Skip to Content

Changing your personal identity code is not a quick solution to prevent its misuse – strong identification is key

Publication date 27.6.2024 13.18
Press release

A personal identity code is meant to be a permanent means of identifying a person. Under the law, it can only be changed under exceptional circumstances. The change is costly and cumbersome, and will not automatically prevent future crimes. The most effective way to prevent identity-related crime is strong identification.

The Digital and Population Data Services Agency is regularly asked whether it could change the personal identity code of victims of a data breach or data leakage. The reason for this request is the fear that if personal identity codes end up in the hands of criminals, they could be used to cause damage to the victim.

But as a personal identity code is meant to be a permanent means of identifying a person, it can only be changed under exceptional circumstances. 

Personal identity codes are permanent by law

A person may only be issued a new personal identity code in the following situations:

  • If the person's date of birth or gender is incorrectly indicated in the personal identity code.
  • If a person confirms that they belong to another gender.
  • If someone has repeatedly misused a person's personal identity code and this has resulted in significant economic or other hardship to the person.
  • If there is an imminent and permanent threat to a person's health or safety. In practice, this would require that the person be in acute danger of being the victim of homicide or assault.

These prerequisites are based on the Act on the Population Information System, which the Digital and Population Data Services Agency must comply with when maintaining the Population Information System and processing citizens' personal data. The processing of personal data, including personal identity codes, is always based on legislation.

A new personal identity code does not eliminate future risks

Victims of a data leakage may be disappointed to hear that the statutory prerequisites for changing a person's personal identity code are not very easily met. The personal identity code cannot be changed solely for the purpose of preventing crime. Even if changing the personal identity code prevented the misuse of a person's data, the same risks would exist with the new personal identity code as well. Changing a person's personal identity code also results in a need to update several registers and documents, which is cumbersome and costly.

In the event of severe identity theft, it is possible to change the personal identity code if its repeated misuse has evidently caused significant, concrete harm to the victim. Such cases include situations where, for example, someone has taken out credit or shopped online in the name of the person. The victim should not pay the invoices incurred for such fraudulent orders, but instead, they should be reported to the police.

A new personal identity code can be requested from the Digital and Population Data Services Agency if the above-mentioned conditions are met. All applications will be handled with care and on a case-by-case basis. 

Strong identification reduces the success rate of crimes

The personal identity code, or the personal identity code and the name together, may not be used as the only means of identifying a person; instead, other personal data is also needed for reliable identification. Provisions on this are laid down in the Data Protection Act (pdf).

Personal identity codes were originally designed to help differentiate between people in digital systems. Using personal identity codes for identification began after the code was included in driving licences and passports that can be used to prove one's identity. However, the personal identity code alone should not be used as a means of identification. Face to face, people can be identified by means of an identity card, and in e-services, by means of strong identification.

There are two principles that would help prevent negative impacts on victims of data leakage:

  • Best practices of identity verification must be followed in all business activities and actions taken by the authorities: the personal identity code should not be used as an identification method. 
  • Legislation could require that when credit is granted online, it always involves strong identification, i.e. the use of banking codes, a mobile certificate or a citizen certificate. 

The reliable identification of customers helps reduce errors in registers and thus improves data protection. When identity theft fails due to the strong identification requirement, the motives of criminals to steal personal data can be reduced.