This page contains a compilation of frequently asked questions. Click on a question to view the answer.
The answers are based on the website of the Ministry of Social Affairs and Health which provides an extensive description of the secondary use of health and social data. We will update the list as and when required.
Frequently asked questions
- What are the benefits of more extensive use of health and social data for citizens?
- What is the difference between primary and secondary use of health and social data?
- What is the need for the Act on the Secondary Use of Health and Social Data?
- Can I prohibit the secondary use of my data?
- Can my information be disclosed abroad?
- Will my data be sold to third parties?
- May social and health information be used for marketing or other similar commercial purposes?
- Is the access to personal data secure? Is data protection implemented?
What are the benefits of more extensive use of health and social data for citizens?
Providing researchers and service providers with easier access to extensive register data facilitates research and knowledge management, and
- people can be provided with better services, more effective medicines as well as applications and health technology that enhance health and support treatments
- the efficiency of processes and service systems can be improved, and they can be fitted more effectively to customers’ requirements
- more agile tools can be developed for monitoring and, for example, studying the adverse effects of medicines.
This enables citizens to receive better and more effective treatment and care as well as narrows welfare and health gaps.
What is the difference between primary and secondary use of health and social data?
Primary use means the purpose for which the data was originally saved in the customer register and/or patient register. The primary purpose may be, for example, examination, treatment and rehabilitation of the patient, the service received by a social welfare customer, or the processing of benefits by the Social Insurance Institution of Finland (Kela).
Secondary use means the use of the same data for purposes other than the primary use. Legitimate secondary purposes of use include scientific research, statistics, development and innovation activities, education, knowledge management, steering and supervision by authorities and the planning and reporting duty of an authority.
Different purposes of use are subject to different regulations. Only aggregated statistics from which individuals cannot be identified may be obtained for development and innovation activities.
What is the need for the Act on the Secondary Use of Health and Social Data?
The Act on the Secondary Use of Health and Social Data (552/2019) is required for the improvement of data security and the data protection of citizens. Previously, there was no clear legal basis for the secondary use of health and social data.
The processing of data permit applications may have taken years when permit applications had to be filed with several controllers. This has led to the underutilisation of valuable data. The Act on the Secondary Use of Health and Social Data relieves the overlapping administrative burden associated with permit processing, speeds up permit processing and streamlines the compilation of data from various registers.
For example, in medical research, data is often required from various health care operating units, the registers of the Finnish Institute for Health and Welfare (THL) and Social Insurance Institution of Finland (Kela), the Population Register Centre, the Finnish Centre for Pensions and Statistics Finland. In the future, Findata will issue data permits when it is necessary to combine data from more than one controller.
Can I prohibit the secondary use of my data?
Currently, research and the compilation of statistics based on register data are carried out without separate consent. Consent will not be requested separately in the future, and the data can be used for secondary purposes.
Everyone has the right to their personal data and the right to object to the processing of the data. More information about the right to object is available on the page ‘Data protection and the processing of personal data’.
However, it should be noted that Findata is not the original controller of health and social data. Thus, for example, a request submitted to Findata to object to the use of personal data does not prevent the disclosure of the data for secondary use by one of the controllers referred to in the Act on the Secondary Use of Health and Social Data, Section 6.
Can my information be disclosed abroad?
Free movement of data within the EU is required under the General Data Protection Regulation. However, the law requires that the data is mainly processed in a centralised, secure user environment of the data permit authority for the social and health care sector, and that access rights to the environment may only be granted to authorised persons. The permit holder may also be located elsewhere than in Finland. The provision of a data secure user environment is an essential technical measure to safeguard the protection of personal data.
Data may be disclosed to another data secure user environment indicated by the permit holder only in exceptional cases. In that case, the data may only be used for the purpose for which it was provided to the permit holder. The EU’s General Data Protection Regulation specifies the conditions under which data can be disclosed outside the EU.
Will my data be sold to third parties?
No. Findata is the Health and Social Data Permit Authority, and its task is to issue data permits for the secondary use of health and social data in a centralised manner and to process data requests when data is combined from more than one register or from private service providers.
May social and health information be used for marketing or other similar commercial purposes?
The data may not be used for marketing or the definition of individual commercial services, such as insurance premiums.
Is the access to personal data secure? Is data protection implemented?
The data permit authority always discloses data in such a way that the data protection of the individuals is maximised in each particular use case. Furthermore, only the data required for the specific use is disclosed.
After issuing the data permit, the data permit authority collects the data stored by the controllers, combines them and discloses them to the requestor for use in a secure user environment.
The requirements of data secure environments in which permit holders can process data are specified by the law. Primarily, the permit holder is given access to the data via a remote access connection, such that the data remains within the data permit authority’s data secure user environment.
In some cases, it is necessary to hand the data over to the permit holder. In such cases, the permit holder must demonstrate that the data will be processed in a controlled manner in an environment which fulfils the legal data protection requirements.
In addition, the Act on the Secondary Use of Health and Social Data requires that the information systems record the processing and event history of the data, i.e. collect log data. The log shows, for example, who has processed the data, how, and when.