Principal Legislation
Log in

Login to your account

Username *
Password *
Remember Me







   1.   Commencement.

   2.   Interpretation.

   3.   Equal treatment of signature technologies.



   4.   Compliance with a requirement for a signature.

   5.   Conduct of the signatory.

   6.   Variation by agreement.

   7.   Conduct of the relying party.

   8.   Trustworthiness.

   9.   Conduct of the certification service provider.

   10.   Advanced signatures.

   11.   Secure electronic signature.

   12.   Presumptions relating to secure and advanced electronic signatures.



   13.   Secure digital signatures.

   14.   Satisfaction of signature requirements.

   15.   Unreliable digital signatures.

   16.   Digitally signed document taken to be written document.

   17.   Digitally signed document deemed to be original document.

   18.   Authentication of digital signatures.

   19.   Presumptions in adjudicating disputes.



   20.   Sphere of application.

   21.   Controller.

   22.   Certification service providers to be licensed.

   23.   Qualifications of certification service providers.

   24.   Functions of licensed certification service providers.

   25.   Application for licence.

   26.   Grant or refusal of licence.

   27.   Revocation of licence.

   28.   Appeal.

   29.   Surrender of licence.

   30.   Effect of revocation, surrender or expiry of licence.

   31.   Effect of lack of licence.

   32.   Return of licence.

   33.   Restricted licence.

   34.   Restriction on use of expression "certification service provider".

   35.   Renewal of licence.

   36.   Lost licence.

   37.   Recognition of other licenses.

   38.   Performance audit.

   39.   Activities of certification service providers.

   40.   Requirement to display licence.

   41.   Requirement to submit information on business operations.

   42.   Notification of change of information.

   43.   Use of trustworthy systems.

   44.   Disclosures on inquiry.

   45.   Prerequisites to issue of certificate to subscriber.

   46.   Publication of issued and accepted certificate.

   47.   Adoption of more rigorous requirements permitted.

   48.   Suspension or revocation of certificate for faculty issuance.

   49.   Suspension or revocation of certificate by order.

   50.   Warranties to subscriber.

   51.   Continuing obligations to subscriber.

   52.   Representations upon issuance.

   53.   Representations upon publications.

   54.   Implied representations by subscriber.

   55.   Representations by agent of subscriber.

   56.   Disclaimer or indemnity limited.

   57.   Indemnification of certification service provider by subscriber.

   58.   Certification of accuracy of information given.

   59.   Duty of subscriber to keep private key secure.

   60.   Property in private key.

   61.   Fiduciary duty of a certification service provider.

   62.   Suspension of certificate by certification service provider.

   63.   Suspension of certificate by Controller.

   64.   Notice of suspension.

   65.   Termination of suspension initiated by request.

   66.   Alternate contractual procedures.

   67.   Effect of suspension of certificate.

   68.   Revocation of request.

   69.   Revocation on subscriber's demise.

   70.   Revocation of unreliable certificates.

   71.   Notice of revocation.

   72.   Effect of revocation request on subscriber.

   73.   Effect of notification on certification service provider.

   74.   Expiration of certificate.

   75.   Reliance limit.

   76.   Liability limits for certification service providers.

   77.   Recognition of repositories.

   78.   Liability of repositories.

   79.   Recognition of date or time stamp services.



   80.   Prohibition against dangerous activities.

   81.   Obligation of confidentiality.

   82.   False information.

   83.   Offences by body corporate.

   84.   Authorised officer.

   85.   Power to investigate.

   86.   Search by warrant.

   87.   Search and seizure without warrant.

   88.   Access to computerised data.

   89.   List of things seized.

   90.   Obstruction of authorised officer.

   91.   Additional powers.

   92.   General penalty.

   93.   Institution and conduct of prosecution.

   94.   Jurisdiction to try offences.

   95.   Prosecution of officers.

   96.   Limitation on disclaiming or limiting application of the Act.

   97.   Regulations.

   98.   Compensation.

   99.   Power of Minister to amend schedule.

   100.   Savings and transitional provisions.


      Schedule   Currency point.



Commencement: 15 April 2011.

   An Act to make provision for and to regulate the use of electronic signatures and to provide for other related matters.




1.   Commencement.

   This Act shall come into force on a date appointed by the Minister by statutory instrument


2.   Interpretation.

   In this Act, unless the context otherwise requires—

   "accept a certificate" means—

   (a)   to manifest approval of a certificate, while knowing or having notice of its contents; or

   (b)   to apply to a certification service provider for a certificate, without revoking the application by delivering notice of the revocation to the licensed certification service provider and obtaining a signed, written receipt from the certification service provider, if the certification service provider subsequently issues a certificate based on the application;

   "advanced electronic signature" means an electronic signature, which is—

   (a)   uniquely linked to the signatory;

   (b)   reliably capable of identifying the signatory;

   (c)   created using secure signature creation device that the signatory can maintain; and

   (d)   linked to the data to which it relates in such a manner that any subsequent change of the data or the connections between the data and the signature are detectable;

   "asymmetric cryptosystem" means an algorithm or series of algorithms, which provide a secure key pair;

   "authorised officer" means the Controller or a police officer or a public officer performing any functions under this Act; and includes any public officer authorised by the Minister or by the controller to perform any functions under this Act;

   "certificate" means a data message or other records confirming the link between a signatory and a signature creation data;

   "certification service provider disclosure record" means an online and publicly accessible record that concerns a licensed certification service provider, which is kept by the Controller under subsection 21(5);

   "certification practice statement" means a declaration of the practices, which a certification service provider employs in issuing certificates generally or employs in issuing a particular certificate;

   "certification service provider" means a person that issues certificates and may provide other services related to electronic signatures;

   "certify" means to declare with reference to a certificate, with ample opportunity to reflect and with a duty to apprise oneself of all material facts;

   "confirm" means to ascertain through diligent inquiry and investigation;

   "Controller" means National Information Technology Authority-Uganda;

   "correspond", with reference to keys, means to belong to the same key pair;

   "currency point" has the meaning assigned to it in the Schedule in this Act;

   "digital signature" means a transformation of a message using an asymmetric cryptosystem such that a person having the initial message and the signer's public key can accurately determine—

   (a)   whether the transformation was created using the private key that corresponds to the signer's public key; and

   (b)   whether the message has been altered since the transformation was made;

   "electronic signature" means data in electronic form affixed to or logically associated with a data message, which may be used to identify the signatory in relation to the data message and indicate the signatory's approval of the information contained in the data message; and includes an advance electronic signature and the secure signature;

   "electronic signature product" means configured hardware or software or relevant components of it, which are intended to be used by a certification service provider for the provision of electronic signature services or are intended to be used for the creation or verification of electronic signatures;

   "forge a digital signature" means—

   (a)   to create a digital signature without the authorisation of the rightful holder of the private key; or

   (b)   to create a digital signature verifiable by a certificate listing as subscriber a person who either does not exist or does not hold the private key corresponding to the public key listed in the certificate;

   "hold a private key" means to be able to utilise a private key;

   "incorporate by reference" means to make one message a part of another message by identifying the message to be incorporated and expressing the intention that it be incorporated;

   "issue a certificate" means the act of a certification service provider in creating a certificate and notifying the subscriber listed in the certificate of the contents of the certificate;

   "key pair" means a private key and its corresponding public key in an asymmetric cryptosystem, where the public key can verify a digital signature that the private key creates;

   "licensed certification service provider" means a certification service provider to whom a licence has been issued by the Controller and whose licence is in effect;

   "message" means a digital representation of information;

   "Minister" means the Minister responsible for information and communication technology;

   "notify" means to communicate a fact to another person in a manner reasonably likely under the circumstances to impart knowledge of the information to the other person;

   "person" includes any company or association or body of persons corporate or unincorporate;

   "prescribed" means prescribed by or under this Act or any regulations made under this Act;

   "private key" means the key of a key pair used to create a digital signature;

   "public key" means the key of a key pair used to verify a digital signature and listed in the digital signature certificate;

   "public key infrastructure" means a framework for creating a secure method for exchanging information based on public key cryptography;

   "publish" means to record or file in a repository;

   "qualified certification service provider" means a certification service provider that satisfies the requirements under section 23;

   "recipient" means a person who receives or has a digital signature and is in a position to rely on it;

   "recognised date or time stamp service" means a date/time stamp service recognised by the Controller under section 79;

   "recognised repository" means a repository recognised by the Controller under section 77;

   "recommended reliance limit" means the monetary amount recommended for reliance on a certificate under section 76;

   "relying party" means a person that may act on the basis of a certificate or an electronic signature;

   "repository" means a system for storing and retrieving certificates and other information relevant to digital signatures;

   "revoke a certificate" means to make a certificate ineffective permanently from a specified time forward;

   "rightfully hold a private key" means to be able to utilise a private key—

   (a)   which the holder or the holder's agents have not disclosed to any person in contravention of this act; and

   (b)   which the holder has not obtained through theft, deceit, eavesdropping or other unlawful means;

   "security procedure" means a procedure for the purpose of—

   (a)   verifying that an electronic record is that of a specific person; or

   (b)   detecting error or alteration in the communication, content or storage of an electronic record since a specific point in time, which may require the use of algorithms or codes, identifying words or numbers, encryption, answer back or acknowledgement procedures or similar security devices;

   "secure signature creation device" means a signature creation device which meets the requirements laid down in section 4;

   "signatory" means a person that holds signature creation data and acts either on its own behalf or on behalf of the person it represents

   "signature creation device" means configured software or hardware, used by the signatory to create an electronic signature;

   "signature verification data" means unique data such as codes or public cryptographic keys, used for the purpose of verifying an electronic signature;

   "signature verification device" means configured software or hardware, used for the purpose of verifying an electronic signature;

   "signed" or "signature" and its grammatical variations includes any symbol executed or adapted or any methodology or procedure employed or adapted, by a person with the intention of authenticating a record, including an electronic or digital method;

   "subscriber" means a person who—

   (a)   is the subject listed in a certificate;

   (b)   accepts the certificate; and

   (c)   holds a private key which corresponds to a public key listed in that certificate;

   "suspend a certificate" means to make a certificate ineffective temporarily for a specified time forward;

   "this Act" includes any regulations made under this Act;

   "time-stamp" means—

   (a)   to append or attach to a message, digital signature or certificate a digitally signed notation indicating at least the date, time and identity of the person appending or attaching the notation; or

   (b)   the notation appended or attached;

   "transactional certificate" means a certificate, incorporating by reference one or more digital signatures, issued and valid for a specific transaction;

   "trustworthy system" means computer hardware and software which—

   (a)   are reasonably secure from intrusion and misuse;

   (b)   provide a reasonable level of availability, reliability and correct operation; and

   (c)   are reasonably suited to performing their intended functions;

   "valid certificate" means a certificate which—

   (a)   a licensed certification service provider has issued;

   (b)   has been accepted by the subscriber listed in it;

   (c)   has not been revoked or suspended; and

   (d)   has not expired,

but a transactional certificate is a valid certificate only in relation to the digital signature incorporated in it by reference;

   "verify a digital signature" means, in relation to a given digital signature, message and public key, to determine accurately that—

   (a)   the digital signature was created by the private key corresponding to the public key; and

   (b)   the message has not been altered since its digital signature was created;

   "writing" or "written" includes any handwriting, typewriting, printing, electronic storage or transmission or any other method of recording information or fixing information in a form capable of being preserved.

   (2) For the purposes of this Act, a certificate shall be revoked by making a notation to that effect on the certificate or by including the certificate in a set of revoked certificates.

   (3) The revocation of a certificate does not mean that it is destroyed or made illegible.


3.   Equal treatment of signature technologies.

Nothing in this Act shall be applied so as to exclude, restrict or deprive of legal effect any method of creating an electronic signature that satisfies the requirements for a signature in this Act or otherwise meets with the requirements of any other applicable law.




4.   Compliance with a requirement for a signature.

   (1) Where the law requires a signature of a person, that requirement is met in relation to a data message if an electronic signature is used which is as reliable as was appropriate for the purpose for which the data message was generated or communicated, in light of all the circumstances, including any relevant agreement.

   (2) Subsection (1) applies whether the requirement referred to in that subsection in the form of an obligation or whether the law simply provides consequences for the absence of a signature.

   (3) An electronic signature is considered to be reliable for the purpose of satisfying the requirement referred to in subsection (1) if—

   (a)   the signature creation data are, within the context in which they are used, linked to the signatory and to no other person;

   (b)   the signature creation data were, at the time of signing, under the control of the signatory and of no other person;

   (c)   any alteration to the electronic signature, made after the time of signing, is detectable; and

   (d)   where a purpose of legal requirement for a signature is to provide assurance as to the integrity of the information to which it relates, any alteration made to that information after the time of signing is detectable.

   (4) Subsection (3) does not limit the liability of any person—

   (a)   to establish in any other way, for the purpose of satisfying the requirement referred to in subsection (1), the reliability of an electronic signature; or

   (b)   to adduce evidence of the non-reliability of an electronic signature.


5.   Conduct of the signatory.

   (1) Where signature creation data can be used to create a signature that has legal effect, each signatory shall—

   (a)   exercise reasonable care to avoid unauthorised use of its signature creation data;

   (b)   without undue delay, notify any person that may reasonably be expected by the signatory to rely on or to provide services in support of the electronic signature if—

      (i)   the signatory knows that the signature creation data have been compromised; or

      (ii)   the circumstances known to the signatory give rise to a substantial risk that the signature creation data may have been compromised;

   (c)   where a certificate is used to support the electronic signature, exercise reasonable care to ensure the accuracy and completeness of all material representations made by the signatory which are relevant to the certificate throughout its life-cycle or which are to be included in the certificate.


6.   Variation by agreement.

   The provisions of this Act may be derogated from or their effect may be varied by agreement unless that agreement would not be valid or effective under any law.


7.   Conduct of the relying party.

   A relying party shall bear the legal consequences of his or her failure to—

   (a)   take reasonable steps to verify the reliability of an electronic signature; or

   (b)   where an electronic signature is supported by a certificate, take reasonable steps—

      (i)   to verify the validity, suspension or revocation of the certificate; and

      (ii)   to observe any limitation with respect to the certificate.


8.   Trustworthiness.

   When determining whether or to what extent any systems procedures and human resources utilised by a certification service provider are trustwo

This section of the article is only available for our subscribers. Please click here to subscribe to a subscription plan to view this part of the article.