Yle has seen preliminary findings from a new study which suggests potentially damaging shortcomings in the ways that many Finnish firms and organisations handle personal data.
The report, by consultant firm KPMG, surveyed 20 firms and organisations in Finland, some with just dozens of staff and others with 23,000 employees. Half of them believed their own data processing practices were insufficient, leading the authors to conclude that the overall level of data protection across Finnish data controllers can only be deemed 'satisfactory'.
The findings are released on the same day that an Yle Silminnäkijä ("Eyewitness") documentary will show how a group of researchers were able to gather significant amounts of personal information about a person, including medical information and email passwords, with relative ease.
Lack of know-how
The authors of the study described one of the biggest problems in the way data is handled as “a perceived general lack of knowledge and of know-how in personnel and leadership.”
“In practice that could mean that personal data could be processed unlawfully, or it could mean that personal data falls into the wrong hands,” Mikko Viemerö, KPMG’s data protection expert and one of the report’s authors, said.
Firms surveyed also blamed ambiguities in data protection laws for the shortcomings, with half of all participants saying they have been forced to abandon projects in the past due to unattainable or unclear data protection standards.
The situation is further complicated by looming, large-scale changes to data protection laws, in the form of forthcoming EU legislation, which is likely to become law within the coming few years. Among its many changes, designed to give citizens more control over their personal data, the new laws will force organisations to reveal when a person's private information has been breached.
However, Viemerö says he believes the fact that the planned legislation will levy hefty fines on organisations with lax data protection practices is likely to spur future improvement. He added that the report did find that firms regard privacy as an important issue, and are beginning to take it more seriously.
Data hack
The findings appear to be backed up by the results of an investigation by Yle's Eyewitness programme, in which journalist Sam Kingsley gave three people permission to dig out as much personal information about him as possible, using whatever methods necessary.
Using a cover story, the researchers were able to obtain some of Kingsley's medical information, as well as an official extract from the Population Register containing his social security number – a confidential code widely used in Finland as identification in official situations.
Elsewhere in the programme, Markus Alkio of cyber security firm Fiarone succeeds in capturing Kingsley's email and social media passwords by intercepting his computer's wireless internet connection – a common trick used by cyber attackers in areas with free public wifi.
The outcome raises questions about how freely some officials hand over information in Finland, and highlights the potentially dangerous consequences for individuals whose data is breached.
Authorities deceived
Pia Puu Oksanen runs Naisten Linja, an organisation which helps women escape violence. She says she regularly sees cases where a woman has taken out a total ban on their information being shared, yet abusers have still managed to trick authorities into revealing a woman’s whereabouts.
“The most dangerous moment in a woman’s life is when she decides to leave an abusive relationship, and when she tells the abuser. Keeping data safe can be a matter of life or death for women at this time,” Oksanen said.
“In some cases, women have taken out a total ban on their information being given out. I don’t want to be too pessimistic; it’s usually a very good thing to do. But if a total ban still doesn’t protect you, then you feel like nowhere is safe. You don’t know what will happen when you turn on the computer, when you step out into the street.”
No resources
The programme also highlights the wide potential for ID fraud based on someone's social security number. This code should be confidential, but is widely asked for and used in Finland.
In the programme, one researcher is shown giving a false reason to the registry office in order to obtain a certificate containing Kingsley's social security number. The registry office later told the programme makers that they do not have the resources to check the reasons people give for requesting another person's social security number, and that they trust what they are told.
Criminal target
A man identified in the programme as “Janne” tells Kingsley that after his social security number was leaked online along with those of over 16,000 other Finns in this country’s largest known data breach, he discovered that thieves were making expensive purchases online using his social security number.
Officials told him there was nothing he could do to prevent his details being used over and over again, because not all online retailers were consulting the credit register, which showed a ban on purchases using Janne's social security number.
In fact, it is permissible by law for a victim of identity fraud to change their social security number, but the head registry office told Yle that this is extremely rare.
Long campaign
Reijo Aarnio, Finland’s Data Protection Ombudsman, says he has long campaigned for an alternative to the widespread use of social security numbers as an identifier.
“I wish we could have something innovative like mobile IDs, or something which is based on a kind of electronic ID number which is changeable every third year,” Aarnio said.
During the making of the documentary, Yle web readers were invited to submit their experiences of having their own data misused in some way. 75 readers responded to the survey.
Yle's "Eyewitness: Nothing to hide" can be watched with English subtitles on Yle Areena.