The hacking hack has initiated several ID-related reforms, but the rules have not changed so far. The use of a personal identification number as the only means of identification is prohibited.
Psychotherapy center In connection with the hacking into the reception, for example, people’s personal identification numbers and other identifying information were leaked, which makes it possible to commit fraud. The case, which came to light last year, sparked a debate about the data protection of other services and the fragile role of the personal identity number as a means of identification.
As a result, the ministries took action. Ministry of Justice said in November it would start drafting legislation, which would require strong online authentication for all consumer credit agreements. Preparations were also made for expanding the possibilities for changing one’s personal identity number.
Treasury launched a project at the end of the year to renew its identity number and to develop a state-guaranteed identity. Among other things, the Ministry wants to prevent the use of personal identification numbers in identifying persons.
The preparation of the laws is in progress, and nothing has actually changed since Vastamoamo. Data Protection Officer Anu Talus already pointed out in October that identification based solely on a personal identity number and name, for example on a telephone or in an online store, is already prohibited.
“The fundamental problem is that the personal identity number and name can be known to people other than the person themselves for various reasons,” Talus tells HS.
In October, Talus also stated that the tightening of the guidelines related to the use of the personal identity number should be clarified.
“We’ve evaluated it inside the house and come to the conclusion that our current line has met the needs pretty well,” he says now.
However, it is not unequivocally such that a personal identity number is completely prohibited. The personal identification number can be used to identify people in, for example, bill collection, payroll and healthcare.
“From the point of view of the registrar, it is the case that he has a responsibility to make sure that he is the right person. It is not excluded that the personal identity number is involved in making the assessment there, but in addition to it and the name, the assessment must also contain other information, ”says Talus.
In services there are big differences in what information is required for identification. Tax information or online banking can only be accessed with strong authentication, but some services rely on other authentication methods. Currently, the obligation to verify identity carefully applies to, for example, quick loans but not one-off loans or billing services.
“In general, it would be highly recommended that strong authentication be used,” Talus says.
In addition to the personal identity number, the problem of data privacy also applies to, for example, a telephone number, e-mail or home address. This information can and does be held by anyone other than the person themselves, but can be used to identify the person in conjunction with other information.
“You can judge for yourself whether information that could easily be in someone else’s possession is used for identification,” says Talus.
With the citizen there is always a right to know for what purposes his data is collected and what information about him is collected at all. The service provider has a duty to be able to justify why a personal identity number is being asked.
“The red thread is that people’s personal information should be collected as little as possible,” Talus says.
“However, if the controller does not need to ask for a personal identity number, for example due to the correct allocation of invoicing, it should not be asked.”
#Data #protection #personal #identity #number #bad #reputation #due #Vastamos #hacking #true #EDPS #strong #identification #highly #recommended