Data

You can obtain social and health sector register data through us, when you need these for secondary use and the data originates from numerous different public controllers, public service providers and the Kanta Services.

What data are available via Findata?

You can apply for access to the data maintained by the controllers listed below via Findata. More details on these data restrictions can be found in the Act on the Secondary Use of Health and Social Data.

Controllers create data descriptions for their register content so that those requiring data are able to assess the suitability of the register’s data for secondary use. You can obtain more information about the available data directly from the controllers.

We have initiated cooperation with controllers to standardise data descriptions.

Can data be combined to other information?

Data referred to in the Act on the Secondary Use of Health and Social Data can be combined to other information, such as data a person has collected themselves or data accessed with some other permit. As a rule, Findata or a statistics authority can combine the data.

If you wish to combine data later on to data you have received via Findata, send an amendment application for the data to be combined. For more information please see the Amendment permits page.

If you are applying to have data accessed with an individual’s consent to be combined with data that Findata has issued a permit for, the research subject’s notification and consent models must be attached to the application.

If the data have been accessed with the permission of other actors, list the following information in the application:

• Permit record number, issuer, date of decision.
• If the permit process is pending, the party to whom the application was submitted and the permit process start date.
• A brief description of the information content of other data.
• Do not attach permits for other data to the application. The application processor will ask for these separately of necessary.

See the instructions for sending data on the page Submitting data to Findata (in Finnish).

Where can the data be analysed?

The aggregated statistical data accessed via a data request is sent to the customer, and it can be analysed freely in accordance with a data utilisation plan.

Data on individuals that require a data permit can only be analysed in a secure environment.

As a rule, the data will always be disclosed to Findata’s secure operating environment Kapseli. However, the Act on the Openness of Government Activities makes it possible to disclose information to other operating environments, if necessary. Read more below in the section: Findata’s regulation sets information security requirements for environments.

If an individual controller within the scope of the Act on Secondary Use has made a decision on a data permit concerning data included in their own registers, they must disclose the data to a secure environment referred to in the Act on Secondary Use as well.

Amendment permits are also officially data permits (decisions to amend data permits), meaning the same requirements apply to these as to data permits. The exception to this is changes to personal data processors.

National Supervisory Authority for Welfare and Health Valvira Valvira maintains a public register of the compliant operating environments notified to it. Read more on Valvira’s website: Database of secondary-use environments

On the page you’ll also find information about registering in the database and registration fees.

Findata’s regulation sets information security requirements for environments

We have issued a regulation in accordance with the Act on the Secondary Use of Health and Social Data, which describes the requirements laid down other service providers’ secure operating environments.

The regulation concerns the secondary use of social and health data, and it will be applied to all the purposes provided in the Act on the Secondary Use of Health and Social Data for which a data permit is required. These purposes include scientific research, statistics, teaching and the planning and investigation tasks of the authorities. With regard to teaching, the regulation pertains to the preparation of teaching materials, not actual teaching.

As of 1 May 2022, the implementation of the requirements laid down in the regulation is a prerequisite for the disclosure of data to be processed by the permit holder for secondary purposes in an environment other than Findata’s secure operating environment Kapseli. In addition, the operating environment must be assessed by a data security assessment body that must issue a certificate on the assessment.

The requirements take into account the solutions in existing environments and enable the utilisation of different technical solutions.

At its simplest, a secure environment can be a physically and technically secure space with a terminal device for analysing data that is isolated from the Internet and other devices. On the other hand, technical solutions based on cloud services are also possible, as long as the service provider ensures the required level of data security.

The operating environments of foreign researchers must also meet the data protection and security requirements laid down in the regulation. Their validity can be demonstrated by means of certificates based on international audits, the compliance of which is verified by an assessment body approved in Finland.

Read more on the regulation on the page Regulation on operating environments

Where do I send an application for a permit?

• Under the law, statistical, aggregated data subject to a data request can only be accessed via Findata.
• In addition to Findata, public controllers can issue data permits, if the application is related only to data maintained by the controller in question.
• Amendment permits are also officially data permits (decisions to amend data permits), meaning the authority for issuing these is determined in the same manner as for data permits.

Findata is responsible for the application and the permit decision whenever the data of data controllers covered by the Secondary Act are combined. Submit an application for a permit or change to Findata if it concerns:

1. data from numerous public social and health sector controllers
2. register data from one or numerous private social welfare and health care service organisers, or
3. customer data saved in the Kanta Services.

Transferred right to issue permits

Public controllers may authorise Findata to carry out on their behalf, as detailed in the Secondary Data Act, services other than advice and data description services. In practice, this means the transfer of authority for the issuing of permits referred to in the Act on the Secondary Use of Health and Social Data. Exceptions to this rule are the Digital and Population Data Services Agency, the Finnish Centre for Pensions and Statistics Finland, which cannot transfer their authority to issue permits.

We also process data permit applications and amendment applications that apply only to the information content of the specific controller’s registers for controllers who have transferred their authority to issue data permits.

At the moment, the following controllers have transferred the right to issue permits to Findata:

• Finnish Institute for Health and Welfare THL, excluding its internal permit administration, the data it collects as a statistics authority as well as the permit administration for the disclosure of samples and information transferred to the THL Biobank.
• Rauma City social welfare and health care sector
• Pori City Social and Health Care Centre
• Turku City Welfare Services Division register data that contains personal data (Effica, Pegasos, and WinHit Registers)

See also

Application assistant