The Data Inspection Board has audited three different companies that arrange personal insurance. Such insurance brokers are required by law to record adequate and relevant data on customers' background, financial situation and so on in order to give the customer comprehensive advice. This data is often very sensitive and must therefore not be accessible to unauthorized persons.
In each case, the Data Inspection Board found that the company did not meet the requirements on sensitive personal data set out in the Personal Data Act (1998:204), hereinafter referred to as the PDA. The Data Inspection Board has therefore required the companies to implement more secure ways of identifying their users.
The audits were part of the Data Inspection Board’s project to map and verify how insurance brokers process personal data in connection with arranging personal insurance and to verify associated IT security.
According to Section 31 of the PDA, the data controller must take appropriate technical and organizational measures to protect the personal data being processed. The measures must provide a level of security that is appropriate in view of the technical possibilities available, the cost of implementing the measures, the specific risks associated with the processing and how sensitive the personal data in question is. In practice this means that, in order to prevent infringement of the privacy of the people whose data is registered, insurance brokers must implement security measures that stop unauthorized disclosure of the data.
The Data Inspection Board's position is that privacy-sensitive personal data may be made available over the internet only if the identity of the user is assured by strong authentication. Strong authentication can be achieved in different ways; the most common is e-identification. Other techniques, such as asymmetric cryptography or single-use (one-time) passwords, may also be used.