Changing your personal identity code is not a quick solution to prevent its misuse – strong identification is key
A personal identity code is meant to be a permanent means of identifying a person. Under the law, it can only be changed under exceptional circumstances. The change is costly and cumbersome, and will not automatically prevent future crimes. The most effective way to prevent identity-related crime is strong identification.
The Digital and Population Data Services Agency is regularly asked whether it could change the personal identity code of victims of a data breach or data leakage. The reason for this request is the fear that if personal identity codes end up in the hands of criminals, they could be used to cause damage to the victim.
But as a personal identity code is meant to be a permanent means of identifying a person, it can only be changed under exceptional circumstances.
Personal identity codes are permanent by law
A person may only be issued a new personal identity code in the following situations:
- If the person's date of birth or gender is incorrectly indicated in the personal identity code.
- If a person confirms that they belong to another gender.
- If someone has repeatedly misused a person's personal identity code and this has resulted in significant economic or other hardship to the person.
- If there is an imminent and permanent threat to a person's health or safety. In practice, this would require that the person be in acute danger of being the victim of homicide or assault.
These prerequisites are based on the Act on the Population Information System, which the Digital and Population Data Services Agency must comply with when maintaining the Population Information System and processing citizens' personal data. The processing of personal data, including personal identity codes, is always based on legislation.
A new personal identity code does not eliminate future risks
Victims of a data leakage may be disappointed to hear that the statutory prerequisites for changing a person's personal identity code are not very easily met. The personal identity code cannot be changed solely for the purpose of preventing crime. Even if changing the personal identity code prevented the misuse of a person's data, the same risks would exist with the new personal identity code as well. Changing a person's personal identity code also results in a need to update several registers and documents, which is cumbersome and costly.
In the event of severe identity theft, it is possible to change the personal identity code if its repeated misuse has evidently caused significant, concrete harm to the victim. Such cases include situations where, for example, someone has taken out credit or shopped online in the name of the person. The victim should not pay the invoices incurred for such fraudulent orders, but instead, they should be reported to the police.
A new personal identity code can be requested from the Digital and Population Data Services Agency if the above-mentioned conditions are met. All applications will be handled with care and on a case-by-case basis.
Strong identification reduces the success rate of crimes
The personal identity code, or the personal identity code and the name together, may not be used as the only means of identifying a person; instead, other personal data is also needed for reliable identification. Provisions on this are laid down in the Data Protection Act (pdf).
Personal identity codes were originally designed to help differentiate between people in digital systems. Using personal identity codes for identification began after the code was included in driving licences and passports that can be used to prove one's identity. However, the personal identity code alone should not be used as a means of identification. Face to face, people can be identified by means of an identity card, and in e-services, by means of strong identification.
There are two principles that would help prevent negative impacts on victims of data leakage:
- Best practices of identity verification must be followed in all business activities and actions taken by the authorities: the personal identity code should not be used as an identification method.
- Legislation could require that when credit is granted online, it always involves strong identification, i.e. the use of banking codes, a mobile certificate or a citizen certificate.
The reliable identification of customers helps reduce errors in registers and thus improves data protection. When identity theft fails due to the strong identification requirement, the motives of criminals to steal personal data can be reduced.
- Individuals
- Processing times
- Marriage
- Having or adopting a child
- Names
- Moving
- Guardianship
- Life changes while living abroad
- Moving while living abroad
- Registration of a child born abroad
- Marriage concluded abroad
- Partnership registered abroad
- Divorce granted abroad
- Registration of a name change performed abroad
- Gender recognised abroad
- Death abroad
- Registration of citizenship
- Notification of retaining Finnish citizenship
- Legalisation of foreign documents
- Submitting foreign documents
- As a foreigner in Finland
- Registration of a foreigner
- Registration of a foreign student
- Municipality of residence
- Instructions on arriving in Finland from Ukraine
- Guide for employed persons
- Fast track service for specialists and growth entrepreneurs
- Instructions for legalisation
- Submitting foreign documents
- Foreigner’s move to Finland, in Finland and out of Finland
- Check your own personal details
- Elections and Right to vote
- Suomi.fi Web Service
- Citizen Certificate and electronic identity
- Certificates from the Population Information System
- Population information in the Population Information System
- Registration of a gift notification
- Services of notary public
- Certification of purchase
- Citizens’ initiative
- Death and estate inventory
- Public Service Info
- Address service
- Forms
- Digital support for citizens
- Organisations
- Certificates
- Population information services for organisations
- Public administration sampling and updating service
- Private sector information services
- PIS modified data interface
- Modified data update service
- VTJkysely interface
- Browser-based VTJkysely application
- Resident sampling services for property management offices and maintenance companies
- Data extraction for municipalities
- Reform of personal identity code
- Conditions for using population information
- Maintaining the Population Information System
- Extracts from registers
- Suomi.fi services
- Services to promote digitalisation
- Digital support
- Digital identity reform
- Digital security services
- Services of notary public
- Certification of purchase
- Right to officiate weddings
- E-services
- Finnish Authenticator identification service
- About the agency
- Digital and Population Data Services Agency
- Digital and Population Data Services Agency as an Employer
- Use our services electronically
- Contact
- Customer service for private customers
- Customer service for organisations
- Service locations
- Digital and Population Data Services Agency address, switchboard e-billing details
- Digital and Population Data Services Agency Management
- Marriage ceremony premises information
- Contact details for media
- International Affairs
- Invoicing
- Quality policy
- Equality plan for customers
- Data protection
- News
- Population Information System
- For media
- Brochures and publications
- Projects
- Foresight and research cooperation