The e-NOTUM is a service that the AOC Consortium offers to all Catalan administrations and public sector entities for the practice of notifications and communications by electronic means of administrative acts and other types of administrative communications, which allows them to comply with the legal and technical guarantees established by current regulations.

For this reason, since the acting public administration is the one who determines certain aspects of the administrative procedure based on the legally provided options, from the e-NOTUM service electronic notifications can be configured to adjust to the criteria set by each of the user entities.

Thus, the entity that must notify can define the type of credential that must be used when accessing the system and identify the person who accesses the content of the notification (for more information about the different options that e-NOTUM makes available to user entities, consult the FAQ What access level is allowed to be configured in a notification? ).

In this sense, in order to facilitate this process of identification and access to the content of the notification as much as possible, one of the options offered by e-NOTUM consists of using the contact details available to the entity in order to authenticate the identity of the person accessing the content of the electronic notification.

This option complies with the provisions of section c) of point 2 of article 9 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, and is based on the trust that the entity has in the contact details it has and in how they have been obtained and registered.

Regarding the registration necessary to use this identification option in the terms of the aforementioned article, it is indicated that the notifying entity is the one who carries it out, regardless of the characteristics of the procedure.

When someone selects this identification system to access a notification, it may be a good practice to ask the interested parties how they want to be notified, or to inform them that the characteristics of the mechanism selected by the administration will be understood to be implicitly accepted if they access the notification. Although this may be considered unnecessary, since if the user still accesses the notification and it is considered to have been made, it will also be understood that they have accepted the mechanism (without prejudice to the provisions of article 41 of Law 39/2015, of 1 October).

On the other hand, this and the rest of the identification systems of the e-NOTUM service comply with what is foreseen in the National Security Scheme in the field of Electronic Administration, regulated by Royal Decree 3/2010, of January 8 (ENS).

Specifically, the identification of the person accessing the notification based on the contact details available to the entity and a password is an identification system that offers a low level of security in accordance with the ENS. In this sense, the requirements established in point 4.2.5 of Annex II of the ENS for a low-level identification system are the following:

  1. In general, any mechanism based on a single authentication factor will be accepted.
  2. If the factor is based on “something the user knows”, such as a password, basic quality rules will apply.
  3. The security of the credential will be based on:
    1. The credential will be activated once it is under the user's control.
    2. The credential will be under the exclusive control of the user.
    3. The user acknowledges that he has received, knows and accepts the obligations implied by his possession, in particular, the duty of diligent custody, protection of confidentiality and immediate information in the event of loss.
    4. Credentials will be changed at a frequency determined by the organization's policy, depending on the category of the system being accessed.
    5. The credentials will be withdrawn and deactivated when the entity or person they authenticate ends their relationship with the system.

The identification option based on e-NOTUM's contact data, which works by sending passwords either to the user's mobile phone or to their email, complies with the previous requirements, as it is a particular system that can only be used for a specific identification procedure, and for that specific notification.

This is therefore a mechanism that, aligned with regulatory requirements for both procedure and security, can be used to identify notified persons, always taking into account the level of security it offers.