On July 9, the Estonian Information System Authority (RIA) closed a database in the self-service environment for business operators on the eesti.ee state portal, which showed the first and last name, personal identification code, job title and, in some cases, connection with previous posts, of 336,733 people.
Only people whose data was in the database could access the database.
The database, including the personal data, was visible to those company representatives who had logged into the self-service environment and made queries to the access rights management system. The self-service environment is a system for authorized persons of institutions and companies to assign roles to their employees and to grant access to various services.
The data in the database are retrieved from the commercial register, where they are updated periodically. RIA has no information on whether and how anyone might have saved the information. The possibility to access the data was reported by a portal user.
"This is a feature created about a decade ago to give representatives of institutions and companies the rights to manage their employees' access rights. The system was originally built in such a way that the data of authorized persons was visible also to other authorized persons, as society's view and approach to data protection and privacy at that time was not what it is today," Margus Arm, deputy director general of RIA, said on Tuesday.
"However, for what reason the environment was not updated and which processes require critical attention so that similar things do not happen again in the future, we will find out with an internal control procedure. We also informed the Data Protection Inspectorate of what happened," Arm said.
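The design flaw Arm describes, an access-rights lookup that shows every authorized person to every other authorized person, is illustrated below with an added Python example that is not RIA's code; the records, company names and personal codes are constructed, and the fix shown is the usual one of scoping results to the requester's own company.

```python
# Added illustration of the defect described in the article: a rights-management
# lookup that returns every registered person versus one scoped to the requesting
# representative's own company. All data below is constructed, not real.
from dataclasses import dataclass


@dataclass(frozen=True)
class Person:
    name: str
    personal_code: str   # national ID code, sensitive
    company: str
    job_title: str


# Constructed sample records standing in for data synced from the commercial register.
REGISTRY = [
    Person("Mari Maasikas", "48001010001", "Firma A", "board member"),
    Person("Jaan Tamm", "37505050002", "Firma A", "accountant"),
    Person("Kati Kask", "49012120003", "Firma B", "board member"),
]

# Which logged-in personal code represents which company (constructed).
REPRESENTATIVES = {"48001010001": "Firma A", "49012120003": "Firma B"}


def legacy_lookup(requester_code: str, query: str) -> list[Person]:
    """Pre-fix behaviour: any authorized person can search all records."""
    if requester_code not in REPRESENTATIVES:
        raise PermissionError("not an authorized representative")
    return [p for p in REGISTRY if query.lower() in p.name.lower()]


def scoped_lookup(requester_code: str, query: str) -> list[Person]:
    """Fix: results are limited to people linked to the requester's own company."""
    company = REPRESENTATIVES.get(requester_code)
    if company is None:
        raise PermissionError("not an authorized representative")
    return [p for p in REGISTRY
            if p.company == company and query.lower() in p.name.lower()]


def leaked_codes(requester_code: str) -> set[str]:
    """Personal codes the legacy lookup exposes to this requester but the scoped one does not."""
    before = {p.personal_code for p in legacy_lookup(requester_code, "")}
    after = {p.personal_code for p in scoped_lookup(requester_code, "")}
    return before - after
```

Running `leaked_codes` for a representative of "Firma B" shows exactly which other companies' personal codes the unscoped query hands out, which is the kind of check to run against a tenant-scoped query before the feature ships.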
As a result of the partial closure of the rights application of the self-service environment, authorized representatives of companies will need to contact the RIA helpdesk at email@example.com to change the roles of their staff and grant access to their staff to information systems outside the state portal.
Business operators will still be able to manage the access rights to services available on eesti.ee. This means that if a client wishes to grant rights to an accountant to fill in an incapacity for work form, which is a service available on eesti.ee, they can do so in the old way, without writing to the RIA helpdesk. If, however, they wish to give their employee the right to use an external service, they must write to the RIA helpdesk at firstname.lastname@example.org.
In the first half of 2021, the self-service environment was used about 120 times a month. Since the environment was closed, the RIA helpdesk has been contacted two or three times a day on average to change access rights.
"We are monitoring the situation on an ongoing basis. If volumes grow or some time-critical processes appear, we will adopt other solutions," Arm said.
Editor: Helen Wright