Data security and data protection
Suomi.fi Messages is a secure messaging service developed and produced by the Digital and Population Data Services Agency, which allows you to send messages and documents to end-users electronically.
Some Suomi.fi Messages client organisations will also receive messages sent by end-users via Suomi.fi Messages.
Suomi.fi Messages uses other Suomi.fi services as follows:
- The Suomi.fi Web Service serves as the browser interface for Suomi.fi Messages
- The Suomi.fi mobile application serves as the mobile interface for Suomi.fi Messages
- Using Suomi.fi Messages in the Suomi.fi Web Service always requires strong identification with Suomi.fi e-Identification. The Suomi.fi mobile application requires strong identification with Suomi.fi e-Identification at regular intervals.
- Suomi.fi e-Authorizations is used to grant the right to use an e-service.
The requirements of data security have been addressed in the design and provision of Suomi.fi Messages. The production environment of the service is secure, and any integrations and links to the service have been implemented in compliance with the applicable requirements.
The Digital and Population Data Services Agency uses a risk management technique to assess the need to meet data security requirements related to the services and the implementation of data security. In addition, the risks associated with the service are regularly monitored.
The design and provision of the service complies with the legislation on data security and privacy. A privacy statement has been created on the processing of personal data. Data security requirements related to the processing of personal data have been taken into consideration in service design and implementation.
The Digital and Population Data Services Agency's information security certificate complies with the ISO/IEC 27001:2022 standard. The Suomi.fi Messages production environment has been audited with regard to information security in accordance with this standard.
The Digital and Population Data Services Agency carries out regular performance tests. When changes are made to the service, the functionality of the changes and the data security of the service are tested in advance. Testing is also performed to verify the correctness of data combination and the disturbance-free operation of the service during the changes. The Digital and Population Data Services Agency has created a testing plan for the Suomi.fi services.
The data security of the service is regularly audited by both the Digital and Population Data Services Agency and external parties.
The usability and reliability of the service are monitored by means of automatic monitoring.
Monitoring and disruptions
Normal and anticipated external disruptions and security threats have been taken into consideration in service design and implementation. Processes are in place for monitoring and incident management.
Information on disruptions is provided on the Suomi.fi for Service Developers website. In some cases, a bulletin will also be sent to the contact email address provided by your organisation.
Ensuring the security of your organisation's Suomi.fi Messages interface is a necessary maintenance measure, which you can read more about on the Technical maintenance page.
The Act on Common Administrative E-Service Support Services (Support Services Act 571/2016, in Finnish) contains provisions on Suomi.fi Messages and the production and development of the service. The processing of personal data in Suomi.fi Messages is thus based on compliance with DVV’s statutory obligation. When processing data for statistical purposes or for determining the extent of use of Suomi.fi Messages and related costs, the processing of personal data is based on the performance of a task carried out in the public interest. When data is used for statistical purposes, the data is collected and published in such a way that individual persons (or companies) cannot be identified.
The Digital and Population Data Services Agency acts as the controller for the processing of personal data concerning Suomi.fi Messages. The processing of personal data does not involve joint controllership. The client organisation acts as the controller for the message content in the messages it sends.
The personal data of end-users that is processed, the data sources and retention periods for these are described in more detail in the Suomi.fi Messages Privacy Statement. DVV has set the retention periods of the data in the Suomi.fi Messages register on the basis of the Support Services Act, data protection legislation, the Act on Information Management in Public Administration and other relevant legislation. The service includes an assessment on the minimisation of personal data. The necessity of the personal data processed is also always assessed as part of the process of developing new functionalities.
The contact details of Suomi.fi Messages client organisation representatives are used
- for the deployment and maintenance of an organisation’s interface
- for the provision of information concerning changes made to Suomi.fi Messages
- for the provision of information on incidents
- for the collection of customer insight.
The email address specified as the contact address may contain the name of an individual. In addition, the client organisation may add its representative’s name to the message sent to the end-user.
As the personal data registered in Suomi.fi Messages is obtained either from the Population Information System or from the user and there are only a few pieces of collected data, the risk of the data being inaccurate is very small.
The Suomi.fi Messages register is protected by means of access control and the servers can only be accessed from the central government’s internal network. In addition, personal data is protected by monitoring the use of personal data and a set of instructions provided for the processing of personal data. Officials processing data are liable for acts in office. The persons processing the data have been subject to a security clearance and they have signed a non-disclosure agreement. In addition, the legality of the processing of data saved on the use of Suomi.fi Messages is ensured by storing log data in a log kept for DVV employees and consultants. This log contains information on the person processing data, the date and time of processing and the search terms used.
The Digital and Population Data Services Agency produces and develops Suomi.fi Messages on the basis of section 4(1) of the Support Services Act. Under section 11(1) of the Support Services Act, the Digital and Population Data Services Agency maintains a register of the general consent given by the user for the implementation of electronic notification procedure for the purpose of carrying out electronic notifications related to official activities. Under section 12 of the Support Services Act, the Digital and Population Data Services Agency is entitled to process personal and other data referred to in section 9 of the Support Services Act in order to produce and develop the Suomi.fi Messages service. In addition, the collection of event data and log data is regulated in the Support Services Act (Section 13 and Section 20).
Additional information on data protection:
- The privacy statement for Suomi.fi Messages is available in the Suomi.fi Web Service.
- The organisation associated with the service must accept the Suomi.fi Messages terms and conditions, which also include terms and conditions concerning the processing of personal data. The terms and conditions are available on the Applying for an access license page.