A security breach often occurs due to human error

According to the expert, thousands of data security breaches occur in Finland every year.

Mass emails should be sent in such a way that the recipients cannot see each other’s information. Adobe Stock / AOP

The Vantaa competence center’s summer job search started in January. Information about the search and the job interviews that will take place in February was sent to a large number of job seekers of the municipal employment experiment in Vantaa and Kerava.

However, a job seeker who received the e-mail would have rubbed his eyes: the contact information of dozens of other recipients was visible to everyone who got the message. In addition to the e-mail addresses, the recipients’ full names appeared in the recipient field.

Even this seemingly mundane mistake is a data security breach. The e-mail should have been sent with the recipients’ addresses entered in the BCC field, so that the recipients could not see each other’s information.

– Yes, according to the definition of the law, it is a security breach of personal data, says the deputy data protection commissioner Heljä-Tuulia Pihamaa.

Thousands a year

Such breaches are often a matter of human error, and they happen a lot. About 11,000 cases come to the Office of the Data Protection Commissioner every year, almost 50 percent of which concern data security breaches.

– A very large number of incidents are caused by human error, says Pihamaa.

That is, precisely situations where the sender of the message has inadvertently put the addresses of the entire group in the recipient field, when the BCC field should have been used. Another typical situation is when information about another person is accidentally sent to the wrong person.

The matter was dealt with immediately

In the case of Vantaa that came to Iltalehti’s attention, at least one of the recipients of the message had pointed out the error to the sender.

In the return message, the sender had apologized for the error, asked not to ignore the erroneous message, and said that he would forward the message about the error.

– We’ve discussed the matter through in the team, but there’s really nothing else you can do in a situation like that, other than emphasize the importance of care, comments Kari Ahlström, service manager at Vantaa’s employer services.

Ahlström says that the information security notifications required by the city of Vantaa’s practice were filed about the mistake. The party that made the mistake has the obligation to report the data security breach to the authority.

“You have to learn from these”

In certain situations, those affected by the error must also be notified. This was also done in the case of Vantaa by sending an apology message to the parties involved.

– When we receive such a notification, we evaluate the whole. If the situation seems to be a matter of human error and the matter has been corrected, there is usually no need for further investigation, says Pihamaa.

– If the data security breaches are systematic or repeated, or if the necessary corrective measures after an error are not taken, such as notifying the person affected by the breach, we investigate the matter in more detail if necessary.

– You have to learn from these. If this type of error happens constantly, it can indicate, for example, a lack of competence and training in the organization, and it must be addressed, says Pihamaa.

Kari Ahlström says that after the mistake, Vantaa’s employer services have thought about possible alternative ways to send messages. Such could be, for example, a program where it is not possible to send a message so that the recipients can see each other’s addresses.
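A sending-side guard of the kind Ahlström describes, as an added Python example (not code from the city of Vantaa or from the article): if more than one address is exposed in To/Cc, every recipient is moved to Bcc before the message leaves, so the mistake reported above cannot happen. The addresses and the `build_sample` message are constructed sample data.

```python
from email.message import EmailMessage
from email.utils import getaddresses


def _addresses(headers) -> list[str]:
    """Parse a list of address header values into bare e-mail addresses."""
    return [addr for _name, addr in getaddresses([str(h) for h in headers]) if addr]


def visible_recipients(msg: EmailMessage) -> list[str]:
    """Addresses every recipient will see: To and Cc. Bcc is excluded because
    the mail server strips it before delivery."""
    return _addresses(msg.get_all("To", []) + msg.get_all("Cc", []))


def enforce_bcc(msg: EmailMessage, max_visible: int = 1) -> list[str]:
    """Mass-mail guard: when more than max_visible addresses are exposed in
    To/Cc, move all of them to Bcc and point To at the sender so the message
    still carries a visible To header. Returns the addresses that were moved
    (empty list when nothing had to change). Display names are dropped."""
    exposed = visible_recipients(msg)
    if len(exposed) <= max_visible:
        return []
    already_hidden = _addresses(msg.get_all("Bcc", []))
    sender = str(msg.get("From", ""))
    del msg["To"]
    del msg["Cc"]
    del msg["Bcc"]
    if sender:
        msg["To"] = sender
    # dict.fromkeys keeps order while removing duplicates
    msg["Bcc"] = ", ".join(dict.fromkeys(already_hidden + exposed))
    return exposed


def build_sample() -> EmailMessage:
    """Constructed example: a bulk interview invitation with every applicant
    placed in the To field, the situation described in the article."""
    msg = EmailMessage()
    msg["From"] = "recruiting@example.invalid"
    msg["To"] = ", ".join(
        f"Applicant {i} <applicant{i}@example.invalid>" for i in range(1, 4)
    )
    msg["Subject"] = "Interview schedule"
    msg.set_content("Interview invitations attached.")
    return msg


if __name__ == "__main__":
    sample = build_sample()
    print("moved to Bcc:", enforce_bcc(sample))
    print("still visible:", visible_recipients(sample))
```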
