Govt proposes amendment to Personal Data Acts

The government on Thursday submitted a proposal to the parliament to amend the Act on the Processing of Personal Data by the Police in order to bring it in line with the new EU data protection requirements.

The Act also includes provisions on the processing of personal data by the Finnish Security Intelligence Service. Following the updates, the Act would be connected to the purposes of processing personal data rather than to specific registers or data management systems, said an official press release on Friday.

“The new Act will improve the possibilities of the police to use the personal data obtained through their duties in the prevention, detection and investigation of crimes. The amendments will not broaden the authority of the police to gather information,” said Minister of the Interior Kai Mykkänen.

The Act would give the police the possibility to use the data obtained under their existing powers in a more versatile way in the prevention, detection and investigation of crimes. For example, the police would be able to assess the need for personal data for a maximum of six months.

The aim of the new Act on the Processing of Data by the Police is to ensure that the police process personal data in compliance with the requirements of the new data protection legislation at the national and EU levels. The Act on the Processing of Personal Data by the Police complements the general legislation on data protection.

Currently, the police process the data they require for crime prevention and detection using sources such as the Suspect Data System (Epri) and temporary crime analysis registers. Moving forward, all of these personal data would be processed in line with unified national-level procedures. This would facilitate data protection and the monitoring of data processing, which would, in turn, also improve the legal protection of data subjects.

The police would be able to process the personal data of individuals other than those directly connected to a crime or criminal activity for crime prevention and detection purposes only when it is absolutely necessary. The new Act defines more clearly how the police can process personal data on witnesses, victims, injured parties and persons who have filed police reports in the prevention and detection of crimes. When dealing with the personal data of individuals other than those suspected of a crime, more stringent criteria would be applied to the processing of personal data to ensure adequate data protection and legal safety.

The police are permitted to use only those personal data that are required for their work. Access rights to the police data systems are granted based on the tasks of individual police officers. Compliance with the law when processing personal data is part of the official duties of the police and other authorities.

The processing of personal data by the police is monitored by the Ombudsman for Data Protection. The use of data systems is also monitored regularly as part of the oversight of legality carried out by the National Police Board and within police units. The legal compliance of the activities of the police and the processing of personal data are also evaluated by the Parliamentary Ombudsman, the Office of the Chancellor of Justice and the Ministry of the Interior. The police force engages in cooperation with the data protection authorities and the authorities responsible for the oversight of legality in the development of data processing. The new general legislation on data protection contains further provisions on data security and the monitoring of the processing of personal data.

The planned amendments to the Act on the Processing of Personal Data by the Border Guard also aim to bring the processing of personal data by the Border Guard in line with the new EU data protection legislation. With the amendments, the structure of the Act would be streamlined and the provisions simplified.

The new Act would lay down provisions on the purposes of personal data processing by the Border Guard, rather than on individual registers and data systems. In line with the existing act, the purposes of processing personal data would be to carry out border control, maintain order and security at the border, investigate crimes within the Border Guard’s competence, maintain public order and security, prevent and detect crimes under the Border Guard’s jurisdiction, enforce justice under military law and carry out other statutory duties of the Border Guard, such as various monitoring duties.

The efficiency of personal data processing by the Border Guard for crime prevention purposes would be improved in the same ways as proposed for the Act on the Processing of Personal Data by the Police. The rights of the data subject and the monitoring of the processing of personal data would be subject to the same provisions as those in effect for the police.