Part I Cryptography Service Providers
Section 1: Register of approved providers
21.This section places a duty on the Secretary of State to establish and maintain a register of approved providers of cryptography support services, and specifies what information is to be contained in the register. The section also requires the Secretary of State to make arrangements for the public to have access to the register and for any changes to the information in the register to be publicised.
cryptography support services are defined in section 6.
22.The main purpose of the register is to ensure that providers on the register have been independently assessed against particular standards of quality, in order to encourage the use of their services, and hence the development of electronic commerce and electronic communication with Government.
23.Where two people are communicating electronically, it may be necessary for one person to rely on the services provided to the other: for example, where the first person receives a communication which purports to have been signed electronically by the other.
a definition of electronic signature is given in section 7(2).
24.The register is voluntary: no provider is obliged to apply for approval and a provider who is not on the register is at liberty to provide cryptography services.
Section 2: Arrangements for the grant of approvals
25.This section places a duty on the Secretary of State to ensure that there are arrangements in force for granting approval, handling complaints and disputes and modifying or withdrawing approval.
26.Subsection (1) places a duty on the Secretary of State to ensure that there are arrangements for granting approvals for any person providing, or proposing to provide, cryptography support services in the United Kingdom, and applying to be approved.
The provision of cryptography support services in the United Kingdom is described in subsection (10) of section 2.
27.Subsection (2) sets out what the arrangements for approvals are to achieve.
28.Subsection (3) says what the Secretary of State must be satisfied about in order to grant an approval. The Secretary of State is given the power to set requirements (e.g. relating to the technology provided, to the person himself and his background and experience, and the way he provides the technology to the public) by regulation, and also to impose conditions on the approval. Subsection (5) of section 5 provides that the Secretary of State must consult before making regulations imposing requirements. The Secretary of State must also be satisfied that the person is fit and proper to be approved. Relevant factors include any known contraventions of provisions of this legislation, and convictions for offences involving fraud or dishonesty, or engaging in discriminatory practices, or engaging in deceitful, oppressive, unfair or improper business practices.
29.Subsection (4) allows for regulations made by virtue of subsection (3)(a) or (b) to frame the requirement for compliance with these requirements by reference to the opinion of a person specified, either in the regulations or chosen in a manner set out in the regulations.
30.Subsection (5) specifies the nature of the requirements which may be imposed as conditions of an approval, subject to the limits in subsection (6).
31.Subsection (7) provides for the enforcement of any requirement to provide information imposed by the conditions of an approval by the Secretary of State in civil proceedings.
32.Subsections (8) and (9) make provision about the payment of fees.
33.Subsection (10) sets out what is meant by cryptography support services being provided in the United Kingdom.
34.The arrangements for approvals, outlined above, envisage providers requesting approval for one or a number of different cryptography support services. The granting of such an approval would depend on the applicant meeting the conditions specified in the relevant regulations.
Section 3: Delegation of approval functions
35.This section enables the Secretary of State to delegate the approvals functions set out in sections 1 and 2 to any person. Subsection (4) provides that where the functions are delegated to a statutory body or office holder, the statutes relating to their original functions shall be regarded as including the new functions so delegated. Subsection (5) enables the Secretary of State to modify enactments by order, and subsection (6) provides that the order required to do this will be subject to affirmative resolution procedure in both Houses of Parliament.
Section 4: Restrictions on disclosure of information
36.This section protects certain information obtained under Part I, sets out the purposes for which it may be disclosed (e.g. in order to carry out the approvals functions, for a criminal investigation or for those civil proceedings specified in subsection (2)(e)) and makes improper disclosure a criminal offence. It safeguards individual privacy and commercially confidential information, except where disclosure is justifiable.
37.There is no restriction on who may make the disclosure or to whom it may be made, provided that the purpose is proper.
Section 5: Regulations under Part I
38.This section makes further provision relating to the regulations the Secretary of State may make under Part I and contains standard provisions commonly accorded to powers to make subordinate legislation, such as an ability to make supplementary provision. The regulations will be subject to affirmative resolution procedure in both Houses of Parliament the first time the Secretary of State exercises his powers to make regulations under this Part. They will subsequently be subject to negative resolution procedure in both Houses of Parliament.
prescribed is defined in this Part as meaning prescribed by regulations made by the Secretary of State, or determined in such a manner as may be provided for in any such regulations.
Section 6: Provision of cryptography support services
39.This section provides for the interpretation of various terms used in Part I of the Act.
The cryptography support services that may be approved under the arrangements described above are defined to include those relating to:
confidentiality, i.e. securing that such electronic communications or data can be accessed, or can be put into an intelligible form (defined in section 15(3)), only by certain persons;
securing that the authenticity or integrity (both defined in section 15(2) of electronic communications or data is capable of being ascertained, i.e. relating to an electronic signature.
40.Subsection (2) makes it clear that the approval scheme for cryptography support services includes only those services that primarily involve a continuing relationship between the supplier of the service and the customer. The scheme does not cover the supply of an item (whether software or hardware) unless such a supply is integral to the provision of the service itself.
41.Cryptography support services, falling within the scope of this section, would include registration and certification in relation to certificates, time-stamping of certificates or documents, key generation and management, key-storage and providing directories of certificates.
