§ Mr. ClappisonTo ask the Chancellor of the Exchequer (1) whether the use of Digicerts supplied by Equifax to UK firms must comply with USA export law and regulations, with particular reference to those imposing trade sanctions on other countries. [77126]
(2)what assessment he has made of the legal liability of those using Digicerts; [77130]
(3)whether the Government have carried out an audit of Equifax data systems; [77124]
(4) if he will make a statement on the award of the contract to Equifax as a supplier of Digital certificates; [77128]
(5) what representations he has received concerning the New Export System for non-European Community exports; [77132]
(6) what assessment he has made of the application of the provisions of the Data Protection Act 1998 to information supplied under the New Export System; and what assessment he has made of the compliance of the Equifax digital application procedure with the Act; [77123]
(7) what agreements must be entered into by those applying for Digicerts from Equifax and whether (a) UK and (b) US law governs the use of Digicerts supplied to UK companies by Equifax; [77127]
(8) whether (a) individuals and (b) organisations may apply for Digicerts; [77131]
(9) whether Digicerts supplied to UK companies by Equifax can be used in the course of exports to (a) Cuba and (b) Iran; [77125]
(10) what information must be supplied by applicants for Digicerts; and what protection is given concerning the use of such information; [77129]
(11) what assessment he has made of the role of Digital Certificates in the new export system; and if he will list Government approved Digicert-issuing bodies. [77133]
§ John HealeyCustoms and Excise's New Export System (NES) went live at all Maritime and Inland locations (including Inland Clearance Depots) throughout the UK on 27 October 2002. NES is606W electronic-based system which enables exporters and agents to send their export declarations to Customs electronically.
It replaces the current paper-based system, facilitates legitimate trade and helps combat VAT and Excise fraud. NES provides a number of tailored models and procedures to meet the needs of different trade sectors. It will allow Customs to target their controls more effectively and therefore minimise disruption to legitimate trade; and there will be a reduction in the time it takes to process an export declaration.
The legal basis for the information supplied by exporters and their agents under NES is the Community Customs Code (Council Regulation (EEC) 2913/92) and the Implementing Regulation (Commission Regulation (EEC) 2454/93). Article 15 of the Community Customs Code imposes an obligation of privacy on customs authorities. NES complies with the Data Protection Act (DPA) 1998.
The Paymaster General received one representation on NES from the British International Freight Association (BIFA) on 20 December last year, to which the Financial Secretary replied on 24 January 2002.
To operate the New Export System electronically a digital certificate may be required. Either an individual or an organisation may apply for a digital certificate. Customs require Level 2 Security to meet authentication and non-repudiation requirements for all non-European Community declarations made via the world wide web to their export declaration processing system.
The policy of the e-Envoy's Office is that Level 2 security requirements should be met by use of digital certificates. Customs have adopted the e-Envoy's Office's policy for Level 2. Agreements concerning digital certificates are a contractual matter between the issuer and applicant; the Electronic Communications Act 2000 and the EU Electronic Signatures Directive determine the general legal admissibility of digital certificates.
The Government do not approve or carry out audits of digital certificate providers, but it encourages them to seek approval from tScheme, a voluntary, not-for-profit, industry-led body or an equivalent approval scheme. Equifax is one of several digital certificate suppliers undergoing tScheme accreditation. tScheme is the organisation set up to create strict service criteria and to approve electronic trust services, including qualified certificate services. Any digital certificate provider that meets the tScheme requirements and is technically compatible is able to supply digital certificates that can be used with the Government Gateway. Other providers are ChamberSign and BT Trust Services (available from mid-November 2002).
The only contract between these digital certificate providers and the UK Government are a standard "relying party agreement". This contract ensures that each provider supplies up-to-date lists of all digital certificate holders so that the UK Government can verify their identities when transacting through the Government Gateway.
607WThe information supplied by applicants will depend on the certificate issuer and the intended use of the certificate. Any personal information provided and not intended for public access is covered by the DPA. It is not the Government's role to make assessments on the compliance of certificate issuers with the DPA but they are bound by its requirements.
Whether or not a digital certificate complies with US export laws is a matter for the firm and the issuer of the certificate, not the UK Government. The certificate policy should make clear the extent of any liability of the certificate issuer to the certificate relying party. This is a matter for the certificate issuer and the applicant.