Administrative court: the requirement for secure operating environments also applies to decisions on the renewal of old permits

The Administrative Court of Eastern Finland has issued a decision in a case concerning the requirement for a secure environment in the processing of research data. Findata rejected a request for rectification, which opposed the transfer of research material granted with a data permit to a secure operating environment.

Findata’s decision was appealed to the Administrative Court. The Administrative Court rejected the appeal and in its decision (27.9.2023) confirmed Findata’s view that the Act on the Secondary Use of Health and Social Data requires an environment that meets the data security criteria for the processing of social and health data.

Tanja Muotka, Findata’s legal advisor and data protection officer, is satisfied with the decision of the Administrative Court: “It is good that more case law can be obtained from the new legislation.”

Background to the complaint

The appeal concerned a situation in which the validity of a data permit granted before the entry into force of the Secondary Use Act was extended. With the decision to amend the data permit, Findata granted the extension, but required that the research data be transferred to a secure operating environment.

However, after receiving a favourable decision on the data permit, the appellant objected to the transfer, among other reasons, because of the financial resources required. The appellant also considered their operating environment to be more secure than the licensed environment. Findata rejected the appeal.

“According to the Secondary Use Act, social and health data can only be disclosed into secure environments,” Muotka emphasises. “A favourable decision to extend the validity of the data permit could therefore only be given if the research data were transferred to an audited environment that meets the requirements of the law.”

Information security requirements also apply to data disclosed before the entry into force of the Secondary Use Act

The request for rectification was appealed to the Administrative Court which rejected the appeal and upheld Findata’s decision. The Administrative Court found that the appellant was unable to demonstrate that their current operating environment met the necessary security requirements.

The information security and operating environment requirements for secondary use of social and health data are based on the Act on the Secondary Use of Health and Social Data.

The Administrative Court confirmed Findata’s interpretation of the fact that, although the secondary legislation refers to the the requirement for an operating environment in the context of disclosing the data, on the basis of the transitional act, it also applies to the data disclosed under a previous data permit. The Administrative Court found that there was a legitimate legal justification for requiring a secure operating environment and that it also safeguards the protection of private life provided for in Article 10 of the Constitution.

The practicalities of transferring the data to the chosen environment, or the amount of work and costs involved, were not relevant to the administrative court’s assessment of the case.


Sini Mickelsson

Data Protection Officer

Read more