When issuing CertifiO for employees, CertifiO for professionals and CertifiO for individuals, Notarius performs an identity verification process in accordance with the relevant Notarius Certification Policy. Owing to the high-reliability nature of these digital certificates, Notarius certifies the veracity of the information stated in the digital certificates, including the name of the certificate holder. Notarius therefore conducts a rigorous identity verification process during which two government-issued identity credentials are verified, and copies of them are kept by Notarius.
At issue is why Notarius keeps such records, and how the retention of this private information can be deemed compliant with applicable privacy laws in Canada.
In Canada and most countries, proof of identity ultimately rests on the possession of government-issued identity credentials. They can be foundational documents such as a Certificate of Birth or generally accepted identity credentials such as provincial driving licences and health cards. When sensitive transactions are conducted, proof of identity is often required.
For example, when an individual wishes to open a bank account in Canada and the person is a first-time customer, that person must show accepted identity credentials in the form of government-issued documents. The bank retains copies of these identity credentials and typically remits new bank identity credentials to the customer in the form of an ATM card and/or electronic access credentials. From that moment on, the customer needs to use only bank-issued credentials, except perhaps for critical transactions for which government-issued credentials are verified again.
Similarly, when a first-time customer wishes to obtain a digital certificate from Notarius, that person must show accepted and valid identity credentials in the form of government-issued documents. The Notarius Identity Verification Agent (IVA), after confirming that the identity verification requirements have been met, digitally signs that verification. Notarius, as a Certification and Repository Services Provider, keeps a copy of these identity credentials (and of the consent given by the customer to keep this information) because such credentials are the underlying justification for the digital identity credentials provided by Notarius. If there were ever a fraud or attempted fraud using a Notarius digital certificate, Notarius would need to demonstrate the complete chain of evidence linking the individual who made the digital certificate request to the digital certificate used to sign. This chain of evidence necessarily includes the identity credentials used during the identity verification process.
The vast majority of Notarius employees do not need access to these customer identity credentials. The credentials are therefore encrypted, following industry best practices, before they are saved, in such a way that only Notarius Public Key Infrastructure (PKI) Officers can decrypt them, and only in highly controlled circumstances. There are currently only two employees at Notarius who can access these records. These roles and access rights are documented in our Certification Policies and related documents. It is important to know that Notarius Certification Policies and supporting documentation are externally audited on a yearly basis; these audits include ISO 27001, AATL and eIDAS (Qualified Signatures Level).
In conclusion, Notarius keeps a copy of customer-supplied, government-issued identity credentials for a valid reason, under explicit consent given by customers, and only for as long as needed.