Your data rights

Secondary use of social and health data means that client and register data from social and health care services are used for purposes other than the primary reason for which they were originally collected.

Findata grants permits for the secondary use of social and health data when information is needed from multiple public data controllers, the private sector, or Kanta services. We compile and preprocess the data while ensuring the protection of citizens’ privacy. We also ensure the anonymity of the published results.

You have rights to your personal data when we process personal data as a data controller.

On this page you will find general information about the secondary use of social and health data, as well as information about your rights as a data subject and how to exercise them.

General information on the secondary use of social and health data

Social and health data can be used for secondary purposes, such as scientific research, statistics, or planning and investigation tasks by authorities.

What rights do I have?

Everyone has the right to access, rectify, restrict and object to the processing of their data.

What data do my rights cover?

As a general rule, we can only comply with the data subject’s requests if they concern personal data held by Findata.

Minors and data subject rights

Minors have the same rights as adults when processing personal data under the Secondary Use Act.

When is the exercise of rights not possible?

With regard to scientific research and the compilation of statistics, it is possible to restrict the rights of a data subject on a case-by-case basis.

How can I exercise my rights?

You can exercise your rights in Findata’s e-service. The exercise of these rights requires verification of the identity of the data subject.

How can I cancel the exercise of my rights?

Any person who has submitted a data processing objection request can cancel the exercise of their rights.

General information and frequently asked questions about secondary use

Social and health data can be used for secondary purposes, such as scientific research, statistics, or planning and investigation tasks by authorities.

The secondary use of data is regulated by the Act on the Secondary Use of Social and Health Data, also known as the Secondary Use Act. The secondary use of Finnish registry and research data promotes the health and well-being of citizens.

Frequently Asked Questions about the Secondary Use of Social and Health Data

What is Findata?

Findata is the data permit authority for the social and health sector, established in 2019. Our operations are based on the Act on the Secondary Use of Social and Health Data, also known as the Secondary Use Act.

We grant permits for the secondary use of social and health data when information is needed from multiple public data controllers, the private sector, or Kanta services. We compile and preprocess the data while ensuring the protection of citizens’ privacy. Additionally, we maintain the secure Kapseli® environment where the processing of individual-level data occurs.

More information about Findata as an organization

Read the Secondary Use Act (open PDF file, 5,4 MB)

Under what law are the data used?

In Finland, the use of social and health data is regulated by several laws, such as:

  • The Data Protection Act
  • The Act on the Processing of Client Data in Social and Health Care
  • The Medical Research Act
  • The Act on Clinical Trials on Medicinal Products
  • The Act on the Medical Use of Human Organs, Tissues, and Cells
  • The Biobank Act

However, the secondary use of social and health sector register data is regulated by the Act on the Secondary Use of Social and Health Data, or the Secondary Use Act, which came into force in 2019. In the same year, the data permit authority Findata was established, centralizing the permit activities.

The Secondary Use Act defines how and under what conditions social and health data can be used outside of their original purpose, for example, in research, statistics, and other purposes not related to patient care or benefit processing. The Act also regulates issues concerning data protection and confidentiality obligations and sets requirements for data processing and security.

Before the Secondary Use Act came into force, permits for data use were granted by individual data controllers, the Ministry of Social Affairs and Health, or the National Institute for Health and Welfare, and there was no uniform practice for processing the data. Centralizing permit activities and data processing to Findata has improved data security and the privacy of citizens. When data is combined centrally, its use is more protected and can be monitored more effectively.

Read the Secondary Use Act (open PDF file, 5,4 MB)

What can the data be used for?

The secondary use of social and health data is permitted only for certain purposes as specified in the Secondary Use Act:

  • Education
  • Scientific research
  • Statistics
  • Planning and reporting duties of authorities
  • Development and innovation operations
  • Knowledge management
  • Guidance and supervision of a social and healthcare authority

Different regulations apply to different purposes.

For the education of social and health care professionals, scientific research, statistics, and planning and investigation duties of authorities, it is possible to obtain pseudonymized individual-level data.

For development and innovation operations, knowledge management, and guidance and supervision of a social and healthcare authority, only anonymous, aggregated statistical data, from which individuals cannot be identified, is available.

Additionally, social or health service providers, such as wellbeing services counties, can use the data generated in their operations or stored in their registers for knowledge management without a separate permit. The data can be used for producing, monitoring, evaluating, planning, developing, managing, and supervising service activities.

Data permit and data request decisions are public. See Findata’s data permit and data request decisions.

In what form can the data be used?

We provide pseudonymized individual-level data based on a data permit. In pseudonymized data, names and personal identifiers are replaced with other unique identifiers, so the data cannot be directly linked to individuals. We only provide identifiable data for particularly justified and necessary reasons.

Pseudonymized data is personal data that can only be processed in a secure environment. The processor of personal data must produce analysis results in an anonymous form, from which individual persons’ information or characteristics cannot be revealed. We ensure the anonymity of the results in accordance with the Secondary Use Act.

Based on a data request, we provide anonymous statistical data. In statistical data, individual personal data has been combined and summarized so that the statistics describe groups of people rather than individuals. Individual persons cannot be traced or identified from the statistical data.

Read more about the permits granted by Findata.

What data does Findata grant permits for?

The permits granted by Findata include information extracted from various registers. Register data is information that is stored in a personal data register maintained by an authority, a private service provider, or a personal data processor.

There is information about all Finns in various registers. In Finland, this register data can be used secondarily, for example, in research that promotes the health and well-being of citizens.

Findata grants permits for the secondary use of social and health data when information is needed from multiple public data controllers, the private sector, or Kanta services. Some data controllers have transferred their permit authority to Findata. See the list of these data controllers.

All permits granted by Findata comply with the minimization principle of the General Data Protection Regulation (GDPR), meaning we only grant permits for data for which there is a justified need.

Can anyone get a data permit for social and health data?

The law does not specifically limit who can apply for a permit. However, Findata does not grant permits to just anyone or for any purpose but only for the purposes defined in the Secondary Use Act and for projects that meet the conditions for receiving a permit.

The granting of permits is always preceded by application processing and careful permit consideration. Permits can only be granted for essential data in accordance with the minimization principle of the EU General Data Protection Regulation.

Permits are administrative decisions involving a two-step process: the application processor acts as the presenter of the decision, and the director of Findata or their deputy approves the decision. The proposed decisions are not necessarily approved directly as is; sometimes they are returned for further preparation.

Does Findata sell my data?

Findata does not sell data. As a data permit authority, we grant time-limited permits for the secondary use of social and health data when the conditions specified in the Secondary Use Act are met.

Permits are always granted for a specific purpose and define the individuals who may process the pseudonymized data. The processor of personal data must produce analysis results in an anonymous form, from which individual persons’ information or characteristics cannot be revealed.

Findata ensures the anonymity of the results in accordance with the Secondary Use Act. This applies to all data for which a permit has been granted under the Secondary Use Act. Find the criteria for ensuring the anonymity of results and examples of common analysis types on the page Producing Anonymous Results.

When the permit expires, the permit holder no longer has access to the data, and it is destroyed.

Can my data be transferred abroad?

The majority of Findata’s permits have been granted to Finnish projects. Under the EU General Data Protection Regulation (GDPR), data must move freely within the EU area, meaning the permit holder can also be located within the EU or EEA. Data must still be processed in an audited secure environment, to which only individuals specified in the permit have access.

According to the Secondary Use Act, a secure processing environment cannot be located outside the EU and EEA, so we generally do not transfer personal data outside the EU or EEA or to international organizations. Within the framework of the GDPR, data can be transferred within the European Economic Area (EEA) on the same basis as within Finland. The EEA countries include EU countries as well as Norway, Liechtenstein, and Iceland.

If data needs to be transferred or processed outside these countries, known as third countries, there must be a legal basis for the transfer under Chapter V of the GDPR. Processing personal data from abroad constitutes a data transfer, even if the data is in a secure remote access environment.

Can social and health data be used for marketing or other similar commercial purposes?

Social and health data cannot be used for marketing or for determining individual commercial services, such as insurance premiums.

Data collected under the Secondary Use Act also cannot be provided for use in administrative decision-making or other similar processes concerning an individual without their explicit consent.

How does the Secondary Use Act improve data protection?

Social and health data have been used for secondary purposes in Finland for decades. Before the Secondary Use Act, permits for data use were granted by individual data controllers, the Ministry of Social Affairs and Health, or the National Institute for Health and Welfare. There was no uniform practice for granting permits, transferring, or processing data.

Previously, data could be sent directly to the permit holder in identifiable form on memory sticks or CDs. Post-processing control was practically impossible, although permit holders have undoubtedly handled personal data with the required care.

Centralized permit procedures and data processing improve data security and citizens’ privacy. When data is combined centrally, its use is more protected and can be monitored more effectively.

Regulations have been issued on the requirements for applications and the security of environments used for data analysis. For Findata’s operations, a secure, closed Kapseli environment has been built. Users authenticate in a two-step process, cannot upload any data themselves, and cannot extract anything. Once the connection to the environment is severed, permit holders have no further access to the data.

What are the benefits of broader use of social and health data for citizens?

When comprehensive registry data is more accessible to researchers and service providers, research and data-driven management become more efficient, resulting in:

  • Better services for people, more effective medicines, health-promoting and supportive applications, and health technology.
  • More efficient processes and service systems that better meet customer needs.
  • More agile tools for monitoring and, for example, investigating adverse drug reactions.

Thus, citizens receive better and more impactful care and support, and disparities in health and well-being are reduced.

What are the laws on which Findata bases the processing of personal data?

Findata’s legal bases for processing personal data are:

  • Article 6(1)(e) of the EU’s General Data Protection Regulation: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • Article 4(1)(2) of the Data Protection Act: processing of data that is provided for by the law or that is directly attributable to the controller for the task prescribed by the law

We also process data belonging to special categories of personal data, formerly known as sensitive data. Such data includes, for example, a person’s health data.

The grounds for processing this kind of personal data are:

  • Article 9(2)(g) of the EU General Data Protection Regulation: processing is necessary for the performance of a task carried out in the public interest or the exercise of public authority
  • Section 6(1)(2) of the Data Protection Act: processing is necessary and proportionate for the performance of a task carried out in the public interest by a public authority

See more information on how we process personal data

Explore research studies utilising register data

Flagship research goes deep inside the cell – with the aim of producing breakthroughs in individual cancer treatment by combining genetic data and other patient health data

11.01.2023
The iCAN research team is producing new information and seeking solutions to…

A team of researchers is bridging the gap between clinical research and registry studies with the aim of reinventing cancer drug research

21.07.2022
Heidi Loponen, Senior Scientific Consultant at MedEngine Oy, uses register data in…

Researchers analyse the patient and registry data of thousands of diabetics in order to improve their quality-of-life – around a third of type 1 diabetics suffer from kidney disease

12.05.2022
The FinnDiane follow-up study, which has been ongoing for more than 20…

Research project examines young people’s access to psychiatric care: the open dialogue approach is bringing mental health work up to the present day

13.04.2022
A research project is studying the open dialogue treatment model, in which…

What rights do I have?

As a data subject, you have the right to receive information about how we use your personal data. This information is available in the privacy notices on our Privacy Policy page.

In addition, you have the following rights when we process your personal data:

  • Right of access to your personal data
  • Right to rectify your data
  • Right to restrict the processing of your data
  • Right to object to the processing of your data
  • Right to lodge a complaint with a supervisory authority

Right of access to your personal data (Article 15 of the GDPR)

As the data subject, you have the right to obtain a copy of your personal data processed by Findata.

In addition, you have the right to be informed of:

  • where your personal data was obtained
  • why your personal data is needed
  • for how long your personal data is needed
  • whether your personal data have been disclosed and, if so, where
  • whether your personal data has been transferred outside the EU and what safeguards have been applied to it under the GDPR
  • whether the processing is carried out using automation and
  • how you can exercise your rights in relation to your personal data.

Right to rectify your data (Article 16 of the GDPR)

As a data subject, you have the right to correct inaccurate data processed by Findata.

Right to restrict the processing of your data (Article 18 of the GDPR)

Data subjects have the right to restrict the processing of their data in certain circumstances. Processing may also be restricted as a result of other requests without the data subject’s explicit request.

You may request Findata to restrict the processing of your personal data in the following situations:

  • if your data is incorrect
  • if your data are processed unlawfully but you do not want them to be deleted
  • if Findata no longer needs the data for the original purpose, but you need them for the establishment, exercise or defence of legal claims
  • if you have objected to the processing of your data but the final decision is still under consideration

If we restrict the processing of your data, we will, where possible, inform all those to whom the data have previously been disclosed of the restriction.

Right to object to the processing of your data (Article 21 of the GDPR)

The data subject has the right to object to the processing of personal data by us at any time on grounds relating to their particular situation. In this case, we shall no longer process the data relating to this person, unless there are substantial and legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

Right to lodge a complaint with a supervisory authority (Article 77 of the GDPR)

Under the GDPR, every data subject has the right to lodge a complaint with a supervisory authority if he or she considers that the processing of personal data concerning him or her infringes the GDPR. Complaints are addressed to the Office of the Data Protection Ombudsman.

Read more on the webpage of the Office of the Data Protection Ombudsman (tietosuoja.fi).

For more information about your rights under the GDPR and how to exercise them, visit the website of the Data Protection Ombudsman (tietosuoja.fi).

What data do my rights cover?

The right to access one’s data, correct one’s data, and restrict the processing of one’s data applies only to social and health data held by Findata at the time the request is made.

What data does Findata have?

Findata does not permanently store registry data. We act as a contact point between permit applicants (usually researchers) and data controllers (such as hospitals and Kela) when granting data permits for a fixed period for data from various controllers.

  • We only retain personal data while we compile and preprocess the data received from data controllers and verify its accuracy.
  • These data are retained for four months after they have been provided to the permit recipient.

Exception: Ready-made datasets are precompiled and preprocessed datasets for which Findata acts as the data controller.

What does the right to object mean?

When you exercise your right to object to the processing of your data, Findata will no longer provide your data for secondary use, such as scientific research.

  • An objection request is valid indefinitely from the date it is processed.
  • The right to object is not retroactive, meaning that data already provided to permit recipients before the request was submitted will not be removed.

How is the right to object implemented at Findata?

When you object to the secondary use of your data through Findata:

  • Your request is recorded in the case management system maintained by the Finnish Institute for Health and Welfare (THL).
  • Your data will be removed from datasets received by Findata based on your personal identity code. Therefore, we must retain and process your personal identity code to implement the request.

Note: Submitting an objection request to Findata does not prevent other data controllers mentioned in the Secondary Use Act from providing your data for secondary use.

For example, hospitals hold data on a person’s treatment, and the Social Insurance Institution of Finland (Kela) holds data on prescriptions issued to a person. Currently, there is no centralised system in Finland for objecting to the secondary use of data.

Important considerations

  • The Digital and Population Data Services Agency (DVV) does not process objections related to the disclosure of personal data for purposes defined in the Secondary Use Act.
    • Restrictions on the disclosure of data in the Population Information System are governed by the Act on the Population Information System and the Digital and Population Data Services Agency’s Certification Services (§28).
    • Read more (in Finnish): Tietojen luovuttamisen kieltäminen (dvv.fi)
  • If you need access to your personal data, for example, to prepare, present, or defend a legal claim, you should submit the request directly to the original data controller.

Minors and data subject rights

Minors have the same rights as adults when processing personal data under the Secondary Use Act. The basic principle is that a minor who is able to form their own views is free to express their views on the use and processing of their personal data.

Can a child decide themselves whether to make requests?

In the case of minors, it is not possible to issue specific recommendations on the age at which a minor can independently decide on the use and processing of their data.

If, taking into account their age and level of development, the child is able to understand the matter and its significance, they can decide on the exercise of their rights. Of course, this is not possible for very young children, but the older the child or young person is, the more decision-making power they have.

The guardian of an underage child may make, on behalf of the child, a request that relates to the child’s rights as a data subject. It is recommended that the guardians discuss the request with the child and hear the child’s opinion on the matter before making the request, even if the child is not yet able to make a decision on the matter.

See step-by-step instructions on how to submit a request on Findata’s e-service

Inform the child

The guardians should inform the underage child of the request made on their behalf at the latest when the child is at an age and level of development where they can understand the matter. This is particularly important in situations where guardians have objected to the processing of personal data on behalf of a minor.

Objection requests are valid until further notice and thus continue to be valid even after the minor becomes an adult.

When is the exercise of rights not possible?

As a general rule, the rights of data subjects are not restricted and the data subject’s requests are complied with.

In some rare cases, it is possible for the researcher to derogate from the rights of the data subject if it is a scientific or statistical study. In such cases, the research project should have prepared a separate impact assessment and submitted it to the Office of the Data Protection Ombudsman before starting the project. In such cases, we will consider whether the data can be disclosed despite the data subject’s objections. We limit the processing of personal data while this assessment is being made.

Permit applicants also have the possibility to limit the right of data subjects to object to the processing of personal data for educational purposes, if the processing of personal data is necessary due to the rarity of the case. In such cases, the person providing the education must inform the persons following the teaching of the statutory duty of confidentiality and the consequences of breaching it.

If the data subject objects to the processing of their personal data by Findata, we will no longer disclose the data subject’s data to permit holders. If the data have been disclosed before the data subject has objected to the processing of their data, the data cannot, as a rule, be deleted.

How can I exercise my rights?

You can exercise your rights regarding the data processed by Findata through Findata’s e-service.

Findata must verify the identity of the person exercising their rights to ensure that actions are directed at the correct individual’s data. For this reason, we use Suomi.fi authentication in our e-service.

Suomi.fi authentication is a strong identification service that allows you to log into Finnish public administration e-services using online banking credentials, a mobile certificate, or a smart card. Using electronic services is secure when your identity has been verified. You can find more information at suomi.fi.

How to exercise your rights in Findata’s e-service

  1. Go to asiointi.findata.fi.
  2. Click “Login”.
  3. Select Suomi.fi as the authentication method.
    • If you are logged in using another method, log out first.
  4. Authenticate using online banking credentials, a mobile certificate, or a smart card.
  5. After authentication, click “Continue to service”.
  6. Select the appropriate form from the list by clicking the blue “Fill in the application” button.
    • To object to the processing of personal data, select “GDPR – Request to object to the processing of personal data”.
    • To request access to your personal data, select “GDPR – Request to access your personal data”.
  7. Fill in the form carefully.
    • If you are submitting a request on behalf of a minor child or a person under guardianship, select “No” under “Is the personal identification number of the person who completed the application?” and complete the form accordingly.
  8. Finally, click the blue “Submit application” button.
    • Depending on your device, the button may be on the right side or below the form.

If you want to exercise multiple rights or act on behalf of others, complete and submit all relevant forms separately for each person.

To receive notifications about your request:

  1. Click your name at the top of the e-service.
  2. Add your email address.
  3. Click “Save”.

Exercising your rights without using Findata’s e-service

If you cannot or do not wish to use Findata’s e-service, print out and use these forms:

You have the option to submit a request in person or by mail. See step-by-step instructions below.

Submitting a GDPR request in person

  1. Print and complete the request form.
  2. Visit the reception of the National Institute for Health and Welfare (THL) in Helsinki or Kuopio.
  3. Bring an identity document for verification.
  4. THL office addresses are available on THL’s website (thl.fi).

If you are submitting a request on behalf of a minor child or a person under guardianship, you must include a certificate of child custody obtained from the Population Information System. The request must align with the child’s presumed will and serve the child’s best interests. In cases of joint custody, the request must be made and signed by both guardians.

Submitting a GDPR request by mail

  1. Print and complete the request form.
  2. Have the authenticity of your signature notarised.
  3. Mail the request and address it to Findata.
    • Consider sending the request as a registered letter as it contains personal information.
    • Findata’s postal address is P.O. Box 30, FI-00301 Helsinki, Finland.

If you are submitting a request on behalf of a minor child or a person under guardianship, you must include a certificate of child custody obtained from the Population Information System. The request must align with the child’s presumed will and serve the child’s best interests. In cases of joint custody, the request must be made and signed by both guardians.

How long does it take to process requests?

As a rule, we process requests within one month of receiving them. If the processing of the request is particularly complex for some reason, we may extend the processing time to a maximum of three months. We will send a reply on the implementation of the request or resolving the matter to the data subject as a Suomi.fi message.

Prohibiting contact regarding registry research findings

The right to refuse contact based on Section 55 of the Secondary Use Act differs from other rights, as it does not apply to data processed by Findata.

You can submit a prohibition on contact regarding registry research findings electronically in the new version of OmaKanta or at any public healthcare service unit. This request cannot be made through Findata, Kela, or THL.

Prohibiting contact regarding registry research findings on OmaKanta

  1. Log in to OmaKanta at kanta.fi.
  2. Select ‘Siirry kokeilemaan OmaKannan uutta versiota’ on the homepage.
  3. In the sidebar, choose ‘Potilastietojen uudet luvat ja kiellot’.
  4. Open the ‘Kiellot’ tab.
  5. Under ‘Yhteydenottokielto’, select ‘Rekisteritutkimuksen löydöksiä koskeva yhteydenottokielto’ and click ‘Muokkaa kieltoa’.
  6. Select ‘Tee kielto’ to refuse contact.

How can I cancel the exercise of my rights?

If desired, a request objecting to the processing of data may be cancelled. This applies to any person who has submitted a data processing objection request.

A minor on whose behalf the guardians have submitted such a request may also cancel the request themselves if they are assessed as understanding the importance of the matter given their current age and level of development.

If you wish to cancel your request, send a message concerning the request to Findata via the Suomi.fi service or visit the reception of the National Institute for Health and Welfare in Helsinki or Kuopio in person.
