ACTS SUPPLEMENT No. 4 18th March, 2011.
ACTS SUPPLEMENT to The Uganda Gazette No. 19 Volume CIV dated 18th March, 2011. Printed by UPPC, Entebbe, by Order of the Government.
Act 7 Electronic Signatures Act 2011
THE ELECTRONIC SIGNATURES ACT, 2011.
ARRANGEMENT OF SECTIONS
Section.
Part I—Preliminary
1. Commencement
2. Interpretation
3. Equal treatment of signature technologies
Part II—Electronic Signatures
4. Compliance with a requirement for a signature.
5. Conduct of the signatory.
6. Variation by agreement.
7. Conduct of the relying party.
8. Trustworthiness.
9. Conduct of the certification service provider.
10. Advanced signatures.
11. Secure electronic signature.
12. Presumptions relating to secure and advanced electronic signatures.
Part III—Secure Digital Signatures
13. Secure digital signatures.
14. Satisfaction of signature requirements.
15. Unreliable digital signatures.
16. Digitally signed document taken to be written document.
17. Digitally signed document deemed to be original document.
18. Authentication of digital signatures.
19. Presumptions in adjudicating disputes.
Part IV—Public Key Infrastructure
20. Sphere of application.
21. Designation of Controller.
22. Certification service providers to be licensed.
23. Qualifications of certification service providers.
24. Functions of licensed certification service providers.
25. Application for licence.
26. Grant or refusal of licence.
27. Revocation of licence.
28. Appeal.
29. Surrender of licence.
30. Effect of revocation, surrender or expiry of licence.
31. Effect of lack of licence.
32. Return of licence.
33. Restricted licence.
34. Restriction on use of expression “certification service provider”.
35. Renewal of licence.
36. Lost licence.
37. Recognition of other licenses.
38. Performance audit.
39. Activities of certification service providers.
40. Requirement to display licence.
41. Requirement to submit information on business operations.
42. Notification of change of information.
43. Use of trustworthy systems.
44. Disclosures on inquiry.
45. Prerequisites to issue of certificate to subscriber.
46. Publication of issued and accepted certificate.
47. Adoption of more rigorous requirements permitted.
48. Suspension or revocation of certificate for faulty issuance.
49. Suspension or revocation of certificate by order.
50. Warranties to subscriber.
51. Continuing obligations to subscriber.
52. Representations upon issuance.
53. Representations upon publications.
54. Implied representations by subscriber.
55. Representations by agent of subscriber.
56. Disclaimer or indemnity limited.
57. Indemnification of certification service provider by subscriber
58. Certification of accuracy of information given
59. Duty of subscriber to keep private key secure
60. Property in private key
61. Fiduciary duty of a certification service provider
62. Suspension of certificate by certification service provider
63. Suspension of certificate by Controller
64. Notice of suspension
65. Termination of suspension initiated by request
66. Alternate contractual procedures
67. Effect of suspension of certificate
68. Revocation of request
69. Revocation on subscriber’s demise
70. Revocation of unreliable certificates
71. Notice of revocation
72. Effect of revocation request on subscriber
73. Effect of notification on certification service provider
74. Expiration of certificate
75. Reliance limit
76. Liability limits for certification service providers
77. Recognition of repositories
78. Liability of repositories
79. Recognition of date/time stamp services
Part V—Miscellaneous
80. Prohibition against dangerous activities
81. Obligation of confidentiality
82. False information
83. Offences by body corporate
84. Authorised officer
85. Power to investigate
86. Search by warrant
87. Search and seizure without warrant
88. Access to computerised data
89. List of things seized
90. Obstruction of authorised officer
91. Additional powers
92. General penalty
93. Instruction and conduct of prosecution
94. Jurisdiction to try offences
95. Prosecution of officers
96. Limitation on disclaiming or limiting application of the Act
97. Regulations
98. Compensation
Power of Minister to amend First Schedule.
Savings and transitional provisions.
SCHEDULE
Currency point.
THE ELECTRONIC SIGNATURES ACT, 2011.
An Act to make provision for and to regulate the use of electronic signatures and to provide for other related matters.
Date of Assent: 17th February, 2011.
Date of Commencement: See section 1.
Be it enacted by Parliament as follows:
Part I—Preliminary
This Act shall come into force on a date appointed by the Minister by statutory instrument.
In this Act, unless the context otherwise requires— “accept a certificate” means—
“advanced electronic signature” means an electronic signature, which is—
“asymmetric cryptosystem” means an algorithm or series of algorithms, which provide a secure key pair;
“authorised officer” means the Controller or a police officer or a public officer performing any functions under this Act; and includes any public officer authorised by the Minister or by the controller to perform any functions under this Act;
“certificate” means a data message or other records confirming the link between a signatory and a signature creation data;
“certification service provider disclosure record” means an online and publicly accessible record that concerns a licensed certification service provider, which is kept by the Controller under subsection 21(5);
“certification practice statement” means a declaration of the practices, which a certification service provider employs in issuing certificates generally or employs in issuing a particular certificate;
“certification service provider” means a person that issues certificates and may provide other services related to electronic signatures;
“certify” means to declare with reference to a certificate, with ample opportunity to reflect and with a duty to apprise oneself of all material facts;
“confirm” means to ascertain through diligent inquiry and investigation;
“Controller” means National Information Technology Authority-Uganda;
“correspond”, with reference to keys, means to belong to the same key pair;
“currency point” has the meaning assigned to it in the Schedule in this Act;
“digital signature” means a transformation of a message using an asymmetric cryptosystem such that a person having the initial message and the signer’s public key can accurately determine—
“electronic signature” means data in electronic form affixed to or logically associated with a data message, which may be used to identify the signatory in relation to the data message and indicate the signatory’s approval of the information contained in the data message; and includes an advance electronic signature and the secure signature;
“electronic signature product” means configured hardware or software or relevant components of it, which are intended to be used by a certification service provider for the provision of electronic signature services or are intended to be used for the creation or verification of electronic signatures;
“forge a digital signature” means—
“hold a private key” means to be able to utilise a private key;
“incorporate by reference” means to make one message a part of another message by identifying the message to be incorporated and expressing the intention that it be incorporated;
“issue a certificate” means the act of a certification service provider in creating a certificate and notifying the subscriber listed in the certificate of the contents of the certificate;
“key pair” means a private key and its corresponding public key in an asymmetric cryptosystem, where the public key can verify a digital signature that the private key creates;
“licensed certification service provider” means a certification service provider to whom a licence has been issued by the Controller and whose licence is in effect;
“message” means a digital representation of information;
“Minister” means the Minister responsible for information and communication technology;
“notify” means to communicate a fact to another person in a manner reasonably likely under the circumstances to impart knowledge of the information to the other person;
“person” includes any company or association or body of persons corporate or unincorporate;
“prescribed” means prescribed by or under this Act or any regulations made under this Act;
“private key” means the key of a key pair used to create a digital signature;
“public key” means the key of a key pair used to verify a digital signature and listed in the digital signature certificate;
“public key infrastructure” means a framework for creating a secure method for exchanging information based on public key cryptography;
“publish” means to record or file in a repository;
“qualified certification service provider” means a certification service provider that satisfies the requirements under section 23;
“recipient” means a person who receives or has a digital signature and is in a position to rely on it;
“recognised date or time stamp service” means a date/time stamp service recognised by the Controller under section 79;
“recognised repository” means a repository recognised by the Controller under section 77;
“recommended reliance limit” means the monetary amount recommended for reliance on a certificate under section 76;
“relying party” means a person that may act on the basis of a certificate or an electronic signature;
“repository” means a system for storing and retrieving certificates and other information relevant to digital signatures;
“revoke a certificate” means to make a certificate ineffective permanently from a specified time forward;
“rightfully hold a private key” means to be able to utilise a private key—
“security procedure” means a procedure for the purpose of—
“secure signature creation device” means a signature creation device which meets the requirements laid down in section 4;
“signatory” means a person that holds signature creation data and acts either on its own behalf or on behalf of the person it represents;
“signature creation device” means configured software or hardware, used by the signatory to create an electronic signature;
“signature verification data” means unique data such as codes or public cryptographic keys, used for the purpose of verifying an electronic signature;
“signature verification device” means configured software or hardware, used for the purpose of verifying an electronic signature;
“signed” or “signature” and its grammatical variations includes any symbol executed or adapted or any methodology or procedure employed or adapted, by a person with the intention of authenticating a record, including an electronic or digital method;
“subscriber” means a person who—
“suspend a certificate” means to make a certificate ineffective temporarily for a specified time forward;
“this Act” includes any regulations made under this Act;
“time-stamp” means—
“transactional certificate” means a certificate, incorporating by reference one or more digital signatures, issued and valid for a specific transaction;
“trustworthy system” means computer hardware and software which—
“valid certificate” means a certificate which—
but a transactional certificate is a valid certificate only in relation to the digital signature incorporated in it by reference;
“verify a digital signature” means, in relation to a given digital signature, message and public key, to determine accurately that—
“writing” or “written” includes any handwriting, typewriting, printing, electronic storage or transmission or any other method of recording information or fixing information in a form capable of being preserved.
Nothing in this Act shall be applied so as to exclude, restrict or deprive of legal effect any method of creating an electronic signature that satisfies the requirements for a signature in this Act or otherwise meets with the requirements of any other applicable law.
(1) Where signature creation data can be used to create a signature that has legal effect, each signatory shall—
The provisions of this Act may be derogated from or their effect may be varied by agreement unless that agreement would not be valid or effective under any law.
A relying party shall bear the legal consequences of his or her failure to—
When determining whether or to what extent any systems, procedures and human resources utilised by a certification service provider are trustworthy, regard may be had to the following factors—
Where, through the application of a prescribed security procedure or a commercially reasonable security procedure agreed to by the parties involved, an electronic signature is executed in a trustworthy manner, reasonably and in good faith relied upon by the relying party, that signature shall be treated as a secure electronic signature at the time of verification to the extent that it can be verified that the electronic signature satisfied, at the time it was made, the following criteria—
signatures.
Part III—Secure Digital Signatures
When a portion of an electronic record is signed with a digital signature the digital signature shall be treated as a secure electronic signature in respect of that portion of the record, if—
(a) that digital signature is verified by reference to the public
that digital signature was affixed by the signer with the
the recipient has no knowledge or notice that the signer—
A copy of a digitally signed message shall be as valid, enforceable and effective as the original of the message unless it is evident that the signer designated an instance of the digitally signed message to be a unique original, in which case only that instance constitutes the valid, enforceable and effective message.
A certificate issued by a licensed certification service provider shall be an acknowledgement of a digital signature verified by reference to the public key listed in the certificate, regardless of whether words of an express acknowledgement appear with the digital signature and regardless of whether the signer physically appeared before the licensed certification service provider when the digital signature was created, if that digital signature is—
In adjudicating a dispute involving a digital signature, a court shall presume—
(aa) has breached a duty as a subscriber; or (ab) does not rightfully hold the private key used to affix the digital signature; and
Part IV—Public Key Infrastructure (PKI)
This Part applies to digital signatures or signatures that are able to use the public key infrastructure (PKI).
may appeal in writing to the Minister within thirty days from the date on which the notice of refusal or revocation is served on that person.
A certification service provider shall at all times display its license in a conspicuous place at its place of business and on its website.
issuance signed by the prospective subscriber; and
Nothing in sections 31 and 32 shall preclude a certification service provider from conforming to standards, certification practice statements, security plans or contractual requirements more rigorous than, but nevertheless consistent with, this Act.
Unless the subscriber and certification service provider otherwise agree, a certification service provider, by issuing a certificate, promises to the subscriber—
By issuing a certificate, a certification service provider certifies to all who reasonably rely on the information contained in the certificate that—
By publishing a certificate, a certification service provider certifies to the repository in which the certificate is published and to all who reasonably rely on the information contained in the certificate that the licensed certification service provider has issued the certificate to the subscriber.
By accepting a certificate issued by a certification service provider, the subscriber listed in the certificate certifies to all who reasonably rely on the information contained in the certificate that—
By requesting on behalf of a principal the issue of a certificate naming the principal as subscriber, the requesting person certifies in that person’s own right to all who reasonably rely on the information contained in the certificate that the requesting person—
A person shall not disclaim or contractually limit the application of this part, nor obtain indemnity for its effects, if the disclaimer, limitation or indemnity restricts liability for misrepresentation as against persons reasonably relying on the certificate.
When obtaining information from a subscriber which is material to the issue of a certificate, the certification service provider may require the subscriber to certify the accuracy of the relevant information under oath or affirmation.
By accepting a certificate issued by a certification service provider, the subscriber named in the certificate assumes a duty to exercise reasonable care to retain control of the private key and prevent its disclosure to any person not authorised to create the subscriber’s digital signature.
A private key is the personal property of the subscriber who rightfully holds it.
Where a certification service provider holds the private key corresponding to a public key listed in a certificate which it has issued, the certification service provider shall hold the private key as a fiduciary of the subscriber named in the certificate and may use that private key only with the subscriber’s prior written approval, unless the subscriber expressly and in writing grants the private key to the licensed certification service provider and expressly and in writing permits the licensed certification service provider to hold the private key according to other terms.
A certification service provider shall terminate a suspension initiated by request—
Nothing in this Part shall release the subscriber from the duty under section 47 to keep the private key secure while a certificate is suspended.
A licensed certification service provider shall revoke a certificate which it issued—
Where a subscriber has requested for the revocation of a certificate, the subscriber ceases to certify as provided in Part IV and has no further duty to keep the private key secure as required under section 59—
Upon notification as required under section 71, a certification service provider shall be discharged of its warranties based on issue of the revoked certificate and ceases to certify as provided in sections 22 and 24 in relation to the revoked certificate.
Unless a licensed certification service provider waives the application of this section, a licensed certification service provider—
certificate of any fact that the licensed certification service provider is required to confirm; or
the certificate.
Part V—Miscellaneous
A person who knowingly makes, orally or in writing, signs or furnishes any declaration, return, certificate or other document or information required under this Act which is false or misleading in any particular way commits an offence and is liable, on conviction, to a fine not exceeding one hundred and twenty currency points or imprisonment for a term not exceeding five years or both.
An authorised officer may exercise the powers of enforcement under this Act.
If a police officer not below the rank of Inspector in any of the circumstances referred to in section 86 has reasonable cause to believe that by reason of delay in obtaining a search warrant under that section the investigation would be adversely affected or evidence of the commission of an offence is likely to be tampered with, removed, damaged or destroyed, that officer may enter the premises and exercise in, upon and in respect of the premises all the powers referred to in section 86 in as full and ample a manner as if he or she were authorised to do so by a warrant issued under that section.
A person who obstructs, impedes, assaults or interferes in any way with any authorised officer in the performance of his functions under this Act commits an offence.
An authorised officer may, for the purposes of the execution of this Act, do all or any of the following—
Notwithstanding any written law to the contrary, a Magistrate Grade I shall have jurisdiction to try an offence under this Act and to impose the full punishment for the offence.
An action or prosecution shall not be brought, instituted or maintained in a court against the Controller or any officer duly authorised under this Act for or on account of or in respect of any act ordered or done for the purpose of carrying into effect this Act.
Unless it is expressly provided for under this Act, a person shall not disclaim or contractually limit the application of this Act.
(j) prescribing the forms for the purposes of this Act; (k) prescribing the fees and charges payable under this Act and the manner for collecting and disbursing the fees and charges;
Where a person is convicted under this Act, the court shall in addition to the punishment provided therein, order such person to pay by way of compensation to the aggrieved party, such sum as is in the opinion of the court just, having regard to the loss suffered by the aggrieved party; and such order shall be a decree under the provisions of the Civil Procedure Act, and shall be executed in the manner provided under that Act.
The Minister may, with the approval of Cabinet, by statutory instrument, amend the Schedule to this Act.
SCHEDULE
Section 2
CURRENCY POINT
One currency point is equivalent to twenty thousand shillings.