The eGovernment Act, the centrepiece of Austrian eGovernment law, entered into force on 1 March 2004 and was last amended on 1 July 2016, in particular to adapt it to the eIDAS Regulation. This law serves as the legal basis for eGovernment instruments and components. Many mechanisms, such as the citizen card, sector-specific personal identifiers and electronic delivery, can also be used in the private sector.
The most important principles of eGovernment law are:
- Freedom of choice in selecting the means of communication when contacting public authorities.
- Providing security and data protection through appropriate technical measures such as the citizen card.
- Accessibility measures for people with special needs, so that they have access to information and can use digital services in public administration. International standards must be adhered to and access to Internet sites must be provided.
The function “Citizen Card”
The citizen card is a form of electronic identification for the Internet. People can use it to identify themselves by digital means to a public authority, or, in the words of the law, to be uniquely identified and authenticated. A fundamental characteristic of the citizen card is the qualified electronic signature that can be generated with it, which makes it possible to sign forms or contracts that would normally require a handwritten signature. While practical for doing business with public authorities, the citizen card can also be used in personal matters, for example to obtain the best possible security for Internet transactions (such as e-banking).
The citizen card is available in many different formats, since it does not depend on a particular type of technology and does not necessarily have to be a "card". In many cases, the carrier medium is a chip card (such as the e-card). It is also implemented as a "mobile phone signature" for mobile phones. What is essential is that the citizen card combines a qualified electronic signature with an identity link that contains the respective security data and functions; it can then also serve, for example, as a substitute for a multitude of username/password combinations.
Because of the strict data protection rules in Austria, the SourcePIN is not computed from the CRR number itself (the number from the Central Register of Residents) but from a strongly encrypted, non-traceable derivation of the CRR number. For people who are not registered in the central register, the SourcePIN is created from their registration number in the Supplementary Register. The SourcePIN of a natural person may only be stored on that person's citizen card. For legal persons, the entry number in the Commercial Register (Firmenbuch) or the Central Register of Associations (Zentrales Vereinsregister), or the registration number in the Supplementary Register, is used as the SourcePIN.
The identity link creates a unique link between the citizen card and its rightful owner. The SourcePIN Register Authority confirms with its electronic seal that a link has been established between the citizen card holder and his or her SourcePIN for the purposes of unique identification. The identity link is saved on the citizen card; here, too, "the citizen card" is to be understood as a technology-neutral concept. The citizen card is accordingly a "logical entity", and an "entry in the citizen card" therefore by no means implies a physical entry on a particular data carrier.
Individuals may authorise another person to submit applications on their behalf. In such cases, a confirmation can be issued by the SourcePIN Register Authority for the representation of non-natural persons or a power of representation for the representation of natural persons.
Sector-Specific Personal Identifier
In order to ensure the protection of data, public authorities are not allowed to save the SourcePINs of natural persons. Within the framework of the citizen card concept, public authorities may identify natural persons only using their sector-specific personal identifier (ssPIN). The ssPINs are derived from the respective person’s SourcePIN. This process is non-traceable and irreversible.
An ssPIN is valid only for the public authority's sector of activity under which the initiated procedure falls. Sector-specific personal identifiers from other sectors may only be used and saved in encrypted form. In order to generate an ssPIN, the SourcePIN is needed. The SourcePIN may only be used to compute the ssPIN - using the citizen card - with the agreement of the person concerned.
Only the SourcePIN Register Authority may generate an ssPIN without the citizen card of the person concerned, and it may do so only in special circumstances with the help of adequate identification attributes.
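The derivation chain described in the SourcePIN paragraph above (CRR number to SourcePIN) and in the three ssPIN paragraphs (SourcePIN to one ssPIN per sector) can be illustrated with a short Python model. This is an added example and not code from the Austrian eGovernment system: the page names neither the cipher used for the SourcePIN derivation nor the hash used for the ssPIN, so HMAC-SHA256 with a constructed placeholder key and SHA-256 over SourcePIN plus sector code are assumptions chosen to exhibit the properties the page states (non-traceable, irreversible, sector-bound). The sector codes and CRR numbers are constructed sample values.

```python
import hashlib
import hmac

# Constructed placeholder: the real derivation key is held by the SourcePIN
# Register Authority and is never published.
REGISTER_KEY = b"constructed-example-key-not-the-real-one"

# Constructed sector labels standing in for the legally defined sectors of
# activity; the real sector codes are not given on the page.
SECTORS = {"TAX": "tax administration", "EDU": "education", "HEALTH": "health"}


def derive_source_pin(crr_number: str, key: bytes = REGISTER_KEY) -> str:
    """Keyed, non-invertible derivation of a SourcePIN from a CRR number.

    The page speaks of a 'strongly encrypted, non-traceable derivation' without
    naming the cipher, so HMAC-SHA256 stands in here (an assumption).  The
    property shown is the relevant one: without the register's secret key, the
    CRR number can neither be recovered from nor linked to the SourcePIN.
    """
    return hmac.new(key, crr_number.encode("utf-8"), hashlib.sha256).hexdigest()


def derive_sspin(source_pin: str, sector: str) -> str:
    """One-way derivation of a sector-specific PIN (ssPIN).

    Assumed construction: SHA-256 over SourcePIN concatenated with the sector
    code.  The hash is one-way, so an authority holding an ssPIN cannot recover
    the SourcePIN; and because the sector code is part of the input, the same
    person receives a different, unlinkable ssPIN in every other sector.
    """
    if sector not in SECTORS:
        raise ValueError(f"unknown sector {sector!r}")
    material = f"{source_pin}+{sector}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()


def sspins_for_person(crr_number: str) -> dict:
    """What the citizen card computes on request: one ssPIN per sector.

    The SourcePIN exists only transiently inside this function and is never
    returned, mirroring the rule that public authorities may not store the
    SourcePINs of natural persons.
    """
    source_pin = derive_source_pin(crr_number)
    return {sector: derive_sspin(source_pin, sector) for sector in SECTORS}


if __name__ == "__main__":
    # Constructed sample CRR numbers (not real register entries).
    alice = sspins_for_person("CRR-000000123")
    bob = sspins_for_person("CRR-000000456")
    for sector, pin in alice.items():
        print(f"{sector:7} {pin[:16]}...")
    # Same person, different sectors: the ssPINs differ and cannot be matched.
    assert alice["TAX"] != alice["EDU"]
    # Different persons, same sector: the ssPINs differ, so identification works.
    assert alice["TAX"] != bob["TAX"]
```

An authority in the tax sector that stores only its own ssPINs therefore has no value it could compare against records held by an education-sector authority; the only operation available on an ssPIN is equality within its own sector, which is exactly the separation the Act requires.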
The SourcePINs required for the unique identification of citizens are computed in the SourcePIN Register. Technically speaking, the SourcePIN Register is a virtual register: SourcePINs are generated only when required and are deleted afterwards. The functions of the SourcePIN Register Authority are carried out by the Data Protection Authority.
All natural persons who do not have a registered address in Austria and legal persons who do not appear in the Commercial Register or in the Central Register of Associations can register themselves in the Supplementary Registers in order to participate in eGovernment. Local and other authorities can register themselves in the Supplementary Register, e.g. in order to receive documents using an electronic delivery service.
“Once Only” principle
Public authorities are obliged, within their technical possibilities and in compliance with the requirements laid down by law, to draw on the data of the person concerned that is already available in the public registers of a public-law body (not just the Central Register). Thus certain information (birth certificates, proof of citizenship, proof of residency or documents from the Commercial Register) need no longer be presented by the person concerned but can, with the person's legal consent or on the basis of legal authorisation, be requested by the authority directly from an electronic register. A public authority's duty to make its registers available for queries in no way widens its authority to release information, since such queries rest solely on existing authorisations.
Naturally, it must be possible to rely on the authenticity of electronic documents from public authorities, meaning that a document was really issued by the authority in question. The official signature is an advanced electronic signature (§ 2 Line 3 Electronic Signature Act) or an advanced electronic seal (§ 3 Line 26 Electronic Signature Act) that a public authority electronically affixes to an official notice or document. The issuing authority can be identified on the document by the official logo, the official signature and the verification note, which makes electronic documents issued by authorities easy to recognise. Not only can the authenticity and integrity of the document be verified by means of the official signature, but the printed version of a document from a public authority is also equivalent to the official certificate.