Subscriber Data Privacy
This policy describes the measures DDSign has designed and implemented to protect the confidentiality and privacy of Subscriber data, including personal identity data, transactional data, and historical records of Subscriber usage.
Document Reference: CENT-ECSP-DPP-001 · Version 1.0
1. Purpose and Scope
1.1 Purpose
This document defines the measures that Centric Limited, operating as an Electronic Certification Service Provider (E-CSP) under the brand name DDSign, has designed and implemented to protect the confidentiality and privacy of Subscriber data. It covers all categories of Subscriber information, including personal identity data, transactional data, and historical records of Subscriber usage of the certification services.
1.2 Scope
This policy applies to:
- All personal data collected during the Subscriber registration and identity verification process.
- All transactional data generated through certificate lifecycle operations (application, issuance, renewal, re-key, revocation, and status queries).
- All historical records of Subscriber usage retained for audit, compliance, and legal purposes.
- All systems, personnel, and third parties that process, store, or transmit Subscriber data within the DDSign E-CSP operation.
1.3 Regulatory Framework
This policy is designed to satisfy the following regulatory and standards requirements:
- Kenya Data Protection Act, 2019: Establishes data protection principles, lawful processing grounds, data subject rights, and breach notification obligations applicable to the processing of Subscriber personal data.
- Kenya Information and Communications Act (KICA): Governs the licensing and operation of Electronic Certification Service Providers, including requirements for confidentiality of Subscriber records.
- Kenya Information and Communications (Electronic Certification and Domain Name Administration) Regulations: Specific obligations for E-CSPs regarding Subscriber data handling, retention, and disclosure.
- ETSI EN 319 401: General policy requirements for Trust Service Providers, including confidentiality and privacy controls.
- ETSI EN 319 411-1: Policy and security requirements for Trust Service Providers issuing certificates, addressing Subscriber data protection.
- RFC 3647: Certificate Policy and Certification Practices Framework, Sections 9.3 (Confidentiality of Business Information) and 9.4 (Privacy of Personal Information).
2. Definitions
| Term | Definition |
|---|---|
| Subscriber | A natural person who has applied for and been issued a digital certificate by the DDSign CA, or whose certificate application is in progress. |
| Personal Data | Any information relating to an identified or identifiable natural person, as defined in the Kenya Data Protection Act, 2019. |
| Transactional Data | Records generated by certificate lifecycle operations, including certificate requests, issuance records, revocation requests, status check logs, and signing event metadata. |
| Historical Data | Archived records of past Subscriber activity, including expired or revoked certificate records, identity verification evidence, and audit trail entries retained beyond the active certificate lifecycle. |
| Data Controller | Centric Limited, which determines the purposes and means of processing Subscriber personal data in its capacity as the DDSign E-CSP operator. |
| Data Processor | Any entity that processes Subscriber personal data on behalf of Centric Limited under a written agreement. |
| Processing | Any operation performed on personal data, whether automated or manual, including collection, recording, storage, retrieval, use, disclosure, restriction, erasure, or destruction. |
3. Data Classification
Subscriber data handled by the DDSign E-CSP is classified into the following categories. Each category has specific handling, storage, and disclosure rules.
3.1 Confidential Subscriber Data
The following data elements are classified as confidential and shall not be disclosed to any third party except as required by law or with the Subscriber's explicit consent:
- National identity document number, passport number, or other government-issued identifier.
- Copies or scans of identity documents collected during the registration process.
- Subscriber's private key material (which the E-CSP does not hold, as keys are generated client-side; this classification serves as a safeguard against inadvertent exposure).
- Authentication credentials used by the Subscriber to access the DDSign platform.
- Internal identity verification records and RA officer assessment notes.
3.2 Transactional Data (Restricted)
The following data is classified as restricted and is accessible only to authorised personnel on a need-to-know basis:
- Certificate signing request (CSR) details and issuance records.
- Certificate revocation and suspension request records, including reason codes.
- Signing event metadata (timestamp, document hash, certificate serial number used).
- OCSP and CRL query logs attributable to a specific Subscriber certificate.
- Subscriber support requests and correspondence.
3.3 Public Subscriber Data
The following data elements are inherently public by the nature of the PKI trust model and are published in issued certificates and revocation information:
- Subscriber's name as it appears in the certificate Subject Distinguished Name.
- Certificate serial number, validity period, and public key.
- Certificate status (valid, revoked, or expired) as published via CRL and OCSP.
4. Confidentiality Controls
4.1 Access Control
Access to Subscriber data is governed by the principle of least privilege:
- Role-Based Access Control (RBAC): The DDSign platform enforces RBAC. Only users assigned the RA Officer, CA Administrator, or Auditor roles may access Subscriber identity records. Access roles are documented in the Roles and Responsibilities Matrix.
- Authentication: All personnel accessing Subscriber data shall authenticate using unique credentials with multi-factor authentication (MFA) enforced for privileged roles.
- Access reviews: Access permissions are reviewed quarterly. Personnel who change roles or leave the organisation have their access revoked within 24 hours.
- Logging: All access to Subscriber data is logged with the identity of the accessor, the timestamp, and the records accessed. Logs are tamper-protected and retained per the Audit Logging Policy.
4.2 Encryption
Subscriber data is protected by encryption at rest and in transit:
- Data at rest: The DDSign database storing Subscriber identity and transactional records is encrypted using AES-256 or equivalent. Encryption keys are managed separately from the database and rotated per the key management schedule.
- Data in transit: All communications between Subscribers, the DDSign platform, and internal systems use TLS 1.2 or higher. Internal service-to-service communications within the DDSign backend are also encrypted.
- Backup encryption: All backups containing Subscriber data are encrypted before being written to the backup medium. Backup decryption keys are stored separately from the backup media.
4.3 Data Segregation
Subscriber data is logically segregated from other Centric Limited business data:
- The DDSign E-CSP database is a dedicated instance, not shared with other Centric applications.
- Network segmentation isolates the E-CSP systems from the corporate network. Access between zones requires traversal of a firewall with explicit allow rules.
- Development and test environments do not contain real Subscriber data. Anonymised or synthetic data is used for testing.
4.4 Physical Security
The physical infrastructure hosting Subscriber data is protected by the controls described in the CPS Section 5.1 (Physical Controls), including:
- Restricted access to the data centre with multi-factor physical access controls (badge and biometric).
- 24/7 CCTV monitoring and recording with a minimum retention period of 90 days.
- Visitor escort policy and access logs maintained for all facility entries.
5. Privacy Controls
5.1 Lawful Basis for Processing
Centric Limited processes Subscriber personal data on the following lawful bases under the Kenya Data Protection Act, 2019:
- Contractual necessity: Processing is necessary for the performance of the Subscriber Agreement, under which the Subscriber applies for and receives a digital certificate.
- Legal obligation: Processing is required to comply with the E-CSP licensing obligations under the Kenya Information and Communications Act and associated regulations, including identity verification and record retention requirements.
- Consent: Where processing extends beyond what is strictly necessary for certificate services (e.g., service improvement analytics), explicit opt-in consent is obtained from the Subscriber.
5.2 Data Minimisation
The DDSign E-CSP collects only the personal data that is necessary for the purposes stated:
- Identity verification collects only the data elements required to establish the Subscriber's identity to the level of assurance specified in the Certificate Policy.
- No additional personal data (e.g., financial information, health data, or biometric data beyond what is on the government-issued ID) is collected.
- Transactional data recorded is limited to what is required for certificate lifecycle management, audit, and regulatory compliance.
5.3 Purpose Limitation
Subscriber personal data collected for certificate issuance and management shall not be used for any other purpose, including:
- Marketing or promotional communications (unless separately consented to).
- Profiling, scoring, or automated decision-making about the Subscriber.
- Sale, rental, or commercial sharing with third parties.
5.4 Data Subject Rights
In accordance with the Kenya Data Protection Act, 2019, Subscribers have the following rights with respect to their personal data. Centric Limited has implemented procedures to respond to these requests within 30 days:
- Right of access: Subscribers may request a copy of the personal data held about them.
- Right to rectification: Subscribers may request correction of inaccurate personal data. Note that changes affecting the certificate Subject DN require certificate revocation and re-issuance.
- Right to erasure: Subscribers may request deletion of their personal data, subject to the E-CSP's legal obligation to retain records for the mandatory archival period.
- Right to restrict processing: Subscribers may request that processing be restricted to storage only while a dispute about accuracy or lawfulness is resolved.
- Right to data portability: Subscribers may request their personal data in a structured, commonly used, machine-readable format.
- Right to object: Subscribers may object to processing based on legitimate interests. The E-CSP shall cease processing unless compelling legitimate grounds override the Subscriber's interests.
5.5 Privacy Notices
Before collecting personal data, the DDSign platform presents Subscribers with a clear and accessible privacy notice that includes:
- The identity and contact details of the Data Controller (Centric Limited).
- The categories of personal data collected.
- The purposes of processing and the lawful basis relied upon.
- Recipients or categories of recipients of the personal data.
- Retention periods for each category of data.
- The Subscriber's rights under the Kenya Data Protection Act, 2019.
- How to lodge a complaint with the Office of the Data Protection Commissioner.
6. Data Retention and Disposal
6.1 Retention Periods
Subscriber data is retained in accordance with the following schedule, derived from the Kenya Information and Communications Act (KICA Section 411A) and the E-CSP licensing conditions:
| Data Category | Retention Period | Basis |
|---|---|---|
| Identity verification records | 7 years from certificate expiry or revocation | KICA 411A; E-CSP licensing conditions |
| Certificate issuance and lifecycle records | 7 years from certificate expiry or revocation | KICA 411A; CPS Section 5.5 |
| Signing event metadata | 7 years from the date of the signing event | KICA 411A; evidentiary requirements |
| OCSP/CRL query logs | 3 years from the date of the query | Operational and audit requirements |
| Support correspondence | 3 years from resolution | Operational requirements |
| Audit logs (system access) | 7 years | Audit Logging Policy; KICA 411A |
6.2 Secure Disposal
When Subscriber data reaches the end of its retention period, it is disposed of securely:
- Electronic records: Overwritten or cryptographically erased using methods that render the data unrecoverable. Where full-disk encryption is used, secure destruction of the encryption key is an acceptable disposal method, provided that every copy of the key (including key backups and escrow copies) is destroyed and the data was never stored unencrypted elsewhere. Destroying a full-disk key renders the whole volume unrecoverable at once, so disposal of individual records on the Section 6.1 schedule requires keys scoped to the record or data category.
- Physical media: Shredded or degaussed in accordance with the organisation's media destruction procedures.
- Backups: Retained backup copies containing expired data are purged on the next backup rotation cycle following the retention expiry date.
A disposal log is maintained recording the date, method, data category, and the officer who authorised the disposal.
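As an added example (not DDSign's own code, and going beyond what the policy itself states), the Go program below combines the Section 4.2 controls with the Section 6.2 disposal method: each record is encrypted with AES-256-GCM under its own data-encryption key (DEK), every DEK is wrapped under a key-encryption key (KEK) held in a separate key store, and a record whose Section 6.1 retention period has elapsed is disposed of by destroying its DEK rather than by overwriting the ciphertext, with a disposal-log entry written for each erasure. The policy describes whole-database encryption and key destruction for full-disk encryption; per-record DEKs are an assumption made here so that single records can be erased when their retention expires. The names Vault, Record, DisposalEntry, Store, Read and DisposeExpired, the category labels, and the sample record are hypothetical, and keeping the KEK in process memory stands in for a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

// Record is one encrypted Subscriber record (hypothetical layout, not the DDSign schema).
type Record struct {
	Category   string    // category from the Section 6.1 schedule, e.g. "identity-verification"
	RetainFrom time.Time // start of the retention clock (certificate expiry or revocation)
	Sealed     []byte    // nonce || AES-256-GCM ciphertext under this record's own DEK
}

// DisposalEntry is one line of the disposal log that Section 6.2 requires.
type DisposalEntry struct {
	Date                                time.Time
	Method, Category, RecordID, Officer string
}

// Vault keeps the record store and the key store apart. Holding the KEK and the wrapped
// DEKs in memory is a demonstration assumption; in production they live in a KMS or HSM.
type Vault struct {
	kek         []byte            // 256-bit key-encryption key
	wrappedDEKs map[string][]byte // record ID -> DEK wrapped under the KEK
	records     map[string]Record
	DisposalLog []DisposalEntry
}

func NewVault(kek []byte) *Vault {
	return &Vault{kek: kek, wrappedDEKs: map[string][]byte{}, records: map[string]Record{}}
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a crypto/rand failure leaves no safe way to continue
	}
	return b
}

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // wrong key length: a programming error, not a runtime condition
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return gcm
}

// seal returns nonce || ciphertext; aad binds the blob to its record ID and category so a
// ciphertext copied to another row fails authentication on decrypt.
func seal(key, plaintext, aad []byte) []byte {
	gcm := mustGCM(key)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if ns := gcm.NonceSize(); len(sealed) >= ns {
		return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
	}
	return nil, fmt.Errorf("sealed blob missing or truncated")
}

// Store encrypts the record under a fresh per-record DEK and wraps that DEK under the KEK.
func (v *Vault) Store(id, category string, plaintext []byte, retainFrom time.Time) {
	dek := randBytes(32)
	v.records[id] = Record{Category: category, RetainFrom: retainFrom, Sealed: seal(dek, plaintext, []byte(id+"|"+category))}
	v.wrappedDEKs[id] = seal(v.kek, dek, []byte(id)) // key-store entry, kept apart from the record
}

// Read unwraps the DEK and decrypts; once the DEK is destroyed the ciphertext is unrecoverable.
func (v *Vault) Read(id string) ([]byte, error) {
	rec, wrapped := v.records[id], v.wrappedDEKs[id] // wrapped is nil after erasure
	dek, err := open(v.kek, wrapped, []byte(id))
	if err != nil {
		return nil, fmt.Errorf("record %q missing or cryptographically erased: %w", id, err)
	}
	return open(dek, rec.Sealed, []byte(id+"|"+rec.Category))
}

// DisposeExpired destroys the DEK of each record past its retention period and logs the
// disposal; ciphertext lingering in backups until the next rotation stays unreadable.
func (v *Vault) DisposeExpired(now time.Time, retentionYears map[string]int, officer string) int {
	erased := 0
	for id, rec := range v.records {
		years, scheduled := retentionYears[rec.Category]
		if _, haveKey := v.wrappedDEKs[id]; !scheduled || !haveKey || now.Before(rec.RetainFrom.AddDate(years, 0, 0)) {
			continue // no schedule for the category, already erased, or still within retention
		}
		delete(v.wrappedDEKs, id) // with a KMS this is the destroy-key-version call
		v.DisposalLog = append(v.DisposalLog, DisposalEntry{Date: now, Category: rec.Category,
			Method: "cryptographic erasure (DEK destroyed)", RecordID: id, Officer: officer})
		erased++
	}
	return erased
}

func main() {
	v := NewVault(make([]byte, 32)) // all-zero demo KEK; a real KEK is issued by the KMS
	// Constructed sample: an identity-verification record whose certificate expired eight years ago.
	v.Store("sub-1001/idv", "identity-verification", []byte("ID no. 12345678"), time.Now().AddDate(-8, 0, 0))
	n := v.DisposeExpired(time.Now(), map[string]int{"identity-verification": 7}, "dpo")
	_, err := v.Read("sub-1001/idv")
	fmt.Println(n, "record(s) erased; read after erasure:", err)
}
```

Because the wrapped DEK is the only route to the plaintext, a backup taken before disposal becomes useless the moment the DEK is destroyed, which is what makes the Section 6.2 window of "purged on the next backup rotation cycle" acceptable. The same property cuts the other way: a lost or prematurely destroyed KEK renders every record unreadable at once, so KEK backup and rotation belong in the key management schedule and must never be stored alongside the database backups.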
7. Disclosure and Sharing of Subscriber Data
7.1 Permitted Disclosures
Subscriber data shall only be disclosed in the following circumstances:
- With Subscriber consent: The Subscriber has provided explicit, informed consent for the specific disclosure.
- Legal or regulatory obligation: A court order, subpoena, or lawful request from a competent regulatory authority (including the Communications Authority of Kenya or the Office of the Data Protection Commissioner) requires disclosure.
- Certificate status information: The public elements of certificate status (valid, revoked, expired) are published via CRL and OCSP as an inherent function of the PKI trust model. This does not constitute disclosure of confidential data.
7.2 Prohibited Disclosures
The following disclosures are prohibited:
- Disclosure of Subscriber identity verification records to relying parties or any third party without a lawful basis.
- Disclosure of transactional or historical usage data to any party for commercial, marketing, or profiling purposes.
- Bulk or indiscriminate transfer of Subscriber data to any jurisdiction or entity.
7.3 Third-Party Processors
Where Subscriber data is processed by a third party on behalf of Centric Limited (e.g., a hosting provider or backup service provider), the following conditions apply:
- A written data processing agreement is in place that meets the requirements of the Kenya Data Protection Act, 2019.
- The processor is subject to confidentiality obligations no less protective than those in this policy.
- The processor is included in the Vendor Risk Assessment process.
- Centric Limited retains the right to audit the processor's data protection practices.
8. Breach Management
In the event of a personal data breach affecting Subscriber data, Centric Limited shall follow the Incident Response Plan and the following additional steps specific to privacy:
8.1 Detection and Assessment
- Any suspected or confirmed breach involving Subscriber data shall be reported to the Data Protection Officer (or designated privacy lead) immediately upon discovery.
- The severity and scope of the breach shall be assessed within 24 hours, including the categories of data affected, the number of Subscribers impacted, and the likelihood of harm.
8.2 Notification to the Regulator
- Where the breach is likely to result in a risk to the rights and freedoms of Subscribers, Centric Limited shall notify the Office of the Data Protection Commissioner within 72 hours of becoming aware of the breach, as required by the Kenya Data Protection Act, 2019.
- The Communications Authority of Kenya shall be notified within 24 hours of any confirmed security incident affecting E-CSP operations, in line with the E-CSP licensing conditions.
8.3 Notification to Affected Subscribers
- Where the breach is likely to result in a high risk to the rights and freedoms of affected Subscribers, Centric Limited shall notify them without undue delay.
- The notification shall describe the nature of the breach, the data affected, the measures taken or proposed, and how the Subscriber can protect themselves.
8.4 Post-Incident Review
- A root cause analysis shall be conducted for every breach involving Subscriber data.
- Corrective actions shall be documented and tracked to completion.
- This policy and related procedures shall be updated where the breach reveals a gap in the existing controls.
9. Personnel Obligations
All personnel with access to Subscriber data are subject to the following obligations:
- Confidentiality agreements: All staff, contractors, and third-party personnel with access to Subscriber data shall sign a confidentiality and non-disclosure agreement before access is granted.
- Training: All personnel shall complete data protection and privacy awareness training upon joining and annually thereafter. Training covers data classification, handling procedures, breach reporting, and Subscriber rights.
- Acceptable use: Personnel shall access Subscriber data only for legitimate, authorised business purposes. Unauthorised access, copying, or disclosure is a disciplinary offence and may result in termination and legal action.
- Incident reporting: Personnel shall report any suspected or actual breach of Subscriber data confidentiality immediately to the Incident Response team and the Data Protection Officer.
10. Monitoring and Compliance
10.1 Internal Audits
Compliance with this policy is verified through:
- Quarterly reviews of access control lists and access logs for Subscriber data systems.
- Annual internal audit of data protection practices against the requirements of this policy and the Kenya Data Protection Act, 2019.
- Periodic penetration testing and vulnerability assessments of systems hosting Subscriber data.
10.2 External Audits
The annual E-CSP compliance audit conducted under the authority of the Communications Authority of Kenya includes verification of Subscriber data confidentiality and privacy controls. Centric Limited shall cooperate fully with the appointed auditor and provide access to all relevant records and systems.
10.3 Continuous Improvement
This policy is reviewed annually, or sooner if triggered by a material change in operations, a regulatory update, or a data breach. Amendments are processed through the document change control procedure and approved by the Policy Authority.
11. Cross-References
This document should be read in conjunction with the following DDSign E-CSP documents:
| Document | Relevance |
|---|---|
| Certification Practice Statement (CPS) | Section 9.3 (Confidentiality of Business Information) and Section 9.4 (Privacy of Personal Information) set the overarching framework that this policy implements. |
| Certificate Policy (CP) | Defines the assurance levels and identity proofing requirements that determine what Subscriber data is collected. |
| Subscriber Agreement | Contractual terms with Subscribers regarding data use, confidentiality, and Subscriber obligations. |
| Audit Logging Policy | Specifies the logging controls for access to Subscriber data referenced in Section 4.1. |
| Incident Response Plan | Defines the procedures for handling security incidents, including data breaches described in Section 8. |
| Vendor Risk Assessment Policy | Governs the assessment of third-party processors referenced in Section 7.3. |
| Roles and Responsibilities Matrix | Documents the RBAC structure referenced in Section 4.1. |
| Business Continuity Plan (BCP) | Addresses continuity of Subscriber data protection in disaster scenarios. |