A recent privacy breach of motorists' personal data from Finland's Transport Safety Agency Trafi has led to more vocal calls for top data security with regard to the Incomes Register, a nationwide database for information that will be launched on 1 January 2019.
The Tax Administration, which was the prime motivator of the massive data repository, assures people with security concerns that the information in the online register will be safe.
"We have invested heavily in data security, and it has been taken into consideration at every stage of the project. It is an important issue whenever electronic services are launched, as personal information is at stake," says Jarkko Levasma, the Finnish Tax Administration's head of development and information.
Data on 4.6 million people eventually
The Incomes Register will at first contain real-time wage and salary information provided by employers, or what is estimated to be the income data of 2.8 million people.
If everything proceeds according to plan, as of 2020, the population's pension and benefit data will be added to the register, expanding the scope of the database contents to information on 4.6 million people.
Representatives of the state-owned social benefits administrator Kela also seek to allay people's worries.
"Kela will employ the same data protection principles it uses with its own register information in dealing with the data of the people found in other registers," says Mia Hella, Kela's legal unit head.
Several state authorities will have access to the centralized database in future, including the Tax Administration, Kela and Finland's pension firms. Once the pension and benefit data is added, groups like unemployment funds, insurance companies and municipalities, among others, will also have access to the database.
Cybersecurity expert: Every large database contains risks
Aalto University's professor of cybersecurity Jarno Limnéll points out that larger registers always involve risks that need to be recognized.
"Sizeable databases are of interest to many malicious actors. The motive may not only be to steal or exploit data, but also to manipulate this kind of information, which is one risk that is increasingly being discussed on the international stage," he says.
The Tax Administration's Levasma says individual civil servants will be granted access only to the Incomes Register data directly relevant to their work.
"All views of the online database are accumulated in a log file that can later be checked to see which items have been looked at and whether they are linked to the work task in question. The log will be reviewed regularly in an effort to pinpoint anomalies," Levasma says.
Kela's Helle says that a mark is also made in Kela's database each time data on benefit decisions and register information is accessed.
"It is therefore possible to check who it was that viewed the data in the Incomes Register, after the fact," she says.
Individuals can only view their own data
The Incomes Register was designed to be a centralised database for use by state organisations and other authorities.
Ordinary residents of the country will only be able to see their own information in the system. In order to access the data, both an ID number and correct bank code number must be provided.
Even business owners and other employers – who will now be obliged to report their employees' salary and wage data to the register – will only be able to view the data that they contribute.
Sanna Linna-Aro, head of tax affairs at the Federation of Finnish Enterprises, the largest federation of business owners in the country, said in early November that accounting firms appear to be quite well prepared for the rollout of the Incomes Register on 1 January 2019, but she suspects that many employers aren't aware of the new Incomes Register and haven't made the necessary preparations.