and 32 shall preclude a certification service provider from conforming to standards, certification practice statements, security plans or contractual requirements more rigorous than, but nevertheless consistent with, this Act.

48. Suspension or revocation of certificate for faulty issuance.

(1) Where after issuing a certificate a certification service provider confirms that it was not issued in accordance with sections 31 and 32, the certification service provider shall immediately revoke it.

(2) A certification service provider may suspend a certificate which it has issued for a reasonable period not exceeding forty-eight hours as may be necessary for an investigation to be carried out to confirm the grounds for a revocation under subsection (1).

(3) The certification service provider shall immediately notify the subscriber of a revocation or suspension under this section.

49. Suspension or revocation of certificate by order.

(1) The Controller may order the certification service provider to suspend or revoke a certificate where the Controller determines that—

(a) the certificate was issued without compliance with sections 31 and 32; and

(b) the non-compliance poses a significant risk to persons reasonably relying on the certificate.

(2) Before making a determination under subsection (1), the Controller shall give the licensed certification service provider and the subscriber a reasonable opportunity of being heard.

(3) Notwithstanding subsections (1) and (2), where in the opinion of the Controller there exists an emergency that requires an immediate remedy, the Controller may, after consultation with the Minister, suspend a certificate for a period not exceeding forty-eight hours.


50. Warranties to subscriber.

(1) By issuing a certificate, a certification service provider warrants to the subscriber named in the certificate that—

(a) the certificate contains no information known to the certification service provider to be false;

(b) the certificate satisfies all the requirements of this Act; and

(c) the certification service provider has not exceeded any limits of its licence in issuing the certificate.

(2) A certification service provider shall not disclaim or limit the warranties under subsection (1).

51. Continuing obligations to subscriber.

Unless the subscriber and certification service provider otherwise agree, a certification service provider, by issuing a certificate, promises to the subscriber—

(a) to act promptly to suspend or revoke a certificate in accordance with Part IV; and

(b) to notify the subscriber within a reasonable time of any facts known to the licensed certification service provider, which significantly affect the validity or reliability of the certificate once it is issued.

52. Representations upon issuance.

By issuing a certificate, a certification service provider certifies to all who reasonably rely on the information contained in the certificate that—

(a) the information in the certificate and listed as confirmed by the licensed certification service provider is accurate;

(b) all information foreseeable and material to the reliability of the certificate is stated or incorporated by reference within the certificate;


(c) the subscriber has accepted the certificate; and

(d) the certification service provider has complied with all applicable laws governing the issue of the certificate.

52. Representations upon publication.

By publishing a certificate, a certification service provider certifies to the repository in which the certificate is published and to all who reasonably rely on the information contained in the certificate that the licensed certification service provider has issued the certificate to the subscriber.

54. Implied representations by subscriber.

By accepting a certificate issued by a certification service provider, the subscriber listed in the certificate certifies to all who reasonably rely on the information contained in the certificate that—

(a) the subscriber rightfully holds the private key corresponding to the public key listed in the certificate;

(b) all representations made by the subscriber to the certification service provider and material to information listed in the certificate are true; and

(c) all material representations made by the subscriber to a certification service provider or made in the certificate and not confirmed by the certification service provider in issuing the certificate are true.

55. Representations by agent of subscriber.

By requesting on behalf of a principal the issue of a certificate naming the principal as subscriber, the requesting person certifies in that person’s own right to all who reasonably rely on the information contained in the certificate that the requesting person—

(a) holds all authority legally required to apply for issuance of a certificate naming the principal as subscriber; and

37

Page 38: ACTS SUPPLEMENTNo.418thMarch,2011. ACTSSUPPLEMENT · Act7 ElectronicSignaturesAct 2011 (5)Nothinginsubsection(3)or(4)shallaffectthevalidityoreffect oftheissuedcertificate. 34.Restrictiononuseofexpression“certificationserviceprovider”

Act7 ElectronicSignaturesAct 2011

(b) hasauthoritytosigndigitallyonbehalfoftheprincipal,and,if

thatauthorityislimitedinanyway,adequatesafeguardsexist

topreventadigitalsignatureexceedingtheboundsofthe

person’sauthority.

56. Disclaimer or indemnity limited.

A person shall not disclaim or contractually limit the application of this part, nor obtain indemnity for its effects, if the disclaimer, limitation or indemnity restricts liability for misrepresentation as against persons reasonably relying on the certificate.

57. Indemnification of certification service provider by subscriber.

(1) By accepting a certificate, a subscriber undertakes to indemnify the issuing licensed certification service provider for any loss or damage caused by issue or publication of the certificate in reliance on—

(a) a false and material representation of fact by the subscriber; or

(b) the failure by the subscriber to disclose a material fact, if the representation or failure to disclose was made either with intent to deceive the certification service provider or a person relying on the certificate or with negligence.

(2) Where the certification service provider issued the certificate at the request of one or more agents of the subscriber, the agent or agents personally undertake to indemnify the certification service provider under this section, as if they were accepting subscribers in their own right.

(3) The indemnity provided in this section shall not be disclaimed or contractually limited in scope.

58. Certification of accuracy of information given.

When obtaining information from a subscriber which is material to the issue of a certificate, the certification service provider may require the subscriber to certify the accuracy of the relevant information under oath or affirmation.

59. Duty of subscriber to keep private key secure.

By accepting a certificate issued by a certification service provider, the subscriber named in the certificate assumes a duty to exercise reasonable care to retain control of the private key and prevent its disclosure to any person not authorised to create the subscriber’s digital signature.

60. Property in private key.

A private key is the personal property of the subscriber who rightfully holds it.

61. Fiduciary duty of a certification service provider.

Where a certification service provider holds the private key corresponding to a public key listed in a certificate which it has issued, the certification service provider shall hold the private key as a fiduciary of the subscriber named in the certificate and may use that private key only with the subscriber’s prior written approval, unless the subscriber expressly and in writing grants the private key to the licensed certification service provider and expressly and in writing permits the licensed certification service provider to hold the private key according to other terms.

62. Suspension of certificate by certification service provider.

(1) Unless the certification service provider and the subscriber agree otherwise, the licensed certification service provider, which issued a certificate, which is not a transactional certificate, shall suspend the certificate for a period not exceeding forty-eight hours—

(a) upon request by a person identifying himself as the subscriber named in the certificate or as a person in a position likely to know of a compromise of the security of a subscriber’s private key, such as an agent, business associate, employee or member of the immediate family of the subscriber; or

(b) by order of the Controller under section 35.

(2) The certification service provider shall take reasonable measures to check the identity or agency of the person requesting suspension.

63. Suspension of certificate by Controller.

(1) Unless the certificate provides otherwise or the certificate is a transactional certificate, the Controller may suspend a certificate issued by a certification service provider for a period of forty-eight hours, if—

(a) a person identifying himself or herself as the subscriber named in the certificate or as an agent, business associate, employee or member of the immediate family of the subscriber requests suspension; and

(b) the requester represents that the certification service provider, which issued the certificate, is unavailable.

(2) The Controller may require the person requesting suspension to provide evidence, including a statement under oath or affirmation regarding his or her identity and authorisation and the unavailability of the issuing licensed certification service provider and may decline to suspend the certificate in his or her discretion.

(3) The Controller or other law enforcement agency may investigate suspensions by the Controller for possible wrongdoing by persons requesting suspension.

64. Notice of suspension.

(1) Upon suspension of a certificate by a certification service provider, the certification service provider shall publish a signed notice of the suspension in the repository specified in the certificate for publication of notice of suspension.

(2) Where one or more repositories are specified, the certification service provider shall publish signed notices of the suspension in all those repositories.

(3) Where any repository specified no longer exists or refuses to accept publication or if no such repository is recognised under section 69 the certification service provider shall also publish the notice in a recognised repository.

(4) Where a certificate is suspended by the Controller, the Controller shall give notice as required in this section for a certification service provider if the person requesting suspension pays in advance any prescribed fee required by a repository for publication of the notice of suspension.

65. Termination of suspension initiated by request.

A certification service provider shall terminate a suspension initiated by request—

(a) where the subscriber named in the suspended certificate requests termination of the suspension, only if the certification service provider has confirmed that the person requesting suspension is the subscriber or an agent of the subscriber authorised to terminate the suspension; or

(b) where the licensed certification service provider discovers and confirms that the request for the suspension was made without authorisation by the subscriber.

66. Alternate contractual procedures.

(1) The contract between a subscriber and a licensed certification service provider may limit or preclude requested suspension by the certification service provider or may provide otherwise for termination of a requested suspension.

(2) Where the contract limits or precludes suspension by the Controller when the issuing licensed certification service provider is unavailable, the limitation or preclusion shall be effective only if notice of it is published in the certificate.

67. Effect of suspension of certificate.

Nothing in this Part shall release the subscriber from the duty under section 47 to keep the private key secure while a certificate is suspended.

68. Revocation on request.

(1) A licensed certification service provider shall revoke a certificate, which it issued but which is not a transactional certificate—

(a) upon receiving a request for revocation by the subscriber named in the certificate; and

(b) upon confirming that the person requesting revocation is that subscriber or is an agent of that subscriber with authority to request the revocation.

(2) A certification service provider shall confirm a request for revocation and revoke a certificate within one business day after receiving both a subscriber’s written request and evidence reasonably sufficient to confirm the identity of the person requesting the revocation or of the agent.

69. Revocation on subscriber’s demise.

A licensed certification service provider shall revoke a certificate which it issued—

(a) upon receiving a certified copy of the subscriber’s death certificate or upon confirming by other evidence that the subscriber is dead; or

(b) upon presentation of documents effecting a dissolution of the subscriber or upon confirming by other evidence that the subscriber has been dissolved or has ceased to exist.

70. Revocation of unreliable certificates.

(1) A licensed certification service provider may revoke one or more certificates, which it issued if the certificates are or become unreliable regardless of whether the subscriber consents to the revocation and notwithstanding any provision to the contrary in a contract between the subscriber and the licensed certification service provider.

(2) Nothing in subsection (1) shall prevent the subscriber from seeking damages or other relief against the licensed certification service provider in the event of wrongful revocation.

71. Notice of revocation.

(1) Upon revocation of a certificate by a licensed certification service provider, the licensed certification service provider shall publish a signed notice of the revocation in the repository specified in the certificate for publication of notice of revocation.

(2) Where one or more repositories are specified, the licensed certification service provider shall publish signed notices of the revocation in all such repositories.

(3) Where any repository specified no longer exists or refuses to accept publication or if no such repository is recognised under section 69, the licensed certification service provider shall also publish the notice in a recognised repository.

72. Effect of revocation request on subscriber.

Where a subscriber has requested for the revocation of a certificate, the subscriber ceases to certify as provided in Part IV and has no further duty to keep the private key secure as required under section 59—

(a) when notice of the revocation is published as required under section 71; or

(b) where forty eight hours have lapsed after the subscriber requests for the revocation in writing, supplies to the issuing licensed certification service provider information reasonably sufficient to confirm the request and pays any prescribed fee, whichever occurs first.

73. Effect of notification on certification service provider.

Upon notification as required under section 71, a certification service provider shall be discharged of its warranties based on issue of the revoked certificate and ceases to certify as provided in sections 22 and 24 in relation to the revoked certificate.

74. Expiration of certificate.

(1) The date of expiry of a certificate shall be specified in the certificate.

(2) A certificate may be issued for a period not exceeding three years from the date of issue.

(3) When a certificate expires, the subscriber and licensed certification service provider shall cease to certify as provided under this Act and the licensed certification service provider shall be discharged of its duties based on issue in relation to the expired certificate.

(4) The expiry of a certificate shall not affect the duties and obligations of the subscriber and licensed certification service provider incurred under and in relation to the expired certificate.

75. Reliance limit.

(1) A licensed certification service provider shall, when issuing a certificate to a subscriber, specify a recommended reliance limit in the certificate.

(2) The licensed certification service provider may specify different limits in different certificates as it considers fit.

76. Liability limits for certification service providers.

Unless a licensed certification service provider waives the application of this section, a licensed certification service provider—

(a) shall not be liable for any loss caused by reliance on a false or forged digital signature of a subscriber, if, with respect to the false or forged digital signature, the licensed certification service provider complied with the requirements of this Act;

(b) shall not be liable in excess of the amount specified in the certificate as its recommended reliance limit for either—

(i) a loss caused by reliance on a misrepresentation in the certificate of any fact that the licensed certification service provider is required to confirm; or

(ii) failure to comply with sections 31 and 32 when issuing the certificate.

77. Recognition of repositories.

(1) The Controller may recognise one or more repositories, after determining that a repository to be recognised satisfies the requirements prescribed in the regulations made under this Act.

(2) The procedure for recognition of repositories shall be as prescribed by regulations made under this Act.

(3) The Controller shall publish a list of recognised repositories in such form and manner as he or she may determine.

78. Liability of repositories.

(1) Notwithstanding any disclaimer by the repository or a contract to the contrary between the repository and a licensed certification service provider or a subscriber, a repository shall be liable for a loss incurred by a person reasonably relying on an electronic signature verified by the public key listed in a suspended or revoked certificate, if loss was incurred more than one business day after receipt by the repository of a request to publish notice of the suspension or revocation and the repository had failed to publish the notice when the person relied on the digital signature.

(2) Unless waived, a recognised repository or the owner or operator of a recognised repository—

(a) shall not be liable for failure to record publication of a suspension or revocation, unless the repository has received notice of publication and one business day has elapsed since the notice was received;

(b) shall not be liable under subsection (1) in excess of the amount specified in the certificate as the recommended reliance limit;

(c) shall not be liable for misrepresentation in a certificate published by a certification service provider;

(d) shall not be liable for accurately recording or reporting information which a licensed certification service provider, a court or the Controller has published as required or permitted under this Act, including information about the suspension or revocation of a certificate; and

(e) shall not be liable for reporting information about a certification service provider, a certificate or a subscriber, if the information is published as required or permitted under this Act or is published by order of the Controller in the performance of his or her licensing and regulatory duties under this Act.

79. Recognition of date or time stamp services.

(1) The Controller may recognise one or more date or time stamp services, after determining that a service to be recognised satisfies the requirements prescribed in the regulations made under this Act.

(2) The procedure for recognising of date or time stamp services shall be as may be prescribed by regulations made under this Act.

(3) The Controller shall publish a list of recognised date or time stamp services in a form and manner as he may determine.

PART V—MISCELLANEOUS

80. Prohibition against dangerous activities

(1) A certification service provider, whether licensed or not, shall not conduct its business in a manner that creates an unreasonable risk of loss to the subscribers of the certification service provider, to persons relying on certificates issued by the certification service provider or to a repository.

(2) The Controller may publish in one or more recognised repositories brief statements advising subscribers, persons relying on digital signatures and repositories about any activities of a certification service provider, whether licensed or not, which create a risk prohibited under subsection (1).

(3) The certification service provider named in a statement as creating or causing a risk may protest the publication of the statement by filing a brief written defence.

(4) On receipt of a protest made under subsection (3), the Controller shall publish a written defence together with the Controller’s statement and shall immediately give the protesting certification service provider notice and a reasonable opportunity of being heard.

(5) Where, after a hearing, the Controller determines that the publication of the advisory statement was unwarranted, the Controller shall revoke the advisory statement.

(6) Where, after a hearing, the Controller determines that the advisory statement is no longer warranted, the Controller shall revoke the advisory statement.

(7) Where, after a hearing, the Controller determines that the advisory statement remains warranted, the Controller may continue or amend the advisory statement and may take further legal action to eliminate or reduce the risk prohibited under subsection (1).

(8) The Controller shall publish his decision under subsection (5), (6) or (7), as the case may be, in one or more recognised repositories.

81. Obligation of confidentiality

(1) Except for the purpose of this Act or for any prosecution for an offence under any written law or under an order of court, a person under any powers conferred under this Act, shall not obtain access to any electronic record, book, register, correspondence, information, document, other material or grant access to any other person.

(2) A person who contravenes subsection (1) commits an offence and is liable, on conviction, to a fine not exceeding one hundred twenty currency points or imprisonment for a term not exceeding five years or both.

82. False information.

A person who knowingly makes, orally or in writing, signs or furnishes any declaration, return, certificate or other document or information required under this Act which is false or misleading in any particular way commits an offence and is liable, on conviction, to a fine not exceeding one hundred and twenty currency points or imprisonment for a term not exceeding five years or both.

83. Offences by body corporate.

(1) Where a body corporate commits an offence under this Act, a person who at the time of the commission of the offence is a director, manager, secretary or other similar officer of the body corporate or was purporting to act in that capacity or was in any manner or to any extent responsible for the management of any of the affairs of the body corporate or was assisting in such management—

(a) may be charged severally or jointly in the same proceedings with the body corporate; and

(b) where the body corporate is convicted of the offence, such a person shall be deemed to have committed an offence unless, having regard to the nature of his functions in that capacity and to all circumstances, he proves—

(i) that the offence was committed without his knowledge, consent or connivance; and

(ii) that he took all reasonable precautions and had exercised due diligence to prevent the commission of the offence.

(2) Where a person is liable under this Act to a punishment or penalty for any act, omission, neglect or default, he or she is liable to the same punishment or penalty for every such act, omission, neglect or default of any employee or agent of his or of the employee of such agent, if the act, omission, neglect or default was committed—

(a) by his employee in the course of his employment;

(b) by the agent when acting on his behalf; or

(c) by the employee of such agent in the course of his employment by such agent or otherwise on behalf of the agent.

84. Authorised officer.

An authorised officer may exercise the powers of enforcement under this Act.

85. Power to investigate.

(1) The Controller may investigate the activities of a certification service provider material to its compliance with this Act.

(2) For the purposes of subsection (1), the Controller may issue orders to a certification service provider to further its investigation and secure compliance with this Act.

(3) Further, in any case relating to the commission of an offence under this Act, any authorised officer carrying on an investigation may exercise all or any of the special powers in relation to police investigation in all cases given by the Criminal Procedure Code.

86. Search by warrant.

(1) If it appears to a Magistrate, upon written information on oath and after such inquiry as he or she considers necessary, that there is reasonable cause to believe that an offence under this Act is being or has been committed on any premises, the Magistrate may issue a warrant authorising any police officer not below the rank of Inspector or any authorised officer named in the warrant, to enter the premises at any reasonable time by day or by night, with or without assistance and if need be by force, to search for and seize—

(a) copies of any books, accounts or other documents, including computerized data, which contain or are reasonably suspected to contain information as to any offence so suspected to have been committed;

(b) any signboard, card, letter, pamphlet, leaflet, notice or other device representing or implying that the person is a licensed certification service provider; and

(c) any other document, article or item that is reasonably believed to furnish evidence of the commission of that offence.

(2) A police officer or an authorised officer conducting a search under subsection (1) may, if in his or her opinion it is reasonably necessary to do so for the purpose of investigating into the offence, search any person who is in or on those premises.

(3) A police officer or an authorised officer making a search of a person under subsection (2) may seize, detain or take possession of any book, accounts, document, computerised data, card, letter, pamphlet, leaflet, notice, device, article or item found on that person for the purpose of the investigation being carried out by that officer.

(4) A female person shall not be searched under this section except by another female person.

(5) Where, by reason of its nature, size or amount, it is not practicable to remove any book, accounts, document, computerised data, signboard, card, letter, pamphlet, leaflet, notice, device, article or item seized under this section, the seizing officer shall, by any means, seal that book, accounts, document, computerised data, signboard, card, letter, pamphlet, leaflet, notice, device, article or item in the premises or container in which it is found.

(6) A person who, without lawful authority, breaks, tampers with or damages the seal referred to in subsection (5) or removes any book, accounts, document, computerised data, signboard, card, letter, pamphlet, leaflet, notice, device, article or item under seal or attempts to do so commits an offence.

87. Search and seizure without warrant.

If a police officer not below the rank of Inspector in any of the circumstances referred to in section 86 has reasonable cause to believe that by reason of delay in obtaining a search warrant under that section the investigation would be adversely affected or evidence of the commission of an offence is likely to be tampered with, removed, damaged or destroyed, that officer may enter the premises and exercise in, upon and in respect of the premises all the powers referred to in section 86 in as full and ample a manner as if he or she were authorised to do so by a warrant issued under that section.

88. Access to computerised data.

(1) A police officer conducting a search under section 86 or 87 shall be given unlimited access to computerised data whether stored in a computer or otherwise.

(2) For the purposes of this section, “access” includes being provided with the necessary password, encryption code, decryption code, software or hardware and any other means required to enable comprehension of computerised data.

89. List of things seized.

(1) Except as provided in subsection (2), where any book, accounts, document, computerised data, signboard, card, letter, pamphlet, leaflet, notice, device, article or item is seized under section 86 or 87, the seizing officer shall prepare a list of the things seized and immediately deliver a copy of the list signed by him or her to the occupier of the premises which have been searched or to his or her agent or servant, at those premises.

(2) Where the premises are unoccupied, the seizing officer shall post a list of things seized conspicuously on the premises and leave a copy with the local authorities.

90. Obstruction of authorised officer.

A person who obstructs, impedes, assaults or interferes in any way with any authorised officer in the performance of his functions under this Act commits an offence.

91. Additional powers.

An authorised officer may, for the purposes of the execution of this Act, to do all or any of the following—

(a) require the production of records, accounts, computerised data and documents kept by a licensed certification service provider and to inspect, examine and copy any of them;

(b) require the production of any identification document from a person in relation to any case or offence under this Act;

(c) make such inquiry as may be necessary to ascertain whether the provisions of this Act have been complied with.

92. General penalty.

(1) A person who commits an offence under this Act for which no penalty is expressly provided is liable, on conviction, to a fine not exceeding seventy two currency points or to imprisonment for a term not exceeding three years or both and in the case of a continuing offence shall in addition be liable to a daily fine not exceeding two currency points for each day the offence continues.

(2) For the purposes of this section, “this Act” does not include the regulations made under this Act.

93. Institution and conduct of prosecution.

(1) A prosecution under this Act shall not be instituted except by or with the consent of the Director of Public Prosecution, but a person charged with such an offence may be arrested or a warrant for his or her arrest issued and executed and the person may be detained or released on police bond, notwithstanding that the consent of the Director of Public Prosecution to the institution of a prosecution for the offence has not yet been obtained, but no further or other proceedings shall be taken until that consent has been obtained.

(2) An officer of the Controller duly authorised in writing by the Director of Public Prosecutions may conduct the prosecution for any offence under this Act.

94. Jurisdiction to try offences.

Notwithstanding any written law to the contrary, a Magistrate Grade I shall have jurisdiction to try an offence under this Act and to impose the full punishment for the offence.

95. Protection of officers.

An action or prosecution shall not be brought, instituted or maintained in a court against the Controller or any officer duly authorised under this Act for or on account of or in respect of any act ordered or done for the purpose of carrying into effect this Act.

96. Limitation on disclaiming or limiting application of Act.

Unless it is expressly provided for under this Act, a person shall not disclaim or contractually limit the application of this Act.

97. Regulations.

(1) The Minister may on the recommendation of the Controller make regulations for all or any of the following purposes—

(a) prescribing the qualification requirements for certification service providers;

(b) prescribing the manner of applying for licences and certificates under this Act, the particulars to be supplied by an applicant, the manner of licensing and certification, the fees payable therefor, the conditions or restrictions to be imposed and the form of licences and certificates;

(c) regulating the operations of licensed certification service provider;

(d) prescribing the requirements for the content, form and sources of information in certification service provider disclosure records, the updating and timeliness of such information and other practices and policies relating to certification service provider disclosure records;

(e) prescribing the form of certification practice statements;

(f) prescribing the qualification requirements for auditors and the procedure for audits;

(g) prescribing the requirements for repositories and the procedure for recognition of repositories;

(h) prescribing the requirements for date and time stamp services and the procedure for recognition of date and time stamp services;

(i) prescribing the procedure for the review of software for use in creating digital signatures and of the applicable standards in relation to digital signatures and certification practice and for the publication of reports on such software and standards;

(j) prescribing the forms for the purposes of this Act;

(k) prescribing the fees and charges payable under this Act and the manner for collecting and disbursing the fees and charges;

(l) providing for such other matters as are contemplated by or necessary for giving full effect to, the provisions of this Act and for their due administration.

(2) Regulations made under subsection (1) may prescribe any act in contravention of the regulations to be an offence and may prescribe in relation to the offence, penalties not exceeding a fine of seventy two currency points or imprisonment for three years or both.

98. Compensation.

Where a person is convicted under this Act, the court shall in addition to the punishment provided therein, order such person to pay by way of compensation to the aggrieved party, such sum as is in the opinion of the court just, having regard to the loss suffered by the aggrieved party; and such order shall be a decree under the provisions of the Civil Procedure Act, and shall be executed in the manner provided under that Act.

99. Power of Minister to amend the Schedule.

The Minister may, with the approval of Cabinet, by statutory instrument, amend the Schedule to this Act.

100. Savings and transitional provisions.

(1) A certification service provider that has been carrying on or operating as a certification service provider before the commencement of this Act shall, not later than three months from the commencement, obtain a licence under this Act.

(2) Where a certification service provider referred to in subsection (1) fails to obtain a licence after the period prescribed in subsection (1), it shall be taken to be an unlicensed certification service provider and the provisions of this Act shall apply to it and a certificate issued by it accordingly.

(3) Where a certification service provider referred to in subsection (1) has obtained a licence in accordance with this Act within the period prescribed in subsection (1), all certificates issued by that certification service provider before the commencement of this Act, to the extent that they are not inconsistent with this Act, shall be taken to have been issued under this Act and shall have effect accordingly.

SCHEDULE

Section 2

CURRENCY POINT

One currency point is equivalent to twenty thousand shillings.