Regular email is about as secure as a postcard, which is why it is not suitable for transmitting confidential or classified information. Such information includes, for example, trade secrets and sensitive personal data. Encrypted email ensures that the information requiring protection is always transmitted in encrypted form over the network.
In addition to encrypting data traffic, it must also be ensured that only the intended recipient is able to open the confidential message.
Authenticating the person opening the message is a legal requirement when the information being transmitted includes social welfare or healthcare data.
Encrypt email whenever the message or its attachment contains:
Act on the Processing of Client Data in Healthcare and Social Welfare (703/2023, Section 8, excerpt):
“In the processing of client data, the client, service provider, pharmacy, other parties involved in the processing of client data and their representatives, as well as technical devices and national information system services, must be identified reliably.” The Act is the current Client Data Act, and official English-language background material is available through Kanta and STM.
Office of the Data Protection Ombudsman on personal data in social welfare, 30 September 2022:
“If the service provider uses email with sufficiently strong encryption and the parties can be identified, it is also possible to send confidential client data by email.”
The Cybersecurity Act (124/2025) requires company management to ensure appropriate cybersecurity risk-management measures. In practice, that includes reliable access control and authentication methods and, where necessary, the ability to use secure electronic communications. This is a summary of the Act’s risk-management obligations rather than a verbatim quotation.
Decision of the Deputy Data Protection Ombudsman on identification, 4 December 2023:
A healthcare customer must also be identified reliably in connection with appointment booking. The decision states that asking only for a personal identity code together with first and last name does not verify identity in electronic transactions, and that the user of an online appointment booking system must be identified in a reliable manner.
Parliamentary Ombudsman of Finland, 24 March 2011:
In healthcare, no information relating to an identifiable person, not even the person’s name, may be sent in unencrypted email. The linked decision states that confidential information must not be sent in unprotected email.
From 25 May 2018 onwards, Finnish organizations must process personal data in accordance with the EU General Data Protection Regulation. Failure to comply with the Regulation may result in a reprimand, corrective measures concerning the processing of personal data, or an administrative fine. The fine may amount to up to 20 million euros or 4% of total annual turnover.
Detailed information on the EU General Data Protection Regulation is available, among other sources, from the Office of the Data Protection Ombudsman and on its website at www.tietosuoja.fi.
The operations of Securedmail take into account the requirements of the EU General Data Protection Regulation.