Clear requirements, supervision and cooperation between authorities at the core of key sectors’ data security
The interim report of the cross-sectoral working group surveying the data protection and security of sectors of key importance for the functioning of society was submitted for statements on 15 December 2020. The working group's main observation was that a good data security culture is created as a result of data security requirements in the legislation, not on the basis of instructions or other voluntary measures.
The working group found that data security requirements for critical sectors should be defined more precisely in the legislation of each sector and that the implementation of the requirements should also be monitored actively. The authorities need more resources, and the cooperation between the authorities should be more organised and efficient than it currently is.
In November, the Ministry of Transport and Communications appointed a working group to identify needs to amend the legislation on data security and protection in sectors of key importance for the functioning of society and to submit a proposal to the Government for policy guidelines on them.
The working group's report concentrated on the key sectors of society, such as health care, energy supply, the financial sector, water supply, traffic and digital infrastructure and its services.
Higher data security requirements for the critical sectors
The working group emphasises in its interim report that the digital society sectors are dependent on each other, which means that a disruption in one sector may have far-reaching impacts. Therefore, it should be ensured that the regulations concerning the data security and protection of the critical sectors are sufficiently clear and that the obligations set for each sector are targeted correctly.
In the policy proposals, the working group suggests that higher data security requirements be set for the critical sectors. Furthermore, sector-specific data security requirements should be specified and regularly assessed in order to ensure that they are up to date. It was also proposed that compliance with the data security requirements be monitored more closely and that enough resources be allocated to the authorities' actions.
A separate statute on cooperation between the authorities
The working group also suggests improving the data security competence of the operators and boosting the cooperation between the authorities in monitoring the data security requirements.
The cooperation would be strengthened by enacting a separate statute that is inspired by the Act on Cooperation between the Police, Customs and the Border Guard (PCB). The statute would provide details for, among other things, the exchange of information between different authorities in certain situations and the general coordination of the authorities' actions in handling and preventing data breaches that concern multiple authorities.
The interim report also provides an assessment of the additional resources needed, with a focus on developing the operational capacity of supervisory authorities.
In addition, the working group highlights the significance of the public sector as the key operator in society and emphasises the role of the National Cyber Security Centre in particular in supporting other operators. In terms of data protection, the policy proposal underlines the role of the Office of the Data Protection Ombudsman and the increased use of data protection certification.
Data security is part of society's preparedness
According to Minister of Transport and Communications Timo Harakka, the cyber security triangle consists of binding legislation, a clear division of responsibilities and sufficient resources.
"Data security is perhaps the most important part of the preparedness for exceptional circumstances in society. In this team effort, everyone must take initiative in their own roles to create the world's most reliable and secure infrastructure and digital services."
The working group is chaired by Laura Vilkkonen, Director General at the Ministry of Transport and Communications. The group consists of representatives of different ministries and authorities.
What next?
The interim report of the working group was submitted for statements on 15 December 2020. The deadline for submitting statements is 6 January 2021.
Statements may be submitted by all organisations and citizens at www.lausuntopalvelu.fi or by email to [email protected].
The term of the working group ends on 31 January 2021, after which the final report of the working group will be published.
Additional information:
Director General Laura Vilkkonen, tel. +358 40 500 0817
Lausuntopalvelu.fi: Selvitys tietoturvan ja tietosuojan parantamiseksi yhteiskunnan kriittisillä toimialoilla; työryhmän väliraportti (VN/24348/2020) (in Finnish)
Government Project Database: Yhteiskunnan kriittisten toimialojen tietoturvan ja tietosuojan parantaminen (LVM073:00/2020) (Improving the data security and protection of sectors of key importance for the functioning of society) (in Finnish)