Repository

VeriSign Australia's Privacy Statement

• See also: Privacy Issues FAQ

VeriSign Australia is committed to providing you with excellent service for all of our products. We respect your right to privacy and have developed this Privacy Statement to inform you about our privacy practices for the entire VeriSign Australia site and about our privacy practices in general.

This Privacy Statement will inform you of:

• What information our site gathers about you
• How we use and with whom we share the information we gather
• Your ability to opt-out of future notifications
• What security procedures we have in place to protect your information from loss, misuse, or alteration
• How you can correct or update your information

This Privacy Statement is designed not only to meet the twelve privacy criteria set out in the Gatekeeper accreditation criteria, but also to ensure compliance with the relevant Australian Federal and State privacy legislation. VeriSign Australia's specific policies in relation to personal information regarding its Gatekeeper accredited services are contained in the relevant Gatekeeper CP and CPS.

Questions regarding this Privacy Statement should be directed to support@verisign.com.au. Please specify "Privacy Statement" in the subject line of your e-mail.

Overview

Privacy is of great concern to most users of the Internet, and is a critical part of an enjoyable and satisfactory user experience. We at VeriSign Australia are acutely aware of and sensitive to the privacy concerns of our customers and other visitors to our Web site. Whether you are a customer of our various products and services or a visitor to our site, we assure you that we do not collect personal information from you unless you provide it to us.

If you are enrolling for a VeriSign Australia digital certificate ("Digital ID"), you may be asked to provide certain personal information. Please note, however, that we are asking for this information for the limited purposes of creating your Digital ID, providing the services that may be part of your Digital ID, and authenticating your identity in order to issue you a Digital ID.

You should also be assured that we do not provide or sell information about our customers or site visitors to vendors that are not involved in the provision of VeriSign Australia's public certification and other services. If you would like to read more about the practices related to the issuance of Digital Certificates, see the relevant Public Key Infrastructure (PKI) Certification Practices Statement and Certificate Policy and other documents which can be found at http://www.verisign.com.au/repository/

Please note that our site contains links to other sites. VeriSign Australia is not responsible for the privacy practices, privacy statements, or content regarding these other sites.

Privacy Policy Enforcement

If you feel that we are violating this Privacy Statement, please contact us at support@verisign.com.au. Please specify "Privacy Statement" in the subject line of your e-mail.

VeriSign Australia has designated its facility security officer to act as an internal 'ombudsman' to handle any complaints about breaches of this policy, and about personal information handling practices in general.

Information We Gather from You:

Personal Information
We do not collect any personal information from a visitor to our site unless that visitor explicitly and intentionally provides it. Under no circumstances do we collect any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or health. If you are simply browsing our site, we do not gather any personal information about you.

There are two ways in which you may explicitly and intentionally provide us with and consent to our collection of certain personal information:

E-mail Request for Information or Registrations for Guides or Seminars or other similar services - We use links throughout our site to provide you with the opportunity to contact us via e-mail to ask questions, request information and materials, register or sign up for guides or seminars, or provide comments and suggestions. You may also be offered the opportunity to have one of our representatives contact you personally to provide additional information about our products or services. To do so, we may request additional personal information from you, such as your name and telephone number, to help us satisfy your request.

Enrolment - If you choose to enrol for one of our products or services, we will request certain information from you. Depending on the type of product or service that you request, you may be asked to provide different personal information. For certain products and services, we may require your name, address, telephone number, e-mail address, credit card number, bank account information or IP address. Other products and services may require different or supplemental information from you in order to apply. For a detailed listing of the type of personal information requested for our various products, please refer to the enrolment page for the particular product or service.

Statistical Information About Your Visit
When you visit our site, our computers may automatically collect statistics about your visit. This information does not identify you personally, but rather about a visit to our site. We may monitor statistics such as how many people visit our site, the user's IP address, which pages people visit, from which domains our visitors come and which browsers people use. We use these statistics about your visit for aggregation purposes only. These statistics are used to help us improve the performance of our Web site.

Use of Cookies

We only use "cookies" as described in this Section. A "cookie" is a piece of information that our Web site sends to your browser, which then stores this information on your system. If a cookie is used, our Web site will be able to "remember" information about you and your preferences either until you exit your current browser window (if the cookie is temporary) or until you disable or delete the cookie. Many users prefer to use cookies in order to help them navigate a Web site as seamlessly as possible. You should be aware that cookies contain no more information than you volunteer, and they are not able to "invade" your hard drive and return to the sender with personal or other information from your computer. If you choose not to accept a cookie, you will still be able to use our Web site.

Our uses of "cookies" are limited to the following specific situations. The first situation is with respect to temporary cookies. There are two instances in which we use temporary cookies. First, if you are accessing our services through one of our enterprise (Managed PKI service) customers, our Web server may automatically send your browser a temporary cookie, which is used to help your browser navigate our site. The only information contained in these temporary cookies is a direction value that lets our software determine which page to show when you hit the back button in your browser. This bit of information is erased when you close your current browser window. If you come to our site from one of our business partners, our Web server may also send your browser a temporary cookie that reflects an "origination code" for that business partner. We use this information for statistical and marketing purposes. Second, if you are using VeriSign's Personal Trust Agent to log into an access-controlled section of our site, we set a temporary session cookie to establish that you have been authenticated. The information contained in these cookies consists of random data that is used by the server to authenticate the browser requests to the server for that particular session. It does not include any type of personally identifiable information. This bit of information is erased when you close your current browser window.

The second situation in which we may use cookies is when you visit our Web site and request documentation or a response from us. When you are filling out a form you may be given the option of having our Web site deliver a cookie to your local hard drive. This type of cookie is not temporary, although you can always delete or disable it through your browser preferences. You might choose to receive this type of cookie in order to save time in filling out forms and/or revisiting our Web site. We only send this type of cookie to your browser when you have clicked on the box labeled "Please remember my profile information" when submitting information or communicating with us. Even if you choose to receive this type of cookie, you can always set your browser to notify you when you receive any cookie, giving you the chance to decide whether to accept it in each situation in which one is sent. To find more information about cookies, if you are using Microsoft Internet Explorer® as your browser, go to the Microsoft Web site at http://www.microsoft.com/info/cookies.htm?RLD=291 or if you are using Netscape Navigator® as your browser, go to the Netscape Web site at http://home.netscape.com/security/basics/privacy.html#cookies

How We Use and With Whom We Share the Information We Gather

We assure you that the information we gather from you is used by us only as explained below.

Sending you responses and updates
We generally respond to any e-mail questions, requests for product or service information, and other inquiries that we receive. We may also retain this correspondence to improve our products, services, and Web site, and for other disclosed purposes. Frequently we retain contact information so that we can send individuals updates or other important information about our services and products. Occasionally these updates or other important information may be sent out by third parties on our behalf.

Facilitating the support, renewal, and purchase of our products and services
We may use the information you submit to contact you to discuss the support, renewal, and purchase of our products and services. We may also provide the information you have submitted to us to a VeriSign Australia subsidiary, business partner, representative, VeriSign or other VeriSign Affiliate (known collectively as "Affiliated Parties") so that the Affiliated Party can contact you and facilitate the support, renewal, and purchase of VeriSign Australia products and services. VeriSign Affiliates are either members of the VeriSign Trust Network (a certificate-based public key infrastructure that permits interoperable and secure electronic commerce and communications) or are payment services affiliates, and in both cases they help us to provide our customers with support, assistance, and the provision of our products and services in their local markets. You may receive a communication directly from an Affiliated Party who has agreed to keep your information confidential. To find out the names and locations of the Affiliated Parties to whom we have provided your information, please contact us at the address given at the end of this Privacy Statement.

Facilitating the provision of certain included products and services (if you are applying for certain types of Digital Certificates)
Certain types of Digital Certificates come with additional third-party services or products that are included with the Digital ID. If you purchase one of these Digital Certificates, we may forward some or all of the information in your application to third party providers so that they can provide you with the service or product and follow up with you directly regarding their service or product or an upgrade. Please be assured that we have agreements with these third-party service or product providers that prevent them from disclosing the information to other parties.

Validating your identity (if you are applying for certain types of Digital Certificates)
Certain types of Digital Certificates require that we compare some of the information in your application to information contained in a third-party database or with some other third party source. We do this in order to authenticate your identity and other attributes.

Forming the contents of a Digital ID
The exact information that appears in our different types of Digital Certificates is set forth in the relevant enrolment page and this Privacy Statement. Generally this information is limited to e-mail address and name, but certain classes of Digital Certificates contain additional information. For example, Server IDs will contain an organisation name. Please note that all information that you provide us that forms the content of a Digital ID will be "published." Publication of Digital Certificates in an accessible location (a repository) is an integral part of enabling the widespread use of Digital Certificates. Your Digital ID will be published in our repository so that a third party may access, review, and rely upon your Digital ID. You should have no expectation of privacy regarding the content of your Digital ID.

Processing payments (if you are using our payment services)
If you use the VeriSign Payment Services payment gateway for online transactions, we may provide your personal information to appropriate financial institutions, processors, and third parties under contract with VeriSign Australia, other VeriSign Affiliates or VeriSign for providing a subset of the payment services (for example, credit authorisation and fraud screening). For financial institutions and processors, the use of personally identifiable consumer information is governed by federal and state privacy laws. For other third parties under contract with VeriSign Australia, the use and distribution of your personal information will be used by such entity for its internal use related to fulfilling the transaction services for VeriSign Australia, will be treated as confidential by this entity, and will be transferred between VeriSign Australia and this entity only via encrypted or other secure means. We may also permit the merchant through which you placed your order to review the personal information you provide. The merchant's use of your personal information should be governed by your agreement with the merchant.

If we are required to disclose by law

If we are required by law to disclose certain information to local, state, federal, national or international government or law enforcement authorities, we will do so (for example, we may disclose the identity of purchasers of certain software products to the U.S. Department of Commerce, Bureau of Export Administration, as required under the terms of VeriSign's export licenses).

Surveys

From time-to-time we may request information from customers via surveys. Participation in these surveys is completely voluntary and the user therefore has a choice whether or not to disclose this information. Survey information will be used for purposes of monitoring or improving the use of and satisfaction with this Web site, and improving our customer service and product offerings.

Your Ability to Opt-Out of Further Notifications

From time-to-time, we notify our subscribers of new products, announcements, upgrades and updates. If you would like to opt-out of being notified, please contact us at the address given at the end of this Privacy Statement.

Please be aware that you may not opt out of receiving information regarding the security, initial use, expiration, product enhancement or migration of our Digital Certificates or other products.

Our Security Procedures

We consider the protection of all personally identifiable information we receive from our Web site visitors and subscribers as critical to our corporate mission. Please be assured that we have security measures in place to protect against the loss, misuse, and alteration of any information we receive from you. As with any transmission over the Internet, however, there is always some element of risk involved in sending personal information. In order to try to minimise this risk, we encrypt all information that you submit in ordering one of our products or services using the Secure Sockets Layer (SSL) protocol. Our security procedures are also subject to at least an annual WebTrust for Certification Authorities audit by an internationally-recognised accounting firm.

How You Can Update or Correct Your Information

We cannot update or correct information contained in a Digital ID without destroying the integrity of the Digital ID because we digitally sign each subscriber's Digital ID as a part of the Digital ID issuance process. If we were to subsequently modify or remove any information listed in a Digital ID, our digital signature would not verify the Digital ID's new content. Furthermore, if a subscriber (sender) then digitally signed a message with his or her private key, a third party would not be able to properly verify the sender's signature (created using the sender's private key) because the sender's Digital ID would have been altered after the key pair's creation. For more information and tutorials on digital signatures, Digital Certificates, keys, and related subjects, click here: http://www.verisign.com.au/repository/

If you would like to update or correct any information in our records that is not contained in your Digital ID, please contact us via e-mail at support@verisign.com.au or at the address given at the end of this Privacy Statement.

Retention and Destruction of Information

In general VeriSign Australia retains records in relation to your use of our products for at least 7 years after the date you have ceased using our products. These records will include any personal information you have provided to us. In some circumstances, VeriSign Australia retains those records for a longer period of time, for example, see VeriSign Australia's Certification Practice Statements for the relevant period of retention for VeriSign Trust Network and Gatekeeper certificates.

VeriSign Australia will perform organisation-wide audits at least every six months as the end of the retention period approaches. Information identified by the audit as held beyond its retention period shall be destroyed. The current planned process for destruction of this information entails:

• the shredding or secure destruction of all paper based records;
• the erasure of information on rewritable storage media;
• physical destruction of non-rewritable storage media

Before commencement of the destruction process a review will be performed to ensure that there is no then-current requirement to retain the records for a longer period and to ensure that the destruction methods employed are appropriate for the then-current state of technology and forms of data storage used.

How You Can Revoke (Deactivate) Your Digital ID

When a third party wants to rely on a Digital ID, it is important for the third party to know its status (for example, whether it is valid, suspended (where available) or revoked). The third party may do this by accessing our repository and querying for the status of the Digital ID. We do not generally delete Digital Certificates (and their content) from the on-line repository because a third party might not then be able to check its status. You may, however, revoke (deactivate) your Digital ID. A revoked Digital ID will still appear in the repository with an indication that it has been revoked.

Changes to this Privacy Statement

If a material change is made to this Privacy Statement and/or the way we use our customers' personally identifiable information then, we will post prominent notice of the nature of such change on the first page of this Privacy Statement.

Our mailing address is:

VeriSign Australia Pty Ltd
Attention: Support
PO Box 3092
South Melbourne, VIC 3205