Ministry receives second assessment of the information security and data protection of Trafi's services

Ministry of Transport and Communications
Publication date 19.12.2018 11.10
Press release
Illustration (Photo: Shutterstock)

The Ministry of Transport and Communications has received from the Finnish Communications Regulatory Authority a second expert assessment it had requested concerning the information security and data protection of the electronic services of the Transport Safety Agency, Trafi.

In the assessment, views are expressed on whether the electronic services were appropriately defined and whether a mass delivery of drivers' personal data was possible after the service was introduced.

The first preliminary assessment was carried out by interviewing Trafi employees and representatives of its service providers.  In the assessment, technical documentation was also discussed.

At the request of the Communications Regulatory Authority, Trafi commissioned a further, more comprehensive assessment of the services and systems from Nixu Certification Oy, which is an inspection body referred to in the Act on information security inspection bodies.  The Communications Regulatory Authority appointed a supervisor for the assessment work. 

In order to examine the possible mass deliveries, the Communications Regulatory Authority has also carried out its own analyses based on information provided by Trafi.

On the basis of the information delivered to the Communications Regulatory Authority, no mass deliveries seem to have taken place.

Despite deficiencies, the level of Trafi's electronic services is assessed to be higher than in many similar government systems. The Communications Regulatory Authority has assessed corresponding systems on a statutory basis since 2012. However, according to the Communications Regulatory Authority's assessment, the definition of Trafi's driver data services has not in all respects been successful.

Issues relating to the data protection of Trafi's electronic services are within the competence of the Data Protection Ombudsman. Possible deficiencies detected by the Data Protection Ombudsman have to be corrected by Trafi or, after 1 January 2019, by the Transport and Communications Agency.

Opening up of the services

Trafi's electronic services central to car sales have been opened up. However, several services, such as the driver data service, will not yet be opened.

The driver data service will not be reopened in its current form. According to the assessment of the Communications Regulatory Authority, the data in the service should only reveal the validity period of the professional qualifications or the right to drive.  This has also been the basis for the Act on Transport Services.

Stages of the case

On 7 December, the magazine Tekniikka ja talous reported on Trafi's new online service that could be used for searching information on drivers' right to drive and different personal data. Over the weekend, the topic was widely discussed in other media, including social media. The service was criticised for allowing users unnecessarily extensive access to personal data. As soon as the Ministry heard about the problems, it took measures.

On Sunday, 9 December 2018, Trafi disconnected all its electronic services to ensure that the driver data service was closed for the assessment of the case.

On Monday, 10 December, the Ministry of Transport and Communications requested the Communications Regulatory Authority to provide its expert assessment to the Ministry on the data protection and information security of the electronic services provided by Trafi. The assessment was requested to be made in close cooperation with the Data Protection Ombudsman.

The Ministry requested the Communications Regulatory Authority to take a stand in its first assessment on whether other parts of Trafi's website than the driver data service were legal and safe to open up. The assessment was due by 12 December.

Trafi implemented the measures that were brought up in the preliminary assessment completed by the Communications Regulatory Authority by 12 December. Consequently, Trafi opened up limited access to certain services on Saturday, 15 December.

The Ministry also requested the Director-General of the Transport Safety Agency to assess by 12 December whether other parts than the driver data service could be legally and safely taken into use.

The Ministry requested that the Communications Regulatory Authority give its second, more comprehensive assessment of the data protection and information security of Trafi's electronic services by 21 December 2018. The Communications Regulatory Authority submitted that report to the Ministry already on 19 December 2018.

The requested reports have been completed and the Ministry will explore them. Decisions on further measures will be made on the basis of the report results.

Some of Trafi's electronic services were reopened on Saturday, 15 December 2018. The driver data service will not be opened, however, before its operating principles have been changed. 

What next?

The Ministry will look more closely into the reports. Decisions on further measures will be made on the basis of the reports.

For the time being the Ministry will not publish or hand over the reports it received. They contain information that is confidential under the Act on the Openness of Government Activities.

(A supplement to the press release of 19 December 2018 at 15.10: The Ministry of Transport and Communications has looked into the report submitted by the Communications Regulatory Authority. The Ministry has published the parts of the report of 19 December that are open to the public. A link to the report has been added at the end of the press release.)

Inquiries:
Laura Vilkkonen, Director-General, tel. +358 295 34 2391