One of Findata’s most important objectives is to improve data protection for individuals and data security for social welfare and health care data.

How will data protection improve?

Findata always discloses data in such a way that the data protection of the individuals is maximised. We only disclose as much information as is absolutely necessary.

Once we have issued the data permit, we gather the data stored with different controllers, combine this data and then make it available in a data secure user environment.

In the data secure user environment

  • the access rights for the data are set in line with the issued permits.
  • access to the devices, systems and office premises are monitored
  • unauthorised use of the offices, data and systems is prevented
  • all data-processing events are recorded in the log data
  • data communications are monitored and restricted
  • the systems are carefully protected from external threats such as acts or events that would endanger data protection, including viruses and other attacks.

Social welfare and health care data cannot be used for marketing or for specifying individual commercial services.

How does the Secondary Data Act improve data protection?

The Secondary Data Act has been drawn up based on the national-level freedom of action provided for by the EU General Data Protection Regulation (GDPR). The Constitutional Law Committee and the Social and Health Committee have taken care to ensure that the Act does not contravene the GDPR.

The Secondary Data Act sets the conditions for a data secure environment in which permit holders may process data.

  • Primarily, the permit holder is given access to the data via a remote access connection, such that the data remains within the Findata data secure user environment.
  • In some cases, it is necessary to hand the data over to the permit holder. In such cases, the permit holder must demonstrate that the data will be processed in a controlled environment which fulfils the legal data protection requirements.

The Secondary Data Act requires that the Information Systems record log data, which means the processing and event history of the data. This shows, for example, who has processed the data, how, and when.

Representatives of the Office of the Data Protection Ombudsman have participated in the drafting workgroup for the Act. The Data Protection Ombudsman has also been given a hearing by Parliament.

How is the implementation of data protection monitored?

  • Findata’s operations and the operations of controllers that issue data permits are supervised by the Parliamentary Ombudsman and the Data Protection Ombudsman, among others.
  • Those issuing data permits must give an annual report to the Data Protection Ombudsman regarding the processing of health and social data and the related log data.
  • The National Supervisory Authority for Welfare and Health Valvira monitors data secure user environments.