Government: Online Transactions

Volume 704: debated on Wednesday 29 October 2008

asked Her Majesty's Government:

What steps they are taking to promote the widespread use of the government root certificate (public key infrastructure) to encourage persons to communicate only with authentic government certificates in the knowledge that the arrangements are secure; and [HL4027]

Whether all electronic correspondence between and with government bodies is made secure through the use of computerised certificates; and [HL4028]

Whether it is their policy for all government websites that solicit information to use computerised certificates; and [HL4029]

Whether any United Kingdom government certificates are stored in the United States or South Africa; if so, whether the security arrangements pertaining to them are satisfactory; and whether they have made representations to the Government of the United States about the applicability of the Patriot Acts to United Kingdom government certificates. [HL4030]

There are many different ways of securing communications between government departments and citizens. The appropriate method is adopted to suit the needs of the particular business. Such security and authentication regimes include measures such as: traditional cryptography, transport layer security, and X.509 server certificates as well as digital certificates. Many of the secure links between government departments use traditional cryptography which does not use certificates.

Where personal or sensitive information is exchanged electronically with a member of the public, this is usually secured through the use of the industry standard transport layer security (TLS) and an X.509 server certificate rather than using an HMG root certificate.

Central government departments with internet websites using personal or other sensitive information are required to implement appropriate protective measures. Normally, this would include the use of the industry standard transport layer security (TLS), one component of which would be an X.509 server certificate. In exceptional cases client certificates are also used.

Some public key certificates issued by the Government can be expected to be held overseas. For example, certificates relating to verifications of passports need to be held overseas in order to check the authenticity of UK passports.

Certificates issued to departments or their agencies contain no reference to individuals or their personal information. There is no requirement for these certificates to be treated confidentially.

Some certificates are issued to individuals and could contain personal information. In such instances, the handling of these certificates would need to comply with the relevant data protection principles.

Data stored in the UK and overseas must adhere to data protection legislation.