Table of Contents 

1 Executive Summary 

This deliverable is concerned with the generic application of the best practice guidelines concerning interoperability, which incorporate an effective development method and framework. The guidelines presented in “D4.6: Draft best practice guidelines” have been applied, in broad terms, to four areas of interest relating to identity, namely the FIDIS research project itself and the sectors of e-Government, e-Health and e-Commerce. The identity classification system, which was outlined in “D4.7: Review and classification for a FIDIS identity management model”, has been applied in the report for each of these areas of interest.  

The emphasis is on the delivery of a practical approach, incorporating sound tools and techniques that may be applied in the project and within business sectors dealing with identity management. Imposing a method, that provides a framework and discipline, should assist with the development, dissemination and application of the FIDIS results.

The rationale for developing the method and framework to assist with the creation of the best practice guidelines is outlined in Chapter 2, together with the aims of the deliverable. Chapter 3 briefly restates the proposed FIDIS information management method and framework. The application of the method, to the FIDIS project, e-Government, e-Health and e-Commerce is described in Chapter 4. Chapter 5 discusses how the work will be progressed in the FIDIS 3rd and 4th Work Plans and outlines the method envisaged for disseminating and exploiting the FIDIS results.

2 Introduction 

One of the objects of investigation for the FIDIS research community is the interoperability of identity management systems from the technical, policy, legal and socio-cultural perspectives. It looks at the limits of identity systems designed for one purpose being used for other purposes (e.g. inter-purpose interoperability: e-government, e-health, e-commerce systems), and sees the role of the market in generating interoperability (e.g. interplay of governmental regulation, self-regulation and no regulation: cross-border and cross-sector comparisons). It is important to stress that interoperability of identity management should strike a balance between the need to exchange data and the need to prevent threats against privacy and security.  

The aim of the FIDIS project is to develop integrated approaches for security, virtual identity management, and privacy enhancing technologies at application level, system level and infrastructure level. A fundamental aspect to be considered when applying identity management, involving many disciplines, within all areas of government, commerce and industry, is the development of a common comprehensive framework, which can be shared and applied by practitioners involved with identity management.  

1. 1. The proposed FIDIS framework endeavours to provide managers and developers with an approach to manage effectively and efficiently the vast amount and myriad forms of information and the many issues, such as security and privacy, which identity management technology and systems engender. The framework brings together a wide range of topics that are required to reach good decisions on interoperable identity and its application. 

      The proposed FIDIS framework endeavours to provide managers and developers with an approach to manage effectively and efficiently the vast amount and myriad forms of information and the many issues, such as security and privacy, which identity management technology and systems engender. The framework brings together a wide range of topics that are required to reach good decisions on interoperable identity and its application. 

2.1 Aims of the deliverable 

The aims of the deliverable are: 

1. To apply the proposed FIDIS generic framework, in broad terms, to four areas of interest namely the FIDIS research project and the sectors of e-Government, e-Health and e-Commerce 

2. To apply the proposed FIDIS classification system for each area of interest 

3. To demonstrate the application of the framework and models to support interoperability 

3 The proposed FIDIS Information Management Method and Framework

In the FIDIS project, to meet the challenge of bringing together the many different disciplines of identity management, there is a need for recommending best practice guidelines, which incorporate a method and framework for providing effective governance and information management. To assist the reader, the method and framework are briefly re-stated below. 

The method is separated into four domains, developed by the authors, as shown in Figure 1, namely the requirements domain; the business modelling domain; the information management principles domain; and the system specification domain. In FIDIS these domains cover all aspects of identity management. 

Figure 1: Domains of the Framework 

3.1 Requirements domain 

The requirements are divided into two main areas, those specifying the application activities and those specifying the management activities.  

3.2 Business Modelling Domain 

Business modelling of the activities is an essential prerequisite before information management can be implemented. Organisations should be able to analyse and anticipate the effects of processes, information flows, document management and enabling technologies, such as e-business, upon their operations. 

3.2.1 Types of models

Business modelling takes many different forms and there are many techniques available. What is important is that fundamental processes should be modelled, and the way that this is done should maximise the generation of value for the institution.  

3.2.1.1 Entity models 

Entity models specify the relationships between such entities as people, objects, processes, and information within and between organisations. They are used to brainstorm, or when working from a fresh start, to specify and resolve business issues and to define the related corporate information.  

3.2.1.2 Stakeholder models 

Stakeholder models highlight the different stakeholders who are involved in the various activities of identity management throughout the supply chain. Stakeholder models may be created for particular business sectors, such as e-Government and e-Health, and they may be used as a basis for information flows within and between stakeholders.  

3.2.1.3 Process and information flow models 

Information flow models show the business processes, how they interact with each other and how information flows between them. They provide a functional overview of the operations and allow personnel to see the functions and processes of a business quite independently of the organizational chart.

3.2.1.4 Compliance models 

A generic compliance model, (see D4.6: Section 4.2.1.4),  has been developed in order to assess the degree to which institutions are fulfilling their obligations and their effectiveness in applying identity management.

3.3 Information management principles domain 

The five principles discussed below underpin the modelling and are intended to serve as guidelines for those involved with the design and operation of information systems, irrespective of the technology being deployed.

The principles bring together the high-level internal policy issues and the detailed operational levels of any business or organisation. They are intended to provide a framework within which managers and others can develop detailed operational procedures. Alternatively they may be used as a template to check for the completeness or adequacy of an existing set of procedures and job descriptions. 

The five principles take the form of a set of statements of objectives for information management. These are intended to act as guidelines for a set of procedures that any institution should be capable of devising and operating as an extension of their current standard operating procedures, or of their quality management processes. 

3.3.1 Five Principles of Information Management

The Five Principles are: 

1    Recognise and understand all types of information

2    Understand the legal issues and execute "duty of care" responsibilities

3    Identify and specify business processes and procedures

4    Identify enabling technologies to support business processes and procedures

5    Monitor and audit business processes and procedures

The ordering of the principles also reflects a cascade from the high level classification of information streams to responsibilities, and then on to technology and operational considerations. 

3.3.1.1    Information

To ensure that the institution: 

1. Recognises, understands and controls data and information through its classification, structure and the way it is represented. 

2. Chooses appropriate methods to capture, store and transmit data within the institution and across its boundaries to, and from, its business partners. 

3. Evaluates the information that it holds and takes appropriate measures to protect its information resources. 

4. Implements appropriate levels of security for managing its information. 

3.3.1.2    Duty of Care

To ensure that the institution: 

1. Informs appropriate staff of pertinent legislation and regulations, which apply to the way information and data is handled within their industry and business activities 

2. Executes its responsibilities under the duty of care principle. 

3.3.1.3 es

To ensure that the institution: 

1. Identifies, documents and describes its processes and procedures. 

2. Monitors and controls changes to standard procedures using the documented descriptions of its operations. 

3.3.1.4      Enabling technologies

To ensure that the institution: 

1. Identifies, assesses and applies appropriate technologies to support and enable its business processes and procedures 

2. Establishes procedures to monitor and control potential exposure to risks arising from the misuse or failure of its computer systems 

3.3.1.5       Auditing

To ensure that the institution: 

1. Employs appropriate measures to monitor and document its operations and any deviations from its designated standards and methods of operation as established by its industry’s regulatory bodies. 

3.4 System Domain 

Applying all of the above domains and their components helps to create the specification and requirements of an application system, either manual or electronic, in terms of processes, information and personnel. (See D4.6: Section 4.5)

4 Application of the method

This section outlines how the proposed method and framework may be applied to interoperability within the four areas of interest namely, the FIDIS research project, e-Government, e-Health and e-Commerce. 

4.1 FIDIS research project 

A requirements model for the FIDIS research project is shown in Figure 2. 

Figure 2 : FIDIS Project requirements model  

Research activities 

1. Establish and maintain the “FIDIS Identity Wiki” to disseminate electronically the research (WP2) 

2. Execute research activities relating to “High-Tech Technologies” to support identity and identification (WP3) 

3. Develop the transversal perspective across the full spectrum of FIDIS work through “Interoperability” (WP4) 

4. Jointly execute the research activities relating to “Profiling”(WP7) 

5. Execute research activities relating to “Mobility & Identity” (WP11) 

6. Execute research activities relating to “Emerging Technologies” (WP12) 

7. Execute research activities relating to “Privacy and Privacy Technologies” (WP13) 

8. Jointly execute research activities relating to “Privacy” (WP14) 

Management activities 

1. Manage the research activities through the “Internal Communication Infrastructure” (WP1) 

2. Manage the FCI Steering Committee 

3. Perform the management activity of the “Dissemination of the Research” (WP9) 

4. Perform the activity of the “Network Management” (WP10) 

5. Jointly execute the “PhD Training” in the NoE (WP15) 

4.1.2

A stakeholder model for the FIDIS research project is shown in Figure 3 and represents the members of the FIDIS consortium. The information flows between them are performed by the internal communications infrastructure which is managed in WP1. 

Figure 3: FIDIS Stakeholders 

1.   The principles of information management relating to the FIDIS project are shown in Tables 1 and 2

1.  

   Table 1 

    

   Table 1 

1. Table 2 

   Table 2 

2.   The principles of information management relating to all sectors are shown in Table 3

1.  

   Personal Identifiers / Credentials used within all sectors 

    

    

   Personal Identifiers / Credentials used within all sectors 

    

1. Table 3 

    

    

    

    

    

   Table 3 

    

    

    

    

    

4.2    e-Government

1.  

   It is envisaged that the proposed FIDIS interoperability framework will be suitable for performing the applications discussed in the report “European Interoperability Framework for Pan-European eGovernment Services” which was published by the European Commission. The framework will be applied to D16.1: conceptual framework for Privacy-Friendly Identity Management for e-Government.

    

    

   It is envisaged that the proposed FIDIS interoperability framework will be suitable for performing the applications discussed in the report “European Interoperability Framework for Pan-European eGovernment Services” which was published by the European Commission. The framework will be applied to D16.1: conceptual framework for Privacy-Friendly Identity Management for e-Government.

    

A requirements model for e-Government is shown in Figure 4. 

1.  

   
   

   Figure 4: e-Government requirements model 

    

   
   

   Figure 4: e-Government requirements model 

Operational / application activities include: 

1. Manage the identity of the citizen to ensure that it is secure and strictly confidential to those who are authorised to see the information. 

1. Request and receive certificates such as birth, marriage, death, residence, and nationality 

2. Apply for, and receive entitled unemployment benefits, family allowances, student grants and medical costs, which require identity items relating to Tax Registration, Status (married/single, dependents, disability registration, etc) 

3. Apply for and deliver electronic identity documents such as passports, visas, medical papers, etc 

4. Submit and execute tax returns which require identity items such as Insurance Number/Citizen Service Number and Tax Details 

5. Request and execute driving licences and car registrations (new/unused/imported), 

which require identity items such as Vehicle registrations, licences, insurances, roadworthiness  

1. Search and make reservations of library materials from public libraries 

2. Search for vacancies that correspond to qualifications, to obtain information about organisations and to enrol in professional training programmes 

3. Request building permits from their municipality, to file an appeal procedure and to make building permits decisions public 

Management activities 

The requirements for management activities should specify the management tools, techniques and procedures, which have to be employed to ensure that all the information, roles and responsibilities, processes and technologies are in place to manage identity activities. These should include the management of projects, finance, human and technology resources.  

4.2.2

A stakeholder model for e-Government is shown in Figure 5, which might represent a “typical” structure of government. The government policies are determined by parliament and performed by the various departments and agencies. The proposed European Interoperability Framework is to “support the EU’s strategy of providing user-centred eServices by facilitating the interoperability of services and systems between public administrations, as well as between administrations and the public (citizens and enterprises), at a pan-European level”.

1. 
   

   Figure 5: Typical stakeholders within Government sector 

   
   

   Figure 5: Typical stakeholders within Government sector 

4.2.3 Information management principles for e-Government are shown below in Table 4

1. Table 4 

    

    

   Table 4 

    

    

4.3    e-Health

1.  

   It is envisaged that the proposed FIDIS interoperability framework will be suitable for performing the applications discussed in the report “Connected Health – Quality and safety for European Citizens” which was published by the European Commission.

    

    

   It is envisaged that the proposed FIDIS interoperability framework will be suitable for performing the applications discussed in the report “Connected Health – Quality and safety for European Citizens” which was published by the European Commission.

    

4.3.1

1.  

   A requirements model for e-Government is shown in Figure 6. 

   
   

    

   A requirements model for e-Government is shown in Figure 6. 

   
   

2. Figure 6 : e-Health requirements model 

Operational / application activities include: 

1. Manage the identity of the patient to ensure that it is secure and strictly confidential to those who are authorised to see the information 

1. Provide health care to all citizens 

2. Manage professional medical institutions by verifying qualifications  supported by certificates, diplomas, degrees, etc

1. Provide and manage medical practitioners by verifying qualifications and CVs of practitioners such as doctors, surgeons and nurses 

2. Supply and monitor funds 

3. Keep medical records up to date of doctors, patients, biological data, etc 

1. Management activities 

    

   Management activities 

    

The requirements for management activities should specify the management tools, techniques and procedures, which have to be employed to ensure that all the information, roles and responsibilities, processes and technologies are in place to manage identity activities. These should include the management of projects, finance, human and technology resources.  

1. 1. 1. Business modelling domain

1.  

   A stakeholder model for e-Health is shown in Figure 7 which represents a “typical” structure of a national health service. The government policies are determined by parliament and performed by the various departments and agencies.  The Connected Health initiative considers the “requirements of e-Health interoperability which aim to provide systems and services that are connected and can work together easily and effectively, while maintaining patient and professional confidentiality, privacy and security”.

   
   

   Figure 7: Typical stakeholders within health sector 

    

   A stakeholder model for e-Health is shown in Figure 7 which represents a “typical” structure of a national health service. The government policies are determined by parliament and performed by the various departments and agencies.  The Connected Health initiative considers the “requirements of e-Health interoperability which aim to provide systems and services that are connected and can work together easily and effectively, while maintaining patient and professional confidentiality, privacy and security”.

   
   

   Figure 7: Typical stakeholders within health sector 

4.1.3 Information management principles domain

1. The principles of information management relating to e-Health are shown in Tables 5

   Health Sector – Identifiers / Credentials 

    

   The principles of information management relating to e-Health are shown in Tables 5

   Health Sector – Identifiers / Credentials 

    

1. Table 5 

    

    

   Table 5 

    

    

4.4    e-Commerce

e-Commerce consists primarily of distributing, buying, selling, marketing and servicing products and services over electronic systems such as the internet and other computer networks. It is vital that the electronic  transfer of identities and information, relating to individuals and organisations, are protected at an appropriate level.

1. An example of a security standard is the PCI Data Security Standard which is  a set of comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council, including Visa, MasterCard, American Express, Discover Financial Services and JCB, to help facilitate the adoption of consistent data security measures on a global basis. The PCI DSS includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organisations proactively protect customer identity and information.  
   

   An example of a security standard is the PCI Data Security Standard which is  a set of comprehensive requirements for enhancing payment account data security. It was developed by the founding payment brands of the PCI Security Standards Council, including Visa, MasterCard, American Express, Discover Financial Services and JCB, to help facilitate the adoption of consistent data security measures on a global basis. The PCI DSS includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organisations proactively protect customer identity and information.  
   

4.4.1

A requirements model for e-Commerce is shown in Figure 8. 

1.  

   
   

   Figure 8: e-Commerce requirements model 

    

   
   

   Figure 8: e-Commerce requirements model 

Operational / application activities include: 

1. Manage the identity of the customer to ensure that it is secure and strictly confidential to those who are authorised to see the information 

1. Create and execute financial accounts with organisations such as banks, building societies, insurers and retailers 

2. Manage accounts within banks, building society and insurance companies, credit and debit cards  

3. Perform financial and other transactions with organisations and individuals using cheques and Internet payments of bills for services, products and taxes  

1. Apply for, and fulfil employment with organisations utilising application forms, CVs, qualifications, salary/pension details 

2. Carry out personal activities such as leisure and travel using such items as club membership cards and airline tickets 

1.  

   Management activities include: 

    

    

   Management activities include: 

    

The requirements for management activities should specify the management tools, techniques and procedures, which have to be employed to ensure that all the information, roles and responsibilities, processes and technologies are in place to manage identity activities. These should cover the management of project, finance, human and technology resources.  

1. 1. 1. Business modelling domain

1. A stakeholder model for e-Commerce is shown in Figure 9 which represents a “typical” structure of a commercial sector. All types of information, documents, products and currencies flow, within and between organisations and customers, throughout supply chains within the commercial sector 

   A stakeholder model for e-Commerce is shown in Figure 9 which represents a “typical” structure of a commercial sector. All types of information, documents, products and currencies flow, within and between organisations and customers, throughout supply chains within the commercial sector 

1. Figure 9: Typical stakeholders within commerce sector 

   Figure 9: Typical stakeholders within commerce sector 

4.4.3

1. The principles of information management relating to e-Commerce are shown in Table 6

   Commerce Sector – Identifiers / Credentials 

    

   The principles of information management relating to e-Commerce are shown in Table 6

   Commerce Sector – Identifiers / Credentials 

    

Table 6 

5    Conclusion and future work

This deliverable should only be considered as the start of a continuous process for developing best practice guidelines. It is concerned with the generic application of the best practice guidelines concerning interoperability, which incorporate an effective development method and framework. The guidelines presented in “D4.6: Draft best practice guidelines” have been applied, in broad terms, to four areas of interest relating to identity, namely the FIDIS research project itself and the sectors of e-Government, e-Health and e-Commerce. The identity classification system, which was outlined in “D4.7: Review and classification for a FIDIS identity management model”, has been applied in the report for each of the areas of interest.

1. It is envisaged that the proposed FIDIS interoperability framework will be suitable for performing the applications discussed in the EC reports: 

    

   It is envisaged that the proposed FIDIS interoperability framework will be suitable for performing the applications discussed in the EC reports: 

    

1. “European Interoperability Framework for Pan-European eGovernment Services”  

2. “Connected Health – Quality and safety for European Citizens”  

5.1rd Work Plan

The next deliverable, D4.9: “An application of the management method to an interoperability case study” will apply the method in detail to determine recommendations for best practice, relating to identity management, within the e-health sector.

5.2th Work Plan

The generic best practice guidelines, which incorporate an effective development method and framework, will be applied in the following deliverables: 

1. D4.11: Overview of reflections and models underlying the health identity management of different types of welfare states in Europe

2. D7.14: Report Where Idem meet Ipse

3. D16.1: Conceptual framework for Privacy-Friendly Identity Management for e-Government

To enable the practical adoption of the management method, we are proposing for development in a further deliverable, a FIDIS portal, rooted in the constructs illustrated in Figure 10, established to assist with the dissemination and exploitation of the FIDIS results. It is envisaged that the final best practice guidelines will be established after the delivery of D4.10 “Specification of a portal for interoperability of identity management systems”.

Figure 10: Structure of Portal for Interoperability