Processing of data

This privacy notice explains how Findata processes social and health care client and registry data when granting permits for the secondary use of social and health data. In this privacy notice, “data subject” refers to an individual whose original health and social data is concerned.

“Personal data” means any information relating to a data subject that can be identified directly or indirectly, as defined in the EU General Data Protection Regulation (2016/679, GDPR).

Findata complies with the GDPR, the Act on the Secondary Use of Health and Social Data, as well as other applicable data protection legislation and good data processing practices when handling personal data.

Controller

Findata – Social and Health Data Permit Authority
P.O. BOX 30, FI-00301 Helsinki, Finland
info@findata.fi

Data Protection Officer
tietosuojavastaava@findata.fi

Purpose of processing of personal data and legal basis for processing

Data permits

We issue permits for the secondary use of social and health data when the application applies to

• data from numerous public social and health sector controllers
• data maintained by a single public controller, that has transferred the right to issue permits to Findata
  • See the list of controllers who have transferred their right to issue permits to Findata
• register data from one or numerous private social welfare and health care service organisers, or
• customer data saved in the Kanta Services.

Data permits can be issued for the purposes of

• scientific research
• statistics
• education
• planning and reporting duties of an authority

Once the data permit has been issued, we combine and pre-process the data and transfer the pre-processed data to the data recipient for the purpose described in the permit.

Pre-processing refers to the actions that are taken on data disclosed to Findata by different controllers before we hand it over to the data recipient. In pre-processing, we aggregate, combine, pseudonymise, and anonymise data. In principle, we pseudonymise the data before handing it over. Pseudonymisation refers to the processing of data so that it cannot be directly linked to individuals. We disclose information in an identifiable form only for a particularly justified and necessary reason.

We process the materials in the authority’s processing environment. For managing identifiers, we use an identifier management application. In handling unstructured text data, an AI model processing within the authority’s processing environment is used to reduce the risk of direct identifiers in the text data being disclosed to unauthorised parties. The processing of personal data may also occur in the result inspection tool.

The purpose of the pre-processing of personal data is to create data sets in accordance with the issued permit from the data controllers referred to in the Secondary Use Act.

We do not use automated decision-making or profiling in the processing of data.

The processing of personal data in the pre-processing of data under a data permit is based on the following laws:

• Act on the Secondary Use of Social and Health Data (552/2019), Sections 6 a, 14, 51, and 51a,
• General Data Protection Regulation Articles 6(1)(c) and 6(1)(e)
• Data Protection Act (1050/2018), Section 4(2), and
• in the case of special categories of personal data, Data Protection Act, Section 6(1)(2), and General Data Protection Regulation, Article 9(2)(g).

Data requests

You can obtain statistical data from data controllers covered by the Secondary Use Act with a data request. Once we have made a positive data request decision, we combine and pre-process the data needed for the project and hand over the statistical-level data to the data recipient.

Data requests can be issued for the purposes of

• scientific research
• statistics
• planning and reporting duties of an authority and/or guidance and supervision of a social and healthcare authority
• education
• development and innovation operations
• knowledge management (comparative data)

The purpose of the processing of personal data is to form statistical data of the social and health data received from one or more controllers under the scope of the Secondary Use Act. We provide only anonymous statistical data on the basis of a data request.

In statistical-level data, individual personal data have been combined and summarised. The statistics describe groups of persons rather than an individual person. The data of the groups of persons is formed in such a way that individuals cannot be identified or traced.

We do not use automated decision-making or profiling in the processing of data.

The processing of personal data in the pre-processing of the data under a data request is based on the following laws:

• Act on Secondary Use of Social and Health Data, Sections 14, 45, 51 and 51a
• General Data Protection Regulation, Articles 6(1)(c) and 6(1)(e),
• Data Protection Act, Section 4(2) and,
• in the case of special categories of personal data; Data Protection Act, Section 6(1)(2) and General Data Protection Regulation, Article 9(2)(g).

Personal data processed and sources of data

Each data permit specifies which data can be processed based on it. Each data request decision specifies the basis on which the statistics are to be compiled.

In the pre-processing of data permits and data requests, we process the social and health data received from controllers under the scope of the Secondary Use Act to the extent that they have been estimated to be necessary for each project.

We do not compile statistics on all materials of all data controllers within the scope of the Secondary Use Act. For more detailed restrictions on data, see the Secondary Use Act, Section 6 (finlex.fi).

Data controllers within the scope of the Secondary Use Act:

• Data saved in Kanta services
• Digital and Population Data Services Agency (DVV)
• Finnish Centre for Pensions (ETK)
• Finnish Institute for Health and Welfare (THL)
• Finnish Institute of Occupational Health (TTL)
• Finnish Medicines Agency Fimea
• Finnish Supervisory Agency (LVV)
• Ministry of Social Affairs and Health
• Public and private service providers of social welfare and health care
• Social Insurance Institution of Finland Kela
• Statistics Finland

The data is transferred to Findata and, in the case of data permits, further to the data recipient via a secure transfer service.

See the list of the issued data permits

Regular disclosures of personal data and categories of recipients

We disclose the material formed on the basis of the data permit to the data recipient. The recipient then becomes the controller of the transferred data. In the vast majority of data permits we grant, the recipients use the data for scientific research.

According to the Secondary Use Act, the data authorised by a data permit may be disclosed for processing in a secure processing environment as specified in Section 20 of the Secondary Use Act or for other specific reasons, to another secure processing environment under Section 51 c of the Act. Furthermore, under Section 51 d of the Act, Findata may, for special reasons, grant a data permit to receive data in anonymised form outside the secure processing environment referred to in Section 20.

Read more about secure processing environments.

We disclose only statistical level data based on data requests. We do not disclose personal data.

We use Tieteen Tietotekniikkakeskus Oy (CSC) to carry out the technical maintenance and development of the information systems we use to transfer the data and compile the statistics. CSC acts as a processor of personal data on behalf of Findata.

Retention period for personal data

Data permits

We will retain the data obtained from data controllers and the material formed in the pre-processing for four months after we have disclosed the data to the data recipient. During the retention period, we use the data to correct any possible errors made in the pre-processing of the material.

In the case of a rolling data permit, i.e. a data permit that entitles the data recipient to receive updates to the data, the data from each delivery are retained for four months from the date the data was provided to the recipient. If the creation of new data is based on all previously delivered data, we retain all data for four months from the date of the last delivery to the recipient.

It should be noted that the data recipient retains the data longer than Findata.

We retain the identifiers of pseudonymised materials for as long as it is necessary to carry out the research and to ensure the validity of its results, in principle for 12 years.

Data requests

We retain data from controllers for a period of six months after we have disclosed the statistics we have compiled to the data recipient. During the retention period, we use the data to correct any possible errors in the compilation of statistics.

In the case of a rolling data request, i.e. statistics are compiled and delivered at regular intervals on the basis of updated data, we will retain for six months from the delivery of each statistical dataset to the requester.

Transfer and disclosure of personal data to non-EU or EEA countries or to international organisations

As a rule, we do not disclose personal data outside the EU or EEA or to international organisations. According to the Secondary Use act, the data must be transferred to a secure processing environment that cannot be located outside the EU and EEA. According to section 51 c of the Secondary Use Act, the data permit authority may, for a specific reason, grant a data permit that allows the data to be disclosed to another secure processing environment. If we in a specified individual case transfer personal data outside the EU and EEA or to an international organisation on the basis of another law, we will use the transfer basis chosen in accordance with the GDPR, depending on the country and organisation of destination.

If the data recipient as the controller wishes to enable the processing of their data from outside the EU and EEA, they must apply to Findata for permission to allow the processing. If we grant permission, the controller must ensure that the material is transferred in accordance with Chapter V of the GDPR, when applicable.

The statistics compiled on the basis of the data request do not contain personal data, so they can also be disclosed outside the EU member states.

Rights of the data subject

In this privacy notice, “data subject” refers to the person to whom the original social and health data relate to. For more information about the rights of data subjects, see the section “Rights of the data subject” above on this page.