Office of the Data Protection Ombudsman investigating City of Helsinki personal data breach
The City of Helsinki has reported a serious personal data breach in its data network. The Office of the Data Protection Ombudsman is investigating the personal data breach to determine whether the City has complied with data protection requirements and employed adequate safeguards. The police are investigating the incident as aggravated unlawful access to an information system.
The City of Helsinki notified the Office of the Data Protection Ombudsman on 30 April of a personal data breach in the Education Division. According to the information provided by the City of Helsinki, the perpetrator gained access to the data of 38,000 City employees and, in the worst-case scenario, the personal data breach affects over 80,000 learners and their custodians.
The Office of the Data Protection Ombudsman took action immediately when the incident was discovered. Initially, the City was instructed to inform the data subjects and the public about the personal data breach. The investigation by the Office of the Data Protection Ombudsman is still ongoing. The City has been asked to submit a report on the incident by 5 June.
”According to our current knowledge, this is a serious incident. In cases like this, it is important to inform people as soon as possible about the personal data breach so that they can protect themselves from its consequences”, says deputy Data Protection Ombudsman Annina Hautala.
Further measures will be considered based on the report
The Office of the Data Protection Ombudsman is investigating the matter from the perspective of compliance with data protection legislation. The City has also reported the incident to the Finnish Transport and Communications Agency's (Traficom) National Cyber Security Centre and to the police. The National Cyber Security Centre and Office of the Data Protection Ombudsman will cooperate in the investigation as necessary.
”Ensuring the security of personal data processing should be the first thing on any organisation's data protection agenda. The Data Protection Ombudsman seeks to make sure that everyone complies with data protection legislation, so that we can all rest assured that our personal data is safe. To back up these powers of enforcement, the data protection authority has been given the power to impose sanctions on organisations that violate data protection legislation. We will evaluate the next steps once we have the City of Helsinki's report”, Hautala says.
Companies can be ordered to pay an administrative fine for serious personal data breaches. Under the current legislation, administrative fines cannot be imposed on public-sector entities. To provide equal sanctions for intervening in the unlawful practices of public-sector organisations, the Programme of Prime Minister Petteri Orpo's Government specifies that the administrative fines should be extended to the public sector as well.
Advice for the victims of the data breach
Those affected by the personal data breach can contact the City of Helsinki directly for additional information. The City has announced that it will provide more information as the investigation proceeds.
Instructions and advice for those affected by the personal data breach are available from the following channels:
- The customer service channel set up by the City of Helsinki, tel. +358 9 310 27139 or [email protected]
- The City of Helsinki has published an announcement and instructions for the groups possible affected by the data breach at hel.fi/data-breach
- Instructions on the Office of the Data Protection Ombudsman's website: Have you been affected by a personal data breach?
- Guide on the Suomi.fi website: My personal data has been stolen or leaked
Support and counselling is available from Victim Support Finland or the MIELI Crisis Helpline.
If an organisation has violated the General Data Protection Regulation in a manner that causes damage to an individual, they are entitled to compensation for the damage. Claims for damages related to personal data breaches or other crimes can be resolved in connection with the criminal trial. You can also submit the claim for compensation directly to the organisation in question.
Further information:
Deputy Data Protection Ombudsman Annina Hautala, annina.hautala(at)om.fi, tel. +358 29 566 6776
City of Helsinki's release, 13 May: Investigation into Helsinki Education Division data breach proceeds (hel.fi)
Article published by the National Cyber Security Centre on 13 May: Data breaches – what are they? (kyberturvallisuuskeskus.fi)
Claiming damages for violations of the GDPR (tietosuoja.fi)
The Data Protection Ombudsman's corrective powers (tietosuoja.fi)