General trends with regard to ID numbers: Belgium

 

Xavier Huysmans, KU Leuven, ICRI 

 

Introduction

In this country report we describe general trends with regard to personal ID numbers, i.e., numbers used to refer to natural and/or legal persons, assigned to or being used in a Belgian public sector context.

The main ID numbers being used in Belgian eGovernment are: (1) the National Registry number, (2) the ID card number, (3) the Social Security Card number, (4) the INSZ number, (5) the Crossroads Bank for Social Security number, (6) the Fiscal number, (7) the eGovernment registration number and (8) the Enterprise number. We briefly explain the properties and usage modalities of each of these ID numbers. 

 

The RRN-number

Context

Belgian municipalities maintain a number of registries, such as the civil status register, the birth register and the population register. The latter consists out of 3 sub-registers, namely:

1. The (core) ‘population register’: contains data about Belgians, foreigners who have a permanent residence permit, gypsies, commercial travelers and homeless people who have a reference address;  

2. The foreigners register: contains data about foreigners with a temporary residence permit. It is also called the ‘bis-register’.

3. The waiting register: contains information about candidate refugees. It is also called the ‘ter-register’.

 

Municipalities also issue ID cards to Belgians and foreigners that are authorized to reside in Belgium. The card serves as a proof of registration in the population register.

Belgian municipalities are responsible for keeping their population registers accurate and up to date. The law also requires them to synchronize a number of basic identification data from their population registry, as well as their change history with the National Registry. In practice, this synchronization is being done via the National Registry number of the people to which the data refer (‘data owners’).

The National Registry is an information processing system responsible for the intake, storage and communication of information regarding the identification of natural persons (art. 1 Act 8 August 1983). As the data of the law indicates, it officially exists since 1983. Since then, it evolved from an internal tool to rationalize the population registry management of the municipalities, to a major building block of Belgian eGovernment.

One of the main principles of the Belgian federal interoperability framework used in eGovernment is that every relevant entity (i.e., an entity that has to be identified), shall have one and only one identification number that remains stable over time.

To achieve this, the law of 25 March 2003 altered the purpose of the National Registry Act. Its article 1 now indicates that the National Registry puts a file with basic identification data at disposal of a restricted group of government administrations, institutes and persons. Its purpose is to:

1. facilitate the exchange of information between administrations and to enable the automated updating of the public sector databases and

2. enable the automated updating of the databases of the public sector in regard to general data of citizens (within the limits of the law).

3. rationalizing the communal management of the population registries, and 

4. simplify some administrative formalities requested from the citizens.

From a data protection perspective, this means that this new article of the National Registry Act has created a legitimacy ground to some entities to process the identifier of the National Registry Number to exchange data about the people that are registered in it within the whole Belgian public sector context. We come back to this below.

 

Properties

A National Registry Number (RRN-number) is attributed to each entity at its first registration in the National Registry (art. 2 Act of 8 August 1983). It is a meaningful ID number that consists of 11 digits:  

1. the first 6 digits stand for the date of birth (2 digits for the year, 2 digits for the month and 2 digits for the day) 

2. the 3 following digits stand for the serial number of the registration (whereas even numbers are reserved for women) 

3. the last 2 digits stand for the verification number (art. 1 et seq Royal Decree 3 April 1984).  

 

A first important property of the number lays in its uniqueness: there is one and only one RRN number per registered natural person. The same number cannot be assigned to several entities. Given the mentioned legitimacy ground, its usage is not limited to one specific or contexts or sectors. It is a global identifier, as previously defined.

Other important, related properties of the RRN-number are: 

1. Its stability through time: it does not contain variable characteristics of the registered entity. It is not transferable and cannot be reattributed to another entity. 

2. Its stability through attributes: it does not contain references to other entities. The ID number does not change when the quality or characteristic of the registered entity changes. 

3. It is meaningful: one can derive the data of birth and the sex of the registered person from it.  

4. Its exhaustivity: every entity that has to be identified (for the National Registry) has an ID number 

5. It is not revocable. 

6. As explained earlier in this deliverable, it is personal data.  

 

There has not been a large debate going on in Belgium with regard to the appropriateness of having only one global ID number in Belgium. The point of view of the Privacy Commission is that only with regard to specifically sensitive data, being health data and judicial data, a separate sector-specific identifier is needed. With regard to the meaningfulness of the ID number, a law proposal has been filed to change it to a non-meaningful number, but apparently the cost to switch all numbers is currently too high (DE BOT 2005, p. 128, wetsontwerp 25 Maart 2003, p. 6-7). 

 

Usage

eGovernment should obviously be done in accordance with data protection regulation (purpose binding etc.).

On the topic of global identifiers, in Belgian Federal eGovernment a particular model was chosen to comply with the data protection rules, namely one that puts the decision on the legitimate usage of one particular global identifier in the hands of the Belgian Privacy Commission. More specifically, data exchange based on the RRN number is subordinate to authorizations by an independent committee, which is part of the Privacy Commission. It is called the ‘Sectoral Committee of the Privacy Commission’.

Access to and usage of the RRN Number requires a prior authorization, except for the National Statistical Institute (NIS) – a separate law regulates statistical processing and except in the cases foreseen by law or royal decree (article 8 of the National Registry Act). In other words, other legal rules can derogate from the general obligation to ask a prior authorization of the Sectoral Committee of the National Registry.

The authorization to use the RRN number can only be granted to a limited set of entities, namely:

1. Belgian public authorities, for the information they need to know based on a law, regional decree or ordinance; 

2. Public and private institutions of Belgian law that perform tasks of public interest that have been committed by or by virtue of a law, regional decree or ordinance or have been recognized as such by the sectoral committee, for the information they need to fulfill these tasks of public interest; 

3. Natural persons or legal persons that act as subcontractor (1) on the demand , control and responsibility or (2) Belgian public authorities and/or public and private institutions of Belgian law that perform tasks of public interest. 

4. Notary Publics and bailiffs (individually), for the information they have the right to know based on a law, regional decree or ordinance. 

5. The chamber of Pharmacies, to communicate the main residence of a client that has been delivered a dangerous medicine 

6. The chamber of Lawyers, for the information they need to fulfill their tasks as associates of the Court. 

 

The law explicitly states that the Identification number of the National Registry (i.e., the RRN number) shall not be used without authorization or for other purposes for which the authorization has been granted.

The National Registry Act does not explicitly state what should be understood under the term ‘using’ the RRN number. Based on the prior advice of the Belgian Privacy Commission on that topic we can conclude that a distinction should be made between internal and external usage of the number.

The term internal usage refers to the usage of the ID number by a public authority, an institution or person for the internal management of the data it disposes of in the context of a specific task. It should, of course, be limited to the exertion of these tasks of legal or regulatory nature. Examples of the concrete usage are, for instance, to include the number in specific files, records or registers that have not necessarily been computerized.

Another type of usage would be to use the number for user management, to manage the actions that specific users are authorized to do. The term external usage refers to the usage of the number in specific situations in contacts with external entities, such as other government authorities, institutions or persons. This type of usage should be explicitly granted in the authorization decision. It is only possible if the other entity is also authorized to process the RRN number.

The term network connections means that the number is being used to exchange data about specific persons with other government authorities, institutions or persons. Article 8,§1,4 of the National Registry Act explicitly allows the usage of the number for network connections, on the condition that the authorization demand explicitly lists the connections that will result from this usage. There appears to be consensus in the literature that the mere reading the number on a document is, as such, not considered as ‘usage’.

The 7 protection measures of the RRN number provided required by the National Registry law can be summarized as follows:

1. There is an obligation to notify new and modified network connections (exception if there has been a prior decision of a sectoral committee) 

2. A dedicated information security and data protection consultant should be appointed. His/her identity should be communicated to the commission. 

3. Penal sanctions apply when the number is being used for other purposes than the ones that are authorized. 

4. The Privacy Commission requests a list of organs / employees that are entitled to use the RRN number as well as an information security plan. 

5. There is an obligation to provide a confidentiality contract with and to provide training of the people that are authorized to use the RRN number. 

6. Each person has the right to access and correct personal data held about him/herself, including the one based on the RRN number (article 10 of the National Registry Act). 

7. The authorizations are made public via the website of the Privacy Commission (article 12 of the National Registry Act). 

In addition to that, in the vision paper by Mr. Deprest and Mr. Robben (see the bibliography), we also read that: 

1. Each electronic exchange of personal information shall be preventively checked for compliance with current access authorizations by the used service integrator (for example, the Crossroads Bank for Social Security)

2. Each electronic exchange of personal information shall be logged, to ensure the subsequent traceability of any abuse. 

3. Each time information is used to take a decision, the information used shall (ideally) be notified to the person concerned together with the decision made.

 

Usage of the RRN in the Belgian eID. How it should be?

A specific type of usage of the RRN number is its integration on and in the Belgian electronic identity card. For instance, the number has been printed on the card and included in the X.509 citizen certificates (authentication and non repudiation certificate).

This means that with each exchange of a digital signature created with the Belgian eID, the signatory propagates the National Register number to external parties that have not necessarily received an authorization to use the number by the Privacy Commission.

Of course, strictly speaking, one could argue that the mere fact that third parties can see the RRN-number, shall not be qualified as ‘usage’ in the legal sense of the term – and does therefore not conflict with the mentioned obligation to request a prior authorization for a particular purpose.

Nevertheless, as explained in the general legal chapter of this deliverable, using a global identifier to interchange data between several contexts and/or sectors creates important linkage risks.  

Even if we leave in the middle whether this linkage risk is affordable or not in the public sector, it is clear that the RRN number is not supposed to be used: 

1. outside the public sector  (according the legal provisions mentioned above, only a limited number of government entities, their processors and subcontractors can use it), and

2. without the legal controlling mechanism of authorizations by the Sectoral Committee of the RRN at the Privacy Commission.  

When we take one step back and apply the theory we’ve mentioned in the legal contribution of this deliverable to evaluate whether or not the appropriate technical and organizational security measures have been taken to protect the number against any unlawful processing (article 17 of the Data Protection Directive and article 16§4 of the Belgian Data Protection Act) we are not sure whether it is indeed the case. Moreover, article 11 of the National Registry Act goes one step beyond, with regard to the processing of data of the National Registry (thus: including the RRN number).

It requests from everyone that intervenes in the data processing to take all the necessary precautions to guarantee the safety of the data and, among others, to prevent that they are being communicated to persons that have not received an authorization to view it (Dutch: ‘inzage nemen’)

The main reasons why we are not sure whether in casu the appropriate technical security measures have been taken can be summarized in terms of these two rules:

1. The eID is designed and targeted to be also used outside a strict eGovernment context. For instance, on the website www.eid.belgium.be, one can for example read that the eID will be usable, among others, as a library card, to sign your purchases via the web, as an access key to the network of your company, as the access key to safe chatboxes, as the identity proof at the reservation of your hotel etc.

2. However, to process a global ID number in a legitimate way, appropriate technical and organizational security measures are needed. These measures shall prevent any unlawful data processing of that number. 

3. Also, to process the RRN number in a legitimate way, the necessary precautions should have been taken to prevent it from being communicated to entities that have not received an authorization to view it.  

In practice, we believe that the data controller should in this case have taken the measures needed to prevent processing of the number outside a governmental context (e.g., in eCommerce), since the usage outside this context is not allowed.  

In addition, we believe that he should also have taken the appropriate measures to avoid the number from being processed by government entities (mentioned above, article 5 of the National Registry Act) that are not entitled to process the number, e.g. before they dispose of the necessary legal provision or authorization of the Sectoral Committee of the RRN at the Privacy Commission.

As far as we know, none of these precautions have been taken in the design of the current version of the eID. Possible measures are, for example, to encrypt the number, and make decryption available to the authorized entities only.  

The problem is known to the Belgian administration, and we are sure that they are taking the necessary steps to solve this issue. 

 

Other ID numbers processed by municipalities

Context

As explained, the population register contains a number of data that is needed for the identification and localization of the inhabitants (art. 2 Act 19 July 1991).

This list partially differs from the data contained in the National Registry. For instance, in addition to the basic identification data being synchronized with the National Registry, population registers for example also contain: 

1. passport details (including the passport number), 

2. the number of the Belgian ID card, 

3. the number and date of issuance of the Social Security Card and 

4. pseudonyms. 

 

These 4 identifiers are, in principle, not being processed by the National Registry. Nevertheless, in practice, municipalities are allowed to delegate the processing of these (and other) additional data to the National Registry. Municipalities regularly do so when they do not dispose of a data center of their own, or one that is jointly operated with one or more other municipalities.

 

From a data protection perspective, in this case, the National Registry is not a data controller, but a data processor with regard to the mentioned additional data. By consequence, the National Registry is only allowed to process the data (and a fortiori communicate it) on behalf of the municipalities themselves, unless it is required to do otherwise by law.

In other words, one can only confirm that, at the moment, the law says that if the National Registry is requested to process additional data, it can only communicate it to the administration that communicated it in the first place. It offers no guarantee for the future (laws can change) and it is not technically verifiable.

Pursuant to Council Regulation 1030/2002 of 13 June 2002 laying down a uniform format for residence permits for third-country nationals, the passport document number should be included in the residence permit, produced as a ICAO compliant visa or travel document. The number should include special security features and be preceded by an identification letter.

With regard to the eID and the social security card, it is relevant to note that both cards contain a separate ID card number that is also being stored by the above mentioned population register. The card number of the eID consists of 12 numbers, the first and the last 3 separated by a dot. An example of a possible eID card number is ‘591.0831050.76’. The card number of the SIS card consists of a string of 10 numbers. An example of a possible SIS card number is ‘0352936373’.

Apart from the obligation to include the number in the eID card registry, no specific regulation is foreseen to protect these measures. As a result, only the general data protection rules apply. The last type of identifiers processed by the Population Registry are pseudonyms. We come back to them in the next section (‘usage’).

 

Usage

An interesting finding is that – contrary to the National Registry Number – no specific data protection guarantee has been foreseen with regard to these 4 identifiers. As mentioned earlier in the legal background contribution of this deliverable, this is not surprising, because the general Data Protection Directive leaves the decision whether or not to protect identifiers with general application to the member states. In other words, in Belgium only the general data protection rules apply to these identifiers (and ID numbers – a pseudonym is not necessarily a number).

As far as we know, these numbers are currently not being used by government entities to interconnect data (‘network connections’ as mentioned above). Therefore, the legal risks applying to them may at first sight be less important than those applying to the RRN number. 

Yet, this situation could easily change. For example, in 2006 a popular private website for elderly people www.seniorennet.be granted access to its chatbox via the eID and the SIS card, by just identifying the users via the content data of these cards (the basic identification data is not encrypted).

When reading out the SIS / eID card, besides the RRN number, the SIS / eID card number is also being disclosed… 

Strictly speaking, if a data controller would decide to use this card number, or easier, the certificate number of the eID, instead of the strictly regulated RRN number, linkability risks would be similar to the risks with the RRN mentioned above, without being illegal (since the data controller could fulfill the data protection requirements, e.g., processing based on informed consent).

As a result, the card holder has no other choice but to trust the data controller of the counterparty in the communication, and to hope that the data will not be used for other purposes, and will never be ‘further processed in a way incompatible with the original purposes’.

We believe this is not sufficient, especially in a governmental context, where – as we explained – purposes can much more easily be changed by adapting the law. In our view, the balancing exercise to know which security measures are appropriate or not, should:

1. take the risks connected to the nature of the data processing in the public sector into account,  

2. prevent any unlawful processing of these numbers outside the public sector context and

3. prevent any unlawful processing of these numbers before the necessary legal ground is available (either a legal provision or an authorization of the competent Sectoral Committee of the Privacy Commission). 

 

For example, the Royal Decree of 8 January 2006 has made officially clear, that when an administration is authorized to receive access to the name and surname of a citizen or group of citizens (art. 3,1,1° National Registry Act, part of the official basic data that a municipality has to synchronize with the National Registry), it also receives access to the person’s surname, first names, pseudonym, (nobility) title, and the changes in surname, first names and nobility title (art. 1,1,1° of the Royal Decree).

Both the Privacy Commission and the Raad van State (Supreme Administrative Court) to this Royal Decree disagreed with the enlargement of the definition. Nevertheless, their advice to not include some of the information types, such as the change of sex, or the pseudonym, or the disappearance of the person, has not been taken into account.  

As a result, today, the processing of a person’s pseudonym by the National Registry is not incompatible with the original purposes. It can legitimately be processed at the same level as it processes the first name or the surname of that person The pursued (new) finality is not incompatible with the original ones.This illustrates that there is a risk that legislation will change the granted purposes later on, and make what is illegal today, may be allowed tomorrow.

 

ID number for social security

Context

As explained earlier in this deliverable, one of the main principles of the Belgian federal interoperability framework used in eGovernment is that every relevant entity shall have one and only one identification number that remains stable over time.

Even though the numbers managed by the Population Registry and the National Registry cover most of the entities that need to be identified in eGovernment, there are also a number of entities that are not. For instance, some categories of natural persons that are relevant for social security, fiscal and other purposes are not included in it (for example, people that are radiated ex officio of the population registers, or people that only work but do not reside in Belgium etc).

This is where the ID number for social security (INSZ number) comes in. Article 8 of the Crossroads Bank for Social Security Act of 15 January 1990 (as amended by law of 16 January 2003) says that for the processing of the data needed in application of this law – which means: for social security purposes – it shall use the National Registry number or, when applicable the identification number of the Crossroads Bank itself.

 

Properties

The INSZ number is the combination of both the Crossroads Bank number and the RRN number (article 1,4° Royal Decree 18 December 1996). The Crossroads Bank number is built in the same way as the RRN-number. It consists out of 11 digits:  

1. the first 6 digits stand for the date of birth (2 digits for the year, 2 digits for the month and 2 digits for the day) 

2. the 3 following digits stand for the serial number of the registration (whereas even numbers are reserved for women) 

3. the last 2 digits stand for the verification number (art. 1 et seq Royal Decree 8 February 1991).  

 

Usage

The law explicitly states that the usage of the Crossroads Bank number is free. By consequence, the INSZ-number falls under two different usage regimes:  

1. first, the (restricted) usage rules that apply to the RRN-number explained earlier and  

2. second, the limited usage that applies to the Crossroads Bank for Social Security number. Since this number can be qualified as personal data, the general data protection law applies.  

 

The Fiscal number

Properties

Article 314,§1 of the Belgian Income Tax Code (Wetboek van Inkomstenbelastingen) foresees that all taxable persons are assigned a fiscal ID number.The second part of the paragraph explains that for natural persons, this number corresponds to the RRN number. The third paragraph confirms that for legal persons that are not registered in the National Registry, a fiscal ID number is being assigned, according to the rules set by Royal Decree. 

The fiscal ID number for legal persons is their VAT number, which consists of the country code BE plus a string of 9 numbers between 0 and 9. An example of a Belgian VAT can be BE123456789.

Other persons that are not registered in the National Registry receive a separate ID number, which is built according to the same rules as those applying to the Crossroads Bank for Social Security number (Royal Decree of 8 February 1991). 

 

Usage

The fiscal ID number can, be used for identification purposes of a number of internal and external relations the Fiscal administration has with other entities. 

Such external relations are, for example possible with the holders of the number, his/her successors, and identification government entities that have received a prior authorization based on article 8 of the National Registry Act (see above). 

The Enterprise number

Properties

The Crossroads Bank for Enterprises is a register that has the obligation to record,  store, manage and put at disposal data related to the identification of enterprises (article 3,3° Crossroads Bank for Enterprises Act).

The purpose of the register is in the first place to simplify administrative formalities, to organize public services more efficiently and, to some extent, to commercialize the data of the registry (article 3, second part and article 19 of the Crossroads Bank for Enterprises Act). Important for our deliverable, is that at its first registration in the registry, each entity is assigned a unique ID number (article 5 Crossroads Bank for Enterprises Act). Enterprises get a so-called ‘Enterprise Number’ (Ondernemingsnummer) and branches get a so- called ‘Branch Number’ (Vestigingsnummer).

The Enterprise number consists of a string of 10 numbers represented as follows: ZNNN.NNN.NNN. The ‘Z’ stands for 0 or 1 and each position ‘N’ stands for a number between 0 and 9. If Z is equal to zero, is should not be mentioned. The Enterprise Number of an enterprise that is subject to Belgian VAT, is its VAT number (without the country code) preceded by the index 0. Similarly, any enterprise that is registered in the National Legal Persons Registry gets the latter number, also preceded by the index 0 (Royal Decree of 24 June 2003).

The composition of the Branch Number is very similar. It is represented as ZNNN.NNN.NNN, with ‘Z’ being a number between 2 and 8 and the position ‘N’ being a number between 2 and 9 (Royal Decree of 24 June 2003). 

Both numbers are not limited to a specific context or sector. It is a global identifier, as previously defined.

Other important, related properties of the Enterprise-number are: 

1. Its stability through time: it does not contain variable characteristics of the registered entity. Contrary to the Branch Number, the Enterprise Number is not transferable and cannot be reattributed to another entity, except when the enterprise is being divided. If the Enterprise Number was assigned to other types of legal entities, the transfer is not possible. If it was assigned to a natural person, the transfer is not possible either. The number remains assigned to that natural person, even if the activities are suspended or stopped, when the registered activities change or if the person dies. The number cannot be taken up by the successor.

2. Its stability through attributes: it does not contain references to other entities. The ID number does not change when the quality or characteristic of the registered entity changes. 

3. Its stability through attributes: it does not contain references to other entities. The ID number does not change when the quality or characteristic of the registered entity changes. 

4. It is meaningful: if the number holder is subject to VAT, one can derive the VAT number from it.  This is, however, public data.

5. Its exhaustivity: every entity that has to be identified has an ID number 

6. It is in principle not revocable. However, if an Enterprise Number is being crossed out, it cannot be reassigned to a third party.

7. It is in principle not personal data, unless it refers to an identified or identifiable natural person. In that case, the higher mentioned data protection principles, including article 8,7° of the Data Protection Directive should be taken into account.

 

Usage

In principle, the usage of the Enterprise and the Branch Number is free. This means that – contrary to the RRN number – enterprises can also use this number in their internal relations. The usage of the number is compulsory for all the contacts the enterprises have with administrative and judicial administrations, and for all the contacts these administrations have among each other. 

Moreover, the number should also be mentioned on a number of fixed items, e.g., all acts, invoices, official announcements, orders letters and all other documents of commercial nature (e.g. by artisans, vendors etc.), on commercial buildings, etc.  

The usage of the Enterprise and the Branch number should respect the rights and liberties of others. The Crossroads Bank of Enterprises Act therefore imposes a prior notification to the thereto competent Sectoral Committee of the Privacy Commission, for all other data exchange between government entities that is based on the Enterprise or the Branch number (article 18 of the Crossroads Bank of Enterprises Act).

In other words, the legislator felt that when these numbers are being used to link different data sources between 2 or more government entities, it was necessary to map the interconnections via a registry and to make them public. In this case, the task of the Sectoral Committee of the Crossroads Bank of Enterprises is (1) to register the interconnections in a registry and (2) to verify whether the legislation has been respected (e.g. exchange of this ‘other’ data only within the limits of the law). Contrary to the rules applicable to the RRN-number, the Crossroads Bank for Enterprises Act does not impose additional guarantees, such as the appointment of a information security consultant.

 

Conclusion

In this country report we’ve given an overview of the main ID numbers that are being used in a Belgian public sector context, especially in the context of eGovernment. At first sight it appears that a multitude of numbers are being used, such as the National Registry Number, the Social Security Number, the Tax number, the Enterprise number etc. 

These numbers are, however, in most cases synchronized with each other. The statement taken from the vision paper by Deprest and Robben that every relevant entity shall have one and only one identification number that remains stable over time, seems therefore to be totally the case in practice.

As a result, this brings us back to the point we’ve explained in the general legal contribution of this deliverable, whether or not technical unlinkability should be a requirement in eGovernment. Our main finding is that because the situation that applies to the RRN number is similar to the risks that apply to other global ID numbers in eGovernment, at least the unique legal authorization mechanism that was explained above should be made applicable to all global ID numbers used in eGovernment.

In addition, because this legal mechanism alone does not solve the data protection issues, we believe there is a strong case for technical unlinkability in eGovernment as an appropriate security measure to prevent unlawful processing of these numbers.

If the Belgian eID has to be useable outside the strictly eGovernment context, one should for example consider encrypting the identifiers and adding in a more user-centric architecture, where the user can decide for himself whether or not some of these attributes can or cannot be processed. If we take the long term risks sufficiently into account, we believe the necessary costs to implement this type of infrastructure with compulsory context- and/or sector-specific identifiers can be worth the cost of its implementation. 

 

 

References

 

Belgian Income Tax Code 

Belgian Income Tax Code, available at www.staatsblad.be.

De Bot 2005 

D. De Bot, Privacybescherming bij e-government in België. Een kritische analyse van het Rijksregister, de Kruispuntbank van Ondernemingen en de elektronische identiteitskaart, Brugge: Vandenbroele 2005.

De Cock, Wolf & Preneel 2006 

D. De Cock, C. Wolf & B. Preneel, ‘The Belgian Electronic Identity Card’, in M. Meints and M. Hansen (eds.), FIDIS D3.6 Study on ID Documents, Deliverable 3.6 of the EU funded FIDIS project, available at: http://www. fidis.net/fileadmin/fidis/deliverables/fidis-wp3-del3.6.study_on_id_documents.pdf, December 2006, last visited: 16 January 2007, 94-98.

Council Regulation 13 June 2002 

Council Regulation 1030/2002 of 13 June 2002: COUNCIL REGULATION (EC) No 1030/2002 of 13 June 2002 laying down a uniform format for residence permits for third-country nationals. 

Crossroads Bank for Enterprises Act 2003 

http://www.staatsblad.be.

Data Protection Act 1992 

    Law of 8 December 1992 on Privacy Protection in relation to the Processing of Personal Data, Belgian State Gazette 18 March 1993, as modified by the law of 11 December 1998 implementing Directive 95/46/EC, Belgian State Gazette 3 February 1999, and the law of 26 February 2003, Belgian State Gazette 26 June 2003.

Data Protection Directive 1995 

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data on the free movement of such data, Official Journal of the European Communities, L 281, 23 November 1995, 31-50. 

Deprest & Robben 2003 

J. Deprest & F. Robben, eGovernment: the approach of the Belgian federal administration, available at: http://www.ksz.fgov.be/En/Como/2003%20-%20EGovernment%20paper%20v%201.0.pdf, June 2003, last visited: 20 June 2006.

Dumortier 2005 

J. Dumortier, ‘eID en de paradoks van het Rijksregisternummer’, Trends Business ICT, March 2005.

Identity Cards Royal Decree 25 March 2003 

    Royal Decree of 25 March 2003 concerning the identity cards, Belgian State Gazette of 28 March 2003, http://www.staatsblad.be.

Information Types Royal Decree 8 January 2006 

    Royal Decree of 8 January 2006 to the attribution of the information types connected with the information data meant in article 3, first paragraph of the National Registry Act of 8 August 1983, Belgian State Gazette, 25 January 2006, http://www.staatsblad.be

Koops, Buitelaar & Lips 2007 

E.J. Koops, H. Buitelaar & M. Lips (eds.), D5.4: Anonymity in electronic government: a case-study analysis of governments’ identity knowledge, deliverable 5.4 of the EU funded FIDIS project, available at: http://www.fidis.net/fileadmin/fidis/deliverables/fidis-wp5.del5.4-anonymity-egov.pdf, May 2007, last visited: 13 June 2007.

National Registry Law 1983 

http://www.staatsblad.be.

National Registry Royal Decree 1984 

http://www.staatsblad.be.

Population registers Act 1991 

    Law of 19 July 1991 on the population registers and the identity cards, adapting the National Registry Law, Belgian State Gazette 3 September 1991, http://www.staatsblad.be.

Population Registers Royal Decree 1992 

http://www.staatsblad.be.

Reform of the National Registry Act 2003 

Law of 25 March 2003 on the modification of the Law of 8 August 1983 on the organization of a Registry of natural persons and the Law of 19 July 1991 on the population registers and the identity cards, adapting the National Registry Law, Belgian State Gazette 28 March 2003, http://www.staatsblad.be.

Royal Decree Composition ID number if not RRN 1991 

    Royal Decree of 8 February 1991 on the composition and the attribution modalities of the identification of natural persons that are not registered in the National Registry, Belgian State Gazette 19 February 1991, http://www.staatsblad.be.

Royal Decree Enterprise Number Attribution 2003 

    Royal Decree of 24 June 2003 on determining the attribution rules, the composition and the transfer modalities of the Enterprise Number and the Branch Number in the Crossroads Bank of Enterprises, Belgian State Gazette 30 June 2003, http://www.staatsblad.be.

Royal Decree SIS Card 1996 

    Royal Decree of 18 December 1996 on measures for the introduction of a social ID card for the benefit of all social insured persons, in application of the articles 38, 40, 41 and 49 of the law of 26 July 1996 on the modernization of t-Social Security and the safeguarding of the legal pension systems, Belgian State Gazette 7 February 1997, http://www.staatsblad.be.

 

 

 

12 / 20