Assess and manage risks

Data protection defines when and on what basis personal data may be processed. The right to privacy is a fundamental human right and data protection safeguards this fundamental right.

Information security refers to actions that ensure the confidentiality, integrity and availability of information.

The realisation of data protection and information security risks may result in financial damage or administrative sanctions or reputational damage to organisations. Individuals, on the other hand, may be subjected to fraud.

Public sector services process and share with their various operators a large amount of sensitive data, such as personal data, that involve risks.

If an organisation has been negligent in handling data protection, the management of the organisation and the persons responsible for data security and data protection matters may at worst commit a criminal offence.

Data protection and information security are governed by a wide range of legislation, including:

• General Data Protection Regulation (EUR-Lex)Opens in a new window.
• Data Protection Act (Finlex)Opens in a new window.
• EU Directive on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties (EUR-Lex)Opens in a new window.
• Act on the Processing of Personal Data in Criminal Matters and in Connection with
  Maintaining National Security (Finlex)Opens in a new window.
• Act on Electronic Communications Services (Finlex)Opens in a new window.
• Act on the Protection of Privacy in Working Life (Finlex)Opens in a new window.
• Credit Information Act (Finlex)Opens in a new window.
• Act on International Information Security Obligations (Finlex, in Finnish).Opens in a new window.

The Information Management Board has also made the following recommendations related to information security:

• Recommendation on minimum requirements for information security (Ministry of Finance 2024:19, in Finnish)Opens in a new window.
• Recommendation on the assessment criteria for information security in public administration (Julkri)(Ministry of Finance 2022:43, in Finnish)Opens in a new window.
• Recommendation for the processing of non-disclosable documents (Ministry of Finance 2023:4, in Finnish)Opens in a new window.

Neglecting data protection and information security create reputational risks that, if realised, may result in adverse effects on the organisation’s operations. It is difficult to assess the likelihood and impacts of reputational damage in advance.

Reputational damage to public administration organisations may undermine public confidence in the authorities’ activities.

Citizens must be able to rely on the public administration to carry out its statutory tasks.

Loss of trust can

• hamper customer situations
• reduce customer satisfaction
• influence willingness of clients to use public services.

Reputational damage may also have a negative impact on the employer image conveyed by the organisation and make it difficult to recruit skilled workers in the future.

Human behaviour and organisation culture are examples of human and organisational factors that can either support or weaken the success of the activities.

Good risk culture is an essential part of effective risk management that covers the entire organisation, and maintaining it helps the organisation

• cope better with crises
• adapt to challenging situations faster
• adapt to changes more flexibly.

The term risk is not synonymous with threat, and risk management is not just part of crisis situations. A risk may also be an opportunity that can be utilised in developing the organisation’s operations and achieving its goals.

For example, utilising new technologies such as AI applications can be both a threat and an opportunity at the same time: on the other hand, it can help to make work more efficient, but its deployment involves environmental and responsibility risks.

The operating environment for risk management is constantly changing and risks can never be completely eliminated. However, risks can be anticipated, processed and their impacts or probability can be brought to a tolerable level.

• Risk management in the digital world course (eOppiva)Opens in a new window.
• Digital security risk management (Suomi.fi Service Developers)
• VAHTI-riskienhallintasanasto digitaaliseen toimintaympäristöön – esittely ja johdatusta riskiviestintään (Digi- ja väestötietovirasto, PDF, in Finnish)Opens in a new window.
• VAHTI Good Practices support material:Cost-effectiveness model for analysing digital security risks and risk management (Digital and Population Data Services Agency, PDF, in Finnish)Opens in a new window.
• Risk management handbook for central government administration (Ministry of Finance, in Finnish)Opens in a new window.

The anonymisation of data is a process in which the personal data contained in a dataset are completely and permanently changed.

It is no longer possible to identify a person from an anonymised dataset, even by combining several pieces of data.

After anonymisation, personal data are no longer personal data and, for example, the EU General Data Protection Regulation (GDPR) does not apply to anonymised data.

Read more about the anonymisation of personal data on the Data Protection Ombudsman's website (tietosuoja.fi)Opens in a new window..

Please note that as a rule, access to personal data should not be opened as open data, and that the sharing and use of personal data always requires a legal basis. Read more on the Take note of laws and regulations page of this guide.

Once you have opened access to the data, you will no longer be able to influence how it will be used in the future or by whom.

Even if the dataset you open access to does not pose risks to an individual or society on its own, it may pose risks when it is combined with another digital or non-digital dataset.

The likelihood of such risks occurring will increase in the future, as large amounts of different materials can be combined and analysed with unprecedented ease using artificial intelligence. Read more about the risks associated with artificial intelligence in the guide on Responsible Use of Artificial Intelligence.

Spatial data is part of the critical infrastructure of society and related opened data can be used not only for desired purposes but also for undesirable purposes.

For example, opening access to the water network location data can be useful because it could prevent accidental breakage of critical infrastructure in construction projects, but on the other hand, opening data makes the same infrastructure more vulnerable to intentional attacks.

The residents of an imaginary sample municipality have repeatedly asked that the location information of the plough vehicles be displayed in the municipal web service so that they could receive data immediately on when the plough was arriving to clean the snow from their home street. On this basis, the municipality begins to plan the opening of plough location data as open data.

However, when conducting a risk assessment, the municipality must take into account the fact that, in the event of a snowstorm, ploughs are critical infrastructure.

Other traffic stops completely if the roads cannot be ploughed.

In other words, the municipality must assess the risks associated with publishing the up-to-date location of ploughs. It may also consider other options: would the risk be significantly reduced, for example, by showing the location with a delay of 30 minutes?