Tax-benefit micro simulation model for Belgium
Welcome to the technical documentation pages for the project "Tax-benefit micro simulation model for Belgium", provided by the service healthdata.be (Sciensano).
These pages provide information about the technical processes of the project. The following sections are (will be) provided:
- General project information
- Table of abbreviations
- General project description
- The data collection
- The data transfer
- The data storage
- The data analysis
- Support service of healthdata.be
This documentation is updated regularly. We try to make the information on these pages as correct, complete and clear as possible. Nevertheless, if you see anything in the documentation that is not correct, does not match your experience or requires further clarification, please create a request (type: request for information) via our portal (https://sciensano.service-now.com/sp) or send an e-mail to support.healthdata@sciensano.be to report the documentation issue. Please do not forget to mention the URL or web address of the page with the documentation issue. We will then adjust the documentation as soon as possible. Thank you!
General BELMOD project information
Project name
TAX-BENEFIT MICRO SIMULATION MODEL FOR BELGIUM
Project abbreviation
BELMOD
Project code
HDBP0237
Primary organization that oversees implementation of project
- Federal Public Service - Social Security
Partner organization participating in project
- Crossroads Bank for Social Security (CBSS)
Organization that commissioned this project
Organization providing monetary or material support
- Federal Public Service - Social Security
Brief project description
- Implement and provision a “Desktops-as-a-Service” platform enabling external researchers to access and analyze data remotely in a secured environment, so that the BELMOD model can be further exploited and updated.
Regulatory framework of this project
Table of abbreviations
AD | Active Directory |
BELMOD | Tax-benefit micro simulation model for Belgium |
CRUD | Create, Read, Update, Delete |
DHD | Domain healthdata.be |
EUROMOD | Tax-benefit microsimulation model for the European Union |
FOD-SZ | Federal Public Service - Social Security |
ISER | Institute for Social and Economic Research |
KSZ | Kruispuntbank van de Sociale Zekerheid |
MIMOSIS | Old microsimulation model of the FOD-SZ |
NTU | Non-take up |
OU | Organizational Unit |
VPN | Virtual Private Network |
General project description
Bart.Servaes Mon, 04/15/2024 - 15:24
Context
EUROMOD is a statistical micro-simulation meta-model to describe models of tax policies and tax benefits based on household income in European countries. This meta-model makes it possible to simulate, evaluate and compare the various policies adopted and to give an estimate of the impact of work incentives on the population of each country as well as at the level of the EU zone as a whole. It is used both to calculate the effects of existing policies and to assess the impact of tax advantage policy reforms on poverty, inequality and national budgets.
The model is used as an instrument to conduct scenario analyses based on simulations using client statistical software, called EUROMOD, thus facilitating the work of researchers and decision-makers in order to assess the various political hypotheses. EUROMOD is a universal tool standardized for the EU: it is designed to produce models and results relevant for all European countries.
EUROMOD is an open access tool. It consists of 3 elements:
- the software application
- built-in policy rules that are updated via software to reflect existing policies as of the 30th of June each year. They enrich all the standard EUROMOD protocols
- input micro-data which are processed by the software
It was developed by the Institute for Social and Economic Research (ISER) at the University of Essex. Since 1st January 2021, the management has been taken over by the Joint Research Center of the European Commission (https://euromodweb.jrc.ec.europa.eu/).
At the Belgian level, the Federal Public Service - Social Security (FOD-SZ) wants to be able, with the help of partners, to use this model to go further and work on more precise administrative data from several data sources to be able to estimate in advance a number of effects of policy reforms in the field of social protection. This concerns both the budgetary impact and an estimate of which persons and families will mainly see their income change.
This part is called BELMOD: Tax-benefit micro simulation model for Belgium.
The BELMOD model was developed as the modernisation of MIMOSIS. This project has ended as of August/September 2022. The exploitation and further updating of BELMOD (the model, not the project) is now an operational objective of the FPS Social Security.
Its purpose was twofold:
- at the technical level, the project aims to modernise the current microsimulation model of the FPS Social Security (MIMOSIS) and
- in terms of content, an inventory of policy measures to reduce the non-take-up (NTU) of social rights in Belgium will be drawn up
The additional data sources currently are:
- administrative data from both the Labor Market & Social Protection data warehouse
- data from the Federal Public Service - Finances: STIPAD/CADNET heritage cadaster and data from IPCAL tax returns (citizens' tax calculation sheets)
- STATBEL data
The BELMOD model is managed by the FOD-SZ and was developed in collaboration with the Federal Planning Bureau, the KU Leuven and the University of Antwerp.
Project scope
In this context, healthdata.be was asked to implement and provide a “Desktops-as-a-Service” platform enabling external researchers to access and analyze data remotely in a secured environment.
The remote access system (Citrix environment) should allow users to remotely operate the EUROMOD software and to consult the BELMOD output without being able to copy the data. Moreover, since the output of the microsimulation model also consists of .txt files with data on an individual level, it must not be downloadable. Data are stored on a file server, not in databases.
The data collection
In the schema below the different organizations and infrastructure servers involved are shown.
Dataflow and access
The SCN-P-XAWBELMOD machine is an isolated server without access to the Internet.
Several organizations, depending on the projects, will use the BELMOD environment.
KSZ and FOD-SZ will upload the data on the HD SFTP server in the BELMOD_IN folder. An automated process will then move the uploaded files to the BELMOD server in the corresponding BELMOD_IN folder.
This data will be accessed via the Citrix machine SCN-P-XAWBELMOD for analysis by the researchers. The generated reports are placed in a validation directory by researchers. Only a data publisher can validate the data and move the file(s) to the export directory of the corresponding project.
Afterwards the files will be automatically uploaded to the SFTP server BELMOD_OUT directory.
BELMOD Citrix environment
The users will access the Citrix environment through the VPN remote.healthstat.be making use of their provisioned accounts on Active Directory (AD).
The connection gets checked in through the Citrix controller (WIV-P-DDC01), then users get access to the BELMOD server where the applications are installed. These applications are used to carry out the analysis.
The BELMOD data transfer
Bart.Servaes Fri, 12/29/2023 - 19:22
HD integration
The BELMOD server is placed in its own OU, separated from all other XAW servers.
Users are grouped in AD. These groups are all under the same OU. The SCN-P-XAWBELMOD server is accessed by two different types of accounts. These types are:
- Normal users: "BELMOD users SCN-P-XAWBELMOD"
- Limited users: "BELMOD users SCN-P-XAWBELMOD limited users"
As it stands, the normal users are allowed to connect to the desktop version of the server. Limited users may only connect to the EUROMOD published application. The limited users are also further restricted in their usage of the server, as they cannot use things like the recycling bin, control panel etc. Furthermore, all users are restricted from accessing the different drives on the server.
Users are grouped in so-called "global groups" in AD. These global groups are all under the same OU.
The computer object and the different user groups are all located in the DHD.local domain.
SFTP user access
Bart.Servaes Wed, 03/29/2023 - 11:49
SFTP BELMOD_IN
Currently, two organizations (KSZ and FOD-SZ) are able to upload data to the BELMOD environment but this could be extended to additional organizations.
BELMOD_IN
The following users have been created:
- for KSZ: dm_ksz
- for FOD-SZ: dm_fodsz
When users log into sftp.healthdata.be:2222 they will have access to the BELMOD_IN directories:
/BELMOD_IN/data
- /BELMOD_IN/data/other → for FOD-SZ users
- /BELMOD_IN/data/source → for KSZ users
A script runs every 30 minutes; it downloads the content of the SFTP BELMOD-IN and automatically puts it in the correct directories on the BELMOD server. A log file of the download is created and placed in the E:\Administrators\logs directory of the server. The log file contains the timestamp, status and target directory of the download.
The file(s) will be removed automatically after a successful download.
Data coming from the KSZ is encrypted with the public key of the FOD-SZ using ‘Kleopatra’.
The data managers on the BELMOD server are able to decrypt the data with their private key using ‘Kleopatra’, which is installed on the BELMOD server.
Note: Should the user encounter a problem with the script, an incident must be reported via Service Now (see section How to report an incident).
SFTP BELMOD_OUT
The BELMOD-OUT SFTP has been set up to give the possibility to publish reports outside of the BELMOD environment.
User accounts – one per project – have been provided for the first 5 projects but that number could be extended as required. This requires creating a ticket in Service Now.
- Gen_user_project_1 → sftp directory: /BELMOD_out/data/project_1/export/
- Gen_user_project_2 → sftp directory: /BELMOD_out/data/project_2/export/
- Gen_user_project_3 → sftp directory: /BELMOD_out/data/project_3/export/
- Gen_user_project_4 → sftp directory: /BELMOD_out/data/project_4/export/
- Gen_user_project_5 → sftp directory: /BELMOD_out/data/project_5/export/
When these users log into sftp.healthdata.be:2222 they will have access to the export files of their project, as described above. Each user only has access to their own project.
A script is running every 30 minutes, which uploads the content of export directory “E:\Belmod\project_<number>\<project_name>\Export” and automatically puts it in the corresponding project directory on the SFTP server. A log file is also created and placed in the E:\Administrators\logs directory.
Once the file has been successfully downloaded, please make sure to delete it from the BELMOD_OUT SFTP. The SFTP directories should be used as a temporary storage location.
Note: Should the user encounter a problem with the script, an incident must be reported via Service Now (see section How to report an incident).
Unified Messaging-Encryption Module (UM-EM)
General description of the application UM-EM
User manual of the application UM-EM
Technical manual of the application UM-EM
Support services UM-EM
Local manager of UM-EM
Service and Support portal of healthdata.be (Sciensano)
eHealth Trusted Third Party Service (eHealth TTP service)
General description of the eHealth TTP service
User manual of the eHealth TTP service
Technical manual of the eHealth TTP service
Support services eHealth TTP service
Support portal of eHealth
eHealthBox (eHBox)
General description of the application eHBox
The eHealthBox service of the eHealth platform is a secure electronic mailbox, which was specifically developed for healthcare providers and institutions. The aim is to enable a secure electronic communication of the necessary confidential and medical data between Belgian healthcare actors.
The eHealthBox service is available as a web service (accessible via a medical software package) and as a web application (accessible via a PC and an eID/ITSME or TOTP).
User manual of the application eHBox
Technical manual of the application eHBox
Support services eHBox
Local manager of eHBox
Support portal of eHealth
eHealthBox client (eHBox Client)
General description of the application eHBox client
User manual of the application eHBox client
Technical manual of the application eHBox client
Support services eHBox client
Local manager of eHBox client
Support portal of healthdata.be (Sciensano)
The data storage
Bart.Servaes Tue, 04/04/2023 - 14:55
BELMOD Server
Within the BELMOD Desktop application (SCN-P-XAWBELMOD machine) the following restrictions apply to all users:
- no internet access
- no access to the C:\ drive
- unable to check and modify file or directory properties
- unable to install software
- unable to turn off or restart the server
- no copy-paste between the BELMOD server and local machine
There are two distinct types of application users:
- Euromod application users: have access to the Euromod Citrix application.
- Full application users: have access to the BELMOD Citrix Desktop application containing all requested applications (including EUROMOD) – see full list via section 6.
There are also Local Administrators. They have extra privileges and have access to all the files and directories on the E:\ drive.
Note: Should the local administrators need a new project to be created, an RFI must be reported via Service Now (see section How to create and submit a request for information) with the project name, corresponding directories and users requiring access to that project and in which group(s) they need to have access to.
Users have access to the Citrix server via the following link → https://remote.healthstat.be/vpn/index.html
Note: If new credentials are required, a local Administrator has to create and submit a Service Now ticket (see section How to create and submit a request for information) with the following information:
- First Name. Last Name
- Phone number
- E-mail address
- Citrix limited user or Citrix full access user
- User access → member of which group(s)
Directory privileges
The directory access is separated into two sections.
- ‘Developers’ directory: only accessible by FOD-SZ user groups
- ‘project_x’ directory used by the project users.
'Developers' directory
Please find below an overview of the directory structure for FOD-SZ user groups:
- Belmod Data managers FOD-SZ: Belmod Local Administrators
- Belmod External developers: non-FOD-SZ developers
- Belmod Internal developers: FOD-SZ developers
Directory | BELMOD Data managers FOD-SZ | BELMOD External developers | BELMOD Internal developers |
\Developers | CRUD | Read | Read |
\Developers\Data | CRUD | Read | Read |
\Developers\Data\Input | CRUD | CRU | CRUD |
\Developers\Data\Other | CRUD | CRU | CRUD |
\Developers\Data\Source | CRUD | CRU | CRUD |
\Developers\Data\Source\Orig | CRUD | Read | Read |
\Developers\Model | CRUD | CRUD | CRUD |
\Developers\Syntax | CRUD | CRUD | CRUD |
\Developers\Syntax\Intern | CRUD | CRUD | |
\Developers\Syntax\ProgInput | CRUD | CRUD | CRUD |
\Developers\Syntax\ProgSource | CRUD | CRUD | CRUD |
'project x' directory
Please find below an overview of the project X directory structure:
- Belmod Data managers FOD-SZ: Have administrator access for all the sub-directories under their responsibilities
- Project x full access: Have extra privileges compared to the ‘project x limited access’ group (CRUD to \project_x\<name>\Data)
- Project x limited access: Have only read access to \project_x\<name>\Data
- Belmod Data Publishers FOD-SZ: Ensure validation of the data prior to the automated upload program
Directory | BELMOD Data managers FOD-SZ | project x full access | project x limited access | BELMOD Data Publishers FOD-SZ |
\project_x | Read | Read | Read | Read |
\project_x\<name> | CRUD | CRUD | CRUD | Read |
\project_x\<name>\BELMOD_Model | CRUD | Read | Read | No access |
\project_x\<name>\Data | CRUD | CRUD | Read | No access |
\project_x\<name>\Export | Read | Read | Read | CRUD |
\project_x\<name>\Export\processed | Read | Read | Read | CRUD |
\project_x\<name>\Models | CRUD | CRUD | CRUD | No access |
\project_x\<name>\Results | CRUD | CRUD | CRUD | No access |
\project_x\<name>\to_validate_for_export | CRUD | CRUD | CRUD | CRUD |
Citrix access
Below is a view of what the Citrix server looks like depending on the users:
Figure 3: View of Citrix server for full access users
Figure 4: View of Citrix server for limited access users
Local Administrators have access to the E:\Administrators directory. Within the directory they have access to several text files with additional information on groups, directory privileges etc. Every day a task runs that creates text files containing:
- BELMOD_xxx: The name of the groups and which users are in them.
- t_project: A list of all the projects.
- t_directory_access: A list of the directory access with the privileges
In this way the local Administrators are able to see the specific privileges of every directory.
In the logs directory they can check whether the uploads and/or downloads have been successful.
Note: These log files do not contain any sensitive information.
Figure 5: Directory privileges files
A local Administrator can’t create new project users; this is the privilege of healthdata.be. If required, a local Administrator has to create and submit a Service Now ticket (see section How to create and submit a request for information) with the following information:
- phone number
- e-mail address
- limited access user or full access user
- member of which local groups
- organization
Important: If the user needs access to multiple projects (if the projects use different datasets), then multiple user accounts need to be created to avoid security violations.
Back-up policies and restore process
The E:\ drive has a continuous backup available.
Users can restore their own deleted files via the ‘recycle bin’ application.
If it is not possible to recover a file, a Service Now ticket can be created so that healthdata.be can forward the restore request to Arxus.
The data analysis
The following applications are available for users to perform their analysis:
- EUROMOD
- SAS
- R
- Stata
- Open Office
Support service of healthdata.be
The Service Desk of healthdata.be (Sciensano) helps users of our applications and services and deals with requests and problems when they arise.
For most efficient processing of your request, we advise you to use our service portal: https://sciensano.service-now.com/sp.
Please find below our support window hours:
How to report an incident
The healthdata.be service (Sciensano) processes each incident report according to a standard operating procedure (SOP). A public version of this SOP "HD Incident Management Process" is also available on this portal docs.healthdata.be.
To submit an incident related to projects and applications in production and facilitated or managed by Sciensano's healthdata.be service, you must first log into the HD Service and Support portal: https://sciensano.service-now.com/sp.
After the login step, you will arrive at the main page of the portal.
When logging in for the first time, you will have to complete your profile, e.g. with contact data, so that you can follow up on your ticket. Once the profile has been submitted, return to the main page of the portal.
On the main page, you must select "Get Help".
The following Create incident page will appear.
You can now document your incident or problem by providing the following information:
Indicate the Urgency of resolving your issue based on its criticality to the business.
After selection of the Role you take up, a list of Applications relevant for you becomes available: select the application you are experiencing a problem with.
Search and select the desired Project by entering a key word, the HD project number or the project abbreviation.
Now, describe clearly and briefly (1 sentence) the subject of your problem.
Please describe the problem in detail. The following aspects are important for us to understand and solve the problem:
- a description of the actions you want to perform but fail to perform (e.g. provide us with a field name, a validation rule, a button, etc.)
- a description (if possible) of the sequential steps you follow to use the service or the application of healthdata.be for which you need support;
- a brief description of the technical problem you are experiencing (e.g. error messages)
We strongly recommend that you add a screenshot describing the problem (IMPORTANT: Do not provide us with patient data!).
You can add the screenshot by clicking on "Add attachments".
On the right side of the form, the mandatory information items of the incident form are listed. When these fields are completed, their names disappear from the "required information" box.
The form can only be submitted if all required fields are filled in, by pressing the green "Submit" button.
If not all required fields have been completed, a warning message will appear at the top of the form.
In addition, missing mandatory fields will be highlighted in green.
When the incident form has been successfully submitted, a preview of your submission appears in a new screen.
On the right side of the screen you will find the details, including the incident number.
On the left side of the screen, you will find a chronology of your incident processing, starting with your creation.
How to create and submit a request for information
To submit a request for information, please follow the healthdata.be work instructions described underneath.
Procedure overview diagram
Procedure as work instructions
STEP 1. User requests information
Action: A user requests information. This can be:
- An explanation on a project, …
- A list
- …
STEP 2. Service Desk creates a ticket Request For Information
Action: If the user did not create a ticket from the portal, the Service Desk creates a ticket, of type Request for Information on behalf of the user
Mandatory fields are the subject and description.
The request is submitted by clicking on ‘Order now’
STEP 3. Service Desk investigates the request and enriches the request
Action: Service Desk opens the requested item, linked to the request, and investigates the needs of the requestor. If necessary, the Service Desk will add clarification info in the customer communication, which is visible for the user.
STEP 4. Fulfill the request
Action: If the Service Desk knows how to fulfill the requested item, they will execute the action. If they do not know how, they will first investigate if they are able to fulfill the requested item or if they have to assign the requested item to another assignment group (step 6)
STEP 5. Set the requested item to ‘Closed Complete’
Action: Service Desk or L2-assignment group will inform the user by entering a user-friendly comment in the ‘customer communication’ field and set the requested item to the state ‘Closed Complete’
STEP 6. Assign the requested item to L2-group
Action: If fulfillment is not possible, the Service Desk will assign the requested item to an L2-assignment group.
STEP 7. Fulfill the request
Action: the L2-assignment group will fulfill the requested item and execute step 5.
Email security policy
WHAT IS THE PROBLEM?
Sciensano blocks e-mails from organizations if the configuration of their e-mail and/or DNS services allows potential abuse by spammers/attackers, more specifically if the configuration enables other senders to impersonate your organization by allowing them to mimic your organization’s e-mail “Header From”.
In other words, they can send phishing and spam mails that cannot be distinguished from genuine mails from your organization.
If you’re responsible for managing your ICT infrastructure, keep reading. If not, pass this message on to your ICT department or to the ICT service that’s managing your ICT infrastructure.
HOW TO SOLVE IT?
You’ll have to verify that your configuration complies with “Sender Alignment” security requirements.
More specifically, your mail services and DNS will have to be configured according to ICT standards.
These configurations are common, well-documented and supported by hosting companies. Some useful links:
- https://dmarcian.com/alignment/
- https://mxtoolbox.com/dmarc/spf/spf-alignment
- https://o365info.com/how-does-sender-verification-work-how-we-identify-spoof-mail-the-fiveheros-spf-dkim-dmarc-exchange-and-exchange-online-protection-part-9-of-9/
We’ve noticed that this issue frequently occurs in organizations which moved their ICT infrastructure to cloud services such as Microsoft (O365), Amazon, Google, and MS Azure without properly configuring the ICT infrastructure which is not managed by these providers.
The configurations and recommendations need to be implemented on the customer’s ICT infrastructure, either internally or externally. DNS and Mail services are the main ICT platforms for these actions.
THE USE OF DIFFERENT DOMAINS IN THE MAIL SENDING PROCESS
E-mails contain an “Envelope From” and a “Header From”. Both need to match; otherwise the mail is blocked.
Some examples:
1. A public service is using its new domain name in the “Header From” and its old domain name in the “Envelope From”.
  - Envelope From = noreply@publicservice.fgov.be
  - Header From = noreply@publicservice.belgium.be
  ➔ These e-mails will be blocked.
  Remark: Because it’s a noreply address, the sender will not even be aware of us rejecting the e-mail …
2. An organization is using a cloud service (Freshservice) for its helpdesk tool and the “Envelope From” has not been customised.
  - Envelope From = bounces+us.3.52773-helpdesk=organisation.be@emailus.freshservice.com
  - Header From = helpdesk@organisation.be
  ➔ These e-mails will be blocked.
3. A company uses a cloud service (Amazon SES) to send the delivery notification and the “Envelope From” has not been customized.
  - Envelope From = 01020188573f374-96de6437-9134-45f4-8aa6-3e9ac18d5848-000000@euwest-1.amazonses.com
  - Header From = noreply@company.be
  ➔ These e-mails will be blocked.
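A mail administrator can reproduce the “Envelope From” versus “Header From” comparison before sending to Sciensano. The following is an added example, not Sciensano's own filter code: it runs the three cases above plus three constructed ones through a strict (exact domain) and a relaxed (organizational domain, as in DMARC) comparison. Which mode Sciensano's gateway applies is not stated on this page, and the two-entry suffix set is a stand-in for the real Public Suffix List.

```python
from email import message_from_string
from email.utils import parseaddr

# Tiny stand-in for the Public Suffix List (assumption; real checks use the full list).
PUBLIC_SUFFIXES = {"be", "com"}


def envelope_from_domain(mail_from: str) -> str:
    """Domain of the SMTP MAIL FROM value; '' for the null sender '<>'."""
    addr = mail_from.strip().strip("<>")
    # Split on the LAST '@': bounce addresses may embed another domain
    # in the local part (e.g. 'helpdesk=organisation.be@...').
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def header_from_domain(raw_message: str) -> str:
    """Domain of the address in the From: header; '' if absent or unparsable."""
    _, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def organizational_domain(domain: str) -> str:
    """Registrable domain: the public suffix plus one label to its left."""
    labels = domain.split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return domain


def check_alignment(mail_from: str, raw_message: str, mode: str = "strict") -> dict:
    """Compare the envelope and header domains in 'strict' or 'relaxed' mode."""
    env = envelope_from_domain(mail_from)
    hdr = header_from_domain(raw_message)
    if not env or not hdr:
        aligned = False  # nothing to align on, e.g. null sender on a bounce
    elif mode == "relaxed":
        aligned = organizational_domain(env) == organizational_domain(hdr)
    else:
        aligned = env == hdr
    return {"envelope_domain": env, "header_domain": hdr, "aligned": aligned}


def naive_check(mail_from: str, header_from: str) -> bool:
    """Flawed check kept for contrast: substring match on the header domain."""
    return header_from.rpartition("@")[2] in mail_from


def message(header_from: str) -> str:
    """Build a minimal constructed message carrying the given From: header."""
    return f"From: {header_from}\nSubject: constructed sample\n\nbody\n"


# (Envelope From, Header From). The first three pairs are the examples above;
# the last three are constructed for this illustration.
CASES = [
    ("noreply@publicservice.fgov.be", "noreply@publicservice.belgium.be"),
    ("bounces+us.3.52773-helpdesk=organisation.be@emailus.freshservice.com",
     "helpdesk@organisation.be"),
    ("01020188573f374-96de6437-9134-45f4-8aa6-3e9ac18d5848-000000@euwest-1.amazonses.com",
     "noreply@company.be"),
    ("bounces@mail.organisation.be", "Helpdesk <helpdesk@organisation.be>"),
    ("helpdesk@organisation.be", "helpdesk@organisation.be"),
    ("<>", "helpdesk@organisation.be"),
]


def run_cases(mode: str = "strict") -> list:
    """Alignment verdict for every sample pair in the given mode."""
    return [check_alignment(mf, message(hf), mode)["aligned"] for mf, hf in CASES]


if __name__ == "__main__":
    for (mf, hf), strict, relaxed in zip(CASES, run_cases("strict"), run_cases("relaxed")):
        print(f"strict={strict!s:5} relaxed={relaxed!s:5} naive={naive_check(mf, hf)!s:5} {mf} / {hf}")
```

The Freshservice pair shows why the comparison must use the domain after the last "@": a substring test finds organisation.be inside the bounce address and wrongly reports a match.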