The amendments to the Finnish Secondary Use Act entering into force on 1 May 2026 will affect data permit processes as well as the processing and disclosure of social and health data in Finland. Despite these changes, Findata’s services will remain largely unchanged.
The reform introduces changes to permit procedures and to the way social and health data are accessed, combined and disclosed for secondary use.
The most significant change is the shift from a centralised permit model to a decentralised hybrid model. In practice, this means that permits covering data from multiple data controllers can now be applied for either through Findata or separately from the individual data controllers.
Findata will continue to offer a centralised application process for permits concerning the secondary use of social and health data. We will also remain the permitting authority when data are required from private service providers, the Kanta services, or organisations that have transferred their permit authority to Findata.
Below is an overview of the key changes.
Changes related to clinical research
Legislative amendments concerning clinical research entered into force on 1 January 2026, meaning that the Secondary Use Act no longer applies to data governed by legislation on clinical drug trials, medical devices, or medical research.
Such data may still be processed in environments compliant with the Secondary Use Act or transferred to other environments, provided that all relevant legal requirements are met. However, it is no longer possible to apply through Findata for access to data that fall outside the scope of the Act.
Permit applications and data compilation in a decentralised model
From 1 May onwards, applicants may continue to apply for permits through Findata as usual, or alternatively apply separately to public data controllers.
Findata will continue to provide a centralised permit service in cases where a project involves data from two or more public data controllers and the data are combined into a single dataset.
In addition, Findata will act as the permitting authority in the following cases:
- data are requested from the Kanta services
- data are requested from private service providers
- data are requested from organisations that have transferred their permitting authority to Findata
- data are requested from Findata’s ready-made data resources
In these cases, Findata will also be responsible for compiling the data.
Permit authority has been transferred to Findata by the Finnish Institute for Health and Welfare (THL), the The Finnish Supervisory Agency, and the wellbeing services county of Eastern Uusimaa.
Where permits are obtained separately from multiple public data controllers, the organisations concerned will agree on a case-by-case basis on who is responsible for compiling the data. This responsibility may be assigned either to Findata or to one of the permitting organisations.
Invoicing will also follow a decentralised model. Each organisation will invoice separately for its own contribution. As a result, for decisions issued after 1 May, permit holders will receive one invoice from Findata and separate invoices from the data controllers that have extracted the data under the permit.
A risk-based approach to ensuring anonymity of results
A new risk-based approach will be introduced for ensuring the anonymity of results. Updated guidance and a new notification form will be published on our website.
We will also continue to develop processes for producing individual-level anonymous data and explore the introduction of differential privacy.
New regulations on permits, applications and anonymisation
During 2026, Findata will issue new regulations and update existing ones.
A regulation defining the content of data permit and data request decisions will be published by 1 May. Additional regulations concerning the anonymisation of results, data permit applications, data utilisation plans, and data request applications will be issued later in the year.
These regulations aim to ensure consistent practices across all organisations referred to in Section 6 of the Secondary Use Act within the decentralised model.
Data permits for processing in secure environments located abroad
The amended Section 51c of the Secondary Use Act enables data disclosed under a data permit to be processed in secure environments located abroad. Such environments must be operated by a trusted organisation, such as a recognised foreign university or university hospital.
This type of permit requires that the risks associated with the data are low, that a Finnish research organisation is involved, and that an adequate level of data protection and information security is ensured. A risk assessment will be carried out for each project.
A data permit for processing data outside environments compliant with the Secondary Use Act must always be applied for from Findata. Detailed guidance will be made available on our website.
