Identification versus anonymity in e-government IDENTIFICATION IN BELGIAN FEDERAL EGOVERNMENT

Identification in Belgian federal eGovernment

Identification

The identification of an entity is the process of identifying a user or a provider in a certain context or sector. An entity is directly or indirectly identified or identifiable by reference to identity data, i.e., by reference to one or more identifiers and/or one or more attributes specific to the entity’s physical, physiological, mental, economic, cultural or social identity.

Identity data

These attributes specific to the entity’s identity are characteristics of that entity. In a number of recent opinions on the processing of personal data for user management in identity management, the Belgian Privacy Commission explained that a (natural) person can be uniquely identified without any margin of error via the combination of:

1. the identification number of the National Registry, which is a unique identifier, and 

2. his or her family name and first names, date and place of birth, the address of the main residence.

These decisions give guidance with regard to which identity data are needed to globally identify a natural person in Belgian eGovernment.

In their position paper on Belgian Federal eGovernment, Mr. Deprest and Mr. Robben explain that, besides the mentioned data, the gender, the nationality and the date and place of death are also part of the basic identification data of a natural person. With regard to enterprises, they write that in Belgian Federal eGovernment, the global identification number for enterprises is linked to a set of basic identification data, i.e., the company name, address of its head office and plants, its legal status and legal situation.

When we analyze some recent decisions of the Privacy Commission on the topic of identity management, it appears that the Privacy Commission systematically grants access to the above mentioned basic identification data, including the National Registry Number, when the parties involved claim this is needed for their user management.  

For instance, in one of the cases, the Privacy Commission accepted the reasoning of the City of Antwerp, which argued that it shall use the National Registry number for its user management, ‘because the unique identification of the users is needed and because authorization relies on authentication and authentication relies on unique identification’ (our translation).

The Privacy Commission accepted a similar reasoning in her decision about the user management of FEDICT (the Belgian federal public service for ICT). She accepted the point of view that FEDICT shall be authorized to use the National Registry number, for its user management which consists of: 

1. Identification: attributing a unique set of data that allows knowing who a person is. 

2. Authentication: verification whether what is claimed to be, also is correct. 

3. Authorization: the permission to fulfill a specified action or to use a particular service.

Although the premises of this reasoning are per se correct, we believe they are incomplete. In our view, the conclusion of the Privacy Commission could have been different, if it would have made a distinction between types of identification (see below on global vs. context-specific or sector-specific identifiers).

In other words, the authorization to access services or resources is indeed typically granted on the basis of identification of the entity, but not necessarily on the basis of global identification of that entity.

Identifiers

An identifier is an attribute or a set of attributes of an entity which uniquely identifies the entity in a certain context or sector. They have a number of characteristics:

1. They can be meaningful or meaningless. Belgian federal eGovernment relies heavily on the usage of the global identification number for natural persons (National Registry number or RRN number). This number is meaningful, since the birth date and the gender can be deduced from it. The National Registry number consists of 11 digits. The first 6 digits stand for the date of birth (2 digits for the year, 2 digits for the month and 2 digits for the day), the 3 following digits stand for the serial number of the registration (even numbers are reserved for women) and the last 2 digits form the verification number (art. 1 et seq Royal Decree 3 April 1984).

2. They can be assigned by private organizations or by the government. In eGovernment, identifiers are typically assigned by the government itself.

3. They can be sector-specific or context-specific, cross-sectoral or global. The application area of sector-specific identifiers is limited to a specific (governmental) sector in one or more contexts. The application area of context-specific identifiers is limited to a specific context in one or more sectors. For instance, sector or context-specific identifiers serve to identify an entity in different contexts or sectors via different identifiers, e.g., a health number, a judicial number, or a fiscal number. In contrast, cross-sectoral, cross-context or global identifiers are identifiers that are used in multiple, if not all (government) contexts and sectors. This means that an entity is identified in multiple government contexts and/or sectors via the same identifier.

One crucial interoperability decision in Belgian federal eGovernment has been to choose one common global identifier to identify all the relevant entities across several contexts:

1. The National Registry number serves as unique (global) identifier for Belgian citizens and foreigners that are registered in the population registers and in the consular and diplomatic registers.

2. The Crossroads Bank for Social Security issues an identification number for those natural persons that are not registered in the National Registry. This is the so-called ‘bis-’ and ‘ter-number’.

3. Enterprises also receive a global unique identifier at their first registration in the Crossroads Bank for Enterprises.

No parliamentary debate has taken place to justify this practice of using only one global identifier across several government contexts in Belgium.  

The Belgian Privacy Commission explained on multiple occasions that the real problem of identification means in general, is not that they are dangerous on their own. Their real risks lay in the fact that they enable interconnections of data repositories. From her point of view, it is important to control these interconnections between data repositories and their purposes. As we will see below, we are convinced that today’s control mechanisms are not sufficient.

The Privacy Commission has asked in a number of advices to introduce sector-specific identifiers, at least for health data and in the justice sector. Recent developments seem to indicate that this advice will be followed:

1. In its decision nr. 13/2006 of 24 May 2006 about the Phenix project (a large-scale reform of the judicial information architecture, which introduces inter alia electronic data exchange of court documents), the Privacy Commission explicitly requests the usage of a sector-specific identifier.

2. The lines of force of the planned BE-health platform (a large-scale medium to manage patient data, the platform is currently in a test phase) with respect to identification data are as follows. An irreversible patient identifier is calculated from the identification number for social security (INSZ-number), based on an algorithm which is accessible at every health care practitioner. The patient identifier is (1) either unique across all the health-care practitioner / institutions, or (2) unique per patient at a health-care practitioner / institution. Only the independent organization which manages the data exchange is able to make the conversion across the different contexts (different health-care practitioners / institutions). Data which do not require the identification of the patient (anymore) via the patient identifier are encoded or anonymized.

Control mechanisms

It is important to note that the access to and the usage of the identity data of the National Registry, including the national registry number, is strictly limited. Besides the cases where the usage of the National Registry Number is allowed by federal law or (federal) royal decree, its usage is subject to a prior authorization by the thereto appointed sectoral committee of the Privacy Commission. Only the entities listed in the law are entitled to use and/or access this data (Article 8 National Registry Act). 

These groups and purposes are Belgian public authorities, natural and legal persons acting as subcontractors of Belgian public authorities, public and private entities (Belgium) as to the information they need for fulfilling a task of public interest, notary publics and bailiffs in relation to their official tasks, pharmacists in case of delivery of dangerous medicines, and lawyers for the fulfillment of their judicial tasks. 

These entities should obtain a prior authorization to use and/or to access the personal information contained in the National Registry, including the National Registry number, from an independent sectoral committee that is part of the Privacy Commission. Authorizations are granted by the Sectoral Committee of the Privacy Commission if the access conditions are met. It mainly includes a verification if the request is compliant with the Belgian Data Protection legislation. The authorizations are subsequently made public via the website of the Privacy Commission. 

The usage of the global identifier for enterprises is also (but less stringently) regulated. When the number is being used to exchange other data than the ones contained in the Crossroads Bank for Enterprises, its usage requires the prior notification to the thereto appointed sector-specific sectoral committee of the Privacy Commission (Article 18, §4 Crossroads Bank for Enterprises Act). The usage of the ‘bis- and ter-number’ is not restricted at all (Article 8 §2 Crossroads Bank for Social Security Act). 

The divergent protection between these three types of identifiers results from the fact that the General Data Protection Directive 95/46/EC leaves the protection of unique identifiers totally up to the discretion of the Member States.