itsme^®, a trusted link to reliable data

itsme^® customers and partners using an OIDC v2 connection will soon be able to easily add additional data attributes. This requires only a configuration adjustment, with no need for a new separate implementation.

The first integrations will be with Athumi (the Flemish Data Utility Company) and Izimi (the vault offered by the Belgian Notaries). 

In Q1 of 2025, the first integration with Athumi will enable partners to receive student attestations and diplomas. Athumi will progressively connect with additional data sources from the Flemish region, and also from the Federal government, which will widen the scope of use cases that we can service with our data sharing proposition.  

In Q2 of 2025, the integration with Izimi will enable access to all available notarial deeds in Naban (the Notarial Acts Bank), but also private deeds and certified documents by the notary. itsme will soon publish an overview of the different data sources it plans to connect with in the near future. Please reach out to our team to discuss your data needs and the ways that you can benefit from itsme’s vast and connected ecosystem. 

The obligations for an organization that wants to receive data (also known as data consumers) arise from regulations and contractual agreements. Data consumers must comply with the applicable legal and regulatory compliance context (e.g., data protection laws such as GDPR, eIDAS, Digital Services Act, AML laws). When onboarding with itsme, our partners are challenged on the legal basis of their request and its proportionality. For data residing outside of itsme (in their own data vaults, data wallets or sources of data), additional contractual agreements can be requested depending on the nature of the data requested or based on the vault’s conditions.

When looking at data sharing, itsme can be considered as a ‘gateway’ or ‘rails’ that connect trusted data sources securely with companies. itsme is not, however, a data vault or a wallet. Users will be able to link their itsme accounts to specific vaults or wallets by giving itsme the consent to share data with 3rd parties from these vaults or wallets.  

The scope of one’s data in itsme is limited to core identity data that we gathered during account setup, which enables users to benefit from a reusable identity. When it comes to sharing data outside the boundaries of the core identity, our vision is to always put forward a connection to authoritative sources, directly or via a vault or wallet. Those sources are the rightful data authorities to confirm the validity and veracity of the data. 

Both options are supported by itsme, but not always by the data sources / vaults. Therefore, the option to get a copy of shared data or a link to its source will not be applicable for all attributes available through itsme. In the coming months, we will publish an overview of the different data sources itsme plans to connect with, also indicating how data can be received. 

It is worthy to mention that both options have their advantages and limitations: 

• Receiving a copy of the data allows data consumers to receive data from multiple sources through the existing itsme connection without needing additional developments, whereas receiving a link to the data requires building extra specific connections to each data vault. 

• Receiving a link enables the data consumer to check the validity of the claim throughout multiple time points without requiring the user’s consent again, whereas receiving data directly only allows checking the validity of data at the timepoint of the user’s consent.  

Since both options can have different pros and cons depending on the underlying process and on the implementation and user experience, itsme will support you in defining the best approach and user experience. 

The authentic source of the data and/or data vault is responsible for defining the default longevity of the access to the data. However, exceptions can be made and, depending on the request's purpose, the access grant's longevity can be contractually reviewed with the appropriate vault/data source.  

When onboarding and requesting access to specific data attributes through our data sharing service, contractual agreements can occur depending on the nature of the data requested or based on the vault’s conditions. Specific vaults may request the right to audit if data is handled correctly by the data consumer. Itsme, however, doesn’t take responsibility for the (non-) compliance of data consumers on the subject of data privacy.  

Healthcare use cases are on our radar. We see, for instance, that they are taken up in the European Digital Identity Wallet Large Scale Pilots, e.g., the use case of sharing prescriptions. itsme is present in workgroups discussing this within the EU, to help shape the future of digital identity and data sharing. 

When onboarding with itsme’s data sharing service, we will review the purpose of your data request and link it to the relevant types of data attributes. In the case of a student applying for a job, the applicant might need to prove their student status eligibility by providing a student attestation.

The format will depend on each source of data. Itsme passes along the available data without performing any modification on it. Looking towards the future, the large-scale pilots for the European Digital Identity Wallets are looking at verifiable credentials. Itsme would abstract the complexity of these formats and provide a verified set of data.

There are two main options to ensure that data is not tampered with: 

1. The source can provide verifiable data directly: This is a verifiable credential where data consumers can validate the information through cryptography. To learn more about this, click here. 

2. Chain of data from the authorative source to the data consumer: Trust is process-driven, and all parties taking part in the chain of data have the responsibility to make and keep the process trustworthy, reliable and secure.  

In both cases, you can consider that itsme’s role is limited to delivering a closed envelope between an authoritative source or vault and a data consumer, while making sure to keep the data uncompromised. 

The consent of the user is a mandatory prerequisite for getting access to user’s data.  

Data coming from third party authoritative sources, wallets or data vaults have a price and conditions defined by their respective data types. Often, it will be a transaction-based fee per data element requested and received. Contact our team to discuss your needs.