This makes you vulnerable to identity theft. Swedish residents have no legal right to protect their personal identifying information (PII) which includes the first 6 digits of the 10 digits (AAMMDD-xxxx) of Swedish IDs. Except is if you have a protected identity. Following is the response I received from one of the credit reporting agencies that I contacted.
“We are a credit reporting agency with permission from the Data Inspectorate (Datainspektionen). The data in our database are and should be a reflection of public databases retrieved from authorities such as tax authorities (Skattemyndigheten), payment remarks and debt collecting agencies (Kronofogdemyndigheten), and the bureau of statistics (SCB). Public data means that anyone can contact the respective government authority and get the same information there. We are by the Credit Information Act (Kreditupplysningslagen) required to make changes in our database to correct faults, but you have no right to be omitted from the register. All residents in Sweden who are over the age of 16 are included.
Protected Identity is the only way to hide the address and other personal information with the authorities, and thus also with us, and it may be issued through the tax or police authorities. Once an identity has been protected the data is hidden automatically in our system.”
This was in response to the following request I made.
I would like to kindly request that you do NOT share my personal information with third parties that make money from my personal identifying information, an example is ‘birthday.se”. Due to the sharing of my PII the first 6 digits of my Swedish ID is public, consequences are that it makes me vulnerable to identity fraud.
Can you please confirm that this is done. If not would be be kind enough to give me enough information to understand why not?
This is the letter from the Swedish Data Inspection Board. They were kind enough to reply in English 🙂
The Swedish Data Inspection Board has received your complaint.
The Swedish Data Inspection Board is supervisory authority according to the Personal Data Act (1998:204). There is a possibility for websites to apply for impediment to publication (utgivningsbevis). If a website is granted impediment to publication (e.g. ratsit.se) the website will be protected according to constitutional law. That means that the Personal Data Act is not applicable on information that is posted at such websites.
The Swedish Data Inspection Board is therefore unable to help you in this matter. It is legal for ratsit.se to publish your personal information. Ratsit.se is not obliged to remove your information.
For more information about utgivningsbevis, see The Swedish Broadcasting Authority’s website: http://www.radioochtv.se/en/Licensing/Internet/.
The Swedish Data Inspection Board notes with regularity the problems with utgivningsbevis to the Ministry of Justice. You can read more about it here:
Are there any Swedish lawyers out there that can help me fix this?
Hopping mad you should be if you are a Swedish resident, after taking a visit here http://www.ratsit.se, and search for your name. This is against the Data Protection directive, of which Personuppgiftslagen (PUL) is the legal enactment of. I am so bored of asking to have my name removed, only for it to pop up again later, and now I see that it is impossible to remove your personal identifying information (PII) (http://www.ratsit.se/Content/FaqSearch.aspx)… it is PUBLIC for all to see forever! What a smorgasbord for identity thieves!
I can see how old you are, where you live and the first 6 digits of 10 digits from your Swedish ID!
It seems to be that the Kreditupplysningslagen (KuL) has priority over PuL. In PuL you have a right to personal privacy. You should be informed who has had access, or even viewed your personal information. Now KuL does inform you when a request is made for your creditworthiness, but it doesn’t tell you about who has viewed your Personal Identifying Information (PII) through http://www.ratsit.se who they share your PII with, for example. Your PII includes your date of birth, where you live, etc…
I am going to make an official compliant to the Datainspektion. If you are interested to add yourself to a petition to support me in this, please Like this Post here on the blog direct, or on LinkedIn or FB status update, wherever you happen to pick this up.
I was surprised when taking a coffee with one of my colleagues in the office. She received an SMS thanks from another of our colleagues her for the birthday greeting. When I asked her, how did she know, she said she found it online at http://www.birthday.se/kontakta-oss/Default.aspx. She then told me when my birthday was and even a map to where I lived (although they did get this wrong). Nevertheless surprise became horror. I had already removed my details from www.hitta.se only to find myself at another site. So I checked with a previous colleague of mine (Martin Da Fonseca) that studied security law in Sweden if this was in fact legal? And this was his response.
“It is legal. The service provided by Upplysning.se is regulated in Kreditupplysningslagen (credit information legislation) (1973:1173).
I believe the service provided by birthday.se is using (or exploiting) the fact that this information is considered “public information” (allmän handling), because it is stored at a goverment agency. As part of Tryckfrihetsförordningen (“freedom of press”, sort of) (1949:105) 2:1 it says that every Swedish citizen shall have the right to access to public documents. All documented information that a goverment agency has is to be considered public. This is also regulated by Sekretesslagen (official secrets legislation) (1980:100), which states when information is to be considered secret and not part of public documentation. Personuppgiftslagen (1998:204) is also in effect here; it is applied on the actual agencies storing the information. And perhaps to some extent on companies like Birthday.se, depending on what they do with the information (if they store it).”
Should I really be surprised? Not really, as mentioned it’s not the first time in Sweden I’ve needed to remove my personal information from some public register. And getting it removed is a pain, many phone calls, and then like magic it pops up again a year or two later! I believe that this is in direct contravention of the EU directive on Data Privacy. Am I wrong here? Surely I must be? Although Sweden is quite ‘transparent’ in how it operates, there there is much trust between the government and its citizens that makes Sweden quite unique. Transparency is a part of the EU directive, although we should give our consent to sharing personal data. Maybe i have done this automatically by becoming a resident of Sweden. The personal ID is not compulsory in Sweden but its just about imposssible to operate without it. Just try taking out a prescription at the chemist without this ID, you can when they realise that they have no choice, like what happened when I lost my ID, but it takes time and is very annoying if you end up with someone that insists on following the rules. This ID is shared everywhere and is really easy to get hold of. It is composed of date-of-birth (which you can find on http://www.birthday.se) yymmdd-xxxx and four digits, that are even if you are female and odd if you are mail.
There are cases in the U.S. whereby the addresses of car drivers were public until some celebrity was murdered due to the availability of this information. This is evidence that placing this type of information in public domain is dangerous! Does this mean that Sweden has worse data privacy for their citizens than what is found in the U.S.? Is this possible for a country of the EU?