The SourcePINs required for the unique identification of citizens are available from the SourcePIN Register. Technically speaking, the SourcePIN Register is a virtual register, meaning that SourcePINs are only generated when required and are deleted afterwards. The functions of the SourcePIN Register Authority are carried out by the Data Protection Authority.
The SourcePIN Register Authority Regulation specifies the tasks of the SourcePIN Register Authority which are necessary for the implementation of the citizen card concept and the cooperation with its service providers. The main provisions deal with the following:
- The process for creating identity links, in particular the duties of registration offices, the validation of identity, and the identity link dataset.
- The transformation of sector-specific personal identifiers (ssPINs) into ssPINs of other sectors, the generation of ssPINs for certain mandate relationships, and the configuration of data applications by public-sector controllers.
- The electronic presentation and verification of mandate relationships as pertains to the citizen card concept. One of the remarkable achievements of the citizen card concept is the possibility to represent mandate relationships electronically. The SourcePIN Register Authority signs the mandate dataset and thus prevents forgery of such datasets stored on citizen cards. The SourcePIN Register Authority enables users to view and revoke mandates online.
SourcePINs for Natural Persons
In order to identify a person involved in an electronic procedure, there needs to be an attribute that uniquely identifies them. Since a name alone is not enough to uniquely identify someone, each person is assigned an identifier. In Austria, every citizen with a registered residence has a CRR number stored in the Central Register of Residents. However, since the CRR number is subject to special legal regulations, it cannot be used for identification purposes in eGovernment. Instead, a strong encryption process is used to derive a SourcePIN from the CRR number. The SourcePIN may only be stored on the citizen card (mobile phone signature or card-based citizen card), which guarantees its protection.
SourcePINs for Non-Natural Persons
For non-natural and legal persons, the respective entry number in the Commercial Register, Central Register of Associations or Supplementary Register is used as the basis for deriving the SourcePIN. Since these identifiers are public, they can be used in plain text communications without derivation.
Sector-Specific Personal Identifiers
Since SourcePINs are only allowed to be stored on a citizen card, additional identifiers are needed that are allowed to be stored in databases during public authority procedures. One fact that must be considered is that public administration is divided into legally defined sectors of activity. The eGovernment Act states that different identifiers must be used for each sector. For this reason, a sector-specific personal identifier (ssPIN) is created from the SourcePIN using one-way derivation, so that the SourcePIN cannot be traced back from the ssPIN.
Encrypted Sector-Specific Personal Identifiers
Administrative procedures often require that authorities from different sectors work together, for example the building and environment sectors during the construction of a facility or building. There needs to be a way to consolidate data that is stored in different sectors under different sector-specific identifiers. If an authority requires a sector-specific personal identifier from another procedural sector in order to identify a natural person, it can request it from the SourcePIN Register Authority by providing the ssPIN from its own procedural sector, the first and last name, and the date of birth. The SourcePIN Register Authority sends the desired ssPIN to the requesting authority in encrypted form. The ssPIN can only be decrypted by the public authority that is responsible for the other procedural sector. The encryption must use an asymmetric process (e.g., RSA with a 1024-bit key), and the encrypted ssPIN must be computed in a way that makes it impossible to trace it back to the person.
Personal Identifiers for the Private Sector
The method of deriving a sector-specific personal identifier from the SourcePIN for the purpose of identifying people can also be used by the private sector for e-Business. The derivation process is the same as for ssPINs. For the calculation of the ssPIN for the private sector, the SourcePIN of the legal person who wants to identify customers is used in place of the abbreviation of the procedural sector. This process creates a unique identifier that is derived from the SourcePINs of both communication partners. Since the ssPIN can only be derived from the SourcePIN, which is protected, an ssPIN for use in the private sector can only be created with the permission of the person concerned. The ssPIN for the private sector can only be derived by the citizen card environment on the user's system using his or her SourcePIN. Just like public administration sectors, each business and organisation is assigned its own sector based on its registration number in the Commercial Register or Register of Associations, respectively.
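The following is an added example, not code from the page or from the Austrian citizen card project, illustrating the two derivations described above: the one-way derivation of an ssPIN from a SourcePIN and a sector abbreviation (public sector), and the same derivation with a legal person's SourcePIN in place of the sector abbreviation (private sector). The concrete one-way function is not stated on the page, so SHA-256 over "SourcePIN+sector" is assumed here, and all SourcePINs and sector codes are constructed sample values.

```python
import base64
import hashlib
import hmac

# Assumption: the page does not name the one-way function. SHA-256 over
# "<SourcePIN>+<sector code>" stands in for the actual derivation; what
# matters is the structure: SourcePIN + sector label -> irreversible ssPIN.
def derive_sspin(source_pin: str, sector: str) -> str:
    """One-way derivation of a sector-specific PIN from a SourcePIN."""
    data = f"{source_pin}+{sector}".encode("utf-8")
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def derive_private_sspin(citizen_source_pin: str, company_source_pin: str) -> str:
    """For e-Business the legal person's SourcePIN takes the place of the
    sector abbreviation, so the identifier binds both communication partners."""
    return derive_sspin(citizen_source_pin, company_source_pin)


def sspin_matches(source_pin: str, sector: str, presented: str) -> bool:
    """Re-derive and compare in constant time, as a relying party would when a
    citizen card environment presents an ssPIN for this sector."""
    return hmac.compare_digest(derive_sspin(source_pin, sector), presented)


# Constructed sample values, not real SourcePINs or sector codes.
CITIZEN_SOURCE_PIN = "constructed-citizen-sourcepin-0001"
COMPANY_A_SOURCE_PIN = "constructed-company-a-sourcepin"
COMPANY_B_SOURCE_PIN = "constructed-company-b-sourcepin"
SECTOR_BUILDING = "BUILDING"
SECTOR_ENVIRONMENT = "ENVIRONMENT"


def demo() -> dict:
    building = derive_sspin(CITIZEN_SOURCE_PIN, SECTOR_BUILDING)
    environment = derive_sspin(CITIZEN_SOURCE_PIN, SECTOR_ENVIRONMENT)
    company_a = derive_private_sspin(CITIZEN_SOURCE_PIN, COMPANY_A_SOURCE_PIN)
    company_b = derive_private_sspin(CITIZEN_SOURCE_PIN, COMPANY_B_SOURCE_PIN)
    return {
        "building": building,
        "environment": environment,
        "company_a": company_a,
        "company_b": company_b,
        # One citizen, four identifiers that cannot be linked without the SourcePIN
        "all_distinct": len({building, environment, company_a, company_b}) == 4,
        "stable": derive_sspin(CITIZEN_SOURCE_PIN, SECTOR_BUILDING) == building,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A database holding only the building-sector ssPIN cannot compute the environment-sector or company ssPINs, because each derivation needs the SourcePIN that never leaves the citizen card.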