Henkilötunnus (HETU)
Detects Henkilötunnus (HETU) patterns. This pattern is based on a Microsoft Purview built-in sensitive information type. Users already running Purview may prefer to enable the built-in SIT directly, or use this version as a starting point for customisation.
- Type
- regex
- Engine
- universal
- Confidence
- high
- Confidence justification
- High confidence: pattern has strong structural constraints (specific format, prefix, or character class restrictions) that significantly reduce false positive rates. Added context gating and exclusion rules improve precision and reduce incidental matches.
- Detection quality
- Verified
- Jurisdictions
- eu, fi
- Regulations
- BDSG, CNIL / LIL, GDPR
- Frameworks
- ISO 27001, ISO 27701
- Data categories
- pii, government-id
- Scope
- narrow
- Risk rating
- 9
- Platform compatibility
- Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Compatible, Netskope: Compatible
Pattern
\b\d{6}[-+A]\d{3}[A-Z0-9]\bCorroborative evidence keywords
henkilötunnus, HETU, personal identity code, ID number, identification, ID card, license, permit, registration, certificate, data record, database record, record set, data extract, data export, database table, spreadsheet, data registry, registry entry, master data (+13 more)
Proximity: 300 characters
Should match
010175-123A— Finnish HETU born in 1900s120388+234B— Finnish HETU born in 1800s150392A456C— Finnish HETU born in 2000s
Should not match
010175X123A— Invalid century character010175-12A— Too few digits in individual numbertemplate example placeholder record identifier— Template/sample context should be excluded even when anchor words are present
Known false positives
- The structured format with century marker significantly reduces false positives, though test data or documentation may contain example patterns. Mitigation: The century marker (-, +, A) provides strong structural validation. Additional keyword context improves accuracy.
- In multiple languages, similar terminology used in formal or administrative contexts (education, professional documentation) that does not constitute sensitive data collection. Mitigation: Layer with additional contextual signals such as structured identifiers, form fields, or database column headers to distinguish sensitive records from general references.