What is Organisation eID?
It is a role-based identity, for example an employee identification. It builds on the user having Freja eID with an approved ID document; on top of this, the organisation issues its own attribute for identifying the user within the organisation. In this way, the private and the role-based e-identification are separated.
How is personal data handled in Organisation eID?
Freja eID handles the user’s personal information, such as name, address and social security number, based on consent. However, in a service identification personal data that is not attributable to the user may be processed, for example if an official handles a decision containing a citizen’s personal data. This personal data can only be processed in Freja eID if the Relying Party using Organisation eID has a personal data processing agreement with Freja eID.
How is transaction data handled and stored in Organisation eID?
We store evidence of transactions for 10 years. This includes the type of transaction, time and outcome. We also store the content of the transaction. However, it is always the Relying Party who is responsible for the attributes and transaction history that arise from data that they submit via the Organisation eID. The Relying Party owns the attributes it sets, as well as the content and history of transactions, and may request that we delete transaction data or that we transfer stored transaction data.
What is the difference between a personal e-ID and Organisation eID?
In a personal e-ID, the handling of personal data is based on the user’s consent. As consent can never include someone else’s personal data, third-party information cannot be handled in a personal e-ID. However, this can be done in Organisation eID, as it is the Relying Party who is responsible for personal data and Freja eID acts as an assistant for the handling of personal data.
What is the difference for me as a Relying Party between a personal e-ID and Organisation eID?
A personal e-ID is one where Freja eID has verified the identity of an individual and accepts liability for any damage caused due to faults in Freja’s on-boarding and issuance process as a result of an eID being issued to the wrong person.
An Organisation eID is one or more organisational attributes relating to an individual, which an organisation can add to a user’s profile over and above their personal e-ID. These attributes may be an AD alias or a work e-mail address; typically, data which identifies the user in a corporate scenario. The organisation is the issuer and data controller of this data and it is the organisation who needs to take responsibility for the accuracy of the data.
Who is in control of Organisation eID?
Use of both personal e-ID and Organisation eID is completely under the user’s control, as are attributes stored within the framework of personal e-IDs. Attributes and transaction history connected to the user’s personal e-ID are also under their control.
On the other hand, the transaction history and attributes connected to Organisation eID are under the control of the Relying Party. It is the Relying Party that adds the attribute with which Organisation eID is issued, and it is also the Relying Party that controls the removal of Organisation eID from the user. However, the user must consent to the Relying Party adding an Organisation eID to their Freja eID.
Why is a data processing agreement needed for Organisation eID?
This is required for the Relying Party and its users to be able to handle transactions that contain personal data about third parties, that is, information that has no legal basis to be handled solely based on the user’s consent.
Who is responsible for issuing Organisation eID?
The Relying Party is responsible for the issuing and revoking of an Organisation eID for its users. The Relying Party is also responsible for ensuring that the attribute added to the user’s Organisation eID is correct. In the event that an attribute in Organisation eID is incorrectly issued to a user, Freja eID cannot be held responsible. Freja eID’s responsibility is limited to the attributes we have issued, such as name, birth data and address.
How to integrate with Organisation eID
The Relying Party integrates via Freja eID’s REST API for Organisation eID. Note that this is a separate API from that which manages Freja eID for personal e-identification.
How are users onboarded and offboarded?
First of all, the user must download the Freja eID mobile app and register a valid ID document to be approved for a valid personal e-ID. Then, the Relying Party can add an Organisation eID to the user containing the description of the ID, the logo, the description of the attribute and the value of the attribute. The user may then consent to the addition of the Organisation eID, by making a digital signature with their personal Freja eID.
When offboarding a user, the Relying Party erases their Organisation eID attribute. In this way the connection between the Relying Party and the individual is removed.
What attributes can I add to Organisation eID?
Currently, we support the addition of one attribute per user. To this you can add a description of the attribute, your logo and a description of what you want to call your Organisation eID. The format of the attribute is optional and you can also add different attributes for different user groups, with custom descriptions for each attribute.
What rights does the user have in Organisation eID?
When an Organisation eID is being added to their Freja eID, the user must give their consent.
The user will see the transaction history from Organisation eID in My Pages as long as the Relying Party has Organisation eID active for that user. If/when the Relying Party revokes that user’s Organisation eID, that transaction history is deleted from My Pages.
What is the level of trust of Organisation eID?
Currently, Organisation eID can be issued once the user has undergone the process of adding an ID document to Freja eID, and also at trust level 3 if the user has been approved for Freja eID Plus.
Is Organisation eID automatically included when you have a contract with Freja eID?
No, using Organisation eID requires a separate agreement including an agreement for access to personal data.