Ministry requests a report on the information security and data protection of Transport Safety Agency’s services
During the weekend and in the beginning of this week, a new online service of the Finnish Transport Safety Agency, Trafi, attracted a lot of media coverage and also generated a wide discussion in the social media. The information security and data protection of the service were criticised.
Trafi's online service that was opened up in July allows to look up whether or not a person has a valid right to drive (a driver's licence) or some other corresponding entitlement for driving.
Provision of such a service is not required by the Act on Transport Services but its aim is to improve the services provided to customers.
The information accessible in the service has been public already before the new service was put in place. Access to this data is important in terms of ensuring traffic safety, for example.
The service only made the data easily and free of charge available online.
The Act on Transport Services does not by any means remove Trafi's obligation to ensure that the service is defined and implemented without risking the data protection or information security.
The Ministry of Transport and Communications has requested the Finnish Communications Regulatory Authority to provide its expert opinion to the Ministry on the data protection and information security of the electronic services provided by Trafi. The assessment must be made in close cooperation with the Ombudsman for Data Protection.
The Ministry requests to take a stand on whether the electronic services were appropriately defined and whether a mass delivery of drivers' personal data was possible at the time when the service was introduced.
The Ministry requests the Communications Regulatory Authority to take a stand by 12 December whether other parts of Trafi's website than the driver data service are legal and safe to open up.
The Ministry has also requested the Director-General of the Transport Safety Agency to assess by 12 December whether other parts than the driver data service can be legally and safely taken into use.
The Ministry has requested that the Communications Regulatory Authority give its final assessment of the data protection and information security of Trafi's electronic services by 21 December 2018.
Harri Pursiainen, Permanent Secretary
Please contact his secretary Pia Hammar, tel. +358 295 34 2323