Certain obligations for integration between information systems can be derived from other parts of the NAP. It is necessary to distinguish whether the integration is internal or external and also what data is exchanged in the integration and for what purpose. The integration of information systems can be divided as follows:
Integration between information systems of a single administrator is primarily the responsibility and domain of that administrator. This does not mean that such integration is not subject to compliance with the EG Principles, but it is not a primary concern of OHA until the ISMS administrator demonstrates compliance with the principles stated here (such as entity records or a linked data pool).
Technically, the recommended optimal method is to build a single integration platform and provide integration between the information systems in the form of services called and orchestrated in that integration platform. However, even when integrating (or exchanging data between) individual IS or agencies, consideration must be given to, for example, proper logging of transactions and auditing of personal data processing, especially if it concerns data on natural or legal persons.
However, the following always applies to internal integration:
In internal integration between components and systems of a single administrator, the AIFO is not primarily used because the client identifier is used. By using the client identifier and linking all data held on the subject across all agencies (always via a single AIS), the obligation not to request data already held once can be met and, combined with a single case record, the obligations to provide the subject with rights from the ISVS and to keep track of the data held on the subject and the relevant facts relating to the subject can be easily ensured.
As far as the integration between AIS and operational information systems is concerned, operational IS other than ESSL do not use AIFO in their agendas. Therefore, it is also necessary to use a client identifier or to establish another non-public identifier in the office, which can be used to link the data held in the operational systems. In any case, we do not use one of the AIFO identifiers to replace our own identifier in the office.
External integration makes maximum use of reference interfaces, in particular eGSB/ISSS as a technical means of exchanging data on subjects and objects of law. The technical implementation of integration via eGSB/ISSS shall be governed by the relevant eGSB/ISSS operational documentation.
For external integration the following shall be used:
When exchanging data within a linked data pool, the exchange mechanism via the translation of agency identifiers (AIFOs) via the ORG is always used. The integration takes place via the eGSB/ISSS services. Even in the situation where the OVM maintains some additional identifiers on the subject, it always proceeds in accordance with § 8, para. 3, of the Basic Registers Act and uses the service call provided by the agency information system providing the data, calls the service via eGSB/ISSS and calls it with the subject's AIFO identification, when subsequently eGSB/ISSS provides the translation of the AIFO, the providing AIS then sends the answer again via eGSB/ISSS, again with the translated AIFO of the interviewer. Thus, no other identifiers are necessary.
Of course, both sides of the integration log all transactions, and eGSB/ISSS itself stores information about the usage of the service.
If an OVM wants to retrieve subject data from another AIS, it must first identify the subject and have its agenda AIFO assigned to it. If it does not obtain the data from the provider, for example because the permissions to the data in the RPP are not set correctly, or because the provider has not properly identified the subject and does not have an AIFO for it, it will claim this with the provider as a breach of its obligations under the Basic Registers Act. The provider will then take corrective action.
Please note: For data so obtained from other agencies, this is data that the Authority maintains (even if technically obtained from another AIS) and therefore the Authority must follow Section 6, paragraph 2, of the Administrative Code and does not require or request the subject to provide it.