let user prove their identity

[tomislavmamic]

KYC

In some cases, we might need to make sure we know exactly who the user is to manage his access to the features. For example, we need to know who is the person who gets the funds that are paid out from a grant program.

Feature: KYC
  As a program manager
  I also want to make sure only person can apply as themselves
  Because I want to prevent impersonation

  Scenario: User applies on behalf of themselves

[b0rza]

@tomislavmamic you mentioned Split Smart City having a way to provide user data, is that right? As far as I can see, they use NIAS to do log in. Is there an API they provide, or should we integrate with NIAS if possible. Do you want me to look into it?

[tomislavmamic]

I would avoid NIAS as a plague. It would make it almost impossible to onboard users. I will try to talk to them to see if we can do something else. One idea is that user can prove their identity by proving they know some information that is exchanged between the city and them only. For example, they can provide:

• their name
• number of their last bill from city's utility company (cistoca, vodovod, stanouprava,...) or a confirmation (from school, uni, kindergarten, etc.)
• make a small reservation payment or something like using their bank card (so that we can check if their name matches)

There is also a service used by Hajduk for elections where they can check identity by asking user to provide OIB, name and ID number. We can look into that too.

[b0rza]

Sounds good. I'd like to know how Hajduk does it and specifically:

• do they handle GDPR in any way (even if it's just a consent checkbox)
• do they retain any of the data collected
• which integration do they use to do it

[tomislavmamic]

I'll ask them

On Mon, 1 Jul 2024 at 15:37, Ante Borzić @.***> wrote:

Sounds good. I'd like to know how Hajduk does it and specifically:

• do they handle GDPR in any way (even if it's just a consent checkbox)
• do they retain any of the data collected
• which integration do they use to do it

— Reply to this email directly, view it on GitHub https://github.com/tomislavmamic/muqa/issues/5#issuecomment-2200033409, or unsubscribe https://github.com/notifications/unsubscribe-auth/ADZV5K3XVBTOH6N43XRZUT3ZKFERDAVCNFSM6AAAAABJF4FZNGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDEMBQGAZTGNBQHE . You are receiving this because you were mentioned.Message ID: @.***>

-- Tomislav Mamić

[tomislavmamic]

Here: https://oib.oib.hr/SaznajOibWeb/fizickaOsoba.html

Re: GDPR, it's fine if they give it willingly and consent on keeping the data. Also the same if they let us check some information about them from the city (like the bill number). We'll make a statement and ask them to sign.

[kkatusic]

Here: https://oib.oib.hr/SaznajOibWeb/fizickaOsoba.html

Re: GDPR, it's fine if they give it willingly and consent on keeping the data. Also the same if they let us check some information about them from the city (like the bill number). We'll make a statement and ask them to sign.

Here you must know jor MBG or old name is JMBG, you don't know that number.

Because GDPR it is not funny to ask more data that we need, if we need OIB I suggest that we encrypt some data in the database, for example that number and all other ID numbers related to user. We all have witnessed security failures recently in croatia and penatly isn't small for breach or leaking data.

GDPR define every single data that you collect from user, what you do with that data, where you store that data, ho is responsible for that data and if user request you need to delete all data that isn't related to some invoice, tax or legal entity that you need hold as organization, company...

And in. future they will introduce also obligation for various procedure what you will do if something happened with user data.

Less data, less obligation for us, unfortunatel.