Swedish personal identity number

Swedish personal identity number

The Swedish personal identity number, or personnummer, is a persistent identifier used across public administration and much of the private economy. It makes records about the same person easy to retrieve and reconcile, which reduces administrative ambiguity. The same property makes it an unusually effective correlation key.

Persistent, but not literally immutable

The number normally remains the same for life. Skatteverket can assign a new one after correction of a registered birth date or a change of legal sex, and a fictitious identity used for severe threats includes a new number. “Practically permanent” is therefore more accurate than “immutable.”

The ordinary ten digits encode a birth date, a three-digit birth number, and a checksum. One digit of the birth number records legal sex. If birth date and sex are known, the candidate space is small; in many cases there is no need to guess because the full number can be obtained from a public record or directory.

This means a personnummer should not be treated as a secret. Its exposure is primarily a privacy and linkage problem, not proof that the possessor is the person named.

Identifier is not authenticator

Vem där - fastställande av identitet vid statliga myndigheter distinguishes a registered identity from verification that a claimant is connected to it. A personnummer selects the account or record. An identity document, electronic identification, or another strong process authenticates the person.

Fraud becomes easier when a workflow confuses the two, or when public biographical attributes can answer weak knowledge-based checks. The secure response is not to make the existing number a password. It is to remove it from authentication decisions, use strong electronic or documentary proof, minimize displayed attributes, and monitor high-risk changes and transactions.

Special Swedish protection does not make it secret

IMY describes personal identity numbers as specially protected under Swedish data-protection law, although they are not one of the GDPR’s special categories of sensitive data. Without consent, processing must be clearly justified by the purpose, secure identification, or another noteworthy reason. Controllers should expose as little of the number as possible.

That rule constrains a controller’s use; it does not turn the number into confidential authentication material. The tension is structural: the same stable identifier is valuable because authorities and firms can agree on who a record concerns, but that shared agreement also makes cross-context joining cheap.

Better identity architecture

A privacy-preserving system would separate functions that one universal number currently performs:

  • a confidential internal record key for each organization;
  • a strong authentication method for proving control of an identity;
  • narrowly disclosed attributes, such as age eligibility without full birth date;
  • sector-specific or pairwise identifiers that cannot be joined outside their intended relationship;
  • an accountable legal route for necessary cross-sector matching.

Migration would be difficult because the personnummer is embedded throughout Swedish administration. Near-term controls should therefore focus on data minimization, masking, purpose limitation, strong authentication, and limits on bulk correlation.

Its place in the wider transparency system is analyzed in Swedish public-record privacy.

Sources

  1. skatteverket.se
  2. imy.se
  3. riksrevisionen.se