The e-NOTUM is a service that the AOC Consortium offers to all Catalan administrations and public sector bodies for the practice of notifications and communications by electronic means of administrative acts and other types of administrative communications, which allows them to comply with the legal and technical guarantees established by current regulations.
For this reason, given that the acting public administration is the one who determines certain aspects of the administrative procedure based on the legally provided options, electronic notifications can be configured from the e-NOTUM service to conform to the criteria set by each of the user bodies.
Thus, the entity that must notify can define the type of credential that must be used when accessing the system and identify the person who accesses the content of the notification (for more information on the different options that e-NOTUM makes available to users, see the FAQ "What level of access is allowed to be configured in a notification?").
In this regard, to make this process of identification and access to the content of the notification as easy as possible, one of the options offered by e-NOTUM is to use the contact details available to the body in order to authenticate the identity of the person who accesses the content of the electronic notification.
This option complies with the provisions of section c) of point 2 of article 9 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, and is based on the trust we have in the contact details available and in how they were obtained and registered.
Regarding the registration required to use this identification option in the terms of the cited article, it is indicated that the body that notifies is the one that carries it out, whatever the characteristics of the procedure.
When this identification system is selected for access to a notification, it can be good practice to ask the interested persons how they want to be notified, or to inform them that the characteristics of the mechanism selected by the administration will be implicitly accepted if they access the notification. This may, however, be considered unnecessary, since if the user still accesses the notification and it is given as practiced, it will also be understood that he has accepted the mechanism (without prejudice to the provisions of article 41 of Law 39/2015, of October 1).
On the other hand, this and the rest of the identification systems of the e-NOTUM service comply with the provisions of the National Security Scheme in the field of Electronic Administration, regulated by Royal Decree 3/2010, of 8 January (ENS).
Specifically, identifying the person who accesses the notification based on the contact details available to the entity and a password is an identification system that offers a low level of security in accordance with the ENS. In this sense, the requirements established in point 4.2.5 of Annex II of the ENS for a low-level identification system are the following:
- Any mechanism based on a single authentication factor will generally be supported.
- If the factor is based on "something known" to the user, such as a password, basic password quality rules will apply.
- Credential security will be based on:
  - The credential will be activated once it is under the control of the user.
  - The credential will be under the exclusive control of the user.
  - The user acknowledges that he has received, knows and accepts the obligations implied by his possession, in particular, the duty of diligent custody, protection of confidentiality and immediate information in case of loss.
  - Credentials will be changed with a periodicity marked by the organization's policy, according to the category of the system accessed.
  - Credentials will be withdrawn and deactivated when the authenticating entity or person terminates the relationship with the system.
e-NOTUM's contact data-based identification option, which works by sending passwords either to the user's mobile phone or to their email, meets the above requirements, being a particular system that can only be used for a specific identification procedure, and for that specific notification.
This is therefore a mechanism that, aligned with the regulatory requirements of both procedure and security, can be used to identify notified persons, always taking into account the level of security it offers.