Interoperability frameworks
Developing an interoperability framework requires a multi-stakeholder process and a long-term vision for the ID system. As per the European Interoperability Framework, there are four interoperability layers that need to be defined:
- Legal interoperability—Legal, policy, and regulatory frameworks define the scope of interoperability, particularly with regard to data exchange and requirements for privacy and data protection.
- Organizational interoperability—For interorganizational interoperability, federation, or mutual recognition of ID systems, organizations must define trust frameworks and process standards around the identity lifecycle (e.g., the eIDAS standards).
- Semantic interoperability—To ensure that the meaning of exchanged data and information is consistent, systems must adopt the same data standards or construct data dictionaries.
- Technical interoperability—To enable machine-to-machine communication, systems must adopt the same technology standards for software, physical hardware components, and systems and platforms.
Throughout these four layers, interoperability frameworks also rely on crosscutting integrated public service governance to ensure usability, security, privacy, and performance. Table 36 provides an overview of key requirements for defining each layer of the interoperability framework.
Table 36. Requirements for building interoperability frameworks
Legal | Perform “interoperability checks” by screening existing legislation to identify:
- Interoperability barriers: Sectoral or geographical restrictions in the use and storage of data, different and vague data license models, over-restrictive obligations to use specific digital technologies or delivery modes to provide public services, contradictory requirements for the same or similar business processes, outdated security and data protection needs, etc.
- Coherence: Evaluate compatibility between the enabling legislation of different organizations in order to ensure interoperability.
- Digital applicability: Ensure that legislation suits digital (as well as physical) identity data processing.
Organizational | Define inter-organizational relationships and processes:
- Organizations must align their business processes, responsibilities and expectations to achieve commonly agreed and mutually beneficial goals, and document them.
- Clearly define the relationship between service providers and service consumers (e.g., MoUs, Service Level Agreements (SLAs), API specifications, etc.).
Semantic | Adopt data standards to be used by organizations in the interoperability framework:
- Develop semantic vocabularies and schemata to describe data exchanges, and ensure that data elements are understood in the same way by all communicating parties (e.g., via XML and JSON languages, and the use of metadata).
- Define the syntactic format of the information to be exchanged in terms of grammar and format.
Technical | Adopt technical standards to be used for system components and devices:
- Use open specifications, where available, to ensure technical interoperability.
- Put in place processes to select relevant standards and specifications, evaluate them, monitor their implementation, check compliance and test their interoperability.
- Use a structured, transparent, objective and common approach to assessing and selecting standards and specifications, considering the requirement to make them consistent across borders.
- Consult relevant catalogues of standards, specifications and guidelines at national and regional level when procuring and developing ICT solutions.
Integrated public service governance | Throughout the above layers, ensure coordination and documentation of:
- The definition of organizational structures, roles and responsibilities and the decision-making process for the stakeholders involved.
- The imposition of requirements for aspects of interoperability including quality, scalability, availability, service level agreements, security and privacy controls.
- Change management plans that define the procedures and processes needed to deal with and control changes.
- Business continuity/disaster recovery plans to ensure that digital public services and their building blocks continue to work in a range of situations (e.g., cyberattacks or systems failures).