In late 2012, the Office of the Data Protection Ombudsman carried out a survey concerning the processing and protection of personal data in Finnish online services. The survey covered 74 companies and organizations which had experienced data security breaches during October-December 2011. Because data controllers in general have no statutory obligation to report data security breaches, the survey was limited to telecommunications companies and service providers, which are specifically obliged to report data security breaches affecting their systems and attempted attacks on their networks or services.

The Finnish Personal Data Act contains a provision on the processing of personal data, requiring data controllers to implement appropriate technical and organizational measures to protect personal data against unauthorized access and all other unlawful forms of processing. The purpose of the survey was to determine how the companies and service providers respond to possible deficiencies in the protection of data systems and how they carry out their obligation to protect personal data. The survey sought to help the controllers assess the lawfulness of their own activities and to find areas for improvement in the processing of personal data.

The companies and service providers were asked about their knowledge of the statutory duty to protect personal data, about their preparations for and defenses against security breaches and threats, and about whether they had detected the reported security breach or threat and what action they had taken in response. In particular, the companies and service providers were asked whether they had informed their customers or users of the incident.

Businesses of different sizes were selected for the survey. In general, the Ombudsman observed a direct relationship between the size of the organization and the resources it dedicated to information security and data protection. The size of the organization was reflected both in its ability to detect and prevent security breaches and in its ability to maintain data security within the organization. For small companies, security breaches represented an existential threat: a number of small operators decided to stop providing services altogether after being exposed to a security breach.

According to the Data Protection Ombudsman, only 46% of respondents said that they knew the requirements of the Personal Data Act to protect personal data. Even though 92% of the involved companies and service providers submitted a response by the given deadline, only a fifth of the respondents answered all the questions. In an alarmingly large proportion of companies (30%), the security breaches or threat of breaches had not led to any action at all. Some of the companies and service providers were also unable to identify their own role in the processing of personal data in relation to outsourced services. Several online stores that had outsourced their technical implementation did not perceive themselves as liable for the handling of personal information.

In its conclusions, the Data Protection Ombudsman highlights the importance of providing guidance to Finnish data controllers and intends to advise them on their information security obligations in cooperation with CERT-FI. A further survey will be carried out later by the Data Protection Ombudsman.

The Data Protection Ombudsman was only able to survey companies and service providers within the telecommunications sector because Finnish legislation currently contains no general obligation for data controllers to notify the data protection authority or their customers of a data security breach in the controller's operations. However, the situation may soon change: under the proposed EU Data Protection Regulation (tabled by the European Commission in January 2012 and now before the European Parliament and the Council), data controllers would be under a specific obligation to notify the supervisory authority of personal data breaches and, where a breach is likely to adversely affect them, the data subjects as well.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.