Data security legislation proposals to increase requirements on Finnish central Government’s administrative activities

11 January 2010

Kari-Matti Lehti

The Finnish Government is planning to introduce a new statute on data security in order to increase information security in state administration. The new statute is likely to include more detailed provisions regarding the classification of documentation which is stored and handled by Finnish administrative authorities as well as specifying the safety measures required at different stages of documentation handling. The statute will only apply to authorities in central Government and not to municipal or local authorities.

The new statute may therefore increase costs for service providers who have agreed to comply with applicable laws and regulations but have not transferred the costs of doing so to their Government customers.

The main change resulting from the statute will concern the classification of documentation. According to the proposals, there will be four different levels of protection instead of the current three. This is a classification system which corresponds with international practice. The statute will not, however, place an absolute obligation on authorities in state administration to classify their documentation so as to ensure information security.

The proposed new statute will also introduce requirements regarding the treatment of documentation. These provisions will apply irrespective of whether the authority has classified its documentation or not. In other words, if the authority receives any documentation that has been classified by another authority, it must handle it according to the requirements of the statute. The extent of the safety measures required will depend on the documentation’s classification.

For example, the proposal is to impose certain information security levels on the data system where classified documentation is saved. Also, the premises where classified documentation is kept must be properly protected and any persons with access to those premises must be identified.

We do note, however, that documentation classified in the two highest levels of protection is extremely rare. Most documentation will be classified at level three or four, which requires less stringent safety measures.

The new statute is therefore somewhat confusing and contradictory. It does not set an absolute obligation to classify documentation, but if any authority receives any classified documentation, it must handle it according to the provisions of the statute.

The new statute is expected to come into force during the early part of this year. The Ministry of Finance is also going to publish guidelines on enforcement soon after this.