ELECTRONIC COMMUNICATIONS AND TRANSACTIONS: SUBSIDIARY LEGISLATION

INDEX TO SUBSIDIARY LEGISLATION

Electronic Communications and Transactions Regulations

ELECTRONIC COMMUNICATIONS AND TRANSACTIONS REGULATIONS

 

(under section 47)

 

(8th April, 2016)

 

ARRANGEMENT OF REGULATIONS

 

REGULATION

 

 

 

   1.   Citation

 

   2.   Interpretation

 

   3.   Application for registration as certification service provider

 

   4.   Issuance of certificate

 

   5.   Renewal of certificate

 

   6.   Refusal to grant or renew accreditation

 

   7.   Revocation, suspension or cancellation

 

   8.   Appeal

 

   9.   Recognition of secure electronic signatures

 

   10.   Audit report

 

   11.   Certification of practice statement

 

   12.   Maintenance of register

 

   13.   Conduct of business

 

   14.   Change in ownership, management, etc. of certification service provider

 

   15.   Review and audits

 

   16.   Inquiry into allegations of misconduct, etc.

 

   17.   Take-down notifications

 

   18.   Complaints relating to contravention of Act

 

      SCHEDULE

 

 

S.I. 42, 2016.

 

1.   Citation

   These Regulations maybe be cited as the Electronic Communications and Transactions Regulations.

 

2.   Interpretation

In these Regulations, unless the context otherwise provides-

   "accreditation" means accreditation granted under regulation 4;

   "accredited certification service provider" means a certification service provider accredited under these Regulations;

   "ACS Compliance Checklist" means the Accredited Certification Service Standards published by the Communications Regulatory Authority for compliance audit purposes;

   "ACS Standards" means the Accredited Certification Service Standards;

   "certification practice statement" means a statement issued by a certification service provider specifying the process of issuing certificates;

   "Communications Regulatory Authority" means the Communications Regulatory Authority established under section 3 of the Communications Regulatory Authority Act;

   "key personnel" means employees who have direct responsibility for the day to day operations, security and performance of a certification service provider, or whose duties directly involve the issuance, renewal, suspension, revocation of certificates, the process of identification of any person requesting a certificate, the creation of private keys or the administration of the certification service providers computing facilities;

   "qualifying certificate" means a certificate which conforms with the requirements set out in Schedule 2;

   "qualifying certification service provider" means a certification service provider who satisfies the requirements set out in Schedule 2;

   "qualifying signature verification device" means a signature creation service which conforms with the requirements set out in Schedule 2;

   "signatory" means a person who holds a signature creation device and acts either on his or her own behalf or on behalf of another person;

   "signature creation data" means unique data such as codes or private cryptographic keys used by the signatory to create an electronic signature;

   "signature creation device" means configured software or hardware used to implement the signature creation data;

   "signature verification data" means data such as codes or public cryptographic keys used for the purpose of verifying an electronic signature; and

   "standard end-user agreement" means an agreement between the accredited certification service provider and its customer for the provision of secure electronic signatures.

 

3.   Application for registration as certification service provider

   (1) A person who wishes to operate as a certification service provider shall make an application for accreditation to the Communications Regulatory Authority in Form A set out in Schedule 1, accompanied by a non-refundable fee of P10 000.

   (2) Any person who has been operating as a certification service provider shall notify the Communications Regulatory Authority within six months from the coming into operation of these Regulations.

   (3) A certification service provider who contravenes any provision of this regulation is liable to a fine not exceeding P5 000.

 

4.   Issuance of certificate

   (1) The Communications Regulatory Authority shall where an application made under regulation 3 meets all the requirements, issue a certificate of accreditation in Form B set out in Schedule 1.

   (2) An accreditation certificate issued in terms of this regulation shall be valid for a period of two years.

   (3) A certification service provider shall, at all times, display a certificate of accreditation issued under subregulation (1) in a conspicuous manner in its place of business.

 

5.   Renewal of certificate

   (1) An accredited certification service provider shall not later than three months before the date of expiry of the accreditation make an application to the Communications Regulatory Authority for the renewal of accreditation.

   (2) An application for renewal shall be made to the Communications Regulatory Authority in Form A set out in Schedule 1 and shall be accompanied by-

 

   (a)   a renewal fee of P5 000;

 

   (b)   the latest version of the certification practice statement;

 

   (c)   a copy of the latest version of the standard end-user agreement;

 

   (d)   the audited financial statements of the two previous years;

 

   (e)   an audited report; and

 

   (f)   any other information as the Communications Regulatory Authority may request.

   (3) The Communications Regulatory Authority may grant a renewal certificate for accreditation where it is satisfied that the applicant-

 

   (a)   meets the requirements of these Regulations; and

 

   (b)   has complied with conditions imposed on the accreditation.

   (4) An application for renewal shall be considered by the Communications Regulatory Authority within two months from the date of submission of the application.

 

6.   Refusal to grant or renew accreditation

   (1) The Communications Regulatory Authority may refuse to grant or renew accreditation where-

 

   (a)   the certification service provider-

 

      (i)   has not complied with any provisions of the Act or of these Regulations or of the ACS Standards,

 

      (ii)   has not provided the Communications Regulatory Authority with the requested information for the application or the renewal of accreditation,

 

      (iii)   is wound up or liquidated, or

 

      (iv)   has within a period of 10 years immediately preceding the date of his or her accreditation been convicted, whether in Botswana or elsewhere of an offence involving fraud or dishonesty or has been convicted of an offence under the Act or these Regulations;

 

   (b)   it is not satisfied with-

 

      (i)   the qualifications or experience of the certification service provider's key personnel,

 

      (ii)   the financial standing of the certification service provider or of its significant owners, or

 

      (iii)   the record of past performance or expertise of the certification service provider or of its personnel;

 

   (c)   it has reason to believe that the certification service provider may not be able to act in the best interest of its subscribers or customers having regard to the reputation, character, financial integrity and reliability of the certification service provider or any of its significant owners or key personnel;

 

   (d)   the certification service provider or any of its owners or key personnel is found guilty of misconduct of business; or

 

   (e)   it is of the opinion that it is in the interest of the public to do so.

   (2) The Communications Regulatory Authority shall inform the certification service provider of the reasons to refuse to grant or renew accreditation.

 

7.   Revocation, suspension or cancellation

   The Communications Regulatory Authority may revoke, cancel or suspend accreditation of a certification service provider-

 

   (a)   where it is of the view that the information provided is false, misleading or inaccurate;

 

   (b)   where the certification service provider-

 

      (i)   fails to undergo an audit required under regulation 15(1),

 

      (ii)   is likely to be wound up,

 

      (iii)   fails to carry on the business for which it was accredited, or

 

      (iv)   contravenes or fails to comply with any condition in respect of its accreditation;

 

   (c)   where the Communications Regulatory Authority has reason to believe that the certification service provider or any of its key personnel has not performed their duties efficiently, honestly or fairly; or

 

   (d)   upon receipt of a written request by the certification service provider to cancel, revoke or suspend the accreditation.

 

8.   Appeal

   Any person aggrieved by the decision of the Communications Regulatory Authority may within 30 days of the decision appeal to the High Court.

 

9.   Recognition of secure electronic signatures

   (1) A certification service provider who wishes to provide products or services required to authenticate and recognise secure electronic signatures shall make an application for accreditation to the Communications Regulatory Authority in Form A set out in Schedule 1, accompanied by-

 

   (a)   a non-refundable fee of P10 000;

 

   (b)   the service providers certification practice statement and certification policy;

 

   (c)   a copy of the standard end-user agreement;

 

   (d)   a business plan;

   (e)      the audited financial statements from the two previous years issued by an auditor appointed under the Accountants Act; and

 

   (f)   any other information as the Communications Regulatory Authority may request.

   (2) The Communications Regulatory Authority shall consider an application made under subregulation (1) within three months of receipt of the application.

   (3) Where the Communications Regulatory Authority has requested for additional information or any clarification, the three months for consideration of the application shall run from the date of the submission of the additional information.

   (4) The Communications Regulatory Authority may award accreditation subject to such conditions as it may deem fit.

 

10.   Audit report

   (1) An accredited certification service provider shall provide an audit report compiled by an auditor appointed by the Communications Regulatory Authority.

   (2) All fees relating to the audit report shall be borne by the certification service provider.

   (3) The audit report shall, confirm in respect of-

 

   (a)   an electronic signature that it-

 

      (i)   conforms with the requirements of section 25 of the Act and is capable of identifying the signatory,

 

      (ii)   is created by qualifying signature creation and signature verification devices,

 

      (iii)   is based on a qualifying certificate, and

 

      (iv)   complies with the international standards with which the certification service provider claims in its application for accreditation; and

 

   (b)   a certification service provider that it-

 

      (i)   satisfies the requirements set out in Schedule 2,

 

      (ii)   has systems in place to ensure compliance with the Act and these Regulations,

 

      (iii)   has sufficient financial resources to provide for professional indemnity or insurance cover, and

 

      (iv)   has personnel who satisfy the requirements set out in Schedule 2.

This section of the article is only available for our subscribers. Please click here to subscribe to a subscription plan to view this part of the article.

Please click here to login

<hr{/mprestriction}