Secondary use of social and health data means that client and register data from social and health care services are used for purposes other than the primary reason for which they were originally collected.
Findata grants permits for the secondary use of social and health data when information is needed from multiple public data controllers, the private sector, or Kanta services. We compile and preprocess the data while ensuring the protection of citizens’ privacy. We also ensure the anonymity of the published results.
You have rights to your personal data when we process personal data as a data controller.
On this page you will find general information about the secondary use of social and health data, as well as information about your rights as a data subject and how to exercise them.
General information and frequently asked questions about secondary use
Social and health data can be used for secondary purposes, such as scientific research, statistics, or planning and investigation tasks by authorities.
The secondary use of data is regulated by the Act on the Secondary Use of Social and Health Data, also known as the Secondary Use Act. The secondary use of Finnish registry and research data promotes the health and well-being of citizens.
Frequently Asked Questions about the Secondary Use of Social and Health Data
What is Findata?
Findata is the data permit authority for the social and health sector, established in 2019. Our operations are based on the Act on the Secondary Use of Social and Health Data, also known as the Secondary Use Act.
We grant permits for the secondary use of social and health data when information is needed from multiple public data controllers, the private sector, or Kanta services. We compile and preprocess the data while ensuring the protection of citizens’ privacy. Additionally, we maintain the secure Kapseli® environment where the processing of individual-level data occurs.
Under what law are the data used?
In Finland, the use of social and health data is regulated by several laws, such as:
- The Data Protection Act
- The Act on the Processing of Client Data in Social and Health Care
- The Medical Research Act
- The Act on Clinical Trials on Medicinal Products
- The Act on the Medical Use of Human Organs, Tissues, and Cells
- The Biobank Act
However, the secondary use of social and health sector register data is regulated by the Act on the Secondary Use of Social and Health Data, or the Secondary Use Act, which came into force in 2019. In the same year, the data permit authority Findata was established, centralizing the permit activities.
The Secondary Use Act defines how and under what conditions social and health data can be used outside of their original purpose, for example, in research, statistics, and other purposes not related to patient care or benefit processing. The Act also regulates issues concerning data protection and confidentiality obligations and sets requirements for data processing and security.
Before the Secondary Use Act came into force, permits for data use were granted by individual data controllers, the Ministry of Social Affairs and Health, or the National Institute for Health and Welfare, and there was no uniform practice for processing the data. Centralizing permit activities and data processing to Findata has improved data security and the privacy of citizens. When data is combined centrally, its use is more protected and can be monitored more effectively.
What can the data be used for?
The secondary use of social and health data is permitted only for certain purposes as specified in the Secondary Use Act:
- Education
- Scientific research
- Statistics
- Planning and reporting duties of authorities
- Development and innovation operations
- Knowledge management
- Guidance and supervision of a social and healthcare authority
Different regulations apply to different purposes.
For the education of social and health care professionals, scientific research, statistics, and planning and investigation duties of authorities, it is possible to obtain pseudonymized individual-level data.
For development and innovation operations, knowledge management, and guidance and supervision of a social and healthcare authority, only anonymous, aggregated statistical data, from which individuals cannot be identified, is available.
Additionally, social or health service providers, such as wellbeing services counties, can use the data generated in their operations or stored in their registers for knowledge management without a separate permit. The data can be used for producing, monitoring, evaluating, planning, developing, managing, and supervising service activities.
Data permit and data request decisions are public. See Findata’s data permit and data request decisions.
In what form can the data be used?
We provide pseudonymized individual-level data based on a data permit. In pseudonymized data, names and personal identifiers are replaced with other unique identifiers, so the data cannot be directly linked to individuals. We only provide identifiable data for particularly justified and necessary reasons.
Pseudonymized data is personal data that can only be processed in a secure environment. The processor of personal data must produce analysis results in an anonymous form, from which individual persons’ information or characteristics cannot be revealed. We ensure the anonymity of the results in accordance with the Secondary Use Act.
Based on a data request, we provide anonymous statistical data. In statistical data, individual personal data has been combined and summarized so that the statistics describe groups of people rather than individuals. Individual persons cannot be traced or identified from the statistical data.
What data does Findata grant permits for?
The permits granted by Findata include information extracted from various registers. Register data is information that is stored in a personal data register maintained by an authority, a private service provider, or a personal data processor.
There is information about all Finns in various registers. In Finland, this register data can be used secondarily, for example, in research that promotes the health and well-being of citizens.
Findata grants permits for the secondary use of social and health data when information is needed from multiple public data controllers, the private sector, or Kanta services. Some data controllers have transferred their permit authority to Findata. See the list of these data controllers.
All permits granted by Findata comply with the minimization principle of the General Data Protection Regulation (GDPR), meaning we only grant permits for data that has a justified need.
Can anyone get a data permit for social and health data?
The law does not specifically limit who can apply for a permit. However, Findata does not grant permits to just anyone or for any purpose but only for the purposes defined in the Secondary Use Act and for projects that meet the conditions for receiving a permit.
The granting of permits is always preceded by application processing and careful permit consideration. Permits can only be granted for essential data in accordance with the minimization principle of the EU General Data Protection Regulation.
Permits are administrative decisions involving a two-step process: the application processor acts as the presenter of the decision, and the director of Findata or their deputy approves the decision. The proposed decisions are not necessarily approved directly as is; sometimes they are returned for further preparation.
Does Findata sell my data?
Findata does not sell data. As a data permit authority, we grant time-limited permits for the secondary use of social and health data when the conditions specified in the Secondary Use Act are met.
Permits are always granted for a specific purpose and define the individuals who may process the pseudonymized data. The processor of personal data must produce analysis results in an anonymous form, from which individual persons’ information or characteristics cannot be revealed.
Findata ensures the anonymity of the results in accordance with the Secondary Use Act. This applies to all data for which a permit has been granted under the Secondary Use Act. Find the criteria for ensuring the anonymity of results and examples of common analysis types on the page Producing Anonymous Results.
When the permit expires, the permit holder no longer has access to the data, and it is destroyed.
Can my data be transferred abroad?
The majority of Findatas permits have been granted to Finnish projects. Under the EU General Data Protection Regulation (GDPR), data must move freely within the EU area, meaning the permit holder can also be located within the EU or EEA. Data must still be processed in an audited secure environment, to which only individuals specified in the permit have access.
According to the Secondary Use Act, a secure processing environment cannot be located outside the EU and EEA, so we generally do not transfer personal data outside the EU or EEA or to international organizations. Within the framework of the GDPR, data can be transferred within the European Economic Area (EEA) on the same basis as within Finland. The EEA countries include EU countries as well as Norway, Liechtenstein, and Iceland.
If data needs to be transferred or processed outside these countries, known as third countries, there must be a legal basis for the transfer under Chapter V of the GDPR. Processing personal data from abroad constitutes a data transfer, even if the data is in a secure remote access environment.
Can social and health data be used for marketing or other similar commercial purposes?
Social and health data cannot be used for marketing or for determining individual commercial services, such as insurance premiums.
Data collected under the Secondary Use Act also cannot be provided for use in administrative decision-making or other similar processes concerning an individual without their explicit consent.
How does the Secondary Use Act improve data protection?
Social and health data have been used for secondary purposes in Finland for decades. Before the Secondary Use Act, permits for data use were granted by individual data controllers, the Ministry of Social Affairs and Health, or the National Institute for Health and Welfare. There was no uniform practice for granting permits, transferring, or processing data.
Previously, data could be sent directly to the permit holder in identifiable form on memory sticks or CDs. Post-processing control was practically impossible, although permit holders have undoubtedly handled personal data with the required care.
Centralized permit procedures and data processing improve data security and citizens’ privacy. When data is combined centrally, its use is more protected and can be monitored more effectively.
Regulations have been issued on the requirements for applications and the security of environments used for data analysis. For Findata’s operations, a secure, closed Kapseli environment has been built. Users authenticate in a two-step process, cannot upload any data themselves, and cannot extract anything. Once the connection to the environment is severed, permit holders have no further access to the data.
What are the benefits of broader use of social and health data for citizens?
When comprehensive registry data is more accessible to researchers and service providers, research and data-driven management become more efficient, resulting in:
- Better services for people, more effective medicines, health-promoting and supportive applications, and health technology.
- More efficient processes and service systems that better meet customer needs.
- More agile tools for monitoring and, for example, investigating adverse drug reactions.
Thus, citizens receive better and more impactful care and support, and disparities in health and well-being are reduced.
What are the laws on which Findata bases the processing of personal data?
Findata’s legal basis for processing personal data are:
- Article 6, (1)(e) of the EU’s General Data Protection Regulation: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Article 4(1)(2) of the Data Protection Act: processing of data that is provided for by the law or that is directly attributable to the controller for the task prescribed by the law
We also process data belonging to special categories of personal data, formerly known as sensitive data. Such data includes, for example, a person’s health data.
The grounds for processing this kind of personal data are:
- Article 9(2)(g) of the EU General Data Protection Regulation: processing is necessary for the performance of a task carried out in the public interest or the exercise of public authority
- Section 6(1)(2) of the Data Protection Act: processing is necessary and proportionate for the performance of a task carried out in the public interest by a public authority
Explore research studies utilizing register data
Flagship research goes deep inside the cell – with the aim of producing breakthroughs in individual cancer treatment by combining genetic data and other patient health data
The iCAN research team is producing new information and seeking solutions to… Read more Flagship research goes deep inside the cell – with the aim of producing breakthroughs in individual cancer treatment by combining genetic data and other patient health dataA team of researchers is bridging the gap between clinical research and registry studies with the aim of reinventing cancer drug research
Heidi Loponen, Senior Scientific Consultant at MedEngine Oy, uses register data in… Read more A team of researchers is bridging the gap between clinical research and registry studies with the aim of reinventing cancer drug researchResearchers analyse the patient and registry data of thousands of diabetics in order to improve their quality-of-life – around a third of type 1 diabetics suffer from kidney disease
The FinnDiane follow-up study, which has been ongoing for more than 20… Read more Researchers analyse the patient and registry data of thousands of diabetics in order to improve their quality-of-life – around a third of type 1 diabetics suffer from kidney diseaseResearch project examines young people’s access to psychiatric care: the open dialogue approach is bringing mental health work up to the present day
A research project is studying the open dialogue treatment model, in which… Read more Research project examines young people’s access to psychiatric care: the open dialogue approach is bringing mental health work up to the present day
What are my rights related to the processing of personal data?
As a data subject, you have the right to receive information about how we use your personal data. This information is available in the privacy notices on our Privacy Policy page.
In addition, you have the following rights when we process your personal data:
- Right of access to your personal data
- Right to rectify your data
- Right to restrict the processing of your data
- Right to object to the processing of your data
- Right to lodge a complaint with a supervisory authority
Read more by clicking on the sub-headings.
Right of access to your personal data (Article 15 of the GDPR)
You have as the data subject the right to obtain a copy of your personal data processed by Findata.
In addition, you have the right to be informed of:
- where your personal data was obtained
- why your personal data is needed
- for how long your personal data is needed
- whether your personal data have been disclosed and, if so, where.
- whether your personal data has been transferred outside the EU and what safeguards have been applied to it under the GDPR
- whether the processing is carried out using automation and
- how you can exercise your rights in relation to your personal data.
Right to rectify your data (Article 16 of the GDPR)
You have as a data subject the right to correct inaccurate data processed by Findata.
Right to restrict the processing of your data (Article 18 of the GDPR)
Data subjects have the right to restrict the processing of their data in certain circumstances. Processing may also be restricted as a result of other requests without the data subject’s explicit request.
You may request Findata to restrict the processing of your personal data in the following situations:
- if your data is incorrect
- if your data are processed unlawfully but you do not want them to be deleted
- if Findata no longer needs the data for the original purpose, but you need them for the establishment, exercise or defence of legal claims
- if you have objected to the processing of your data but the final decision is still under consideration
If we restrict the processing of your data, we will, where possible, inform all those to whom the data have previously been disclosed of the restriction.
Right to object to the processing of your data (Article 21 of the GDPR)
The data subject has the right to object to the processing of personal data by us at any time on grounds relating to their particular situation. In this case, we shall no longer process the data relating to this person, unless there are substantial and legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.
Right to lodge a complaint with a supervisory authority (Article 77 of the GDPR)
Under the GDPR, every data subject has the right to lodge a complaint with a supervisory authority if he or she considers that the processing of personal data concerning him or her infringes the GDPR. Complaints are addressed to the Office of the Data Protection Ombudsman.
Read more on the webpage of the Office of the Data Protection Ombudsman (tietosuoja.fi).
What data do my rights cover?
The right to access one’s data, correct one’s data, and restrict the processing of one’s data applies to data held by Findata at the time the request is made. Findata does not have its own registry data except for ready-made datasets, but grants permits for data from various data controllers.
This means we only retain personal data while we compile and preprocess the data received from data controllers and verify its accuracy. We retain these data for four months after we have provided the data to the permit recipient. Ready-made datasets are those that Findata has assembled and preprocessed, for which we act as the data controller.
- Read more about how we process personal data as a data controller
- Read more about Findata’s ready-made datasets
Requests concerning the right to object to the processing of data can be made for an indefinite period and are effective from the day the request is processed. The right to object is not retroactive. We maintain a separate registry of individuals who have submitted an objection request.
Requests concerning the rights of data subjects are recorded in the case management system maintained by the National Institute for Health and Welfare (THL).
Note that a request submitted to Findata to object to the processing of personal data does not prevent other data controllers mentioned in the Secondary Use Act from providing data for secondary use.
If you need access to your data to prepare, present, or defend a legal claim, it is safest to make the request directly to the original data controller.
For example, the Digital and Population Data Services Agency has information on a person’s family relationships, marital status, and address; hospitals have information on a person’s treatment; and Kela has information on prescriptions given to a person. Find information about data controllers and the content of registries on the page Data.
Minors and data subject rights
Minors have the same rights as adults when processing personal data under the Secondary Use Act. The basic principle is that a minor who is able to form their own views is free to express their views on the use and processing of their personal data.
Can a child decide themselves whether to make requests?
In the case of minors, it is not possible to issue specific recommendations on the age at which a minor can independently decide on the use and processing of their data.
If taking into account their age and level of development the child is able to understand the matter and its significance, then they can decide on the exercise of their rights. Of course, this is not possible for very young children, but the older the child or young person is, the more decision-making power they have.
The guardian may make a request on behalf of the child – attach a certificate of custody or other legal representation of the child
The guardian of an underage child may make, on the behalf of the child, a request that relates to the child’s rights as a data subject. In cases of joint custody, the request should be made and signed by both guardians. A certificate of custody obtained from the Population Information System must be attached to the request. The request should be in accordance with the assumed desires of the child and should represent their best interests.
It is recommended that the guardians discuss the request with the child and hear the child’s opinion on the matter before making the request, even if the child is not yet able to make a decision on the matter. Requests for underage children must be made as separate messages through the Suomi.fi service so that they can be entered in the register as separate entities.
Inform the child
The guardians should inform the underage child of the request made on their behalf at the latest when the child is at an age and level of development where they can understand the matter. This is particularly important in situations where guardians have objected to the processing of personal data on behalf of a minor. Data processing objection requests are valid until further notice and thus continue to be valid even after the minor becomes an adult.
When is the exercise of rights not possible?
As a general rule, the rights of data subjects are not restricted and the data subject’s requests are complied with.
In some rare cases, it is possible for the researcher to derogate from the rights of the data subject if it is a scientific or statistical study. In such cases, the research project should have prepared a separate impact assessment and submitted it to the Office of the Data Protection Ombudsman before starting the project. In such cases, we will consider whether the data can be disclosed despite the data subject’s objections. We limit the processing of personal data while this assessment is being made.
Permit applicants also have the possibility to limit the right of data subjects to object to the processing of personal data for educational purposes, if the processing of personal data is necessary due to the rarity of the case. In such cases, the person providing the education must inform the persons following the teaching of the statutory duty of confidentiality and the consequences of breaching it.
If the data subject objects to the processing of their personal data by Findata, we will no longer disclose the data subject’s data to permit holders. If the data have been disclosed before the data subject has objected to the processing of their data, the data cannot, as a rule, be deleted.
How can I exercise my rights?
You can exercise your rights to data processed by Findata by filling in the form below and submitting it on Suomi.fi. Complete the form which concerns the right you wish to exercise. If you want to exercise several rights, fill in all the necessary forms.
- Form: Right of access (open PDF-file, 212 kb)
- Form: Right to rectification (open PDF-file, 259 kb)
- Form: Right to object (open PDF-file, 150 kb)
In order to exercise the rights, we must verify the identity of the data subject. This is important so that we can be sure to perform the measures to the data of the correct person.
How to submit a form on Suomi.fi
- Make sure you have Suomi.fi messaging enabled. Read the instructions on how to enable Suomi.fi messaging (suomi.fi).
- Log in with your personal online banking codes, a certificate card or a mobile certificate.
- Go to ”Compose a message”
- Select ”National Institute for Health and Welfare” as the recipient of the message.
- Select ”Registry” as the recipient’s service or issue.
- Enter ”Findata: rights of a data subject” as the subject.
- List the rights you wish to exercise (you may use the names of the forms) in the message field.
- Attach the completed form(s) by clicking ”Add the attachments here”.
- Finally, click the ”Send the message” button.
If you are unable to use the Suomi.fi service, you can personally visit the reception of the National Institute for Health and Welfare in Helsinki or Kuopio. You can find the addresses of the THL offices on the THL website (thl.fi).
How long does it take to process requests?
As a rule, we process requests within one month of receiving them. If the processing of the request is particularly complex for some reason, we may extend the processing time to a maximum of three months. We will send a reply on the implementation of the request or resolving the matter to the data subject as a Suomi.fi message.
How can I cancel the exercise of my rights?
If desired, a request objecting to the processing of data may be cancelled. This applies to any person who has submitted a data processing objection request.
A minor on whose behalf the guardians have submitted such a request may also cancel the request themselves if they are assessed as understanding the importance of the matter given their current age and level of development.
If you wish to cancel your request, send a message concerning the request to Findata via the Suomi.fi service or visit personally the reception of the National Institute for Health and Welfare in Helsinki or Kuopio.
Contact details
Data Protection Officer
tietosuojavastaava@findata.fi
