The intermediate report on the Finnish Transport Safety Agency’s online services is ready

The Ministry of Transport and Communications has received the report it requested from the Finnish Transport and Communications Agency regarding the practices related to the design, production and maintenance of the Agency's online services. The request is related to the problems that were detected in the online services of the Finnish Transport Safety Agency (Trafi) in December 2018.

The report in question is an intermediate report on investigation and development work that will last for the entire year 2019. Work is carried out at the request of the Ministry of Transport and Communications and led by Kirsi Karlamaa, Director-General of the Finnish Transport and Communications Agency.

The intermediate report presents the conclusions of the information security inspection conducted in December 2018, the information security and data protection improvement measures carried out during the spring and the status of the information security audit. Furthermore, the report describes the Agency's information security development model and control. The measures required by the report are in progress and further measures will be taken throughout the remainder of the year.

The Finnish Transport and Communications Agency has assessed the closed information services.   The assessment looked into the data protection of the services, the legality of the processing of personal data and the data content of the services. In the review, attention was paid to the purpose the services are used for and to the data protection principles of the General Data Protection Regulation, such as minimising the processing of personal data.

After the changes made during the spring, information disclosed from the services are, according to the Agency's estimate, in line with the Act on Transport Services, and the technical restriction measures to be made in the services ensure that the services are used for individual, separate disclosures of data.

The Finnish Transport and Communications Agency has started the information security audit of its services. The audit consist of several phases and goes on until the end of 2019.

"We will develop our services and operating methods on the basis of the observations made. Our focus is to ensure the security of the services as well as user data protection. These topics are at centre stage in all of our operations," says Kirsi Karlamaa, Director-General of the Finnish Transport and Communications Agency.

"The comprehensive security management model is part of the Agency's management system. Security management has been one of the focus areas when merging the agencies.  For instance, in online service projects and initiatives, data protection is now built in to the development model," notes Kirsi Karlamaa.

"People's data protection cannot be compromised, not in the least. This requirement applies to all of our online services. Data protection must not just remain at the level of the letter of law. It must also be implemented in practice," says Laura Vilkkonen, Director-General at the Ministry of Transport and Communications.

"The Finnish Transport and Communications Agency has thoroughly investigated the causes behind the service issues. It is important that we in the central government learn about this work and share our experiences. That will enable us to improve the quality of all digital services offered by the central government," comments Vilkkonen.

How did the matter proceed?

On Friday, 7 December 2018, the Tekniikka ja talous magazine reported about the Finnish Transport Safety Agency's new online service that made it possible to make searches not only into information about drivers' right to drive but also into various kinds of personal data. During the weekend, the topic spread widely in other media and in social media discussions. The debate criticised the service for providing access to an unnecessarily extensive amount of personal data. The Ministry took immediate action when it learned about these issues.

On Sunday, 9 December, the Finnish Transport Safety Agency disabled all of its online services to ensure that the driver information service would be closed while the matter was looked into.

On Monday, 10 December, the Ministry of Transport and Communications asked the Finnish Communications Regulatory Authority to review data protection and information security in the Finnish Transport Safety Agency's online services and provide the Ministry with an expert assessment.  It was requested that the assessment be made in close cooperation with the Data Protection Ombudsman.

The assessment was reported to the Ministry in two parts. The first part delivered to the Ministry on 12 December assessed whether it is possible to legally and securely open the other parts of the Finnish Transport Safety Agency's website apart from the driver information service.

According to the assessment, the level of information security in the Finnish Transport Safety Agency's services is above the average when compared to other central government inspection entities subject to equivalent information security requirements. After this assessment, some online services were re-opened on Saturday, 15 December.

After the preliminary assessment, the Finnish Transport Safety Agency ordered, at the request of the Finnish Communications Regulatory Authority, another, more extensive assessment of the service and system entity from Nixu Certification Ltd, an assessment institution as defined in the Act on Information Security Assessment Institutions. The Finnish Communications Regulatory Authority appointed a supervisor for the assessment.

This continuation assessment was completed on 19 December. This assessment, too, concluded that the Agency's online services are at a better level than many equivalent central government systems. However, according to the assessment, the specifications of the online driver information services were not entirely successful. The driver information service was not re-opened in its current form.

At the beginning of 2019, the Finnish Communications Regulatory Authority, the Finnish Transport Safety Agency and certain functions of the Finnish Transport Agency merged. The Ministry of Transport and Communications requested Kirsi Karlamaa, who was appointed the Director-General of the new Finnish Transport and Communications Agency, to investigate the practices related to the design, production and maintenance of the Agency's online services. Intermediate reports were requested to be provided to the Ministry by the end of May and the end of September. The final report was requested to be provided by 16 December 2019.

The Ministry received the intermediate report on 28 May.

What next?

The Finnish Transport and Communications Agency's internal investigation continues. The Ministry has requested the Agency to provide the next intermediate report by the end of September. The final report has been requested to be provided by 16 December. 

The observations in the intermediate reports and later in the final report will be used in the development of the administrative branch's operations under the leadership of the Ministry of Transport and Communications.

The Ministry encourages all central government organisations to utilise the analysis results in ensuring the data protection and information security of their own services.

For more information, please contact:

Laura Vilkkonen, Director-General (Data Department), tel. +358 40 500 0817, Twitter @vilkkonen
Kirsi Karlamaa, Director-General, Finnish Transport and Communications Agency, tel. +358 29 539 0403