National Identity Authority

The NIA provides state-guaranteed services to public administrations identification and authentication, including federation of data on the subject of law from the basic registers and the possibility of transmitting login identities according to the Single Sign-On principle. For persons listed in the ROB or logging in with an eIDAS identity from EU Member States, the OVS does not need to handle login identities for its clients itself. In the current state of the ROB (As-Is state), therefore, only for citizens of the Czech Republic and foreigners with permanent residence. In the future state (To-Be state) for Czech citizens, foreigners with permanent residence and other natural persons (EjFO) who have a legal or property relationship to the Czech Republic (foreign property owner, foreign doctor, foreign student, etc.).

The National Identity Authority creates a federated system consisting of the following components:

• National Point as the central point of the federative system, which ensures communication and registration of the federation participants. This component also ensures that the person who proves his identity by presenting authentication means is always uniquely identified.
• Qualified administrator, which issues remote authentication (proof of identity) devices to uniquely identified individuals and performs all activities related to the management of these devices and proof of identity of the individual
• Basic registries, which provide unambiguous identification of an individual and ensure the linkage of that individual to reference data about the individual
• The eIDAS National Node, which provides for the acceptance of remote proof of identity from the notified systems under the eIDAS Regulation and the transmission of remote identification and authentication from the Czech Republic to other EU states. Other EU states will have to accept Czech identities from 13 September 2020, when the notified Electronic Identity Card means expires.

Although the NIA currently provides its services only as a "front-end" solution using SAML tokens, it is planned to also provide services as a "back-end" for the use of identity translations and identifiers using eGON services.

There are already more than 50 service providers and more are in the pipeline. The final number is in the hundreds. The current list is available here https://info.eidentita.cz/sep/.

Just as other states are obliged under eIDAS to accept Czech declared means of identity (eObčanka), Czech service providers are obliged to accentuate the identity declared by another state under eIDAS. The obligation to allow login using the IIG - International Identity Gateway is enabled for all service providers as of 30.6.2020.

The following attributes are issued by the NIA to so-called Qualified Service Providers. The issue is also described in Portals of public administration and private data users. The bolded attributes correspond to the eIDAS standard, while the other attributes do not correspond to the standard, but the qualified service provider has the possibility to request their release when communicating within the Czech Republic.

The pseudonym, or natural person identifier, transmitted from the NIA is unique and immutable for each qualified service provider. It does not serve as a public identifier, but as a technical identifier. Should a situation arise where the pseudonym for a natural person changes, the authority will be informed of this fact through the basic registers information system, as its agenda identifier of the natural person will also change. The private data user will not be notified of this change as he cannot be connected to the basic registers indirectly, but this service can be provided by his superior authority.

However, if the qualified service provider wants to be sure that the pseudonym is up-to-date, it has to follow the rules of linked data pool, i.e. to have its data trunk identified and to receive notifications from basic registers information system.

A fundamental requirement of security and transparency for public administration information systems is the requirement for uniform electronic identification of external users. For each operation, knowledge of the person performing the operation is required, especially in terms of the undeniable responsibility of the person. External users (clients) of public administration information systems must be uniquely identified, in particular for reasons of personal data protection and from a procedural point of view, as provided for in the Administrative Procedure Code (unambiguous proof of the identity of the parties to the proceedings).

The access management task for each public administration information system consists of the following steps:

• Identification - unambiguous and undeniable identification of the natural person accessing the public administration information system
• Authentication - proving that the accessing person is the person he/she claims to be. Authentication takes place by presenting authentication means (e.g. username and password, authentication certificate) assigned to the person by the administrator of the information system
• Authorisation - on the basis of the data about the identified and authenticated person and other data about this person (for example, job classification), assignment of the person to the appropriate role and the resulting evaluation of the authorisation for actions and data within the information system.

The NAP requires the following principles to be implemented for all public administration information systems in this area:

1. Any authority that provides its services electronically and needs an authenticated client for them must use the services of a qualified electronic identification system (currently only NIA) where identity verification is required by law or by the exercise of competence
2. In order to use a qualified electronic identification system, an organisation must become a Qualified Service Provider (SeP), following the process described below
3. Each authority must accept not only the identity of a Czech citizen, but of any citizen of the European Union according to eIDAS.
4. When creating the identity space, first make an analysis whether one of the federated identities within the qualified electronic identification system (currently only NIA) is not already sufficient.
5. Any new identity space must be built to be federated within a qualified electronic identification system (currently only NIA)
6. Means of identification and authentication shall always be issued in a secure and unambiguous manner to the identified person so as to ensure a minimum level of trust that is substantial. There shall be a permanent record of this issuance of the means, together with details of how the identity of the person was verified
7. The person to whom the funds have been issued is inherently responsible for protecting the funds from theft and misuse
8. The person to whom the means have been issued shall be solely responsible for all operations performed on the information system using those means
9. The substantive administrator of the agendas that are carried out within the information system is responsible for the assignment of persons to roles (technically carried out by the technical administrator of the information system, but always on the basis of input from the substantive administrators). He may delegate this responsibility to more than one responsible person within the organisational structure.

The following steps describe each part of the process outlined below, based on verification through ISDS. Currently, registration of an organisation through the National Point Portal is only available to public authorities, other entities must register directly with the Basic Registry Administration (see step 8). The complete guide is available here.

1. The user, as a representative of an organisation, shall request the service enabling the registration of the organisation from the National Point Portal, which is a Service Provider. This registration allows the organisation to function in NIA and to create individual Service Providers.
2. The National Point Portal contacts the National Identity Authority, which provides the authentication, with a request for authentication of the person (user).
3. For user authentication for organisation registration or individual Service Provider configurations, the Identity Provider is the designated Information System for Data Mailboxes (ISDS). The National Identity Authority will redirect to the data mailbox login.
4. The user authenticates himself by logging in to the data mailboxes. In order to register an organisation on the National Point Portal, the user must be logged in via ISDS (in the defined role and mailbox type of the OVM). If the organisation is not an OVM, registration with the Basic Registry Administration is required.
5. In the case where the user is successfully authenticated, the Data Mailbox Information System will pass an authentication token containing the entity ID and name, the role of the logged-in user and other attributes to the National Identity Authority as a result of the authentication.
6. The National Identity Authority collects the attributes in the Information System of Basic Registers (ISZR) and then checks the existence of the ID.
7. The National Identity Authority transmits to the National Point Portal the necessary attributes from the Basic Registers Information System and the attributes received in the authentication token from the Data Box Information System, which are necessary to process the registration form.
8. Upon successful completion of the previous steps, the National Point Portal shall enable the registration service of the organisation (SeP) and display the completed registration form to the user. This applies only to organisations that are OVMs. If the organisation is not an OVM, detailed information on how to register directly with the Basic Registry Administration is displayed instead of the registration form.
9. The user confirms the correctness of the data and the registration of the organisation (SeP).
10. The National Point Portal processes the received registration request and after successful registration allows the user to configure the individual Service Providers falling under the organisation (list of qualified provider configurations).
11. The user shall perform the Service Provider configuration including the following data:
    • Entity ID
    • Qualified Provider Name.
    • Description of the qualified provider.
    • URL linking to the qualified provider's homepage.
    • URL address for submitting requests
    • Address for receiving the issued token
    • URL to which the user will be redirected when logging out of your website
    • Retrieving the certificate
    • Address to retrieve the public portion of the encryption certificate from the metadata
    • Accessing authentication through the eIDAS gateway
    • Qualified provider logo

The health service provider is not a public authority and therefore the following steps need to be ensured in addition to the above procedure:

1. Apply to the Ministry of Health to be entered into the register of rights and obligations as an SPMU according to the obligations arising from Acts 250/2017 Coll. and 372/2011 Coll., ideally under the agenda A1086
2. At https://www.eidentita.cz/Home/Ovm log in as an authorised user with the data mailbox of the health service provider
   • A new manual data entry should be offered with a further procedure
   • If it does not appear, follow the general points above - send a data message containing the necessary data (URL, logo….)
3. Edit your profile on https://www.eidentita.cz/Home/Ovm for access by others (IT department e.g.) and manage your profile, configure for the Health Service Provider Patient Portal.