One of Findata’s most important objectives is to improve data protection for individuals and data security for social welfare and health care data. We always disclose data in such a way that the data protection of the individuals is maximised and only disclose as much data as is absolutely necessary.
Once we have issued a data permit, we compile the data stored with different controllers on a permit-specific basis, combine this data in a data secure user environment and then provide it to the permit holder into a data secure user environment. After the processing is complete, the data is erased. Thus, Findata only stores or copies the data for security reasons for as long as required by the permit issued by it.
The data is retained in a separate and closed system for which fixed-term licences are issued. For example, when a permit holder wishes to extract research results from a remote access environment, we ensure that no individual person can be identified from the results or the data to be extracted.
In the data secure user environment
- the access rights for the data are set in line with the issued permits.
- access to the devices, systems and office premises are monitored
- unauthorised use of the offices, data and systems is prevented
- all data-processing events are recorded in the log data
- data communications are monitored and restricted
The systems are carefully protected from external threats such as acts or events that would endanger data protection, including viruses and other attacks.
Social welfare and health care data cannot be used for marketing or for specifying individual commercial services.
How does the Secondary Data Act improve data protection?
The Act on the Secondary Use of Health and Social Data (552/2019) has been drawn up based on the national-level freedom of action provided for by the EU’s General Data Protection Regulation (GDPR). The Constitutional Law Committee and the Social and Health Committee have taken care to ensure that the Act does not contravene the GDPR. Representatives of the Office of the Data Protection Ombudsman have participated in the drafting workgroup for the Act, and the Data Protection Ombudsman has also been given a hearing by the Parliament.
The Secondary Data Act sets the conditions for a data secure environment in which permit holders may process data.
Primarily, the permit holder is given access to the data via a remote access connection, such that the data remains within the Findata data secure user environment.
In some cases, it is necessary to hand the data over to the permit holder. In such cases, the permit holder must demonstrate that the data will be processed in a controlled environment which fulfils the legal data protection requirements.
The Secondary Data Act requires that the Information Systems record log data, which means the processing and event history of the data. The log shows, for example, who processed the data, how the data was processed, and when the data was processed.
How is the implementation of data protection monitored?
Findata’s operations and the operations of controllers that issue data permits are supervised by the Parliamentary Ombudsman and the Data Protection Ombudsman, among others.
Those issuing data permits must give an annual report to the Data Protection Ombudsman regarding the processing of health and social data and the related log data.
The National Supervisory Authority for Welfare and Health Valvira monitors data secure user environments.
What can personal data be used for?
Secondary use of health and social data means that client and register data of social welfare and health care activities is used for purposes other than the primary purpose for which it was originally stored. Primary purposes relate to, for example, treatment provided to a patient or the processing of benefits.
The Act on the Secondary Use of Health and Social Data (so-called Secondary Data Act) lays down the purposes of use for which a permit may be issued. According to section 2 of the Act, data may be disclosed for the compilation of statistics, scientific research, development and innovation activities, education, knowledge management, steering and supervision of social and health care by authorities and the planning and reporting duty of an authority.
Thus, the purposes for which a permit may be issued are limited. The permit is based on an administrative decision made by Findata. The decision is legally binding and contains clear permit conditions. In addition, Findata has the right to request a statement from the Finnish Data Protection Ombudsman before issuing the permit.
It should be noted that the utilisation of health and social data for secondary purposes is not new. Prior to the establishment of Findata, similar data have been disclosed to scientific research and for the compilation of statistics. Finland has, for a long time, collected unique register and research data that can be used to promote the health and welfare of citizens.
Personal data processing statements provide further information on how Findata uses the data.
What are the sources of the personal data?
Findata does not hold personal data, but it collects data from social and health care sector operators and authorities regulated under the Secondary Data Act. In addition, the Secondary Data Act contains provisions on the data that Findata may obtain from said operators.
Furthermore, Findata does not collect data from individuals themselves. Instead, all the data it collects is already stored by one of the aforementioned operators regulated under the Secondary Data Act.
Findata as a controller
Findata becomes a controller of personal data when it receives data from the aforementioned operators. The processing of personal data requires that the controller has a legal basis for the processing.
The legal basis for the processing by Findata is Article 6, Section 1 (e) of the EU’s General Data Protection Regulation (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority). When processing data concerning specific categories of personal data (previously referred to as sensitive data), including personal health data, the processing is carried out on the basis of Article 9, Section 2 (g) (processing is necessary for reasons of substantial public interest) in addition to the aforementioned Article 6.
Findata does not disclose data on the rights, interests or obligations of an individual for decision-making purposes. Thus, the data is not disclosed to, for example, insurance companies for the purpose of preparing individual insurance decisions or to the Social Insurance Institution of Finland (Kela) for benefit decisions. In addition, the data is not disclosed for marketing or the definition of individual commercial services.
Your rights related to the processing of personal data
Everyone has the right to their personal data. A data subject has the right to receive information on the use of their personal data. This information is available on the Findata website and in Findata’s personal data processing statements at the end of this page. In addition to receiving information, the data subject has the following rights to their data as regards the data held by Findata:
- Right of access to one’s personal data
- Right to rectify one’s data
- Right to restrict the processing of one’s data
- Right to object to the processing of one’s data.
If you wish to exercise these rights, you can find the necessary instructions on this page under section How can I exercise my rights?
Please note that as a rule, Findata can only execute the data subject’s requests regarding the data in its possession. The right to of access to personal data, the right to rectify personal data and the right to restrict the processing of personal data concern the data held by Findata at the time of filing the request. On the other hand, a request concerning the right to object may be made for an indefinite period. Findata records all requests made by a data subject in its register. Findata also maintains a separate list of data subjects who have submitted an objection request to it.
Findata has drawn up separate forms for the implementation of rights. However, the right to restrict the processing of personal data (Article 18) is only applicable in certain situations and may already be implemented directly as a result of other requests. For example, in practice, Findata restricts the processing of personal data for the period of processing a request for the rectification of personal data (Article 16). The right to restrict the processing of data is also valid in situations where the data subject requires their personal data in order to prepare, present or defend a legal claim and where Findata no longer needs such data.
Findata retains personal data only for the period required for the purpose of the permit issued by it (for example, scientific research or the planning and reporting duty of an authority). If the data subject requires their personal data in order to prepare, present or defend a legal claim, the request concerning the matter should be submitted directly to the controller that, based on the primary purpose, holds the personal data in question.
For example, the Digital and Population Data Services Agency has the data concerning a person’s family relations, marital status and address, hospitals have data on the person’s treatment, and the Social Insurance Institution of Finland (Kela) has data on the prescriptions issued to the person. Information about controllers and the data contents of registers is available on the ‘Data’ page.
When is the exercise of rights not possible?
The exercise of rights is not possible always and in all situations. With regard to scientific research and the compilation of statistics, it is possible to restrict the rights of a data subject on a case-by-case basis.
Findata does not restrict data subjects’ rights on its own initiative. Restrictions may only be applied if a decision has been made to restrict the rights of a data subject in connection with the research project for which the data permit is applied from Findata. In that case, a separate impact assessment must have been prepared concerning the research project, and it must have been submitted to the Office of the Data Protection Ombudsman prior to initiating the project. Such a restriction of rights may apply to all of the aforementioned rights. As regards other purposes of use laid down in the Secondary Data Act, permit applicants do not have the opportunity to restrict any rights.
In a situation where a data subject objects to the processing of their personal data by Findata, Findata erases the data concerning the data subject from its systems. At times, however, it is possible that the rights of the data subject, such as the right to object, have been restricted as part of a research project, for example. In that case, Findata must consider how the research project-specific restriction applies to data subjects who have objected to the use of their personal data. In general, the right to object can be exercised without harming the research project. Findata restricts the processing of personal data for the duration of this consideration.
How can I exercise my rights?
To exercise your rights, please complete the form below. There is a separate form for each right of the data subject. Complete the form which concerns the right you wish to exercise.
- Form: Right of access [PDF, 213 kb], opens in a new window.
- Form: Right to rectification [PDF, 259 kb], opens in a new window.
- Form: Right to object [PDF, 150 kb], opens in a new window.
In order to exercise the rights, Findata must verify the identity of the data subject. This is important so that we can be sure to perform the measures to the data of the correct person.
Please submit the completed form(s) primarily via the messaging function of the Suomi.fi service (www.suomi.fi/messages). Instructions for activating Suomi.fi messages are available at: https://www.suomi.fi/instructions-and-support/information-on-messages/activate-messages.
- Log in to the Suomi.fi service with your personal online banking codes, a certificate card or a mobile certificate.
- Go to “Compose a message”
- Select “National Institute for Health and Welfare” as the recipient of the message.
- Select “Registry” as the recipient’s service or issue.
- Enter “Findata: rights of a data subject” as the subject.
- List the rights you wish to exercise (you may use the names of the forms) in the message field.
- Attach the completed form(s) by clicking “Add the attachments here”.
- Finally, click the “Send the message” button.
The message is directed to the registry of the Finnish Institute for Health and Welfare (THL), from where it is forwarded to Findata for processing. As a rule, we process requests within one month of receipt. If the processing of the request is particularly complex for some reason, we may extend the processing time to a maximum of three months.
We will send a reply on the implementation of the request/resolving the matter to the data subject as a Suomi.fi message.
If you wish to cancel your request, send a message concerning the request to Findata via the Suomi.fi service.
It is possible to exercise your rights even if you are unable to use the Suomi.fi service for some reason. In that case, you must personally visit the reception of the National Institute for Health and Welfare in Helsinki or Kuopio.
It should be noted that Findata is not the original controller of health and social data. Thus, for example, a request submitted to Findata to object to the use of personal data does not prevent the disclosure of the data for secondary use by one of the controllers referred to in the Act on the Secondary Use of Health and Social Data, Section 6.
If you have additional questions about exercising your rights, please contact us by email at firstname.lastname@example.org or by telephone at + 358 29 524 6500.
Personal data processing statements
- Personal data processing statement: Data requests [PDF, 83 kb], opens in a new window.
- Personal data processing statement: Requests concerning the rights of data subjects and personal data collected in connection with them [PDF, 73 kb], opens in a new window.
The personal data processing statement concerning data permits will be added to the website by 1 April 2020.
Kirsi Talonen, Data Protection Officer, Findata (email@example.com).