Processing of personal data in a trust network for electronic identification

Transcription

1 Recommendation Processing of personal data in a trust network for electronic identification Annex to FICORA Regulation

2 Recommendation 1 (10) Contents 1 Introduction TRUST NETWORK AND ITS OPERATION Trust network Minimum set of data to be processed Optional set of data to be processed Other data to be processed Relaying of personal data in a trust network Definitions PROCESSING OF PERSONAL DATA IN A TRUST NETWORK IN GENERAL Requirement for legality and grounds for processing Member-specific additional data GROUNDS FOR PROCESSING PERSONAL DATA IN A TRUST NETWORK Grounds for processing data in a trust network Value added services Processors PROCESSING OF PERSONAL DATA IN ESERVICES Grounds for processing data in eservices Description of file in eservices Release of data further from the eservices DISCLOSING PERSONAL DATA ABROAD Disclosure and transfer abroad Information DATA SECURITY; STORAGE OF PERSONAL DATA General data security requirement Regulations issued by FICORA Storage of data SUPERVISION AND RIGHTS OF PERSONS TO BE IDENTIFIED Supervision Rights of persons to be identified... 8

3 Recommendation 2 (10) 8.3 Withdrawal of consent MISCELLANEOUS Governing law References... 9

4 Recommendation 3 (10) 1 Introduction The Code of Conduct and its annex on processing of personal data (data protection annex) complement the Act and Regulation on strong electronic identification and identification service provider trust network, as well as FICORA s technical regulations issued under the Act. The amendment ( /139) of the Act on Strong Electronic Identification and Electronic Trust Services (617/2009, hereinafter referred to as the Identification Act) [1] lays down provisions on the formation of an identification service trust network. The purpose of the trust network is to promote the market supply of universal identification services that are advanced, both in terms of usability and security, as well as to improve the security of eservices. The trust network allows the brokering of different identification devices to eservices under uniform technical and administrative arrangements. Further provisions on the administrative practices, technical interfaces and administrative responsibilities in the trust network are laid down in the Government Decree on the trust network of strong electronic identification service providers (169/2016, hereinafter referred to as the Trust Network Decree)[2]. This data protection annex specifies the general principles of processing personal data in a trust network. Processing of personal data in the eservices and processing of personal data not related to an identification event have been excluded from the data protection annex even though they are mentioned in the guidelines. The data protection annex to the Code of Conduct has been drawn up by personal data law specialists on the basis of needs identified in the Identification and Trust Services Working Group set up by FICORA. During the preparation, the data protection annex has been subject to discussions with the Data Protection Ombudsman. The legal nature of the Code of Conduct and the data protection annex is a FICORA Recommendation.

5 Recommendation 4 (10) 2 TRUST NETWORK AND ITS OPERATION 2.1 Trust network The identification service providers referred to in the Act on Strong Electronic Identification and Electronic Trust Services (617/2009, the Identification Act ) form a common trust network. Members of the trust network, i.e. the identification service providers referred to in the Act, are divided into two categories: identification device providers conclude contracts on the provision of identification services with their customers to be identified and identification broker service providers transmit identification events to eservice providers outside the trust network. The same organisation may act simultaneously as an identification device provider and an identification broker service provider; in this document, however, the responsibilities related to these roles are discussed separately. 2.2 Minimum set of data to be processed As part of the identification event, members of the trust network process and relay among them data on the first name, last name, date of birth and unique identifier (personal identity code or e-transaction ID) of the person to be identified. As applicable, the members may also collect, verify or update data necessary for the provision of the identification service using the Population Information System. Identification device providers are obliged to collect and update data using the Population Information System (section 7 of the Identification Act). 2.3 Optional set of data to be processed 2.4 Other data to be processed As part of the identification event, members of the trust network may process, and, if applicable, relay among them the optional set of data specified in section 12(2) of FICORA s Regulation 72. Such data includes first name(s) and last name(s) at the time of birth, place of birth, current address and gender. Members of the trust network may also provide their own added value services which can involve processing of other data in addition to the sets of data specified in sections 1(2) and 1(3) (see section 4.2 for related additional requirements).

6 Recommendation 5 (10) 2.5 Relaying of personal data in a trust network 2.6 Definitions In terms of processed personal data, all providers of identification devices, identification broker services and eservices may in principle be independent controllers referred to in the Personal Data Act which shall be assessed in accordance with the Personal Data Act. Transmitting identification events in a trust network may include disclosing of personal data between controllers as specified and required below. The legal concepts in this document bear the same meaning as in the Identification Act and legislation on personal data processing. Parties relying on electronic identification are referred to as eservices. This means network or other services which are used by the person to be identified and for which the identification is carried out. Personal data and processing of personal data bear the same meaning as in legislation on personal data processing. In principle, an identification event transmitted in a trust network always includes such personal data. 3 PROCESSING OF PERSONAL DATA IN A TRUST NETWORK IN GENERAL 3.1 Requirement for legality and grounds for processing 3.2 Member-specific additional data Members of the trust network shall only process personal data on grounds provided by law (see section 4) and only to the extent permitted by such grounds and applicable authority regulations. When members of the trust network disclose personal data to other members of the trust network and eservices, they are responsible for the receiving party s legal right to receive and process such personal data. In addition to what has been stated herein, the processing of personal data by a member of the trust network is specified in the member's description of file providing member-specific additional data. However, such description of file shall not contradict with what has been stated herein. The memberspecific description of file shall include the name and contact details of the member, and, as applicable, its data protection officer, whether the member transfers data outside the EU/EEA and grounds for such transfer, as well as other matters required

7 Recommendation 6 (10) by law. On its website, FICORA maintains a list of members of the trust network with links to the file descriptions. 4 GROUNDS FOR PROCESSING PERSONAL DATA IN A TRUST NETWORK 4.1 Grounds for processing data in a trust network 4.2 Value added services 4.3 Processors In principle, members shall process personal data of the person to be identified based on this person's assignment. This document only discusses processing of personal data for the purpose of identification services. Any value added services provided by a member of the trust network (see section 1.4) are separately described in a related description of file. On the basis of what has been stated herein, an identification device provider having a customer relationship with the person to be identified is not responsible for the processing of personal data of the person to be identified for the purpose of providing value added services. If a member uses a processor in the processing of personal data, it is responsible for ensuring that it has a written contract meeting the applicable legal requirements with the processor. 5 PROCESSING OF PERSONAL DATA IN ESERVICES 5.1 Grounds for processing data in eservices 5.2 Description of file in eservices This document does not describe the processing of personal data by an eservice provider or the grounds for such processing. A member of the trust network having a customer relationship or a similar relationship with eservices shall ensure that the eservices have sufficient grounds for receiving and processing the identification event and related personal data. If the data of the identification event include the personal identity code of the person to be identified, the personal identity code may only be disclosed to the eservices if they have legal grounds for receiving and processing personal identity codes. The eservices shall have their own description of file (or similar document) which describes the processing of personal data in

8 Recommendation 7 (10) the eservices. The eservices are responsible for ensuring that their description of file is available to the person to be identified and that the eservices fulfil their information and other obligations towards the person to be identified. However, the member of the trust network which has concluded a contract with the eservices shall ensure that the eservices fulfil these obligations, or the member may fulfil them on behalf of the eservices or assist the eservices in their fulfilment if so agreed. 5.3 Release of data further from the eservices The eservices may release the personal data obtained in connection with identification services only as permitted by law. A member of the trust network which has concluded a contract with the eservices shall ensure that the eservice provider undertakes to do so. 6 DISCLOSING PERSONAL DATA ABROAD 6.1 Disclosure and transfer abroad 6.2 Information Members of the trust network may not disclose or transfer, as part of a subcontracting or outsourcing, for example, personal data outside the European Union or the European Economic Area (EU/EEA) except as permitted by applicable legislation on processing of personal data and only if all related additional conditions have been fulfilled. If data is disclosed or transferred outside the EU/EEA, the member shall indicate this together with the grounds for such disclosure/transfer and other matters required by law in the member-specific description of file. 7 DATA SECURITY; STORAGE OF PERSONAL DATA 7.1 General data security requirement All members of the trust network are legally bound to carry out all technical and organisational measures necessary for securing personal data against unauthorised access and against accidental or unlawful destruction, manipulation, disclosure and transfer or other unlawful processing.

9 Recommendation 8 (10) 7.2 Regulations issued by FICORA 7.3 Storage of data Furthermore, all members of the trust network shall comply with FICORA's regulations applicable to the activities described herein at all times. Members of the trust network may store personal data processed as part of an identification event for the period specified in section 24(3) of the Identification Act, i.e. for a minimum of five years from the identification event, or for another period permitted or required by legislation applicable to the member's activities. 8 SUPERVISION AND RIGHTS OF PERSONS TO BE IDENTIFIED 8.1 Supervision 8.2 Rights of persons to be identified 8.3 Withdrawal of consent FICORA, the Data Protection Ombudsman and the members of the trust network shall supervise compliance with what has been stated herein. Those persons to be identified that are consumers may have the right to bring the matter to the attention of the Consumer Disputes Board ( Persons to be identified shall have the right to access the personal data on them possessed by the member of the trust network and request a copy of such data to them and/or potentially to another service provider. Persons to be identified shall also have the right to request the members to rectify any erroneous personal data on them and to erase such personal data on them that has become unnecessary for the member based on the grounds for processing the data. In certain cases, persons to be identified may also have the right to request the members to temporarily restrict the processing of data on the persons to be identified. To the extent that the activities described herein are based on consent of the person to be identified, the person to be identified may always withdraw this consent by notifying the party to which the consent has been given (see section 4.1). However, withdrawing the consent does not retroactively affect identification events already carried out. The person to be

10 9 MISCELLANEOUS 9.1 Governing law Recommendation 9 (10) identified shall understand that withdrawing consent may mean that identification services referred to in the Identification Act can no longer be provided to this person. This document, its construction and related rights and obligations are governed by the laws of Finland. 10 References [1] Act on Strong Electronic Identification and Electronic Trust Services (617/2009, the Identification Act) [2] Government Decree on the trust network of strong electronic identification service providers (169/2016, the Decree on Trust Networks)