The Finnish PIN is gradually transforming

In Finland, the Digital and Population Data Services Agency (DVV), the agency administering the registry of citizens, acknowledged some time ago that the current method of forming the personal identification number (PIN) codes that identify individuals isn't sustainable in the long run. In addition, the structure of the PIN doesn't comply with modern privacy protection.

DVV regularly issues new PINs to individuals born, for example, in the 20th century. Usually this is a foreigner in need of a Finnish PIN. As some countries mark every citizen's birthdate in passports as 1.1. or 31.12., the need for PINs for these dates in particular is higher than average. This in turn means that the variations of the three-digit individualising number are running out. This needs to be resolved – very soon.

In addition to this most acute challenge, there are also some personal privacy issues with the current method of forming a PIN. A PIN, which should solely be data individualising a person, reveals in its current form the person's birthdate and gender. These should be phased out to make the PIN unambiguously individualising data.

The Ministry of Finance initiated a pre-study on the PIN renewal in 2017. The final report was published in spring 2020. This has served as the basis for the PIN renewal project, which the Ministry of Finance kicked off in late 2020. But already in spring 2021 it was apparent that the schedule outlined in the final report wasn't realistic.

The magnitude of the change is rather evident. The PIN's tentacles reach far, and they often touch functions critical to society, so the change will require action from numerous parties, both authorities and the private sector. As many of these parties are also interconnected, this will require a good amount of coordination. Given this, and on the other hand DVV's more pressing need to find a solution for the individual number series, there is no straightforward quick fix. Therefore, the full-scale transformation of the PIN will be implemented in phases, and in the first phase only the sufficiency of PINs will be resolved.

For organisations faced with the changes, introducing them in phases is slightly annoying. Although a change process is often more controlled when performed in phases, it unfortunately usually also comes with a price tag. Therefore, already while planning for the first phase, it would be beneficial to grasp the final goal and strive to anticipate the following changes right from the beginning. For the PIN change, at least three changing factors are already known: the middle mark (indicating the birth century), the birthdate and the gender. When these change, the method for checking the PIN changes too. How well you hit the bull's eye with these (assumptions) remains to be seen.
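The following sketch is an added example, not code from Evitec or DVV: a checker in which each of the three changing factors is a separate, switchable concern. It assumes the publicly documented PIN layout in use when this was written (DDMMYY, middle mark, three-digit individual number, check character from the nine digits modulo 31, odd individual number for male), which this article does not spell out; `check_pin`, `PinCheck`, `derive_attributes` and the sample PINs are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Mapping, Optional

CHECK_CHARS = "0123456789ABCDEFHJKLMNPRSTUVWXY"    # remainder 0..30 -> check character
CURRENT_MARKS = {"+": 1800, "-": 1900, "A": 2000}  # middle mark -> birth century


@dataclass(frozen=True)
class PinCheck:
    valid: bool
    birthdate: Optional[date] = None   # None when not derived from the PIN
    gender: Optional[str] = None       # None when not derived from the PIN


def check_pin(pin: str, marks: Mapping[str, int] = CURRENT_MARKS,
              derive_attributes: bool = True) -> PinCheck:
    """Validate a PIN; the mark table and attribute derivation are configurable.

    marks: accepted middle marks, supplied by the caller so that new marks
           can be added without touching the check-character logic.
    derive_attributes: when False, the PIN is treated purely as an identifier
           and no birthdate or gender is read out of it.
    """
    pin = pin.strip().upper()
    if len(pin) != 11 or not pin.isascii():
        return PinCheck(False)
    digits, mark, check = pin[:6] + pin[7:10], pin[6], pin[10]
    if not digits.isdigit() or mark not in marks:
        return PinCheck(False)
    # Check character: the nine digits read as one number, modulo 31.
    if CHECK_CHARS[int(digits) % 31] != check:
        return PinCheck(False)
    if not derive_attributes:
        return PinCheck(True)
    try:
        born = date(marks[mark] + int(pin[4:6]), int(pin[2:4]), int(pin[:2]))
    except ValueError:                 # e.g. 31 February
        return PinCheck(False)
    gender = "male" if int(pin[7:10]) % 2 else "female"
    return PinCheck(True, born, gender)


if __name__ == "__main__":
    # Constructed sample PINs, not real persons.
    for sample in ("010101-900R", "010101A900R", "010101-900S", "310201-900W"):
        print(sample, check_pin(sample), check_pin(sample, derive_attributes=False).valid)
```

Code that stores the birthdate and gender as their own fields and calls the checker with `derive_attributes=False` keeps working when those attributes are no longer encoded in the PIN.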

At Evitec we're waiting for decisions, as the flexibility of the Evitec Life system can again be demonstrated in this situation. None of the currently identified changes is critical for Evitec Life, as the PIN is already used as only one of the data items identifying a person. Take, for instance, the birthdate, which is often meaningful in an insurance policy: in Evitec Life it is a separate data field. But as Evitec Life has extensive integrations and REST services to surrounding parties, the dependencies between these will need to be carefully monitored to ensure a smooth transition.