All news and press releases

How does the Secondary Use Act improve data protection?

The Act on the Secondary Use of Health and Social Data (also known as the Secondary Use Act) strengthens the protection of personal data by clearly defining how and under what conditions health and social data can be used for purposes other than their original use, such as research and statistics.

Prior to the implementation of the Secondary Use Act in 2019, the processing of data involved several risks:

  • Permit applications were not centralised
    • Permits were granted by individual data controllers, the Ministry of Social Affairs and Health, or the Finnish Institute for Health and Welfare (THL). Practices varied, and there was no consistent process.
  • Data could be transferred on physical storage devices
    • Datasets were sometimes delivered directly to permit holders via USB sticks or CDs. This made it impossible to ensure data security or monitor how the data was used.
  • There was no way to monitor data usage afterwards
    • There was no way to track whether datasets had been deleted after the permit expired.

The Act has enhanced data protection in several key ways:

  1. Centralised permit process at Findata
    • Under the Act, all data permits are issued by Findata, the Finnish Health and Social Data Permit Authority. This has improved both data security and the protection of personal data.
    • Centralised data combining ensures safer processing and enables more effective oversight.
  2. Pseudonymisation of datasets
    • Datasets issued under the Act are pseudonymised, meaning direct identifiers are removed before the data is delivered to the permit holder.
    • Pseudonymisation prevents the direct identification of individuals.
  3. Secure processing environment
    • Data may only be analysed in a secure processing environment that has no direct internet access. These environments offer strong safeguards:
      • Only users named in the permit may access the data
      • Users log in using two-factor authentication
      • External data cannot be uploaded to the environment
      • Data cannot be exported without Findata’s review
      • Access to the data is terminated once the data permit is no longer valid
  4. Enhanced oversight
    • Findata’s operations are overseen by the Parliamentary Ombudsman and the Data Protection Ombudsman
    • Findata may request a statement from the Data Protection Ombudsman before granting a permit
    • Findata submits an annual report to the Data Protection Ombudsman on the processing of social and health data and related logs
    • The National Supervisory Authority for Welfare and Health (Valvira) monitors the security of the processing environments