The Data Protection Ombudsman’s Year in Review 2000

There was a significant increase in cases brought before the Data Protection Ombudsman. In 2000, the number of new cases recorded by the Office of the Data Protection Ombudsman increased by nearly one third from the previous year. This is explained first of all by the Office switching from telephone service to electronic customer service. Although the Office did not use electronic signatures, the Office, in accordance with the Act on the Openness of Government Activities (Openness Act), also recorded cases brought before it via email. Secondly, the contents of the cases show that controllers of registers are working actively to adapt their practices to the Personal Data Act. During the year under review, the principle of self-regulation, included in the Act, also manifested itself in drawing up codes of conduct, which continued active. The number of resolved cases increased significantly in 2000: the number of decisions issued by the Data Protection Ombudsman increased by 33 percent.

The Office strove to answer the growing need for information and services by producing guidelines and further improving the Office’s Internet website. Indeed, the website proved popular: during the year, there were approximately 47,000 visits.

The level of data protection in Finland was measured in several studies. In the spring, Statistics Finland published a report, which revealed that citizens have confidence in new technologies and do not show much concern for the level of their data protection. On the other hand, they want to know who collects and processes data concerning them and what the data is used for. Similarly citizens want to participate in the decision-making concerning themselves. That is, after all, what data protection is all about.

Another important evaluation of data protection was carried out when, in connection with the implementation of the Schengen Treaty, an evaluation and inspection group consisting of representatives of the treaty nations visited Finland. Based on the group’s report, the Schengen Joint Supervisory Body stated that Finland fulfils the requirements set for the level of data protection. The various tasks and practical operations of the Office of the Data Protection Ombudsman were presented in a publication, Oikeusolot 2000, published by the National Research Institute of Legal Policy.

In their mutual contacts, businesses are more and more switching over to the e-world, that is, electronic data transfer and commerce. Consumers, on the other hand, have been quite reserved in this respect. According to various studies, one of the most important reasons for this is that consumers are concerned about their data protection, often with just cause. The network world is a global world and the problems are global. In December, the OECD, together with several other bodies, organised an international conference in the Hague, the theme of which was building confidence in the on-line environment. It was especially delightful to see that the industry and many major economic players wanted to make arrangements to improve the level of global data protection and improve consumers’ rights. Data protection is seen as a necessity in a positive way.

The EU took major decisions on data protection. In its decision adopted on 26 July 2000, the Commission stated that national legislation in both Hungary and Switzerland guarantees a sufficiently high level of data protection. The Commission also stated that the “safe harbour” framework implemented by the United States enables transferring data to transferees who are committed to the framework. The US Department of Commerce maintains a public list of organisations who have declared that they adhere to the “safe harbour” principle. Because of opinions expressed by the Commission, the Personal Data Act was amended with an act, which entered into force on 1 December 2000, so that provisions on the Commission’s decision-making and the binding force of such decisions, in accordance with the European Commission’s Directive on Data Protection concerning transferring personal data to non-EU countries, were added to the Personal Data Act. The EU also initiated measures to adopt the Data Protection Directive in its own operations. In July, the Commission proposed an amendment for the Act on the Protection of Privacy and Data Security in Telecommunications. The aim is to harmonise the scope of the directive so that it would apply to telecommunications regardless of the medium.

Legislation

Legislative work included both completely new legislation and amending existing legislation so that acts and decrees will conform to both the Data Protection Directive and, most of all, the level required by the constitutional rights reform. The protection of privacy is guaranteed in Section 10 of the Constitution of Finland adopted on 1 March 2000, according to which “Everyone's private life, honour and the sanctity of the home are guaranteed. More detailed provisions on the protection of personal data are laid down by an Act.” The Data Protection Ombudsman is to be heard in preparing legislation.

The Office of the Data Protection Ombudsman and the Ministry of Justice co-operated to initiate a survey of special legislation. It aims at promoting the implementation of the measures necessary for updating the legislation.

The Constitution also guarantees every citizen’s right to receive data from a document or recording in the public domain. Reconciling the Personal Data Act and the Openness Act was continued in different administrative sectors during the year under review.

Work affecting the protection of privacy, aiming at legislation, was carried out in working groups and committees, for instance:

• A working group on emergency phone calls discussed utilising mobile phones’ positioning data in emergencies;
• A committee discussed checking the background of people working with children and young people;
• A committee discussed the so-called statements of trustworthiness;
• A committee sought ways to implement data security.

Events during the year under review included a government proposal on the protection of privacy in working life. The Penal Code reform on listening and surveillance was carried out.

Technology

The millennium changed safely: the feared Y2K problem threatening information systems did not materialise. Instead, different global viruses caused havoc this year too, though they did have a positive effect: the significance of data security and risks involved in ignoring it were realised better than before.

Data protection legislation is mainly neutral as to the instrument. In the best cases, technology helps in implementing data protection. At the same time, new technological innovations and applications cause great problems for authorities: are they always able to identify the phenomenon and understand the impact of the technology and its properties on the handling of personal data and the protection of privacy.

Various branches, health care in particular, seem to have created a new line of production, sometimes even called the well-being industry, which aims at developing information technology into a new export industry. Technology has also given rise to a need to give guidelines for its application and to evaluate the risks connected with it. The Steering Committee for Data Security in State Administration (Vahti), in particular, deserves thanks for this work.

Nevertheless, it often seems that the debate on risks pays too much attention to external threats, at the same time ignoring the obligations to plan and protect included in the Personal Data Act. The Office of the Data Protection Ombudsman strives to exert its influence, so that the prerequisites of the legislation on privacy protection are taken into account as a natural quality factor. During 2000, the Data Protection Ombudsman issued opinions on 20 cases to prosecutors and courts of law on violation of data protection and data security.

Events

In the beginning of the year under review, the Office of the Data Protection Ombudsman benefited from an extensive press review service, which, in February alone, produced over 160 “hits”. This shows that data protection issues were much in the public debate. In addition to issues mentioned above, topics included bank secrecy in connection with social welfare, email and mobile phone advertising, paedophiles, portals and financial department stores, and so forth.

In conclusion

The year under review was active and busy. In many ways, the staff at the Office of the Data Protection Ombudsman came under much pressure. The staff handled its duties well, however, for which I wish to express my sincere thanks.

The Office carried out an internal survey on time management, which revealed that only about one fifth of work time is used for solving individual cases. The remainder was spent on guidance, instruction, training and international affairs. The year also saw the launch of self-assessment of our working methods, equipment and priorities, so that the Office can improve its ability to serve as well as take care of its staff.

Translation: Valtasana Oy