Qualified Electronic Signatures

In a nutshell: Electronic signatures are signatures in electronic form; digital signatures are electronic signatures that are encrypted. There are three types of electronic signatures – simple, advanced, and qualified. A simple Electronic Signature would be typing your name at the end of an email. An Advanced Electronic Signature (AES) is created in a way that allows for identification & authentication of the signatory and the verification of the integrity of the signed document. A Qualified Electronic Signature (QES) can do everything an AES can and, in addition, is created with a Qualified Certificate. These certificates can only be issued by a Qualified Trust Service Provider.

The Law Society Smartcard contains a Qualified Electronic Signature, the EU digital signature with the highest form of security. This form of digital signature guarantees the integrity of the document as well as authentication. Its juridical value lies in integrity: one can be sure the text received is the same as the text that was sent, and that literally no-one has changed it. It also guarantees identification: only practising solicitors can obtain this QES from the Law Society.

Anything where you would normally put pen to paper. The Smartcard QES is the highest available level of electronic signature. It is self-proving, i.e. with the exception of wills, you do not need a witness to your signature. According to the eIDAS Regulation (EU Regulation No 910/2014), Art 25 (2), and the UK eIDAS 2016, a QES has the same legal value as a handwritten signature. See also the Requirements of Writing (Scotland) Act 1995.

Every electronic signature can of course be interrogated. Please refer to Verifying a Smartcard Signature on how to check the validity of the signature in the document you received. In the case of the Law Society's Smartcard signature, additional reassurance is provided by the fact that only a qualified solicitor, registered with the LSS, and in possession of a valid practising certificate, can obtain a Smartcard signature. The signatory is also named in the QES itself, information that is available when interrogating the QES.

RedAbogacía is the trading name for the company Infraestructura Tecnológica del Consejo General de la Abogacía, SLU. They are wholly owned by the Spanish Bar Association and are the provider of the software and card technology behind the Smartcard with QES.

ACA is the Abogacía Certification Authority (operated by RedAbogacía). It was set up in 2005 to provide EU-compliant digital signatures to Spanish lawyers and has now authorised more than 80 registration authorities (of which the Law Society of Scotland is one) across the legal and professional services sectors in a range of European countries.

An open tender process was followed, which required documentary evidence & pricing information and included demonstrations, site visits to current clients, and financial due diligence. A key aspect of our stated requirements was a solution which had already been deployed to a profession, ideally lawyers, of significant scale and over a period of time. RedAbogacía achieved the best score in relation to quality and cost, and all due diligence with existing clients and financial operations assured us they were the ideal partner for this project.

We had tenders from the UK and from other EU countries, but selected on price, quality, and proven track record.

The Registration Authority for the Smartcard with QES is the Law Society of Scotland. We perform the necessary ID check, issue cards and digital signatures, and provide accurate information to the Certification Authority.

The Certification Authority is the Abogacía Certification Authority (ACA, operated by RedAbogacía). It meets all key EU and international standards required of certification authorities, holding the required information to allow the issuing and use of a secure digital QES. This saves the Law Society of Scotland the cost, resource commitment and risks of attempting to become a certification authority in its own right within a small market like Scotland, something which we did not consider viable or desirable when we designed the specifications and tendered the project.

These two documents are mentioned in the contract solicitors sign when collecting their Smartcard with QES. They form part of the governance background and technical specification of the digital signatures we are issuing.

Certificate Policy is a document which states who the different actors/bodies of a public-private key infrastructure (PKI) are, their roles and their duties. You can view the CP for the Smartcard with QES here.

Certification Practice Statement is a document from the Certificate Authority which describes their practice for issuing and managing public-private key certificates. You can view the CPS for the Smartcard with QES here.

The card reader is a small device connected to your computer via a USB cable. You need it to enable communication between the chip of your Smartcard and your computer in order to apply a signature. An external card reader with USB connection is issued when you collect your Smartcard with QES. A complete installation guide on how to set this up can be found on the Installation page. However, if you have your own card reader, e.g. one that is already built into your laptop, you can use that one instead and don’t need to install another.

Note to Gemalto users: If you otherwise use a Gemalto card reader, this will unfortunately not work with the Smartcard; the systems are not compatible. Likewise, if you have Gemalto installed on your computer in general, you will not be able to use the Smartcard with QES. Please use another computer, or uninstall Gemalto on your machine, if this is feasible.

How to get one and how to use it

You need to be a qualified solicitor with a valid practising certificate to obtain a Smartcard with QES. The submission itself is an online process; you get access to the form when you log into the members’ site with your personal credentials. Go to “Smartcard” and follow the steps in the “Smartcard submission” tab. During the submission, you will be required to upload a photograph.

Being issued a Smartcard with QES requires a face-to-face meeting with an Operator. One of the qualifiers of a QES is that the means to apply the signature, i.e. the token on the card and PIN, are under the sole control of the signatory at any given time. Under eIDAS Regulation (EU Regulation No 910/2014), we therefore cannot issue signatures remotely; it has to happen in the presence of the signatory and only s/he can enter the necessary codes (PIN & PUK). Any compromise in the process risks invalidating the signature. A list of planned dates and times for Signature Sessions can be found here. We will also be checking your identity documentation during that meeting.

The guidance for photographs and proof of identity can be found here.

The only additional information will be the photograph you upload. All other data will be the same as held on our main regulatory system, fulfilling the statutory functions around the registration of solicitors.

We issue Smartcards with QES only to solicitors holding a current practising certificate.

No. Only the person whose name appears on the Smartcard with QES and is the named signatory in the certificate can use the Smartcard QES. Allowing someone else to use your card may give rise to criminal/fraud penalties and possible civil liability if a contract proceeds on a fraudulent nature; it is the equivalent of encouraging someone to sign your name on a contract for you. The digital signature on your Smartcard will be protected by a PIN to ensure that only you can use it.

Yes. The contract is between the Certification Authority, the Registration Authority, and yourself. The Operator will sign this at the Signature Session on behalf of the Society, as Registration Authority, and as an agent acting for the Certification Authority. This is a standard contract and will be identical for everyone. An example is available here.

If you do not sign the contract, we cannot issue you a Smartcard with QES. You will still be able to obtain a Lawscot ID card.

In short, you are covered. Lockton's have issued a statement concerning the Master Policy and Smartcard users; you can find it here.

The Smartcard with QES incurs an annual fee of £110 + VAT (total £132). Payment for the first year will be asked for at the time of booking your timeslot at a Signature Session. Subsequent payments will be due on the anniversary of you having been issued your signature. You will receive a reminder email 30 days before the due date with instructions on how to pay for the next year.

When you use your Smartcard with QES to apply your digital signature, you need to enter a 6-digit PIN code. You choose this code yourself when you collect your Smartcard. It operates in exactly the same way as the PIN code for your bank card and must be entered when you use the card to apply your digital signature. You also need to choose an 8-digit PUK – it is the backup code that allows you to unlock your card in case you enter an incorrect PIN code repeatedly.

What happens if...

Your PIN is the 6-digit code you came up with and entered yourself when you collected your Smartcard. It is only stored on the chip of the card; we do not have access and we cannot reset it like the banks do.

If you are unsure, don't try to remember what you did when you picked up your card. Instead, imagine you had to come up with a 6-digit code right now, this instant. Take a note of that code, and then test it. You will need the so-called card manager to do so (see Step 2 in "Installation and Troubleshooting" below). The card manager is not needed to apply the Smartcard signature to a document, but it is a handy tool to have when it comes to checking or changing your PIN. How to do that can be found here: How to test your PIN & PUK.

In addition to the annual payment cycle, a signature is valid for 3 years and you can renew an active Smartcard QES within the last 30 days of its validity period. We will send out reminders roughly a month before your 3 years are up with instructions on how to renew the underlying digital certificate. Once you do, the clock starts again and you have a further 3 years' validity, provided you complete the annual payments. You can renew your QES this way only once. After a total of six years, we would have to have another face-to-face meeting with an Operator to issue you a completely new QES.

You cannot re-activate an expired signature; neither can we. If you let your digital signature expire at the end of the first 3 years' validity, it is gone and cannot be resurrected. We would have to create a new digital signature in another face-to-face meeting with you. Please do not wait until the last day indicated in the reminder email.

Your Smartcard itself, the plastic, is valid for six years from date of issue. We will send you instructions on how to replace it before your card expires.

However, the digital certificate on the chip of your card needs to be renewed after three years. This will not require a face-to-face meeting; you can renew the certificate yourself, online, as long as you remember your PIN. Renewal instructions for the digital signature will be sent to you before your QES on the chip expires.

If you have lost your Smartcard, you can cancel your digital signature on the chip. On the day you obtained your Smartcard with QES, you received an email with a cancellation code. Please follow this link and enter this cancellation code. This will revoke your digital signature. You should also send an immediate email to smartcard@lawscot.org.uk, advising us that your card has been lost.

If you have a Smartcard with QES, and you don’t renew your practising certificate by 31 October, your digital signature will be revoked. In addition, we will ask you to return your card to us.

Yes, you can use your Smartcard with QES as an ID card as well, since it contains the same visible information as an ID-only card – the name you practise under, your photograph, and your solicitor ID number.

Not per se, but you might have to attend another face-to-face meeting. It depends on what email address you used when you obtained your digital signature. If you used your own private email address, nothing changes, and you can continue using your Smartcard as before.

We recommend that you use an email address that is unique to you and one you will be able to access for several years to come. All communications concerning your digital signature – cancellation codes, reminders for the annual fee, renewal instructions – will be sent to this address. That means, if you used an email address at your now ex-employer, then you need to change the digital signature on your Smartcard, or important communication will not reach you. Updating your email address requires another meeting with an Operator, and you need to remember your PIN code. Please check the Signature Sessions page to book yourself a spot at any of the listed events to amend your digital signature.

Yes. The name you practise under should also be the name printed on your Smartcard. Once you have alerted the Member Registration Team, please contact us at smartcard@lawscot.org.uk and book yourself a slot at a Signature Session, so we can issue you a new Smartcard with QES in the correct name.

Yes, of course you can. As long as you have a Scottish practising certificate, you will be able to receive a Smartcard with digital signature. It does mean we will have to arrange for a face-to-face meeting with an Operator, though – either at any of the Signature Sessions, or at a time you are back visiting in Scotland. Please contact smartcard@lawscot.org.uk to arrange things accordingly.

For all enquiries about the Smartcard with digital signature, please contact us at smartcard@lawscot.org.uk.