4.1 Identified National Identity Resources
4.1.2 National identifiers
4.1.2.1 General identifiers
All countries use general identifiers, i.e. identifiers that are not restricted to use within one specific application or sector. Such identifiers would in principle be more suitable for identification purposes than sector/application-specific identifiers, since they are less likely to be restricted to a limited user group.
However, in some countries their use is restricted by law, precisely to prevent governments from linking personal data about a specific person across different sectors, which is considered to be a privacy threat in some countries. This can render them unusable for cross-border authentication purposes. For this reason, the tables below indicate each identifier’s legal status as being either unprotected or protected. In the latter case, the table also indicates the type of protection (legal/technical) and the scope of the protection.
If the identifier is used within a specific token, this is also indicated in the table. However, this need not be the case, since an identifier can also be used exclusively within administrations for the purposes of internal data exchange.
The following countries have been found to have adopted general (application/sector neutral) identifiers:
Columns: Country | Description | User group | Included in token(s)? | Legal status / privacy issues
Austria SourcePIN (not
accessible – see
persons No. Not protected.
Vereinsregistern
number Belgian nationals and non-nationals
SIS card number Natural persons subject to Belgian
number Legal persons
established in
Bulgaria Unified Citizen
Number Bulgarian citizens and foreign
Croatia The Personal Identification
consideration. Introduced in 2008.
Unique Personal Identification Number
Croatian citizens Stored in the certificates of the CIHI card.
To be gradually replaced by the aforementioned
(Jedinstveni
number Citizens, persons of Cypriot descent
Denmark Central personal identification
of the eID card. Unprotected
Centre of
FINEID card In the certificates of the FINEID
France National SIREN number Legal entities
which are
SIRET number Legal entities
which are
economically active in France
In certificates of
the CPS card. Unprotected.
Consists of the Germany AZR number Non-German
persons that have
purposes is
forbidden. semantic number.
Iceland Social Security
Number (SSN#) Natural and legal
Ireland Personal Public Service (PPS)
Latvia Personal identity
number Persons
Liechtenstein ID card number Identity card
carriers No. Unprotected
Lithuania Personal code Persons
registered in the
Luxembourg Identity number Natural and legal persons
RCS number Legal persons and entrepreneurs
age of 14 and
Dutch citizens No (although this may change in the
date, gender) is
REGON number Legal persons and entrepreneurs
of the eID card. Protected
Romania Personal
number Legal entities
established in
persons.
Spain Personal ID
number (ID card number)
ID card holders In the certificates
on the eID card. Protected Foreigners
Turkish citizens No. Unprotected
Enterprise
number Legal entities
established in
Provisionally, the table above allows a number of conclusions to be formulated. Specifically:
• The table shows a wide variety of approaches, with most countries relying on legacy identifiers traditionally used in paper administrations (e.g. Belgium, the Czech Republic, Poland); while others have introduced specific identifiers for the explicit purpose of authentication (e.g. Finland, The Netherlands), or in the Austrian case even an obfuscated identifier which is used internally to generate context specific identifiers, but which is never used for authentication purposes in an uncoded form.
• More importantly, the table shows that the countries have different standards for the legal protection of identifiers. While identifiers for natural persons are by definition personal data and thus subject to the provisions of local data protection laws, this is not considered sufficient in some countries. As will be further commented below (see section 4.5.3.1.), a number of countries consider that public sector issued identifiers such as those above should be protected against trivialisation through private sector use, as this would create a privacy risk by allowing parties to more easily link data from various sources together without due permission.
Additional legal protection regimes were reported in 20 of the 32 surveyed countries (30%). In such countries (e.g. France and Belgium), these identifiers can only be used after authorisation has been granted by or under law.
• It should be noted that in a number of countries, correspondents have expressed doubts with regard to the reliability (specifically the unique character) of the reported identifiers, even when these were considered of key importance for eIDM purposes. It goes without saying that a lack of reliability would render these identifiers unsuitable for authentication purposes (as, in effect, they no longer meet the definition of an identifier). Such doubts were reported in Poland and Slovakia, where initiatives have begun to rectify this situation.
• It is also interesting to note that a number of these identifiers have been reported as being (partially) semantic in nature in 7 out of 32 countries; i.e. the identifier reveals the date of birth and/or gender of the subject. Oddly, this is not considered to be a problem in some countries (e.g. Belgium), whereas in others (e.g. Croatia, Slovakia and Poland) it is considered that this makes the identifier unsuitable for authentication purposes, as it would be insufficiently secure.
From an interoperability perspective, the main conclusion appears to be that semantic identifiers should be avoided, as they are considered politically unsuitable in some countries.
• Inclusion of key identifiers in tokens is not as common as one might expect: 18 identifiers were reported to be stored in a token, whereas 36 were not. While this might appear counterintuitive, this can be the case where such an identifier is required for registration purposes (e.g. to obtain a username/password), or where an administration uses an identifier to obtain additional information after a successful authentication. From an interoperability perspective, the main conclusion is that the importance of such identifiers is difficult to assess: the identifier may be crucial for an administration even if it is not stored on a token; and inversely it may be unused even when it is.
• However, the most important conclusion for the purposes of European interoperability stems from the fact that legal regimes in at least two countries (Germany and Hungary) oppose the use of general identifiers for identification purposes on constitutional grounds; with similar but more limited objections existing in other countries such as Portugal and France (see section 4.5.3.1. below for a more detailed analysis). In effect, this renders the examination of general unique identifiers somewhat moot, as the use of general identifiers for the identification of natural persons would at any rate be unacceptable in these countries.
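The Austrian approach mentioned above (a hidden source identifier from which context-specific identifiers are generated) and the cross-sector linkage concern can be illustrated as follows. This is an added example, not taken from the report and not the Austrian algorithm: the HMAC-SHA-256 derivation, the key, the sector names and all sample identifiers are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac

# Constructed sample data: hidden source identifiers held only by the issuer.
SOURCE_IDS = {"alice": "SRC-0001", "bob": "SRC-0002"}
ISSUER_KEY = b"constructed-demo-key"  # assumption: secret known only to the issuer


def sector_id(source_id: str, sector: str, key: bytes = ISSUER_KEY) -> str:
    """One-way derivation of a sector-specific identifier (illustrative scheme)."""
    # The NUL separator keeps (source_id, sector) pairs unambiguous.
    msg = source_id.encode() + b"\x00" + sector.encode()
    return base64.b64encode(hmac.new(key, msg, hashlib.sha256).digest()).decode()


def build_register(sector: str, derived: bool) -> dict:
    """Map the identifier a sector stores to the person it belongs to."""
    return {
        (sector_id(src, sector) if derived else src): person
        for person, src in SOURCE_IDS.items()
    }


def linkable_records(register_a: dict, register_b: dict) -> set:
    """Identifiers present in both registers, i.e. records a plain join links."""
    return set(register_a) & set(register_b)


def demo() -> dict:
    """Count joinable records for general vs. sector-derived identifiers."""
    general = linkable_records(build_register("tax", False),
                               build_register("health", False))
    derived = linkable_records(build_register("tax", True),
                               build_register("health", True))
    return {"general": len(general), "derived": len(derived)}


if __name__ == "__main__":
    print(demo())
```

With a general identifier both registers share every key, so a join links each person across sectors; with derived identifiers the registers share none, and only the party holding the source identifier and key can recompute the mapping.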