The City of Espoo employees’ awareness of the importance of data protection and information security has improved. Awareness is also being systematically developed. Last year, the city piloted mandatory online training for all, and during the spring it will be introduced throughout the organisation.
It is also essential to develop the employees’ ability to notice things: the aim is to identify risks in advance and not only when something happens.
These matters are included in the new Data Balance Sheet of the City of Espoo, which describes how the city implemented data protection and information security in 2019. The Data Balance Sheet is a response to the General Data Protection Regulation (GDPR) of the European Union that requires organisations to openly communicate about the way they process data. It also provides a situational picture of the way Espoo has developed its operations in these areas.
Digital services without compromising trust
Data protection and information security are often discussed from the viewpoint of threats. The City of Espoo Data Protection Officer Juho Nurmi points out that a more positive approach is also possible.
“Data protection and information security are opportunities. When we take them into account during the development of digital services, for example, we are able to offer better services to Espoo residents and maintain their trust.”
One of Espoo’s development areas in 2020 is to take even better account of data protection in digital development projects. In practice, this means that the responsibilities of the city’s operators and business partners will be specified and data processing will be streamlined.
Incident reports from the staff are a good sign
In 2019, the City of Espoo became aware of 60 personal data breaches.
“We take each incident seriously and carefully assess ways to prevent them in the future. The majority of our incidents have been caused by human errors made by our employees. We are tackling these through training and active communication. The fact that our employees report incidents to the Data Protection Officer is a good sign – we have clearly succeeded in raising awareness,” Nurmi says.
Incident reports are required by law. However, Espoo’s Data Protection Officer and Chief Information Security Officer have decided to approach the topic in an open, positive way when holding training sessions.
“We never punish the messenger; we would much rather reward them. Our number one guideline is that employees should react quickly without stopping to wonder if the incident is a serious one. It is better to file a report for nothing than not to report at all,” Nurmi says.
Municipalities process large amounts of personal data
The municipal sector plays an important role when it comes to data protection and information security because very few organisations process as much sensitive personal data as municipalities.
“Municipalities have 610 statutory tasks, Espoo has more than 14,000 employees and 770 different job titles. This gives an idea of the amount of personal data handled by our organisation and of the reasons why we take data protection and information security very seriously,” Nurmi says.
- Juho Nurmi, Data Protection Officer, City of Espoo, tel. 043 827 3077, email@example.com
- Matti Parviainen, Chief Information Security Officer, City of Espoo, tel. 043 827 0246, firstname.lastname@example.org
Link: Summary of the City of Espoo Data Balance Sheet 2019 (in Finnish) (pdf, 977 KB)