Second interim report on e-services of the Transport Safety Agency completed

The Ministry of Transport and Communications received a report it had requested on the practices relating to the planning, provision and maintenance of electronic services of the Finnish Transport Safety Agency, Trafi. The request relates to the problems identified in December 2018 in the Agency's online services.              

This is the second interim report and part of the assessment and development work that will last throughout 2019. The work was commissioned by the Ministry of Transport and Communications and is led by Kirsi Karlamaa, Director-General of the Transport and Communications Agency.

The interim report discusses the measures taken to ensure information security and data protection, identifies further measures to develop the services and provides information on harmonisation and development of the risk management at the Agency.   The work at the Agency comprises of several stages and will continue until the end of 2019.

"We will apply the reports in our continuous efforts to improve our services and practices. The management and decision-making process related to the online services as well as the information security standard have been audited. We will be continuing to open up our services and will be paying attention to all aspects and outcomes involved," says Jari Ylitalo, Director of Security.

"In the public services, securing the data protection of citizens plays the key role. The safety culture and awareness must be constantly promoted. 

It is important that the work will be carried out thoroughly and the results will be extensively used across the state administration.

How did the matter proceed?

On Friday, 7 December 2018, the magazine Tekniikka ja talous reported of Transport Safety Agency's new online service that could be used for searching not only information about drivers' right to drive but also on different kinds of personal data. Over the weekend, the topic was widely discussed in other media, including the social media. The service was criticised for providing access to an unnecessarily extensive amount of personal data. The Ministry took immediate action when it learned about these issues.

On Sunday, 9 December 2018, Trafi disconnected all its online services to ensure that the driver data service be closed while the matter was looked into.

On Monday, 10 December, the Ministry of Transport and Communications requested the Communications Regulatory Authority to provide its expert assessment to the Ministry on the data protection and information security of the electronic services provided by Trafi.  The assessment was requested to be made in close cooperation with the Data Protection Ombudsman.

The report was submitted to the Ministry in two parts. The first part, delivered to the Ministry on 12 December 2018, assessed whether other parts of Trafi's website than the driver data service were legal and safe to open up.

According to the assessment, the information security level of Trafi's services is higher than average when compared to other central and local government organisations with similar information security requirements. After this assessment, some online services were re-opened on Saturday, 15 December 2018.

After the preliminary assessment, Trafi commissioned, at the request of the Communications Regulatory Authority, a further, more comprehensive assessment of the services and systems from Nixu Certification Oy, which is an inspection body referred to in the Act on information security inspection bodies. The Communications Regulatory Authority appointed a supervisor for the assessment work.

The further assessment was completed on 19 December 2018. This assessment, too, concluded that the level of Trafi's electronic services is higher than in many similar government systems. However, according to the assessment, the specifications of Trafi's driver data services had not in all respects been successful. The driver data service was not re-opened as such.

As of 1 January 2019, the Communications Regulatory Authority, the Transport Safety Agency, and certain functions of the Transport Agency merged into Transport and Communications Agency. The Ministry of Transport and Communications requested Kirsi Karlamaa, who had started as Director-General of the Transport and Communications Agency, to review the practices relating to the planning, provision and maintenance of Trafi's online services. Interim reports were requested to be provided to the Ministry by the end of May and the end of September. The final report was requested to be provided by 16 December 2019.

The Ministry received the first interim report on 28 May and the second on 30 September 2019.  The public interim reports are available in the Government's project information service at:

https://valtioneuvosto.fi/hanke?tunnus=LVM015:00/2019

What next?

Trafi's internal review continues. The Ministry has requested the Agency to submit the final report by 16 December. 

The observations in the interim reports and later in the final report will be used in developing the operations in the administrative branch under the leadership of the Ministry of Transport and Communications.

The Ministry encourages all government organisations to utilise the results of the analysis in ensuring the information security and data protection of their own services.

Inquiries:

Laura Vilkkonen, Director-General, Data Department, tel. +358 40 500 0817, Twitter @vilkkonen
Jari Ylitalo, Director of Security, Transport and Communications Agency, contacts tel. +358 29 534 5648 (Traficom's media service)