An error by the Finnish tax authority Vero, in which approximately 27,000 customers received letters containing information relating to other individuals, has created a serious data protection situation, according to the Assistant Data Protection Commissioner Jari Råman.
"It is always a serious situation when personal information goes to the wrong place. Especially if the preliminary figures are correct that this is a relatively large amount," Jari Råman added.
A data protection error of this scale is exceptional in Finland, and there still remains the possibility that the information might be misused or abused, according to Råman.
"There is always a chance of abuse. However, it can only be evaluated on the basis of the type of information that has been placed in the wrong hands," Råman said.
The Office of the Data Protection Ombudsman will await a report from the tax administration on the security breach and the nature of the information that has been sent to the wrong people. The Ombudsman will then assess the consequences, if any, that an individual could expect to face from the possible breach of security.
Jarkko Levasma, Director of Tax Development and Information Administration at Vero, confirmed on Friday to the news agency STT that around 27,000 letters contained information relating to other costumers.
Levasma also told Yle that Vero will provide a report to the Office of the Data Protection Ombudsman on Friday. The tax authority has 72 hours to report on the circumstances of the privacy breach.
Mistake was "complete surprise"
Vero became aware of the issue on Thursday, when individual customers began contacting the authority to report errors on letters they had received.
According to Levasma, the mistake was caused by an error in the printing system of an external company, which confused and misconstrued individual customer information. The error has since been identified and the only affected letters were those sent on August 6, which was a single print run.
"For the most part, personal taxation decisions were sent at this time. There was about 17,000 of them. There were also some tax cards", Levasma said.
Story continues after photo.
The tax administrator advises any customer who received a letter containing incorrect information to destroy it, and that customers will receive a new, amended and corrected letter at a later date. According to Levasma, the correct information for each individual taxpayer can be found on the online tax system at vero.fi.
Furthermore, Levasma apologised on behalf of the tax administration and said he considers the incident to be a serious error.
"The mistake and it's location surprised me completely, as I could not have imagined that something could go wrong at that point," said Levasma, adding that millions of letters have previously been sent through the same system.
Tax cards may show sensitive information
The August 6 print run also contained corporate tax rulings as well as other tax-related letters. The tax authority believe that there may be some problem with all of the letters.
"In some cases, you have to look closely to see that the numbers appear to be from another letter," Levasma explained.
Examples of the incorrect information included, among other things, the wrong name of a spouse. The details of some companies may also have been sent to the wrong people.
Assistant Data Protection Officer Råman told Yle that he does not want to speculate as to whether the tax authority will be penalised for any breach of data protection.
"On the basis of the report, we will be able to determine whether the tax administration's actions were sufficient and whether some further action will be needed," Råman said.
Earlier on Friday, the tax authority estimated that the number of incorrect letters was 17,000, but Levasma said further errors were subsequently found elsewhere in the same print run. Previously, on Thursday, the number of erroneous letters was estimated to be 60,000.