The National Interoperability Scheme is established in paragraph 1 of article 42 of Law 11/2007, of 22 June, on electronic access of citizens to public services. Its purpose is to create the conditions necessary to ensure an adequate level of technical, semantic and organisational interoperability of the systems and applications used by public administrations, enabling the exercise of rights and the fulfilment of duties through electronic access to public services, while also serving effectiveness and efficiency.
Royal Decree 4/2010, of 8 January, which regulates the National Interoperability Scheme in the field of e-Government, establishes in its first additional provision the development of the series of technical interoperability standards, compliance with which is mandatory for public administrations.
The technical interoperability standards develop specific aspects of various issues, such as: electronic document, scanning, authentic copying and conversion, electronic file, signature policy, standards, data intermediation, data models, management of electronic documents, connection to the communications network of the Spanish public administrations, data model for the exchange of registry entries, and declaration of conformity; all of them are needed to ensure the more practical and operational aspects of interoperability between public administrations and with citizens. These technical interoperability standards will be developed and improved over time, in parallel with the progress of electronic services, technological developments and the infrastructures that support them, to comply with the mandate of article 42.3 of Law 11/2007, of 22 June.
Within this set of technical interoperability standards, the standard on data intermediation responds to the provisions of article 9 of Law 11/2007, of 22 June, and article 8 of Royal Decree 4/2010, of 8 January, on the access to and use of services for the exchange of data and documents between public administrations, by defining a model for the intermediated exchange of data. Intermediated exchanges are a model recommended internationally by the EU, the OECD and the UN, given their proven efficiency as an interoperability tool that allows both the standardisation and the re-use of exchange services.
In particular, the Technical Interoperability Standard on Data Intermediation Protocols first, and in general terms, defines the roles of the actors involved in intermediated data exchanges; and second, sets the conditions relating to intermediated data exchange processes through the intermediation platform of the Ministry of Finance and Public Administration, as well as requirements for the intermediation platforms of other public administrations.
These roles and conditions are established in terms of technological interoperability and apply alongside the considerations that correspond to the nature of the information being exchanged or transferred, in accordance with the applicable legislation.
This technical standard has been drawn up with the participation of all the public administrations to which it applies; it has been favourably reported by the Permanent Commission of the Higher Council of e-Government and proposed by the Sectoral Committee of e-Administration.
In application of paragraph 2 of the first additional provision of Royal Decree 4/2010, of 8 January, this Secretary of State resolves:
First.
The Technical Interoperability Standard on Data Intermediation Protocols, whose text is included below, is approved.
The Technical Interoperability Standard on Data Intermediation Protocols approved by this resolution shall apply from the day following its publication in the «Official Gazette», without prejudice to the first transitional provision of Royal Decree 4/2010, of 8 January, which regulates the National Interoperability Scheme in the field of e-Government.
Madrid, 28 June 2012. The Secretary of State for Public Administrations, Antonio Germán Beteta Barreda.
Technical Interoperability Standard on Data Intermediation Protocols
Index
I. General provisions.
I.1 Object.
II. Actors in intermediated data exchanges.
II.1 Assignor and Issuer.
II.2 Assignee and Requester.
III. Intermediation platform of the Ministry of Finance and Public Administration.
III.2 Governance of the system.
III.3 Technical requirements for the exchange.
III.4 General aspects of security.
III.5 Technologies and standards.
III.6 Traceability and auditing of exchanges.
III.7 Catalogue of data exchange services.
I. General provisions.
I.1 Object.
The purpose of the Technical Interoperability Standard on Data Intermediation Protocols is to establish the specifications for the intermediated exchange of data between public administrations and the public-law entities linked to or dependent on them (hereinafter, organisations).
1. The content of this standard shall apply to intermediated data exchanges through the intermediation platform of the Ministry of Finance and Public Administration, within the scope established in article 3 of Royal Decree 4/2010, of 8 January, which regulates the National Interoperability Scheme in the field of e-Government.
2. The conditions laid down in this standard relating to the participants in intermediated data exchanges shall apply to other intermediation platforms within the scope established in article 3 of Royal Decree 4/2010, of 8 January, which regulates the National Interoperability Scheme in the field of e-Government.
3. The conditions laid down in this standard relating to the intermediation platform of the Ministry of Finance and Public Administration may be applied to intermediated data exchanges through other intermediation platforms within the scope referred to in paragraph 2.
4. The conditions laid down in this standard may be applied to non-intermediated data exchanges as well as to other interoperability nodes.
II. Actors in intermediated data exchanges.
II.1 Assignor and Issuer.
1. An assignor is any organisation that holds data relating to citizens that another organisation may need to consult in the exercise of its powers; it is responsible for those data in accordance with Organic Law 15/1999, of 13 December, on the Protection of Personal Data, and offers them to potential assignees through an issuer.
2. An issuer is the party that facilitates the transfer of data from a technological point of view.
3. An assignor that itself facilitates the transfer of its data acts, within the scope of this standard, as issuer as well as assignor.
4. Any interoperability node that participates in managing the procedures for issuing or transferring data from an issuer also takes the role of issuer within the scope of this standard, including the functions related to the electronic signature of the communications carried out.
5. Role of the assignor:
a) Provide the information for the catalogue or register of data exchange services, covering the data exchange services available to other organisations for consultation.
b) With regard to authorisations for access to services:
b.1) Establish the conditions of access to the data exchange services it offers, the permitted consultation methods and protocols, and the information to be known about each Requester.
b.2) Give reasons for any rejection or refusal of an application.
b.3) Define the audit policy and conduct periodic audits of the use of the system with respect to queries on its data.
c) May delegate these tasks to the issuer or to an interoperability node.
6. Role of the issuer:
a) Establish the technical conditions of access to the data exchange services it offers, the permitted query methods and the technical and audit controls; it may delegate the execution of these conditions to an interoperability node.
b) Define the controls and criteria for access to the data needed to ensure the confidentiality of the information: policies and procedures for managing and controlling the access of users and bodies.
c) Provide the data relevant to each query with a guarantee of integrity and confidentiality.
d) Report on the availability of each exchange service under its responsibility, and on the support and troubleshooting mechanisms available in each case, including the contact information for those services.
e) Define service level agreements (SLAs) that regulate the conditions for the provision of services and the specific incident response mechanisms according to the criticality of the service being provided.
f) Keep a trace of all requests received and responses generated.
II.2 Assignee and Requester.
1. An assignee is any organisation authorised to consult certain data on citizens held by an assignor.
2. A Requester (Requirente) is the party that facilitates the consultation of data from a technological point of view.
3. An assignee that performs the data query directly acts, within the scope of this standard, as Requester as well as assignee.
4. Any interoperability node that participates in managing the data consultation procedures of a Requester also takes the role of Requester within the scope of this standard, including the functions related to the electronic signature of communications.
5. Role of the assignee:
a) Always request information relating to formalities and procedures approved by the assignor and within the framework of an administrative procedure.
b) Comply with the conditions of access to the data set by the assignor.
c) Obtain the consent of the person concerned, unless a law exempts it from doing so, and record the response obtained from the system in the relevant file.
d) Use the information obtained from each query for the purpose appropriate in each case, performing the same query as many times as necessary whenever the procedure to which the query relates so requires, and expressly assuming the responsibility that might derive from any breach.
e) Collaborate in audit work where required to do so, providing the assignor with the information or documents necessary for the control of the queries.
6. Role of the Requester:
a) Comply with the conditions of access to the data established by the issuer.
b) Ensure that query requests contain the identification information, the information requested and the specification of the formality or procedure in which the data will be used and, where appropriate, the details of the assignee.
c) Keep a trace of the requests made and the responses received.
d) Collaborate in audit work where required to do so.
e) Carry out the monitoring and control needed to keep its service operating properly.
f) Ensure the maximum guarantees of security and confidentiality of queries, preserving the privacy of the data consulted both in the exchange itself and in the further processing of the information obtained. To that end, it shall establish controls on authorisation, access and use of applications by users, and keep up to date the data on the users and applications that access the system, reporting their status and ensuring that their deregistration is processed when appropriate.
g) Not store personal information on any citizen except that essential for the requested procedure, for the organisation on whose behalf it has been collected, and only for the time required.
III. Intermediation platform of the Ministry of Finance and Public Administration.
III.1 Functions.
1. The Ministry of Finance and Public Administration operates as an interoperability node through the intermediation platform which, in accordance with the definition of interoperability node in Royal Decree 4/2010, of 8 January, provides common functionality for the exchange of information between issuers and Requesters.
2. Role of the intermediation platform of the Ministry of Finance and Public Administration:
a) Manage assignees and Requesters in accordance with the conditions established by each assignor.
b) Not store personal information on any citizen arising from any data exchange transaction.
c) Ensure the confidentiality and integrity of the information exchanged through appropriate mechanisms.
d) Maintain an informative website with all the documentation relating to the platform, on which at least the following will be published:
d.1) The catalogue of data exchange services made available by the different organisations, including the access protocols for these services, the permitted query methods, the relevant technical information, and the information required from each Requester.
d.2) Application forms for access to services.
d.3) Service agreements for each available service and for the intermediation platform of the Ministry of Finance and Public Administration in general.
d.4) News about the service provided by the platform.
e) Keep the system running 24x7.
f) Support organisations and manage all communications and incidents that arise, collaborating for that purpose with Requesters and issuers.
g) Maintain a support centre for users and integrators that channels all incidents relating to the system, and publish its contact details.
h) Prepare reports on the activity and use of the platform, covering the queries made to and from each organisation.
i) Evolve and maintain its systems, guaranteeing the security and privacy of the data in accordance with the applicable regulations.
j) Collaborate in audit work whenever the issuer or the assignor so requires and defines, maintaining the agreed traceability and statistical data, providing access to them when needed and allowing the sequence of operations carried out by the system to be reproduced.
III.2 Governance of the system.
1. Any organisation can access information about the data exchange services available through the intermediation platform of the Ministry of Finance and Public Administration or, where appropriate, through the corresponding interoperability node.
2. The incorporation of new services into the intermediation platform will be coordinated between the Ministry of Finance and Public Administration and the relevant assignor organisation.
In the case of common services offered by the Autonomous Communities (CCAA), the incorporation of new services shall be approved beforehand by the Sectoral Committee of e-Administration.
3. For access to a data exchange service:
a) The Requester sends the issuer a registration request for access to the service, using the form in annex I, through the intermediation platform of the Ministry of Finance and Public Administration. This operation is carried out for each assignee managed by the Requester.
b) The issuer sends the Requester the authorisation of the assignee in response to the request. This authorisation includes the justification of the legitimacy and competence of the Requester and is recorded by the intermediation platform.
4. The functions of each actor involved in the authorisation may be performed by the intermediation platform of the Ministry of Finance and Public Administration itself or, where appropriate, by an interoperability node that has signed the corresponding agreement with the Ministry for that purpose.
III.3 Technical requirements.
1. The intermediation platform of the Ministry of Finance and Public Administration will ensure the interoperability, availability, reliability and security of the information transmitted through it between the different organisations with which it interacts.
2. Access to the data intermediation platform of the Ministry of Finance and Public Administration shall use the communications network of the Spanish public administrations, in accordance with the Technical Interoperability Standard on requirements for connection to the network of the Spanish public administrations.
III.4 General aspects of security.
Data exchange between the intermediation platform of the Ministry of Finance and Public Administration and the organisations will take place under conditions that guarantee the security of the information transmitted, providing for confidentiality, integrity, availability, authenticity and traceability measures appropriate to the nature of the obligation:
a) Authenticity. The identity of all agents involved in the data exchange process shall be ensured, so that all of them are correctly identified in each exchange. To this end, the security measures of Royal Decree 3/2010, of 8 January, shall be applied: within the group 'operational framework', the chapter 'Access control' (op.acc); and within the group 'protection measures', the chapter 'Protection of information' (mp.info).
b) Confidentiality and integrity of the information exchanged, which shall be protected in accordance with the group 'protection measures', chapters 'Protection of communications' (mp.com) and 'Protection of information' (mp.info), defined in Royal Decree 3/2010, of 8 January, and with the security measures set out in Organic Law 15/1999, of 13 December, and its implementing regulations, ensuring that no citizen's personal information is stored.
c) Availability of the platform, which is ensured through the measures established in the chapter 'Protection of services' (mp.s) of the group 'protection measures' defined in Royal Decree 3/2010, of 8 January.
d) Traceability, as set out in section III.6 of this standard.
III.5 Technologies and standards.
1. The technologies used for exchanges will be implemented on the basis of open and interoperable standards, as set out in the Technical Interoperability Standard on the Catalogue of Standards.
2. The exchange of information may be deployed via web services which, as a set of open protocols and standards for developing data structures specific to each type of exchange, will incorporate the security mechanisms necessary for communication.
3. The web services implemented will be designed on the basis of:
a) Services defined using WSDL (Web Services Description Language).
b) Messages in XML (eXtensible Mark-up Language) format, with structures based on published XML schemas that facilitate their interpretation.
c) Security standards for point-to-point communications, using the Transport Layer Security (TLS) protocol with client authentication at transport level, or at application level through the use of protocols that guarantee end-to-end security of Web services.
4. As a general rule, exchange services shall use version 3.0 of the SCSP protocol (Sustitución de Certificados en Soporte Papel, replacement of paper certificates), whose specification is available on the e-Government Portal PAE/CTT at http://administracionelectronica.gob.es/es/ctt/scsp.
Version 2 of the SCSP protocol may be used in existing services that do not require additional security mechanisms, without prejudice to the existence of an updated version of the same service.
III.6 Traceability and auditing of exchanges.
1. Issuers and Requesters shall maintain the traceability of the data exchanges that take place, for which they may rely on functionality provided by the intermediation platform of the Ministry of Finance and Public Administration, and in accordance with the provisions on traceability in Royal Decree 3/2010, of 8 January.
2. The preservation of traces by the intermediation platform of the Ministry of Finance and Public Administration, established in accordance with the security measures of Royal Decree 3/2010, of 8 January: op.exp.10 «Protection of activity records», op.exp.8 «User activity log» and mp.info.5 «Time stamps», will facilitate the auditing of exchanges. The information provided by the platform is to be completed with the information, retained by issuer and Requester, that allows the specific data exchanged to be recovered.
3. The intermediation platform of the Ministry of Finance and Public Administration will not store information about the content of the exchange, nor assume functions relating to the preservation of traces and auditing beyond what is stipulated in section III.6, in which case the definition of the functions and the implementation mechanisms available to the interested agent will be duly documented. The assignor may audit the transfers of data to verify compliance with the requirements to which they may be subject.
4. To ensure the traceability of the exchanges that take place, every request or query shall be associated with a unique identifier that allows the sequence of operations carried out to be reproduced.
5. The information stored for the traceability of each query or exchange includes at least the following:
a) Transaction identifier.
b) Assignee of the information, the Requester requesting it and the end user making the query, specifying, if possible, the public employee or application.
c) Type of information requested.
d) Date and time of the query.
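The minimum trace content of paragraphs 4 and 5 can be sketched as a record type with a replay function that rebuilds the sequence of operations for one identifier. This is an added Python example, not part of the standard or of the platform's code; the class, field and operation names and the sample values are assumptions.

```python
import uuid
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class TraceEntry:
    """One trace line. Field names are assumptions; the standard lists only the content."""
    transaction_id: str       # 5.a) identifier of the transaction
    assignee: str             # 5.b) organisation the data is requested for
    requester: str            # 5.b) party that technically performs the query
    end_user: Optional[str]   # 5.b) public employee or application, "if possible"
    info_type: str            # 5.c) type of information requested
    timestamp: datetime       # 5.d) date and time of the query
    operation: str            # step within the exchange (assumed labels)


class TraceLog:
    """In-memory trace store; it has no field for the exchanged data itself."""
    MANDATORY = ("transaction_id", "assignee", "requester", "info_type", "operation")

    def __init__(self) -> None:
        self._entries: List[TraceEntry] = []

    @staticmethod
    def new_transaction_id() -> str:
        # Paragraph 4: one unique identifier per request or query.
        return str(uuid.uuid4())

    def record(self, *, transaction_id: str, assignee: str, requester: str,
               info_type: str, operation: str, timestamp: datetime,
               end_user: Optional[str] = None) -> TraceEntry:
        values = dict(transaction_id=transaction_id, assignee=assignee,
                      requester=requester, info_type=info_type, operation=operation)
        missing = [k for k in self.MANDATORY if not str(values[k] or "").strip()]
        if missing:
            raise ValueError(f"incomplete trace entry, missing: {missing}")
        if timestamp.tzinfo is None:
            raise ValueError("timestamp must be timezone-aware")
        entry = TraceEntry(timestamp=timestamp, end_user=end_user, **values)
        self._entries.append(entry)
        return entry

    def replay(self, transaction_id: str) -> List[TraceEntry]:
        # Rebuild the sequence of operations of one exchange, oldest first.
        own = [e for e in self._entries if e.transaction_id == transaction_id]
        return sorted(own, key=lambda e: e.timestamp)


def demo() -> List[str]:
    """Constructed sample: two interleaved exchanges, replay of the first."""
    log, t0 = TraceLog(), datetime(2012, 6, 28, 9, 0, tzinfo=timezone.utc)
    tx_a, tx_b = log.new_transaction_id(), log.new_transaction_id()
    common = dict(assignee="ORG-A", requester="NODE-1", info_type="residence")
    log.record(transaction_id=tx_a, operation="response_received",
               timestamp=t0 + timedelta(seconds=2), end_user="app:case-mgmt", **common)
    log.record(transaction_id=tx_b, operation="request_sent",
               timestamp=t0 + timedelta(seconds=1), **common)
    log.record(transaction_id=tx_a, operation="request_sent",
               timestamp=t0, end_user="app:case-mgmt", **common)
    return [e.operation for e in log.replay(tx_a)]


if __name__ == "__main__":
    print(demo())
```

Because `record` accepts only the listed keyword arguments, an attempt to attach the exchanged data to a trace entry fails at the call site, in line with paragraph 3.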
III.7 Catalogue of data exchange services.
1. The catalogue or register of data exchange services provided by each assignor shall be incorporated into the catalogue of the intermediation platform of the Ministry of Finance and Public Administration, to serve as a reference for potential Requesters.
2. The catalogue of data exchange services shall be available for consultation by the various organisations through any of the following means:
a) An information point belonging to the assignor, or to the issuer if the assignor so delegates, which may be its electronic office.
b) The intermediation platform of the Ministry of Finance and Public Administration.
c) Interoperability instruments established in Royal Decree 4/2010, of 8 January:
i. Inventory of administrative procedures and services.
ii. Semantic Interoperability Centre of the Administration.
3. The catalogue or register of services shall contain, for each available service or generic type of exchange, at least the general information defined in annex II.
4. For the publication of new services on the intermediation platform of the Ministry of Finance and Public Administration, UDDI (Universal Description, Discovery and Integration) or a service directory may be used to facilitate the dynamic discovery of new services, although their use will in any case depend on the formalisation of the corresponding necessary authorisations.