Pre-processing of data under data permit

Purpose of use

We issue permits for the secondary use of social and health data when the application applies to

data from numerous public social and health sector controllers
data maintained by a single public controller, that has transferred the right to issue permits to Findata
- See the list of controllers who have transferred their right to issue permits to Findata
register data from one or numerous private social welfare and health care service organisers, or
customer data saved in the Kanta Services.

Data permits can be issued for the purposes of

scientific research
statistics
education
planning and reporting duties of an authority

Once the data permit has been issued, we combine and pre-process the data and transfer the pre-processed data to the data recipient for the purpose described in the permit.

Pre-processing refers to the actions that are taken on data disclosed to Findata by different controllers before we hand it over to the data recipient. In pre-processing, we aggregate, combine, pseudonymise, and anonymise data.

In principle, we pseudonymise the data before handing it over. Pseudonymisation refers to the processing of data so that it cannot be directly linked to individuals. We disclose information in an identifiable form only for a particularly justified and necessary reason.

We store the identifiers of pseudonymised data securely. We store the identifiers in a way that the data can be made identifiable and the same data can be produced again with the help of identifiers.

The purpose of the pre-processing of personal data is to create data sets in accordance with the issued permit from the data controllers referred to in the Secondary Use Act.

We do not use automated decision-making or profiling in the processing of data.

Data processed and data sources

Each data permit specifies which data can be processed based on it.

In the pre-processing of data permit, we process the social and health data from controllers within the scope of the data permit to the extent that they have been estimated to be necessary for each project. We store identifiers that allow us to identify the individuals whose data has been processed in the projects.

We do not issue permits for all materials of all data controllers that are subject to the Secondary Use Act. For more detailed restrictions on data, see the Secondary Use Act (in Finnish, finlex.fi).

Data controllers within the scope of the Secondary Use Act:

Data saved in Kanta services
Digital and Population Data Services Agency (DVV)
Finnish Centre for Pensions (ETK)
Finnish Institute for Health and Welfare (THL)
Finnish Institute of Occupational Health (TTL)
Finnish Medicines Agency Fimea
National Supervisory Authority for Welfare and Health Valvira
Public and private service providers of social welfare and health care
Social Insurance Institution of Finland Kela
Statistics Finland
Regional state administrative agencies (AVI)

The data is transferred to Findata and on to the data recipient via a secure transfer service.

See the list of the issued data permits

Regular disclosure of data

We disclose the material formed on the basis of the data permit to the data recipient. The recipient then becomes the controller of the transferred data.

According to the Secondary Use Act, the data can only be disclosed for processing in a secure operating environment.

Recipients of personal data

We will disclose the pre-processed data to the data recipient. In the vast majority of data permits we grant, the recipients use the data for scientific research.

We use Tieteen Tietotekniikkakeskus Oy (CSC) to carry out the technical maintenance and development of the information system (Viranomaisen tietoturvallinen käyttöympäristö) we use in pre-processing. CSC acts as a processor of personal data on behalf of Findata.

Data retention period

We will retain the data obtained from data controllers and the material formed in the pre-processing for four months after we have disclosed the data to the data recipient. During the retention period, we use the data to correct any possible errors made in the pre-processing of the material.

In the case of a rolling data permit, i.e. a data permit that entitles the data recipient to receive updates to the data, the latest data is retained until the new is formed. If the formation of new data set is based on all previously submitted material, we will retain all material for the duration of the permit.

It should be noted that the data recipient retains the data longer than Findata. The permit specifies its period of validity. The controller of the processing is defined in the data permit.

We retain the identifiers of pseudonymised materials for as long as it is necessary to carry out the research and to ensure the validity of its results, in principle for 12 years.

Transfer and disclosure of personal data to non-EU or EEA countries

As a rule, we do not disclose personal data outside the EU or EEA or to international organisations. According to the Secondary Use act, the data must be transferred to a secure operating environment that cannot be located outside the EU and EEA. If we in a specified individual case transfer personal data outside the EU and EEA or to an international organisation on the basis of another law, we will use the transfer basis chosen in accordance with the General Data Protection Regulation (GDPR), depending on the country and organisation of destination.

If the data recipient as the controller wishes to enable the processing of their data from outside the EU and EEA, they must apply to Findata for permission to allow the processing. If we grant permission, the controller must ensure that the material is transferred in accordance with Chapter V of the GDPR, when applicable.

Rights of the data subject

The data subject refers to the person to whom the original social and health information relate. When we process personal data as a data controller, the data subject has the following rights:

Right to information about the processing of personal data (Article 14 of the GDPR)
Right of access to one’s personal data (Article 15 of the GDPR)
Right to rectify one’s data (Article 16 of the GDPR)
Right to restrict the processing of one’s data (Article 18 of the GDPR)
Right to object to the processing of one’s data (Article 21 of the GDPR)

The data subject has the right to object to the processing of personal data by us at any time on grounds relating to their particular situation. In this case, we shall no longer process the data relating to this person, unless there are substantial and legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

Legal basis of processing personal data

The processing of personal data in the pre-processing of data under a data permit is based on the following laws:

Act on the Secondary Use of Social and Health Data, Sections 14, 44, and 51,
Data Protection Act, Section 4(2), and
in the case of special categories of personal data, Data Protection Act, Section 6(1)(2), and General Data Protection Regulation, Article 9(2)(g).

Cookie	Duration	Description
_pk_id	13 months	Matomo cookie. Used to store a few details about the user such as the unique visitor ID.
_pk_ses	30 minutes	Matomo cookie. Short lived cookies used to temporarily store data for the visit.