1. Introduction

Protection of privacy of the individuals' personal data is governed by the Personal Data (Privacy) Ordinance (Cap.486). Digi-Sign is a data user in terms of the provisions of the Personal Data (Privacy) Ordinance (Cap.486) (the "Ordinance"). Digi-Sign is committed to complying with the Ordinance and to upholding the data protection principles.

2. Privacy Policy

Digi-Sign adopts a framework for protecting the privacy of individuals' personal data. This framework addresses the requirements of the Ordinance, and provides Digi-Sign personnel with clear and practical guidelines in their role of ensuring the confidentiality, security, proper use and handling of personal data.

3. Statement of Practices

For the purpose of processing subscriber applications for "ID-Certs", Digi-Sign requires the subscriber to provide details, some of which are personal identity information for disclosure in the ID-Certs. The personal identity information that a subscriber is called upon to provide includes the following:

• Family name and other name(s)
• Date of birth
• Gender
• Hong Kong ID Card / passport number and issuing authority or country
• Contact details, including e-mail address

Digi-Sign will not be in a position to complete the processing of a subscriber application, if the personal identity information is incomplete.

Once a subscriber application is received, Digi-Sign will retain in a secure manner the information in a subscriber database. In accordance with its commitment, Digi-Sign will observe the data protection principles of the Ordinance when using and handling the subscriber information. Use of such information will encompass, among others, communications with the ID-Cert holders for the purpose of:

• Dissemination of updates and responses
• User support, renewal and addition of services
• Statistical information on the website usage

In accordance with the above Privacy Policy, Digi-Sign will not collect personal information, unless:

• The information is for legitimate and lawful purpose
• The information is necessary
• The information is directly related to the stated purpose, and Digi-Sign will use the information accordingly

The key points relating to the Digi-Sign's privacy practices are outlined below:

Collection of Personal Identification Information

• Personal identity information collected will be for legitimate and lawful purpose, and only sufficient details are requested relating to that purpose. The collection procedure requires that it is stated to the person from whom information is requested, the purpose of the request and use of the information.
• Collection of personal identity information is by lawful means and in circumstances that it is fair. In doing so, the person from whom the information is requested will be explicitly informed, before or during the collection, whether it is obligatory or voluntary to provide the details. In cases where it is obligatory to supply the information, the collection procedure requires that it is explained to the person the consequences, if this person chooses not to provide the information.
• The collection procedure requires that it is explained to the person from whom the information is requested that this person has the right to request access to the information, and the right to request correction of the information. For this purpose, the contact details of the Digi-Sign representative are stated in section 6 of this Policy Statement.
• Personal identity information will not be collected from minors (persons under the age of 18 years) as they are not of the legal age to assume responsibility in accordance with the law.

Collection of Information from Individuals On-line

For individuals using the Digi-Sign Websites, cookie files or other methods may be in use to store and track information. Appropriate warning message will be displayed to the effect that collection of information may occur without notice. Individuals are offered an "opt-out" option, should they choose not to provide the information.

Retention of Personal Information

Digi-Sign will retain personal information in accordance with the Code of Practice for Recognized Certification Authorities published by the Commissioner for Digital Policy under section 33 of the Electronic Transactions Ordinance (Cap.553).

Disclosure of Personal Information

• When submitting a subscriber application, an individual will be asked to indicate in writing his / her consent to the disclosure of personal information in the ID-Cert.
• In no circumstances Digi-Sign will disclose or transfer personal information to another party without the consent of the individual who has provided the personal information.

Accuracy of Personal Information

• Digi-Sign will take all reasonable and practical steps to keep accurate personal information having regard for its use.
• Whenever there are reasonable grounds to believe that the information is not accurate, having regard for the specific purpose for which it has been retained, Digi-Sign reserves its right to discontinue the use of the information, or to erase the information.
• Where Digi-Sign has disclosed personal information to a third party for lawful purpose, it will take reasonable and practical steps to advise this third party:
  
  • - Any changes to the personal information since it was first disclosed, having regard for the purpose for which the personal information was provided to the third party; and
  • - A specific date after which this third party should cease to use the personal information disclosed by Digi-Sign.

4. Security of Personal Information

Protection of the subscribers' personal information is a priority for Digi-Sign. Every reasonable and practical step will be taken to protect the security and confidentiality of the personal information. In particular, there are security measures in place to safeguard against loss, misuse and unauthorized access or alteration. Subscriber information is protected in accordance with the Digi-Sign information security policy, guidelines and practices.

5. Direct Marketing

Digi-Sign has ongoing programs, including working in conjunction with its business partners, to provide updates to subscribers on security products and services offering and related development. Any subscriber who does not want to receive these updates from Digi-Sign can send a request in writing and address it to the Chief Executive Officer, who is the Personal Data Administrator, using the contact details in section 6.

6. Contact Details

For further details about this Privacy Policy, access or correction of personal information, please contact the Chief Executive Officer, who is the Personal Data Administrator, contact details are as follows:

Digi-Sign Certification Services Limited

Digi-Sign reserves its right to ask that a request to access or correct personal information be in writing. Digi-Sign may charge reasonable fee to cover the relevant administrative expenses. But there will be no charge to correct information.

It is Digi-Sign's service pledge that all requests will be dealt with promptly. If there is any complaints or objections to the handling of a request, please contact the Chief Executive Officer, who is the Personal Data Administrator.

7. Notification of Changes

As part of its ongoing improvement program, Digi-Sign keeps its policies, guidelines and practices, including this Privacy Policy, under review. As and when change is necessary, Digi-Sign will display a revised version on its Website and, where appropriate, will inform subscribers in writing of the details of such changes.

8. Notice to All Subscribers

Whilst Digi-Sign implements necessary security measures and undertakes due care and skill in the protection of personal information, Digi-Sign is committed to reasonable care and skill, and commercially viable security measures.