Legal framework of eGovernment in Austria
The legal scope of eGovernment is not confined to a single law or regulation, but rather is defined in broader terms. Regulations that deal with eGovernment are found in numerous federal and provincial law books.
However, the basic framework for eGovernment consists of a relatively manageable set of laws: the eGovernment Act, the General Administrative Procedures Act, the Service of Official Documents Act and the Electronic Signature Act. These laws are further supplemented by other acts and regulations. In addition to ensuring data protection and guaranteeing a high standard of security, eGovernment should serve to simplify citizens’ lives.
In a Europe-wide comparison, Austria was one of the first Member States of the European Union to pass comprehensive legal regulations in the area of eGovernment. The eGovernment Act is viewed as an example throughout Europe.
The eGovernment Act is the core of Austrian law on eGovernment. It was enacted on 1 March 2004, and its first amendment was passed on 1 January 2008. This law serves as the legal basis for eGovernment services. It enables closer cooperation between all authorities that provide eGovernment services and gives them the opportunity to network with one another. Many mechanisms, such as the citizen card, sector-specific personal identifiers and electronic delivery of documents, can also be used in the private sector.
The most important principles of eGovernment law are:
- Freedom of choice for users in selecting the means of communication when contacting public authorities;
- Security and improved legal protection provided by appropriate technical measures such as the citizen card;
- Unhindered access for people with special needs to public administration information and services.
The following sections contain a brief overview of the essential regulations.
The citizen card is an electronic identification for the Internet. People can use it to identify themselves by digital means to a public authority. It allows them to be uniquely identified and authenticated where required by law. The citizen card contains a qualified electronic signature that makes it possible to sign forms or contracts which normally require a personal handwritten signature. While practical for doing business with public authorities, the citizen card can also be put to use in personal matters, for example to increase the security of Internet transactions or for eBanking.
The citizen card is available in many different formats, since it does not depend on a particular type of technology and does not require one specific type of card. In most cases, the carrier medium is a chip card (such as the eCard). It is essential that the citizen card contains a qualified electronic signature and an identity link that contains the associated security data and functions, as well as any data on mandates which may have been granted.
Due to the strict regulations on data protection in Austria, the number from the Central Register of Residents is not used directly; instead, a highly encrypted and non-reversible derivation of this number, the so-called sourcePIN, is calculated. For people who are not registered in the central register, the sourcePIN is created from their registration number in the supplementary register. The sourcePIN of a natural person may only be stored on that person’s citizen card. For legal persons, the entry number in the Register of Company Names or the Central Register of Associations, or the registration number in the Supplementary Register, is used as the sourcePIN.
The identity link is used to create a unique link between the citizen card and its rightful owner. More specifically, the sourcePIN Register Authority verifies by way of an electronic signature that a link has been established between the citizen card holder and his or her sourcePIN for the purposes of unique identification. The identity link is entered on the citizen card.
Individuals may authorise another person to submit applications on their behalf. In such cases, the sourcePIN Register Authority stores the mandate, including any limitations it may contain, and the sourcePIN of the person being represented on the representative’s citizen card. Mandates can also be used by professional representatives.
Sector-Specific Personal Identifiers
In order to ensure the protection of data, authorities are not allowed to store the sourcePINs of natural persons in their applications. The authorities may identify natural persons only by their sector-specific personal identifier (ssPIN). The ssPINs are derived from the respective person’s sourcePIN. This process must be irreversible: it must not be possible to calculate the original sourcePIN back from the ssPIN. An ssPIN is valid only for the sector of activity of the authority under which the initiated procedure falls. Personal identifiers from other sectors may only be used in encrypted form. In order to generate an ssPIN, the sourcePIN is needed. The sourcePIN may only be used to generate the ssPIN - using the citizen card - with the agreement of the person concerned. If the sourcePIN is unknown, only the sourcePIN Register Authority may generate an ssPIN without a citizen card, and it may do so only in certain circumstances.
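The following is an added illustration of the identifier scheme described above (it is not the Austrian specification or code from any official implementation): a sourcePIN that only the register authority can derive, and per-sector ssPINs that are deterministic, one-way and unlinkable across sectors. The sector identifiers, the register number and the authority key are constructed sample values, and HMAC-SHA256 / SHA-256 are assumed primitives chosen for the demonstration.

```python
import base64
import hashlib
import hmac

# Constructed sample values for this example; they are not real register data
# and not the identifiers assigned by the Sectors Delimitation Regulation.
AUTHORITY_KEY = b"sourcePIN-register-authority-demo-key"   # held only by the authority
SECTORS = {"tax": "SA", "health": "GH", "education": "BW"}


def derive_sourcepin(register_number: str) -> str:
    """Model of the sourcePIN: a keyed, one-way derivation of the register number.
    The page states only that the derivation is non-reversible; HMAC-SHA256 under
    a key known solely to the sourcePIN Register Authority is an assumption here.
    The key keeps the sourcePIN unpredictable even though register numbers are not,
    so an ssPIN cannot be reversed by simply enumerating register numbers."""
    mac = hmac.new(AUTHORITY_KEY, register_number.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def derive_sspin(sourcepin: str, sector_id: str) -> str:
    """Model of an ssPIN: an unkeyed hash over the sourcePIN and the sector identifier.
    Anyone holding the sourcePIN (the citizen card, with the holder's consent) can
    recompute it, but the sourcePIN cannot be recovered from the ssPIN, and the
    ssPIN of one sector does not reveal the ssPIN of another sector."""
    digest = hashlib.sha256(f"{sourcepin}+{sector_id}".encode()).digest()
    return base64.b64encode(digest).decode()


def sspins_for_person(register_number: str) -> dict:
    """The identifiers one person has in each sector; each authority sees only its own."""
    sourcepin = derive_sourcepin(register_number)
    return {name: derive_sspin(sourcepin, sid) for name, sid in SECTORS.items()}


def can_link(sspin_a: str, sspin_b: str) -> bool:
    """Two authorities comparing stored ssPINs can match records only when the
    values are identical, which happens only within the same sector."""
    return hmac.compare_digest(sspin_a, sspin_b)


if __name__ == "__main__":
    ids = sspins_for_person("ZMR-000123456")   # constructed register number
    for name, value in ids.items():
        print(f"{name:10s} {value}")
    print("tax/health linkable:", can_link(ids["tax"], ids["health"]))
```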
The sourcePINs required for the unique identification of persons are available from the sourcePIN Register. Technically, the sourcePIN register is a virtual register, meaning that sourcePINs are only generated when required and are deleted afterwards. The functions of the sourcePIN Register Authority are carried out by the Data Protection Commission.
All natural persons who do not have a registered address in Austria and legal persons who do not appear in the Register of Company Names or in the Central Register of Associations can register themselves in the supplementary registers in order to participate in eGovernment.
Standard Document Register
Until now, citizens and businesses were required to prove certain information by providing documents, such as birth certificates, proof of citizenship, or documents from the Register of Company Names in order to conduct certain transactions. With electronic administration, this is no longer necessary in many cases, since electronic data that is already stored in the registers is allowed to be used. When a person registers with an authority, the authority verifies the accuracy of the personal and nationality data by inspecting the relevant documents (standard documents). It then informs the Central Register of Residents that the information is accurate. A person may request that the accuracy of the information be recorded, even in cases where no registration procedure is being conducted, provided that he or she can provide proof of the accuracy of the information by presenting the relevant documents. Thus, certain information need no longer be presented by the person concerned but can, with the person’s consent, be directly requested by the authority from the Central Register of Residents.
Persons conducting transactions with public administration must be able to rely on the authenticity of documents they receive from the authorities. The Official Signature is an advanced electronic signature affixed by an authority to an administrative notice or document. This makes it easy to recognise electronic documents issued by authorities. Not only can the authenticity of the document be verified by means of the Official Signature, the printed version of it is also treated as being equivalent to the official document by the authorities.
SourcePIN Register Regulation
The sourcePIN Register Regulation specifies the responsibilities of the sourcePIN Register Authority which are necessary for the implementation of the citizen card concept and the cooperation with its service providers. The main provisions deal with the following:
- The process to create identity links, including setting down the duties of citizen card registration agents, the validation of identity, and the identity link dataset. The regulation also lays down that a compliant citizen card environment needs to support an interface that can bind the citizen card to the application. This interface is defined and published by the sourcePIN Register Authority.
- The transformation of sector-specific personal identifiers (ssPIN) into ssPINs of other authorities, and the creation of ssPINs for specific authorities and for data applications in the public sector. The sourcePIN Register Authority has an interface to create and transform ssPINs which it makes available to public authorities. This interface is also accessible via the portal network of public authorities. Each request to calculate an ssPIN is recorded by the sourcePIN Register Authority.
- The electronic representation of mandates on the citizen card. One of the remarkable achievements of the citizen card concept is the possibility of representing mandates electronically. The sourcePIN Register Authority electronically signs a mandate representation dataset and thus prevents forgery of such datasets stored on a citizen card. A service to revoke mandates online over the Internet will be provided by the sourcePIN Register Authority.
eGovernment Sectors Delimitation Regulation
For the purpose of generating sector-specific personal identifiers, each public sector data application needs to be assigned to a sector of State activity. The eGovernment Sector Delimitation Regulation defines the designations and the sector-identifiers.
Supplementary Register Regulation
This regulation plays an important role in the implementation of the citizen card concept in that it enables natural persons and other affected parties who, due to legal restrictions, may not be entered in the primary registers (Central Register of Residents, Register of Company Names, Central Register of Associations) to be registered in the supplementary register.
The supplementary register is divided into two parts: one register for natural persons and another for "other concerned parties". The eGovernment Act allows the sourcePIN Register Authority to take over the duties of service provider for the Federal Ministry of the Interior for the supplementary register for natural persons, and for the Federal Ministry of Finance for the second supplementary register.
The Electronic Signature Law
The Electronic Signature Law lays down the fundamental principles of electronic signatures in accordance with the European Signature Directive. The electronic signature law differentiates between three types of signatures: simple, advanced and qualified. The citizen card uses a qualified signature. According to the signature law, a qualified signature is equivalent to a handwritten signature. This means that you can sign electronic contracts with a qualified signature and they will be as legally binding as if the contract had been signed by hand. The electronic signature law also specifies requirements for businesses that issue qualified certificates (certificate providers), as well as regulations for the recognition of foreign certificates.
General Administrative Procedures Act
As the name implies, the General Administrative Procedures Act (AVG) lays down the basic principles of administrative procedures. Article 13 of the General Administrative Procedures Act is relevant to eGovernment in that it regulates the ways in which public authorities and citizens can communicate with each other, such as the transmission of applications by eMail or Web forms. The authority’s Web site must list the addresses to which application forms can be sent, whether an electronic signature is needed, and which formats are recommended or required for the application. Opening times must also be published on the site.
Starting 1 January 2011, written copies of public authority transactions or of electronically created documents require a handwritten signature, certification or official signature. From this point on, all electronic documents from a public authority are required to have an official signature affixed to them.
Service of Documents Act
The Service of Documents Act governs the delivery of all documents, such as official notices, which government authorities are required by law to send out. In the electronic world and paper world alike, a differentiation is made between deliveries that require proof of delivery, by which the recipient or his representative confirms the delivery with a signature, and deliveries where no proof is required.
Proof of delivery is carried out via an electronic delivery service. This service is available from delivery service providers that have been approved by the Federal Chancellor. It allows customers (citizens and businesses) to register with their citizen card to confirm that they want to receive administrative documents electronically. A list of these delivery service providers is published by the Federal Chancellor on the Web. Registering with a delivery service is sufficient notice in order to receive administrative documents. However, neither citizens nor public authorities are obliged to use an electronic delivery service if they do not wish to.
When an authority needs to send a document using a delivery service, the recipient is notified up to two times by electronic means (for example by eMail or short message) that a document is ready to be collected. A third notification can also be sent out by post. The delivery is confirmed as soon as the document is picked up by the recipient. Proof of delivery is verified when the document is retrieved using the recipient’s citizen card, or when an explicit agreement exists that allows documents to be picked up automatically using an automated signature. Delivery is also deemed confirmed even if the document is not picked up by the recipient.
Electronic deliveries without proof of delivery can nonetheless be confirmed using the above-mentioned methods ("electronic delivery service" with "immediate electronic delivery", although it is not necessary for the citizen card to be used), or by using the "electronic communication system from the authority" or an "electronic delivery address".
Starting 1 January 2009, in accordance with §37 of the Service of Documents Act, before documents can be delivered using an individual "electronic communication service from the authority" (for example the Databox in FinanzOnline), a delivery using an electronic delivery service must be attempted first. Only afterwards is it allowed for deliveries to be sent out to recipients that are registered on the authority’s system. This includes cases in which an electronic delivery service cannot be used because the recipient is not registered with one.
Electronic delivery can also be carried out in cases where the recipient gives an eMail address to the public authority as his "electronic delivery address" during a procedure. However, electronic delivery to that address may only be used for this procedure and not for any other procedures which are carried out later.
Delivery Service Regulation
The Delivery Service Regulation further defines the admission standards that are given in §30 of the Service of Documents Act. These standards include criteria for assessing the technical and organisational ability of delivery services and, in particular, the reliability of their data protection measures. The technical requirements that are to be fulfilled by delivery services are contained in an annex to the Delivery Service Regulation and are to be published on the Internet.
Delivery Forms Regulation
The Delivery Forms Regulation defines the forms for the first and second notifications, which are sent electronically, as well as for the third and final notification, which is sent by postal delivery to the recipient’s delivery address (for example home address), if one has been provided.