Reporting personal data breaches
To strengthen the rights of data subjects, data protection law requires the controller to report personal data breaches in certain circumstances.
Every processor of personal data has a duty to report any personal data breach that comes to its attention to the controller.
If certain conditions are satisfied, the controller must report the breach to the Data Protection Ombudsman and, in some cases, also to the affected data subjects.
Reporting is not required, however, if the breach is unlikely to pose a risk to the rights and freedoms of data subjects.
The police’s procedure for reporting personal data breaches
If the security of your personal data has been compromised, the police will notify the Data Protection Ombudsman.
If the personal data breach poses a particular risk to your rights and freedoms, the police will also inform the affected data subjects, using several channels (for example by letter or on the Poliisi.fi website).
Monitoring and oversight of data protection in the police organisation
The police ensure and systematically monitor the state of data protection and information security through both administrative and technical measures.
One of these measures is to document every operation that involves the processing of personal data and to evaluate whether the processing is necessary in relation to the risks it creates. This is called a data protection impact assessment (DPIA).
The data protection impact assessment process helps the police ensure compliance with data protection regulations.
Data breaches and reporting them: the controller’s obligations
Controllers and processors have a responsibility to ensure an appropriate level of data protection.
Personal data must be processed lawfully and in a manner that protects it against accidental loss, destruction or alteration.
It is the controller’s duty to carry out a risk assessment and take whatever steps are necessary to manage the identified risks. The controller must ensure the security of personal data throughout its entire life cycle.
For example, the controller must
- prevent unauthorised access to the hardware and systems used to process personal data,
- prevent unauthorised data entry into the systems,
- prevent unauthorised browsing, alteration or deletion of the personal data held in the systems,
- keep access rights to the systems up to date, and
- ensure the reliable operation of the systems and that faults in the systems cannot corrupt or destroy personal data.