4.3. Classification from the perspective of data processing rules

Based on the Act on the Openness of Government Activities, the data collected by the City is by default public, and publishing information as open data for the benefit of other operators, where possible, is in line with the City Strategy. However, the processing of the City’s information resources is regulated by numerous laws that restrict the processing of information. Data classification from this perspective is illustrated in Figure 7.

Figure 7: Data classification from the perspective of data processing rules

Figure 7: Data classification from the perspective of data processing rules

The processing of the following datasets is always restricted:

  • Security classified information and documents are secret based on the Act on the Openness of Government Activities on the grounds of general safety or the public good. Such documents have to do with security arrangements related to individuals, buildings and information systems, preparation for emergencies and national defence.[1]
  • Secret information and documents: Documents that are classified as secret in the Act on the Openness of Government Activities and special enactments. Section 24 of the Act on the Openness of Government Activities provides a definition for secret official documents. Secret information may also include unlisted telephone numbers or addresses that are secret for safety reasons.
  • The General Data Protection Regulation (GDPR) defines special categories of personal data, the processing of which is subject to stricter grounds. These special categories of personal data largely correspond to the sensitive data defined in the now defunct Personal Data Act. Special categories of personal data are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic or biometric data used for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

The processing of personal data is also restricted and regulated by the EU’s General Data Protection Regulation and the Finnish Data Protection Act.

  • Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • Personal data can include addresses, e-mail addresses, photographs, audio or video recordings, car registration numbers, fingerprints or other biological samples.

The data produced by the City is by default public and available for external or internal use. In this case, the data may be:

  • Public by discretion. Documents that are still being drafted are not necessarily public before they are finished, for example.
  • Public data available by request or making an agreement on the use of the data.
  • Public data that can be published as open data.

The City also has data that has be opened up via APIs or in a specific file format for free use in a machine-readable format. The City’s open data is published under an open Creative Commons Attribution 4.0 license in accordance with recommendation JHS189. Other data published by the City may be subject to license-based usage restrictions, for which the City will also strive to create City-wide policies.

As regards external data sources, the processing of data may be restricted based on agreements even when the data is not technically considered restricted data. It is also possible to combine data from different public data sources to produce datasets that are confidential or otherwise restricted (by combining statistics in a way that makes it possible to guess an individual person’s identity, for example).

To facilitate the implementation of data classification, the classification model must be validated by testing in practice with select example datasets and use cases and by comparing it to existing classification models (such as the data management plan, HRI’s and the Urban Research and Statistics Unit’s data catalogues, information systems and associated documents, instructions, external classifications). These tests and comparisons also serve to ensure the consistency of the classification and clarify the associated concept definitions. Furthermore, training should be organised and guidelines issued about the implementation of the classification model in the City’s functions and processes (data management plan, classifications and system planning related to information systems, the City’s data functions).


[1] The provisions of the Act on Information Management on security classified documents (section 18) apply to the central government, but not municipalities. The City is currently looking into the possibility of implementing the same security classification at City level as well. Enquiries about the matter have been made with the officials of the Information Management Board, but their responses have been negative from the perspective of the City, and the City has been told that municipalities do not have the authority to decide on security classification. Provisions on stamps of secrecy and classification are provided separately in the Act on the Openness of Government Activities, and the City can affix stamps of secrecy to documents within the framework of the Act. The implementation of security classification should wait until the matter has been further clarified.

Luonnos