Processing of personal data by the police - Police
Henkilötietojen käsittely poliisissa -en
General principles of personal data processing
Controllers must, when processing personal data, respect the rights and freedoms of data subjects. The police has a statutory duty to ensure the security of personal data and the privacy of people’s information.
The EU’s General Data Protection Regulation lays down the data protection principles that controllers must observe when processing personal data.
The GDPR mentions the following data protection principles relating to the processing of personal data:
- lawfulness, fairness and transparency
- purpose limitation
- data minimisation
- storage limitation
- integrity and confidentiality
In practice, lawfulness can most easily be demonstrated through certain technical, administrative or organisational measures as well as careful planning and documentation.
The police has a system in place for monitoring and overseeing the management of information security and data protection. Progress in respect of information security and data protection is regularly reviewed and the results compiled into reports.
The following data protection principles govern all aspects of personal data processing by the police:
1. The processing of personal data by the police is based on law and the police’s duties.
Personal data are only processed for the purposes of the police’s statutory duties and to the extent required for the exercise of the police’s powers as defined by the law.
The police ensures that the personal data that are processed are complete, relevant and necessary for achieving the legal purpose of the processing. The processing of personal data by the police is carefully planned and instructed.
2. Personal data are processed in a transparent manner.
Personal data are only used for specific purposes that are disclosed to the data subjects. The information provided to data subjects on the police’s personal data files and the rights of data subjects is comprehensive.
The personal data collected by the police, the purposes and methods of processing as well as the ways in which the data are protected and the rights of data subjects are documented.
3. The integrity of the data and the rights of data subjects are ensured.
The police makes sure that the personal data held in its systems are accurate and up to date. Data subjects are given an opportunity to exercise their right of access and request that any inaccuracies in their data are corrected.
Information about personal data processing on the Poliisi.fi website
You have the right to receive transparent information about the way in which your personal data are processed. The controller must provide the information in a concise, transparent, intelligible and easily accessible form.
In order to ensure transparency and openness, we explain how personal data are processed by the police on the Poliisi.fi website.
The Poliisi.fi website explains
- what kinds of personal data pertaining to you the police processes,
- the purposes for which your personal data are processed,
- how long your personal data are kept,
- how your personal data are protected,
- which parties may be given your personal data,
- how to contact the controller, and
- how to contact the Data Protection Officer.
The website also contains information about
- how you can access your data,
- circumstances in which your right of access can be restricted,
- how you can ask for your data to be corrected,
- why log data are processed,
- how the police, as the controller of the data, ensures your rights, and
- how you can request access to the police’s files for research purposes.
The information on the website is updated regularly.
Processing of log data by the police
The police processes log data systematically and with care. The objective is to demonstrate the lawfulness of the police’s actions and compliance with data protection regulations.
Logs are kept in order to
- ensure that data are used in accordance with the applicable regulations,
- investigate misuse and information security breaches,
- detect faults in the system, and
- produce statistics on the use of data.
Log data management covers the entire life cycle of logs: data collection, processing, storage, disclosure and erasure.
Systematic and careful processing of log data is important to protect the police’s information system architecture and to detect irregularities.
It also helps to protect the legal rights of both data subjects and processors.
Right of access to log data
The police’s log data make up a personal data file. Usage logs contain information about those who use the police’s information systems.
The right of access provided under data protection laws is limited to information pertaining to each data subject personally. You therefore do not have the right to access the police’s usage logs, as the data do not concern you personally.
Publicity of log data under the Act on the Openness of Government Activities
Data subjects may have the right to access some information in the police’s usage logs based on party status within the meaning of section 11 of the Act on the Openness of Government Activities.
Section 11 of the Act on the Openness of Government Activities cannot be used as grounds for requesting access based on a mere suspicion by a data subject that their personal data in the police’s information systems has been used inappropriately (the Supreme Administrative Court of Finland’s ruling in case KHO:2014:69).
Party status can only be used as grounds for requesting access to log data if the data in question have or may have affected the handling of a case concerning the party in question by the police (the Supreme Administrative Court of Finland’s ruling in case KHO:2014:69).
Criminal records and security clearances
Criminal records in Finland are managed by the Legal Register Centre, which answers to the Ministry of Justice.
Information about criminal records and the disclosure of criminal records data is available on the Legal Register Centre’s website.
Data subjects’ right to access records pertaining to themselves is limited. In addition to a criminal background extract, you can request an extract to be presented to foreign authorities for the purpose of obtaining a visa, a work permit, a residence permit or similar. A fee is payable for criminal background extracts.
Security clearances are based on filing system searches carried out by the authorities. The security clearance vetting system is designed for preventing activity and crimes that could compromise, for example, national security, public finances or particularly significant private economic interests. The need for a security clearance may also arise from international obligations.
There are three levels of security clearances depending on the interest to be protected and the importance of the position sought: concise, standard and comprehensive. Security clearance vetting always requires the subject’s written consent. Security clearance vetting is the responsibility of the Finnish Security Intelligence Service.
Concise security clearances are designed to establish whether or not a person can be given access to a specific building or room for the purpose of their work. Standard and comprehensive security clearances are intended to establish whether or not a person can be given access to certain kinds of information through their work. Standard security clearances can be requested by businesses and government agencies, comprehensive vetting by government agencies only.
Security clearances for the defence administration are the responsibility of the Defence Command.