Identity Management and Data Sharing in the European Union




Benoît Otjacques, Patrik Hitzelberger, Fernand Feltz
Centre de Recherche Public Gabriel Lippmann, L-4422 Belvaux, Luxembourg
{otjacque, hitzelbe, feltz}@lippmann.lu

Abstract

Citizens and enterprises in the European Union benefit from a common internal market and other freedoms. The resulting and growing mobility and the need for cross-border collaboration lead to specific challenges for e-government applications. This article presents the results of a study run by Luxembourg's Presidency of the EU during the first half of 2005. This study investigated one central aspect in this area: How do countries identify their citizens and businesses, and what are their national provisions regarding data protection and privacy that limit and regulate the sharing of such data? In more technical terms: What is the impact of identity management and related privacy issues on the interoperability of e-government systems? The status quo in 18 member states is illustrated, and compared with the results of a similar study run in 2001. We present a general model for describing the framework of identity management in cross-border contexts.

1. Introduction

Organizational background. The European Union (EU) currently consists of 25 member states. The EU Presidency is an official EU activity where each country in the EU takes it in turns to act as President of the EU for a six-month period. The role of the Presidency is to achieve a set of political and other objectives for the development of the EU. The country presiding organizes meetings and activities of the numerous formal and semi-formal institutions and groups in the Union. The European Public Administration Network (EPAN) is one of these, and it comprises a working group on e-government.
During Luxembourg's Presidency in the first half of 2005, this working group ordered a study to investigate the identification of citizens and enterprises and related data protection issues in the EU. In the identification phase, the study aimed to get an update of a study carried out by the Belgian presidency in 2001 (footnote 1), hence before the accession of ten new member states to the EU in 2004.

The subject of the study. The general issue of the study was the interoperability of e-government systems. Interoperability and cooperation can be regarded as enablers of the integration of e-Government applications [7]. A prerequisite (or, according to Scholl [10], "the ultimate goal") of any integrated, collaborating systems and organizations is the sharing of information or data. It is self-evident that such sharing is only possible when the identification of the entities the data describes is well understood. There are numerous other aspects of interoperability and data sharing (cf., e.g., [10]), but the study focused on the identification and related data protection issues only.

Identification and identifiers. Information systems involve data about entities. Chen's [1] definition of entity was: "a thing which can be distinctly identified." In public administration, the intrinsic entities treated are natural persons (human beings) and legal persons (in the context of the study: commercial entities). The general notion "identity" of such persons is vague, and would require philosophical and psychological discussions that go beyond the scope of this article. The term "identification" can be defined in a more pragmatic way. We adopt Clarke's definition for human beings (which can be adopted for legal persons as well): "human identification is the association of data with a particular human being" [2]. In order to make this association, one can use numerous means, such as appearance, name, behavior, codes and so on. In any case, we define this means of identification as the "identifier".
For administrative purposes, the requirements regarding identifiers in terms of manageability, technical features and other parameters are a lot different from those in daily life. In our context, we limit the scope of identifiers to specific data sets bound to persons. Figure 1 illustrates that these data sets represent a small subset of the real-world characteristics of an actual (in this case natural) person. For identification purposes, the fact that someone plays violin, for instance, is irrelevant in most contexts. It is the key of the data set that normally serves as identifier. Please note that the "database" in figure 1 is a conceptual term and might be a paper-based register in reality.

[Figure 1: Identity data set. Diagram labels: Individual; Reduction; Identity data set (key, last name, first name, date of birth); Storage; register holding data sets with keys 1 to n.]

Footnote 1: This study is currently not publicly available.

0-7695-2507-5/06/$20.00 (C) 2006 IEEE

It is worth mentioning that a person can (and in most cases actually does) have more than one identifier depending on the roles he/she or it plays in societal, economic, technical and public contexts. At this point, it is also justified to talk of more than one identity the same person bears. This multiplicity makes necessary the definition of technical and organizational measures and processes to handle it, or in one term: (digital) identity management.

There is a strong technical bias in the research and development of identity management related concepts. Notions like digital signatures, authentication, smart cards, identity federation [11], or nymity, which adds the concept of anonymous identifiers/identities, require and encompass advanced technical approaches for handling digital identities [3]. Nevertheless, (multiple) identifiers for identifying natural and legal persons have existed for decades (the U.S. social security number, e.g., which is used as a universal national identifier and authentication token, was created in 1935 [6]). All countries we have investigated use such traditional identifiers for natural and legal persons. The most fundamental difference between these systems is the number of different identifiers used by public administrations.
There might be a single, national and all-purpose identifier (which we call single identification number or SIN hereafter), used by all administrations, and possibly by economy and in private contexts. Or there might be several, so-called sector-specific and independent identifiers, or actually a combination of these, although this could be regarded as being contradictory. The co-existence of a so-called single and further identifiers could be explained nonetheless either as a transitional phenomenon, because the implementation of a national identifier takes time, or as a definition problem, meaning that "single" in this case means "almost single", and further identifiers exist only in niches. We can summarize these definitions as in Table 1.

Type of identifier | Characteristics of systems using such a type | # of personal identifiers
SIN | Single, multi-purpose identifier used in all administrative contexts | =1
Sector-specific identifier | One or several identifiers used in different administrative contexts. Typical: social security numbers | 1

Table 1: Identifier characteristics

Independent of their realization, the national systems had and will have a strong impact on any technical solutions, especially for cross-border e-Government applications. Besides the technical and organizational aspect of identifiers, data sharing applications are highly impacted by data protection and privacy concerns.

Data protection. In order to harmonize the data protection legislation in its member states, the EU promulgated its Directive 95/46/EC (hereafter "Directive") in 1995 [4]. This directive was closely related to the creation of the so-called internal market of the EU, a market that entailed a high degree of mobility both of goods and information.
Despite the fact that there are other important international guidelines and provisions regarding data protection (footnote 2), for the EU, this directive defines the common basis and the minimal requirements applicable on the national and EU level, and also regulates EU-external exchanges. The member states had the liberty (and duty) to implement the general provisions of the Directive in their specific national way. It is outside the scope of this article to explain the Directive in detail. Within the study, we evaluated the national laws and provisions brought into force regarding chiefly the following aspects:

- Implementation of article 8.7 that explicitly asks the member states to "[...] determine the conditions under which a national identification number or any other identifier of general application may be processed."
- Implementation of the specific rights the Directive guarantees to the data subjects (the person whose data is processed or recorded), namely the information and notification right, the access right and the right to object.
- Provisions regarding the obligation to notify the so-called supervisory authorities before carrying out any processing operation of personal data, especially related to identifiers.
- The sharing of databases using identifiers.
- The usage of the identifiers by private bodies and citizens.

Footnote 2: For example, the European Convention on Human Rights from 1950, or the OECD Guidelines on the Protection of Privacy and Transborder Data Flows of Personal Data from 1980.

The objectives of the study. The study aimed (1) to gather data on the current situation in the EU member states and the four candidate countries regarding the way these states identify citizens (and other subgroups of natural persons) and legal persons. In particular, we were interested in the procedures and technical details of all national systems that use a SIN for this purpose. Furthermore, we wanted (2) to investigate the laws and provisions relevant for the processing of identifiers and related data. This framework is built upon the national implementations of the EU Directive as mentioned above. Finally, the study tried (3) to analyze the collected data and build a model for describing the framework of the sharing of identifiers and related data.

It goes without saying that in the EU, as elsewhere, the political discussion about identifying individuals has changed significantly since the year 2001. We have confined ourselves to evaluating the European status quo of identity management and data protection application in this area, and do not make any political statement.

2. Methodology

In order to collect the necessary data, we have designed a questionnaire consisting of 17 open questions. To be more precise, the questionnaire consisted of four parts that dealt with the existence and the technical, organizational and legal aspects of (single) identifiers in the EU. As regards the non-legal aspects, we adopted most of the questions already posed in 2001 (with some modifications), since the study aimed to obtain an update of the Belgian results.
It is important to point out that all questions were designed from the perspective of a possible networking of national identification systems within the EU. The legal aspects part was composed (and evaluated) in collaboration with experts from Luxembourg's national data protection commission.

In 2005, the questionnaire was sent to each EPAN member who forwarded it to the domestic domain experts. Eighteen countries of the 29 states replied, for a 62% response rate. (When disregarding the candidate countries, the rate was 68%.) In 2001, all members replied. Some countries which did not respond in 2005 informed us that their status has not changed significantly since 2001. This confirms the results and trends we will illustrate below.

After the expiration of the first deadline, all answers were shortened and edited in order to synchronize terms and vocabulary used by the responders. Then, synoptical tables with the results of all countries having answered were redistributed to the experts, allowing them to verify the editing process, and to be inspired by the answers other countries had given for adding or modifying information to their own original answers where appropriate. Additionally, in cases of unclear or missing information, the experts were contacted directly by us. After this second phase, a preliminary report was compiled and presented during an EPAN working group meeting in May 2005. A last round of verification followed and led to some final clarifications and enhancements.

3. Results of the study

3.1. Existence of a single identifier

In terms of the identification of persons in general, the data shows a tendency towards the usage of national single identification numbers. Regarding natural persons, in 2001, 9 out of 15 (60%) countries had a national SIN, and one country (Austria) envisaged the installation of such a number.
In 2005, 14 out of 18 countries (78%) used a SIN, and two countries (Ireland and the UK) had ongoing projects to realize it in the future. Another two countries are explicitly against the installation of such numbers, and give data protection concerns as the reason (Germany and Hungary) (cf. figure 2).

[Figure 2: Existence of a single identifier for natural persons. Bar chart for 2001 and 2005, vertical axis 0% to 100%; surviving legend entries: No SIN, Planned.]

Regarding legal persons, the tendency towards unification is similar: In 2001, 9 of the 15 member states had such a SIN (60%), and two planned to install it. In 2005, 15 out of 18 had a SIN for legal persons (83%). No country indicated plans here (cf. figure 3).

[Figure 3: Existence of a single identifier for legal persons. Bar chart for 2001 and 2005, vertical axis 0% to 100%; legend: SIN, No SIN, Planned SIN.]

3.2. Technical and organizational differences

Really single? Although the notion "single" might be relatively clear at first glance, the usage of a truly single national identifier in all public and economic areas is still rather rare, especially for natural persons. The official label "single" for an identifier does not mean that in practice there are no further administrative databases that use different, sector-specific identifiers. Only a few countries, such as Sweden or Luxembourg, have established a truly homogenous system along with the organizational and legal framework for it. Nevertheless, among the countries where there are further identifiers besides the official single one, some indicate that this SIN will gradually replace the sector-specific and parallel systems.

Construction of the SIN and data linked. Again, the possible interoperability of identification systems was the main reason for examining the construction of the single identifiers (where existent) and the actual data set directly linked to it. We focus first on natural persons. As regards the construction of the number, a minority of 3 out of 14 countries where such a number currently exists have identifiers composed of purely random figures. The other 11 countries use codes that bear a certain semantic. Typically, the code contains the birth date and a consecutive number, sometimes sex, a code for the place of birth and other information bits.
The Czech Republic reports that there are domestic discussions ongoing about the coding of birth date and sex in the identifier. The Austrian system differs significantly in general and will be illustrated shortly in section 3.4.

As regards the data set that is linked directly to the identifier (cf. figure 1 for the concept), the replies imply a wide variety in the EU. The minimalist approach limits the fields to the ones that are absolutely necessary to identify individuals reliably. This core set consists of surname, first name, sex, date of birth and the place of birth (Lithuania is the only exception to this rule, not registering the place of birth). Apart from this minimum, we found more than 30 further possible identity attributes, ranging from, for example, the main domicile (11 out of 14 countries), marital status (6), a photograph (2) or academic titles (1). Bulgaria and Cyprus, e.g., store 24 fields overall and keep history data for some of them, whereas Lithuania limits the data set to the four attributes already mentioned before. To illustrate the national approaches, figure 4 shows the number of different data fields directly linked to the national single identifier for natural persons in the corresponding registers for all countries.

[Figure 4: Number of attributes linked to the single identifier. Bar chart, vertical axis "number of fields" from 0 to 30; countries shown: Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, France, Italy, Lithuania, Luxembourg, Malta, Netherlands, Spain, Sweden.]

Organisational and other differences. In this subsection, we shortly illuminate some further areas where significant divergence regarding the processing and definition of identifiers could be found.

As regards the groups of (natural) persons covered by the national identification numbers, we can sum up that besides the expected citizens, the experts reported, e.g., residents, persons born in the country, foreign workers, migrants, refugees, or persons who are liable to tax affairs. Different definitions, restrictions and provisions apply for these groups. The fact that, for example, migrant workers also normally obtain a national SIN reflects the situation that there is no union-wide ID that could be used for identifying at least EU citizens.

There is more consensus in terms of the public authority which should be responsible for the management of the identifier database or register for natural persons. In most countries, the national Ministry of Interior is charged with that. In Sweden, however, this role is assumed by the Swedish Tax Agency, which is a government authority under the Ministry of Finance. The operating authorities are either dedicated registers, like Lithuania's People Register, or technical bodies, like the Luxembourg State Centre for Informatics, which has many further tasks.

Investigating possible cross-border interoperability, it seemed interesting to us to examine the already existing domestic approaches of networking different national databases. Here, Lithuania, for example, reported an exhaustive list of registers that access the central identifier database, in this case supported by a technical replication solution provided by a database manufacturer. A similar list was given by Denmark and Malta, but those countries just use the SIN in other registers; there is no technical and well-defined propagation process. Cyprus uses its single identifier as primary key in sector-specific databases.
As regards legal persons, many countries have already installed online accessible public registers of the data. In summary, most countries allow either direct access or distribute the identifiers and the related data to other registers, which should not surprise, because the usage of the SIN in such registers follows the basic idea of such an identifier. The technical realization of the access differs a lot, however.

As regards the national documents that comprise the SIN, there is a more or less common subset of such that normally includes identity cards and passports, and very often sector-specific documents like social security or health system cards. Beyond this, some countries like Cyprus, Spain and Denmark, for example, use the SIN as a multipurpose identifying characteristic on nearly all documents with personal related data, and allow also its usage for private purposes. This is similar to the usage of employee numbers in companies, where a pragmatic and demand-driven view prevails.

3.3. Legal issues

In this section, again, we can only exemplify some areas of divergence in the EU regarding data protection and identifiers. Furthermore, we limit the presentation of the results to natural persons.

Processing of Personal Data: Obligation to notify the authority. The Directive imposes that a supervisory authority must be notified before any processing of personal data. In fact, we found out that in most of the countries, a general notification to the supervisory authority is required before processing personal data. For instance, in Austria, as a matter of principle, the Austrian Data Processing Register has to be notified of each data application. Regarding the processing of identifiers, the general approach seems to be to consider the identifier analogous to other personal data and therefore not to require that the supervisory authority be notified.
For instance, in Denmark, no specific notification is required on the sole basis that the processing concerns civil registration numbers.

The Directive allows also exemptions to the notification rule. According to the answer received, only Denmark and Ireland offer no possibilities for exemptions. In all other countries, exemptions are possible. These exemptions fall into several categories:

- appointment of a personal data protection official,
- specific data processing explicitly listed in legislation,
- processing of data with political, philosophical, religious or trade union aims,
- processing of data with national or public security concerns.

For some special cases, the personal data processing is subject to prior checks (art. 20). Yet again, different attitudes were encountered:

- In some countries, no prior check is required.
- Other countries impose a prior check in some cases, depending on the nature of the data processing or on its context.
- Some countries also rely on the initiative of the supervisory authority. For instance, in the Czech Republic, if the Office for Personal Data Protection, after having been notified of a personal data processing, has a justified concern about the processing, it shall initiate proceedings at its own instigation.

Rights of the data subject. The Directive guarantees several rights to the data subject, namely an information and notification right, an access right and a right to object. We strived to find out how these rights are realised in the national legislations. From a very general viewpoint, all these rights are granted in the national legislations. It is useful, however, to discuss in detail each of these rights to point out some nuances in their implementation.

In all countries, the data subject is granted the information and notification right. Nevertheless, the information that is communicated to the data subject, the time when it is communicated and the process of communication may vary. The set of data that is notified to the data subject at least includes the purpose of the data process, as well as the name and address of the controller. In many cases, communication of complementary data, such as the recipient or the categories of recipient of the data or the rights of the data subject concerning the processing of his personal data and other, is requested. The answers have shown that some countries provide certain exemptions to the information and notification right. The most usual exemptions are summarized in the (non-exhaustive) list below:

- processing of personal data obtained with the consent of the data subject,
- personal data processing imposed by an act or a law,
- personal data processing performed for statistical, historical or scientific purposes,
- personal data processing carried out for national security reasons,
- personal data processing in the context of detection of criminal offences, or related investigation,
- processing of lawfully published personal data.

In all countries, the data subject has an access right.
The data subject usually has access to the following information: the confirmation that some data concerning him/her are or are not processed, the processed data, the available purpose of the use of data, and the recipients of the data. In some countries, the data subject has access to complementary information, such as the legal basis for the processing. In Cyprus, there is a right to access information about the progress of the processing. Included with the access right, the data subject is given the right to obtain the correction of any incorrect personal data that concerns him/her. Some countries mention that the correction must be offered free of charge to the data subject (e.g., Belgium). Finally, it must be noted that some countries provide exceptions to the access right as the following example illustrates: in Sweden, access must not be provided in some exceptional situations, where the Secrecy Act prescribes that information may not be disclosed to the data subject.

The way to access the personal data is normally not specified by law. The type of access given to the data subject depends on the specific context. Several approaches may be identified from the cases reported in the answers. In Belgium, due to the existence of an electronic identity card, online access is allowed and authentication is achieved via the identification certificate stored on the electronic identity card. Some countries offer online access but only for some registers. In the United Kingdom, since January 2005, the information may be sent by e-mail to the person making the request. In the Netherlands, individuals in general do not have online access to their data.

In all countries, the data subject has a right to object to the processing of his/her personal data. We did not find any significant differences in the national implementations of this right.

Data sharing between administrations.
We have evaluated the provisions regarding the transfer, sharing, interconnection and exchange of personal data between public agencies or administrative authorities using an identifier. We asked whether those operations have to be authorised explicitly by a specific law or any other provision, in particular if the public interest pursued and the purpose for which the data is intended by the different administrations are different.

For general data sharing between administrations, it appears that, in most of the cases, the processing has to be authorised by specific laws. Other approaches have been reported, nevertheless. In Belgium, for instance, authorisation is given by the supervisory authority. In Cyprus, the provisions of the general Data Protection Law cover the cases related to this issue.

For data sharing between administrations by using an identifier, the collected answers show that many countries have no specific authorisation or provision that would apply in this specific case. For instance, Austria mentions that regardless of the constitutional principle that every usage of data by a public authority requires the legal form of an act, no additional authorisation is needed due to the use of new identifiers. Nevertheless, some exceptions are reported. In Ireland, for instance, the sharing of data using a single identifier has to be allowed by law.

We have also evaluated whether the supervisory authority has to be asked for comment before giving such an authorisation. We have found several attitudes:
- Some countries do not at all require the comment of the supervisory authority.
- Some countries mention that the supervisory authority has to be consulted in some specific circumstances.
- Some countries do not require that the supervisory authority be asked for comments, but in practice, there is often some consultation.
- Some countries require that the supervisory authority be consulted during the legislative process.
- Some countries do require the supervisory authority to be involved.

A further question treated data sharing at the international level and asked whether it is subject to specific provisions. The survey indicates that most of the countries impose some specific and possibly cumulative provisions, such as:
- the transfer to a foreign country is allowed only if this country assures an adequate level of personal data protection,
- the transfer demands a specific legal basis to take place,
- the transfer is permitted if the data subject has provided his consent,
- the transfer is necessary for the prevention or investigation of criminal offences,
- the transfer is necessary for the conclusion or performance of a contract with specific requirements.

Shared databases. The questionnaire also investigated the issue of shared databases, in particular when these databases are deployed by public authorities and agencies and when the data stored includes at the same time common entities recorded or accessed by all organisations and entities restricted to the organisation(s) for which these entities are relevant.
The responding countries have adopted two main attitudes concerning this point. On the one hand, most of the countries allow the presence of shared databases, but only in some specific circumstances and under strict conditions. First of all, the operations relative to the shared database must obviously meet the principles stated in the Personal Data Protection legislation. In addition, some countries impose some specific and sometimes cumulative conditions, such as:
- obtaining prior checking and authorisation by the supervisory authority,
- being authorised by a specific law,
- being kept up-to-date and not being considered as reference data source,
- taking appropriate measures to ensure that the admissibility of individual access can be monitored at all times,
- appointing a suitable operator for the shared database.

On the other hand, some countries, like the Czech Republic or Hungary, do not allow shared databases. Yet, some mechanisms to exchange data, in particular for synchronizing purposes, are permitted.

Allowed use of the Single Identification Number. The first question of this subpart of the survey concerned the use of the SIN by private bodies for their internal needs. The answers show that very divergent national provisions exist:
- Some countries prohibit the use of the SIN in this case.
- Some countries allow the use of the SIN but enforce strict conditions, such as:
  - explicit consent of the data subject
  - use follows from law or regulation
  - processing is carried out for scientific or statistical purposes
- Some countries, such as Spain and Bulgaria, allow the use of the SIN in this case.

Another question focused on the use of the SIN in contacts between private bodies and public administration. Several countries permit the use of the SIN for such contacts (e.g., Bulgaria, Lithuania). In some cases, this type of use is allowed while the preceding one is prohibited (e.g., Belgium).
The other countries limit the circumstances in which the use of the SIN is allowed (e.g., in France, where the use is limited to contacts with social security organisations) or add conditions similar to those required for the two previous cases (e.g., explicit consent of the data subject).

3.4. The special case of the identification of persons in Austria

In 2004, Austria put in place a new technology-based identification system (for a detailed description, cf. [5] for the legal base and [8] for a technical discussion). The system, on the one hand, takes into account the strong, history-related data protection concerns that prevail in the country. On the other hand, it provides an efficient way of identification management and serves as an enabler for e-Government solutions, treating also authentication related issues (digital signature, PKI, etc.).

All Austrian citizens are registered in the national Central Register of Residents (CRR)³ (this was already the case before the new system) and have a registration number. From this number, a so-called source identification number (spin) is derived, using a strong encryption algorithm. This number is stored on the new electronic citizen card. When used in contacts with public administrations, the spin serves together with a sector specific tag as input for the encryption algorithm for sector specific pins (sspins) for the exclusive usage in the corresponding sector (e.g., tax administration).

³ Similar mechanisms exist for legal persons. We limit our explanations to the identification of natural persons, however.

Figure 5: Austrian system for digital identification of natural persons (diagram labels: all residents, CRR central register, CRR number, encryption, sourcepin, citizen card, sector tag, one-way hash, sspin1 to sspin3 for sectors 1 to 3)

This means that in practice, each sector must use different identifiers, hence the combination of the central identity management and its advantages with a strong silo approach that makes uncontrolled data sharing outside well-defined sectors impossible. Figure 5 gives a simplified overview of the system.

4. Conclusions

Before summing up the conclusions of the present study, two principal limitations regarding its scope and its significance have to be underlined. First, as a horizontal restriction, not all of the member states and candidate countries have answered the questionnaire. Hence, all conclusions drawn are, strictly speaking, only valid for the member states and candidate countries of the EU that have answered the survey.
For reasons of readability, we simply speak of Europe or all countries. Second, as a vertical restriction, the study could only highlight its subjects, because identity management and data protection and data sharing are very complex and emerging topics, and because the scope of the answers differed, depending on the question and the country. Nevertheless, the results obtained and the comparison with the study of the Belgian presidency of 2001 lead to some interesting conclusions that might help us to gain a sound insight into the treated issues.

As a further general remark, it is worth mentioning that there is a clear difference between identifiers for natural and legal persons. For natural persons, we have found concerns and most often also formal rules in order to protect their usage, even if the degree of attentiveness in this area varies. Generally, it seems that identifiers for legal persons are handled pragmatically, and that most countries regard their identification as a technical issue which has no or just a slight link to data protection issues. This observation allows us to focus on natural persons in the remainder of this section.

As a last important general remark, we must underline that there is no optimal solution for the identification issue in e-government. National culture, legal aspects, technical feasibility, costs and many more factors have to be taken into account when installing and deploying such solutions. Furthermore, a couple of countries explicitly pointed out that legal obstacles are wanted obstacles. Similarly, the principal objective of the Directive 95/46/EC was not to ease data sharing; it provided regulations in terms of the protection of individuals with regard to the processing of personal data. The study did not evaluate the quality of national approaches; it tried to describe the differences between them.

The study shows a tendency towards the acceptance of single, multi-purpose identifiers in the EU.
Since the Belgian study in 2001, three countries have either realised former plans to introduce a SIN for natural persons or such plans exist meanwhile or are likely to be realised in the near future. Germany is now the only country of the 15 former members that has no single identifier and does not want to install one in the future. Hungary, a new member, shares this attitude. Regarding the legal aspect that has also been investigated, all countries have brought into force national laws and regulations that conform to Directive 95/46/EC.

Hence, on a very general level, one might assume that the legal framework for the essential question of pan-European data sharing of person-related data using identifiers can be regarded as kind of a piece-of-cake problem: There is a single identifier nearly everywhere, and all members refer to the same directive for regulating data protection. Of course, this would be a rather naïve conclusion, and this study would not have been necessary to confirm this.

Instead, the definition of the SIN itself is not clear. The identifier is not really single in most of the countries that have indicated that they have such a SIN. The majority of the respondents have reported the existence of further identification systems in their countries. Sometimes, these numbers are totally independent from each other and/or the single identifier; sometimes there are common keys or other mechanisms of synchronisation between these sector specific numbers and the general, central identifier. The degree of centralism depends on technical issues or historical evolution. For most of the countries, however, the fact that parallel and sector specific IDs exist is a clear obstacle when sharing data already on a domestic level, and might cause even more trouble when such an exchange is realized in a cross-border administrative process.

Besides the denomination problem, the construction of the identifier is based chiefly on two different philosophies. The first and bigger group of countries use a semantic approach in terms of coding usually the birth date, the sex and seldom further information. The second group uses random numbers, sometimes with data protection concerns as a reason for this. Again, these diverging attitudes are potential hindrances when sharing data.
Further remarkable discrepancies exist in the handling of the SIN regarding:
- the number of data attributes linked to the identifiers,
- the person subgroups obtaining a SIN,
- the documents that comprise identifying numbers,
- the legislative and organisational framework set up to rule the use of identification numbers,
- the supervisory authority mentioned in the Directive playing various roles concerning the protection of personal data.

Furthermore, the three basic rights mentioned in the directive (information and notification right, access right, right to object) are granted to the individuals, but detailed provisions differ. This article could only highlight some areas where we have found such differences.

A general conclusion we can draw is that the reality regarding single identification numbers and the related data protection legislation and provisions in the EU is very heterogeneous. This heterogeneity results obviously from the different national legal, political and historical framework on the one hand, and the actual chosen solutions for identity management on the other hand. Despite this heterogeneity, the vast majority of countries is concerned about data protection related issues when dealing with identification numbers.

Even if in most cases there has not been a formal risk-benefit analysis of possible identification management solutions, since most countries have been using such approaches for decades, one could nevertheless propose an explanatory model (cf. figure 6) that:
- relates the identification management topic to the data sharing and data protection area,
- shows that different drivers (or possible benefits) exist that currently raise and push the question of identity management,
- clarifies that normally the possible solutions bear risks, among which the question of the installation of a single identifier is perhaps the most basic one to answer.

As we have seen, most of the countries affirm the installation of a SIN.
Nevertheless, the countries that decide not to put in place such a system must and do use different mechanisms for identification. The (informal) evaluation criteria used depend heavily on national particularities and politics and historical developments.

Irrespective of the basic decision of whether to install a SIN or not, the concrete realisation of the national solution consists not only of the implementation of a mere number, but of a complete package of different measures and procedures. Taking a formal approach, this package can be seen as a triplet of organisational, technical and legal measures and provisions. The study showed the high discrepancy of these national triplets. It is evident that this discrepancy can hamper cross-border data sharing. But, as already pointed out above, this is technically a neutral statement, since the hindrances might be volitional from a political point of view. Even technically advanced systems like the Austrian and Belgian ones that could be designed according to recent e-government and data protection needs and insights are not necessarily compatible, because the triplets behind them are perhaps too divergent.

Contrariwise, the divergence of the triplets does not totally exclude cross-border data sharing. The report has shown that there are still a lot of similarities, for instance the tendency to affirm the necessity of a SIN or the data protection Directive as a common base for national data protection legislation. Any e-government solution that realises Pan-European data sharing should nevertheless scrutinize the concerned national triplets in its analysis phase and strive to find compatible solutions.

Figure 6: Model for the framework of cross-border identifier sharing (diagram labels: drivers for identification: e-government, better service, costs, security; risk evaluation as a non-formal process; solution candidates: SIN, sector specific IDs, non ID-based, mail authentication; evaluation criteria: existing law, costs, culture, data protection; legal, organisational and technical measures per solution; solution space, national solution triplet, interoperability space)

5. References

[1] Chen, P. P.-S., The Entity-Relationship Model: Toward a Unified View of Data, ACM Transactions on Database Systems, Vol. 1, No. 1, March 1976.
[2] Clarke, R., Human Identification in Information Systems: Management Challenges and Public Policy Issues, Information Technology & People 7(4), December 1994, 6-37.
[3] Damiani, E.; De Capitani di Vimercati, S.; Samarati, P., Managing Multiple and Dependable Identities, IEEE Internet Computing 7(6), 2003, 29-37.
[4] European Union (EU), Directive 95/46/EC of the European Parliament and of the Council on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data, Official Journal of the European Communities of 23 November 1995, No L. 281, p. 31.
[5] Government of Austria, The Austrian E-Government Act - Federal Act on Provisions Facilitating Electronic Communications with Public Bodies. Entered into force March 2004, English version available online at http://www.ris.bka.gv.at/erv/erv_2004_1_10.pdf (2005-06-12)
[6] History of the social security assurance in the US, online: http://www.ssa.gov/history/briefhistory3.html (2005-06-12)
[7] Klischewski, R., Information Integration or Process Integration? How to Achieve Interoperability in Administration, in: Traunmüller, R. (Ed.): Proceedings of EGOV 2004. Springer, Berlin, 2004, 57-65.
[8] Leitold, H.; Hollosi, A.; Posch, R., Security Architecture of the Austrian Citizen Card Concept, Proc. of 18th Annual Computer Security Applications Conference (ACSAC'2002), Las Vegas, 2002, pp. 391-400.
[9] Riedl, Reinhard, Rethinking Trust and Confidence in European E-Government. In: Winfried Lamersdorf, Volker Tschammer, Stéphane Amarger (Eds.),
[10] Scholl, H. J., Interoperability in E-Government: More than Just Smart Middleware, HICSS-38, vol. 5, no. 5, Proceedings 2005, p. 123
[11] Web pages of the Liberty Alliance, http://www.projectliberty.org/ (12.06.2005)
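Added example for Section 3.4 and Figure 5 (not part of the original paper and not the Austrian system's own code): a Python sketch of the two-step derivation, showing that sector tables keyed on sector specific pins share no identifier to join on, while tables keyed on one common number link completely. Assumptions: HMAC-SHA-256 under a register-held key stands in for the unnamed "strong encryption algorithm", SHA-256 for the one-way hash, and the key, the CRR numbers and the sector tags `tax` and `health` are constructed.

```python
import hashlib
import hmac

# Assumption: demo key held only by the register authority (constructed value).
AUTHORITY_KEY = b"constructed-demo-key"

# Constructed sample residents: (CRR number, label). Not real register data.
RESIDENTS = [
    ("000247681888", "resident A"),
    ("000391002451", "resident B"),
    ("000518830027", "resident C"),
]

def derive_source_pin(crr_number, key=AUTHORITY_KEY):
    """Source PIN from the CRR number (HMAC-SHA-256 as stand-in for encryption)."""
    return hmac.new(key, crr_number.encode(), hashlib.sha256).hexdigest()

def derive_sector_pin(source_pin, sector_tag):
    """Sector specific PIN: one-way hash over source PIN and sector tag."""
    # Length-prefix the tag so tag and PIN bytes cannot run into each other.
    data = f"{len(sector_tag)}:{sector_tag}:{source_pin}".encode()
    return hashlib.sha256(data).hexdigest()

def build_sector_table(residents, sector_tag, per_sector=True):
    """Identifier -> record map as one sector's database would hold it.

    per_sector=False models the design the scheme avoids: every sector
    keys its records on the same register number.
    """
    table = {}
    for crr_number, label in residents:
        if per_sector:
            ident = derive_sector_pin(derive_source_pin(crr_number), sector_tag)
        else:
            ident = crr_number
        table[ident] = label
    return table

def linkable_records(table_a, table_b):
    """Records two sectors could join on the identifier column alone."""
    return len(table_a.keys() & table_b.keys())

def lookup(table, source_pin, sector_tag):
    """Card-side flow: derive the sector PIN on contact, then look it up."""
    return table.get(derive_sector_pin(source_pin, sector_tag))

def demo():
    tax = build_sector_table(RESIDENTS, "tax")
    health = build_sector_table(RESIDENTS, "health")
    shared_tax = build_sector_table(RESIDENTS, "tax", per_sector=False)
    shared_health = build_sector_table(RESIDENTS, "health", per_sector=False)
    card_pin = derive_source_pin(RESIDENTS[0][0])  # value stored on the card
    return {
        "silo_join": linkable_records(tax, health),
        "shared_id_join": linkable_records(shared_tax, shared_health),
        "tax_lookup": lookup(tax, card_pin, "tax"),
        "wrong_sector_lookup": lookup(health, card_pin, "tax"),
    }

if __name__ == "__main__":
    print(demo())
```

The keyed first step matters because register numbers come from a small, enumerable space: a sector that could compute the source PIN itself could recompute every other sector's identifiers.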