IAM and data management law: what is often overlooked in calls for tenders?

20.08.2025


Veli-Pekka Vähälummukka, Program Director at Trivore

In recent years, I have been involved in several tenders for Identity Management Systems (IAM). These have usually involved careful consideration of the technical details – sometimes with too much attention to detail. In the best case, the overall architecture gets the attention it deserves, and the IAM system becomes a natural part of the wider picture.

But then there is another side. Many calls for tender forget a key aspect: legislation. In particular, the Public Administration Information Management Act (906/2019) often takes a back seat, even though it has important implications for the design and implementation of IAM.


The data management model is the invisible backbone of the IAM system

The Data Management Act requires each data management unit to have a data management model. This is not just a formality, but a concrete description of how information lives and moves within an organisation.

The IAM system must be able to operate according to this model. Access rights must be documented and managed at the system and resource level, not only technically, but also administratively – all in a transparent manner.

Principle of least privilege in access rights

Although the law does not mention IAM explicitly, it is very clear on access rights. Access rights are defined according to the user’s tasks and must be kept up to date. This sums up the principle of least privilege: the user only gets what they need. No more and no less.

To achieve this, the IAM system must support role and task-based access management. In addition, approval processes, audit trail functionality, and the ability to link access rights to data repositories in accordance with the information management model are required. Without this, the law will easily remain a paper exercise.
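The two paragraphs above name four mechanisms: task-based rights, an approval step, an audit trail, and rights tied to the data repositories of the data management model. The following Python sketch is an added illustration written for this article, not code from Trivore or from any IAM product. The repository names, the task catalogue and the user names are constructed sample values; a real deployment would read them from the organisation's data management model. It shows how a grant can be refused when no task justifies it or when the requester approves themselves, and how a periodic review turns "kept up to date" into two concrete findings: rights held without a justifying task (excess) and rights a task requires but the user lacks (missing).

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample values; in practice these come from the organisation's
# data management model (repositories) and task catalogue (task -> rights).
REPOSITORIES = {"hr-register", "case-archive", "finance-ledger"}
TASK_RIGHTS = {
    "payroll-clerk": {("hr-register", "read"), ("finance-ledger", "write")},
    "case-handler": {("case-archive", "read"), ("case-archive", "write")},
    "auditor": {("finance-ledger", "read"), ("case-archive", "read")},
}


@dataclass(frozen=True)
class Right:
    repository: str   # identifier of a data repository in the data management model
    permission: str   # e.g. "read" or "write"


@dataclass
class Account:
    user: str
    tasks: set = field(default_factory=set)
    rights: dict = field(default_factory=dict)  # Right -> approver who granted it


class Directory:
    """Minimal IAM store: accounts, task assignments and an append-only audit trail."""

    def __init__(self):
        self.accounts = {}
        self.audit = []

    def _log(self, event, **detail):
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "event": event, **detail})

    def add_account(self, user, tasks=()):
        self.accounts[user] = Account(user, set(tasks))
        self._log("account.created", user=user, tasks=sorted(tasks))

    def set_tasks(self, user, tasks):
        acct = self.accounts[user]
        self._log("tasks.changed", user=user,
                  before=sorted(acct.tasks), after=sorted(tasks))
        acct.tasks = set(tasks)

    def required_rights(self, user):
        """Rights justified by the user's current tasks: the least-privilege target set."""
        rights = set()
        for task in self.accounts[user].tasks:
            for repo, perm in TASK_RIGHTS.get(task, ()):
                rights.add(Right(repo, perm))
        return rights

    def grant(self, user, right, approver):
        """Grant a right only if a task justifies it and someone else approves it."""
        if right.repository not in REPOSITORIES:
            raise ValueError(f"unknown repository {right.repository!r}")
        if approver == user:
            raise PermissionError("self-approval is not allowed")
        if right not in self.required_rights(user):
            raise PermissionError(f"{right} is not justified by {user}'s tasks")
        self.accounts[user].rights[right] = approver
        self._log("right.granted", user=user, repo=right.repository,
                  perm=right.permission, approver=approver)

    def review(self, user):
        """Compare held rights with task-derived rights; both gaps are findings."""
        held = set(self.accounts[user].rights)
        needed = self.required_rights(user)
        return {"excess": held - needed, "missing": needed - held}

    def revoke_excess(self, user, reviewer):
        """Remove rights no longer justified by any task and record why."""
        removed = self.review(user)["excess"]
        for right in removed:
            del self.accounts[user].rights[right]
            self._log("right.revoked", user=user, repo=right.repository,
                      perm=right.permission, reviewer=reviewer,
                      reason="no justifying task")
        return removed


if __name__ == "__main__":
    d = Directory()
    d.add_account("alice", ["payroll-clerk"])
    d.grant("alice", Right("hr-register", "read"), approver="bob")
    d.grant("alice", Right("finance-ledger", "write"), approver="bob")
    d.set_tasks("alice", ["auditor"])        # job change: old rights now excess
    print("findings:", d.review("alice"))
    print("revoked:", d.revoke_excess("alice", reviewer="carol"))
    for entry in d.audit:
        print(entry)
```

The review function is the part that makes the legal requirement testable: it can be run on a schedule against every account, and anything it returns is evidence that access rights have drifted from the user's tasks. The audit list records who approved or revoked each right and why, which is the material a tender should ask for when it requires an "audit trail".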

Information security requires more than technical solutions

The Data Management Act emphasises the availability, integrity and confidentiality of data. IAM supports these objectives by providing tools for identification, authentication and access management. High-quality logging and monitoring are core functions of the system, not optional extras.

Interoperability is the common language of systems

The law also requires that the interoperability of data resources is ensured. The IAM system must support standardised interfaces (such as SAML, OAuth, and OpenID Connect) and enable the sharing of user data between different systems. This is not just a technical detail, but a prerequisite for a functioning whole.

Cooperation across organisational boundaries

The Information Management Act emphasises cooperation between public authorities. The IAM system must therefore enable multi-organisational logins and access management across organisational boundaries. This is not a vision for the future, but a requirement of today.

Summary

IAM systems are not directly mentioned in the Data Management Act, but their importance for adherence to the Act is undeniable. Without an IAM solution that supports the requirements of the law, compliance becomes both burdensome and risky. It is worth raising this aspect when drafting a call for tenders, not only for the sake of the law, but also for smooth and secure data management.

