Report on e-services of the Transport Safety Agency completed
The Ministry of Transport and Communications received a report it had requested from the Transport and Communications Agency, Traficom, on the practices relating to the planning, provision and maintenance of electronic services of the Finnish Transport Safety Agency, Trafi. The request relates to the problems identified in December 2018 in the Agency's online services.
This is the final report on the assessment and development work that lasted throughout 2019. The work was commissioned by the Ministry of Transport and Communications and led by Kirsi Karlamaa, Director-General of the Transport and Communications Agency.
The report discusses the measures taken to ensure information security and data protection, identifies further measures to develop the services and provides information on the harmonisation and development of risk management at the Agency.
The work carried out at the Agency consisted of several stages during 2019.
"Traficom began operating at the beginning of this year. An extensive review of the electronic services has brought about new ways of thinking and resulted in a concrete model for managing the life span of the services in terms of information security and data protection. In future, the principles of implementing e-services in the transport and communications sectors will be more harmonised. The basic skills of public officials must include an understanding of information security, data protection and risk management," says Kirsi Karlamaa, Director General of Traficom.
"The further development of Traficom's services and practices will continue as part of the Agency's normal operations. It is important that the results of the work now carried out will be extensively used both in Traficom and across the state administration. There can be no compromise when it comes to protecting citizens' data," says Laura Vilkkonen, Director General of the Data Department of the Ministry of Transport and Communications.
How did the matter proceed?
On Friday, 7 December 2018, the magazine Tekniikka ja talous reported on the Transport Safety Agency's new online service, which could be used to search not only for information about drivers' right to drive but also for different kinds of personal data. Over the weekend, the topic was widely discussed in other media, including social media. The service was criticised for providing access to an unnecessarily extensive amount of personal data. The Ministry took immediate action when it learned about these issues.
On Sunday, 9 December 2018, Trafi disconnected all its online services to ensure that the driver data service was closed while the matter was looked into.
On Monday, 10 December, the Ministry of Transport and Communications asked the Communications Regulatory Authority to provide the Ministry with its expert assessment of the data protection and information security of the electronic services provided by Trafi. The Ministry requested that the assessment be made in close cooperation with the Data Protection Ombudsman.
The report was submitted to the Ministry in two parts. The first part was delivered to the Ministry on 12 December 2018. It assessed whether parts of Trafi's website other than the driver data service were legal and safe to open up.
According to the assessment, the information security level of Trafi's services is higher than average when compared to other central and local government organisations with similar information security requirements. After this assessment, some online services were re-opened on Saturday, 15 December 2018.
After the preliminary assessment, Trafi commissioned, at the request of the Communications Regulatory Authority, a further, more comprehensive assessment of the services and systems from Nixu Certification Oy. The Communications Regulatory Authority appointed a supervisor for the assessment work.
The further assessment was completed on 19 December 2018. This assessment, too, concluded that the level of Trafi's electronic services is higher than in many similar government systems. However, according to the assessment, the specifications of Trafi's driver data services had not in all respects been successful. The driver data service was not re-opened as such.
As of 1 January 2019, the Communications Regulatory Authority, the Transport Safety Agency, and certain functions of the Transport Agency merged into the Transport and Communications Agency. The Ministry of Transport and Communications requested Kirsi Karlamaa, who had started as Director-General of the Transport and Communications Agency, to review the practices relating to the planning, provision and maintenance of Trafi's online services.
The Ministry received the first interim report on 28 May, the second interim report on 30 September and the final report on 16 December 2019. The public reports are available in the Government Project Information Service at https://valtioneuvosto.fi/hanke?tunnus=LVM015:00/2019.
What next?
The observations will be used in developing the operations in the administrative sector. Development work is an ongoing part of the construction and production of electronic services in the Ministry's administrative branch.
The Ministry encourages all government organisations to examine the completed work and reports and utilise the results of the analysis in ensuring the information security and data protection of their own services.
Inquiries:
Laura Vilkkonen, Director-General, Data Department, tel. +358 40 500 0817, Twitter @vilkkonen
Jari Ylitalo, Director of Security, Transport and Communications Agency, contact tel. +358 29 534 5648 (Traficom's media service)
Press release of 1 October 2019: Second interim report on e-services of the Transport Safety Agency completed
Press release of 28 May 2019: The intermediate report on the Finnish Transport Safety Agency's online services is ready
Press release of 19 December 2018: Internal review of e-services starts in Trafi
Press release of 19 December 2018: Ministry receives second assessment of the information security and data protection of Trafi's services
Press release of 14 December 2018: In response to Yle's news report
Press release of 14 December 2018: Trafi's electronic services to be partially opened on 15 December 2018
Press release of 13 December 2018: Ministry's assessment of Trafi reports - Trafi services aimed to open as soon as possible
Press release of 12 December 2018: Ministry received reports on the data protection and information security of Trafi's services
Press release of 10 December 2018: Ministry requests a report on the information security and data protection of Transport Safety Agency's services
Government's project information service: Report on the e-services of the Finnish Transport Safety Agency LVM015:00/2019