Summary

The EU has launched several initiatives to make public- and private-sector services available across borders, and in a personalized manner where that is preferred or necessary. However, as the eIDAS implementation report showed, actual usage of cross-border services is low, and such services are not within reach of most EU residents. Moreover, there are currently no cross-border processes at EU level to prevent one person from holding multiple issued eIDs, or to ensure that a person is correctly matched to the right eID under different notified eID schemes. This can lead to denial of access to services in cases where the receiving Member State cannot exclude duplication or match multiple legitimate eIDs from different eID schemes.
Nordic and Baltic countries differ considerably from most of the EU in having strong public-sector data registries that are used to provide a rich selection of services for their residents. So far, most countries in this region have also shared a common approach in which an individual is recognized in different datasets through commonly agreed unique identifiers or data sets. But even in the Nordic-Baltic region, there are still differences and deviations regarding identity and record matching.
The aim of this analysis was to develop region-wide recommendations that would help a person interact in a meaningful manner with all the Member States in the region, and also to produce Member State (MS) specific policy suggestions that pave the way for implementing that vision in each Member State with regard to identity and record matching.
To develop possible solutions and formulate recommendations, a current situation analysis (AS-IS) was first conducted, consisting of four main parts:
  • Analysis of the main EU-level requirements and their relevance to identity and record matching.
  • Assessment of the existing processes and solutions for identity and record matching within the EU/EEA region.
  • Mapping of the data requirements necessary for identity and record matching across three service areas (banking, health, academia) within the Nordic-Baltic countries.
  • Overview of structural challenges encountered by the Nordic-Baltic countries regarding identity and record matching.
The analysis of EU-level requirements concluded that the Nordic-Baltic countries follow the same principles in how data about a country's population is maintained. All Nordic-Baltic countries have implemented a centralized digital solution for the population registry, which assures a common practice of population management, reliability of data and high system availability.
The analysis of best practices for identity and record matching in EU/EEA countries concluded that countries use different strategies, such as:
  • One central database of all identities (including a small amount of available information about foreign identities connected to the local ones).
  • Video identification.
  • A central passport register that stores photos and fingerprints, which can be checked to make sure that no duplicate identities are created.
  • Manual supervision over connecting duplicated identities (same person with more than one match from the database).
  • Name details are coded to match language-specific changes in the surname.
  • Infinite shelf life of ID number (= identity) with added status (like “living” or “deceased”).
  • Using digital signature together with ID number for making any commitments.
The analysis of data requirements in three different sectors (banking, health, and academia) concluded that remarkable challenges would have to be tackled if cross-sectoral data availability and machine-readability of data were targeted. For example:
  • Implemented systems vary from country to country depending on the availability of resources and/or the volume of cases. In addition, within a country, implementations in sub-domains of a specific domain may have significant discrepancies.
  • Rules for identifying persons can be missing even though the domain is regulated at EU level and matching identity with record is crucial.
  • Domain-specific data is not deployable for cross-sectoral usage, as this is commonly prohibited due to data protection constraints; data can also be non-disclosable because it is a business/bank secret.
The analysis of structural challenges in Nordic-Baltic region revealed five main problems with the most significant impact that need to be addressed collaboratively:
  • Identity verification and matching work is repeated when a person's activities span different domains, because identity matching results are not shared within the state. Moreover, identity matching results are not shared between states.
  • There are differences in the PII (Personally Identifiable Information) datasets operated by states due to their legal and cultural particularities (e.g., place of birth logic, contact address obligation, facial biometric data storage/usage, derived PNOs towards other states, pseudonyms).
  • Risks associated with potential identity mismatch and the economic benefits of enhanced/automated processes are small/minimal. Thus, motivation for changing the status quo is low.
  • Population registries have a low capability to adapt to changes in the PII dataset or to modifications/improvements in PII handling processes.
  • Identity verification and matching is manual work performed by personnel who are not trained in, or experts in, ID management (healthcare personnel, educational personnel, etc.).
These five main challenges served as the basis for developing the TO-BE solutions and recommendations. Ten potential solutions were identified, and four of them showed higher potential:
  1. eIDASNode+, where a local personal identification number is assigned for every foreign identity. After authentication with an eID means through the eIDAS node, e-services query the local identity matching service to retrieve the user's local personal identification number. E-services then continue operating with the local personal identification number.
  2. Easy_EAA, which allows "pairing" of the eID means of two countries. The country of the e-service provider performs identity matching using the eID means the person has at hand. The identity matching service establishes a link between the two identities based on attributes received from the eID means of both countries. The match is grounded in an uninterrupted process performed by an authoritative party, during which authentication with both eID means takes place, so that the identities of the two countries can be linked. The output of the identity matching process is delivered as an electronic attestation of attributes (EAA), which includes the link between the personal identification numbers of the two countries and other necessary PII. The EAA is delivered to the e-service that the user is accessing. In addition, the EAA is delivered to the user, so the person can use it as identity matching evidence during future interactions with e-services.
  3. QuickFix, which converts the physical issuance process of a personal identification number into a digital remote video identity verification process and integrates this process into the current business flow of e-service usage. The proposed digital identity creation (personal identification number issuance) is based on a combination of eID authentication and the capture of a biometric identifier (facial image). Processing of facial images depends on the country's practices. The process ends with establishing a connection between the two countries' personal identification numbers in the local population registry.
  4. Hard_EAA, where the country of the e-service provider performs identity matching using an eID means from the other country and data from the local population registry. The output of the identity matching process is delivered as an electronic attestation of attributes (EAA), which includes the link between the personal identification numbers of the two countries and other necessary PII. The EAA is delivered to the e-service that the user is accessing. In addition, the EAA is delivered to the user, so the person can use it as identity matching evidence during future interactions with e-services.
In conclusion, eIDASNode+ should be implemented in all Nordic-Baltic countries as a common approach, with the other three described possibilities added to it depending on country-specific needs.