All news and press releases

Disclosure of anonymised data outside a secure processing environment

Under section 51 d of the Secondary Use Act, Findata may, for a specific reason, grant a data permit allowing anonymised data to be disclosed outside a secure processing environment.

A permit for anonymised data may be granted if all three of the following conditions are met:

  1. the data cannot, for justified reasons, be processed in a secure processing environment
  2. the risks related to the data are considered low
  3. the data can be anonymised reliably

In the application, the applicant must explain why the data cannot be processed in a secure processing environment compliant with the Secondary Use Act. The application must include sufficient information for Findata to assess whether the conditions are met.

If the application does not meet the required conditions, it will be processed as a standard data permit application. In that case, the data will be disclosed to a secure processing environment in accordance with section 20 of the Act.

How to apply

  1. Apply for a data permit for anonymised data in Findata’s e-service using the standard data permit application form.
  2. In the application, indicate that you are applying for disclosure of anonymised data under section 51 d of the Secondary Use Act.
  3. Complete and attach the supplementary information form:
  4. In the form, describe:
    • why the data cannot be processed in a secure processing environment
    • why the risks related to the data are considered low
    • how the data can be anonymised reliably
  5. You may also attach a separate anonymisation plan to the application.
  6. Findata will assess the application and may request additional information if needed.
  7. Once the permit has been granted, Findata will deliver the data to the permit holder either by email or through the secure Tunneli transfer service.

Please note that anonymised data does not provide the same level of usability as personal data. If the data cannot be anonymised reliably, it will instead be disclosed to a secure processing environment. For this reason, the application must also specify the secure processing environment to which the data will be disclosed in such cases.