Concerned about the FinRegistry ready-made dataset? Read more about the dataset and how to object to the processing of your data

Findata’s FinRegistry ready-made data set has sparked discussions about the secondary use of social and healthcare data and the privacy of citizens. In this article, we have compiled answers to questions raised by the recent news coverage.

Finnish broadcasting company Yle reported on Saturday, June 15, 2024 (yle.fi) and Sunday, June 16, 2024 (yle.fi) about the FinRegistry ready-made dataset, for which Findata, as a data permit authority, can issue data permits.

The data set consists of registry data collected in the FinRegistry research project by THL and the Institute for Molecular Medicine Finland (FIMM) at the University of Helsinki, and the research data derived from it. It includes information from DVV, ETK, Kanta Services, Kela, the Cancer Registry, THL, and Statistics Finland. Data descriptions can be found in the Data Resources Catalogue (aineistokatalogi.fi).

In addition to ready-made data sets, we grant permits for the secondary use of social and healthcare data when data is needed from multiple public data controllers, the private sector, or Kanta Services.

Findata has not yet issued any permits for the FinRegistry dataset, meaning no data has been provided to anyone from the dataset.

Secondary use of social and health data means that client and register data from social and health care services are used for purposes other than the primary reason for which they were originally collected. In Finland, secondary use, such as scientific research, has promoted the health and well-being of citizens for decades.

Findata is the data permit authority for the social and health sector, and its operations are based on the Act on the Secondary Use of Health and Social Data, also known as the Secondary Use Act.

A data permit is a temporary permit for processing pseudonymized, confidential personal data. The data is provided to the permit holder in a secure processing environment.

Does Findata sell Finnish social and health care data?

No, we do not sell anyone’s social and health care data or engage in commercial activities.

Findata is a data permit authority that issues temporary permits for the secondary use of social and health care data when the conditions stipulated in the Secondary Use Act are met. When the permit expires, the permit holder no longer has access to the data.

The permit is always granted for a specific purpose, and the permit names the individuals who have the right to process the pseudonymized data in a closed remote access environment. Other individuals cannot see the data. The permit process always includes an application review and careful consideration. All Findata employees have had a security clearance from the Finnish Security and Intelligence Service. The permit holder accepts the permit conditions, which specify how the data may be processed.

Permits are public government decisions, and information about them can be found on the Issued Permits page.

We do not provide the FinRegistry data set or any other registry data sets as a whole to permit applicants; only the data necessary for conducting the research is extracted. For example, when it comes to birth dates, we assess whether the birth year or month would suffice instead of the exact birth date. We also evaluate whether individual-level data needs to be disclosed or if anonymous statistical data would be sufficient for the research.

Why didn’t Findata conduct a Data Protection Impact Assessment (DPIA) for the FinRegistry data set?

Yle reported that no DPIA was done for the FinRegistry ready-made data set. However, the risks associated with processing the data have been and are being assessed at various stages:

  • The FinRegistry research project, which compiled the data, conducted a DPIA on the processing of personal data in the research project.
  • Findata has conducted a DPIA of the processing environment where the ready-made data set and other data are processed.
  • Findata is also conducting a DPIA on Findata’s processing activities related to the FinRegistry ready-made data set to ensure that risks specific to this data set are considered.
  • Additionally, permit applicants conduct a DPIA on the planned processing of FinRegistry data.

How does Findata ensure data privacy in the processing of personal data?

As with all personal data sets permitted by Findata, the FinRegistry data set can only be processed in an audited secure remote access environment without internet connectivity. These remote access environments are closed, meaning users cannot transfer data in or out.

The processing environments record data processing and event history. These logs show, for example, who processed the data, how the data was processed, and when it was processed. Log data is collected both from the processing done by the authorities and data controllers and from the processing performed under the data permit.

Once the connection to the processing environment is terminated, permit holders have no means to access the data anymore.

How to object to the secondary use of your data at Findata?

You can object to the use of your data by sending us a request. Your objection will be valid indefinitely from the day the request is processed. We maintain a separate registry of individuals who have submitted an objection request.

This objection applies to data managed by Findata and data that passes through Findata. An objection request to Findata does not prevent other data controllers mentioned in the Secondary Use Act, such as wellbeing services counties, from disclosing data for secondary use.

You can find information about your rights regarding the processing of data at Findata on the Rights to Your Data page.

You can exercise your rights by filling out the form available for download below and submitting it via the Suomi.fi service. We use the Suomi.fi service due to its strong e-identification, as we must verify the identity of the person exercising their rights to ensure that actions are taken on the correct individual’s data. This objection cannot be made through Findata’s e-service.

If you cannot use the Suomi.fi service, you can visit us in person in Helsinki (Mannerheimintie 166) or Kuopio (Neulaniementie 4) at the reception services of the National Institute for Health and Welfare. In this case, we will verify your identity, so take an ID with you.

We are currently exploring alternative methods of identification in addition to Suomi.fi messages and in-person visits.

2. Submit the form on Suomi.fi

  1. Make sure you have Suomi.fi messaging enabled. Read the instructions on how to enable Suomi.fi messaging (suomi.fi).
  2. Log in with your personal online banking codes, a certificate card or a mobile certificate.
  3. Go to “Compose a message”.
  4. Select “National Institute for Health and Welfare” as the recipient of the message.
  5. Select “Registry” as the recipient’s service or issue.
  6. Enter “Findata: rights of a data subject” as the subject.
  7. List the rights you wish to exercise (you may use the names of the forms) in the message field.
  8. Attach the completed form(s) by clicking “Add the attachments here”.
  9. Finally, click the “Send the message” button.

As a rule, we process requests within one month of receiving them. We are currently processing more requests than usual, so the processing time may be longer. We will reply to the data subject by Suomi.fi message, stating how the request was implemented or how the matter was resolved.

Frequently asked questions about the secondary use of social and health data

What is Findata?

Findata is the data permit authority for the social and health sector, established in 2019. Our operations are based on the Act on the Secondary Use of Social and Health Data, also known as the Secondary Use Act.

We grant permits for the secondary use of social and health data when information is needed from multiple public data controllers, the private sector, or Kanta services. We compile and preprocess the data while ensuring the protection of citizens’ privacy. Additionally, we maintain the secure Kapseli® environment where the processing of individual-level data occurs.

More information about Findata as an organization

Read the Secondary Use Act (open PDF file, 5,4 MB)

Under what law are the data used?

In Finland, the use of social and health data is regulated by several laws, such as:

  • The Data Protection Act
  • The Act on the Processing of Client Data in Social and Health Care
  • The Medical Research Act
  • The Act on Clinical Trials on Medicinal Products
  • The Act on the Medical Use of Human Organs, Tissues, and Cells
  • The Biobank Act

However, the secondary use of social and health sector register data is regulated by the Act on the Secondary Use of Social and Health Data, or the Secondary Use Act, which came into force in 2019. In the same year, the data permit authority Findata was established, centralizing the permit activities.

The Secondary Use Act defines how and under what conditions social and health data can be used outside of their original purpose, for example, in research, statistics, and other purposes not related to patient care or benefit processing. The Act also regulates issues concerning data protection and confidentiality obligations and sets requirements for data processing and security.

Before the Secondary Use Act came into force, permits for data use were granted by individual data controllers, the Ministry of Social Affairs and Health, or the National Institute for Health and Welfare, and there was no uniform practice for processing the data. Centralizing permit activities and data processing to Findata has improved data security and the privacy of citizens. When data is combined centrally, its use is more protected and can be monitored more effectively.

Read the Secondary Use Act (open PDF file, 5,4 MB)

What can the data be used for?

The secondary use of social and health data is permitted only for certain purposes as specified in the Secondary Use Act:

  • Education
  • Scientific research
  • Statistics
  • Planning and reporting duties of authorities
  • Development and innovation operations
  • Knowledge management
  • Guidance and supervision of a social and healthcare authority

Different regulations apply to different purposes.

For the education of social and health care professionals, scientific research, statistics, and planning and investigation duties of authorities, it is possible to obtain pseudonymized individual-level data.

For development and innovation operations, knowledge management, and guidance and supervision of a social and healthcare authority, only anonymous, aggregated statistical data, from which individuals cannot be identified, is available.

Additionally, social or health service providers, such as wellbeing services counties, can use the data generated in their operations or stored in their registers for knowledge management without a separate permit. The data can be used for producing, monitoring, evaluating, planning, developing, managing, and supervising service activities.

Data permit and data request decisions are public. See Findata’s data permit and data request decisions.

In what form can the data be used?

We provide pseudonymized individual-level data based on a data permit. In pseudonymized data, names and personal identifiers are replaced with other unique identifiers, so the data cannot be directly linked to individuals. We only provide identifiable data for particularly justified and necessary reasons.

Pseudonymized data is personal data that can only be processed in a secure environment. The processor of personal data must produce analysis results in an anonymous form, from which individual persons’ information or characteristics cannot be revealed. We ensure the anonymity of the results in accordance with the Secondary Use Act.

Based on a data request, we provide anonymous statistical data. In statistical data, individual personal data has been combined and summarized so that the statistics describe groups of people rather than individuals. Individual persons cannot be traced or identified from the statistical data.

Read more about the permits granted by Findata.

What data does Findata grant permits for?

The permits granted by Findata include information extracted from various registers. Register data is information that is stored in a personal data register maintained by an authority, a private service provider, or a personal data processor.

There is information about all Finns in various registers. In Finland, this register data can be used secondarily, for example, in research that promotes the health and well-being of citizens.

Findata grants permits for the secondary use of social and health data when information is needed from multiple public data controllers, the private sector, or Kanta services. Some data controllers have transferred their permit authority to Findata. See the list of these data controllers.

All permits granted by Findata comply with the minimization principle of the General Data Protection Regulation (GDPR), meaning we only grant permits for data for which there is a justified need.

Can anyone get a data permit for social and health data?

The law does not specifically limit who can apply for a permit. However, Findata does not grant permits to just anyone or for any purpose but only for the purposes defined in the Secondary Use Act and for projects that meet the conditions for receiving a permit.

The granting of permits is always preceded by application processing and careful permit consideration. Permits can only be granted for essential data in accordance with the minimization principle of the EU General Data Protection Regulation.

Permits are administrative decisions involving a two-step process: the application processor acts as the presenter of the decision, and the director of Findata or their deputy approves the decision. The proposed decisions are not necessarily approved directly as is; sometimes they are returned for further preparation.

Does Findata sell my data?

Findata does not sell data. As a data permit authority, we grant time-limited permits for the secondary use of social and health data when the conditions specified in the Secondary Use Act are met.

Permits are always granted for a specific purpose and define the individuals who may process the pseudonymized data. The processor of personal data must produce analysis results in an anonymous form, from which individual persons’ information or characteristics cannot be revealed.

Findata ensures the anonymity of the results in accordance with the Secondary Use Act. This applies to all data for which a permit has been granted under the Secondary Use Act. Find the criteria for ensuring the anonymity of results and examples of common analysis types on the page Producing Anonymous Results.

When the permit expires, the permit holder no longer has access to the data, and it is destroyed.

Can my data be transferred abroad?

The majority of Findata’s permits have been granted to Finnish projects. Under the EU General Data Protection Regulation (GDPR), data must move freely within the EU area, meaning the permit holder can also be located within the EU or EEA. Data must still be processed in an audited secure environment, to which only individuals specified in the permit have access.

According to the Secondary Use Act, a secure processing environment cannot be located outside the EU and EEA, so we generally do not transfer personal data outside the EU or EEA or to international organizations. Within the framework of the GDPR, data can be transferred within the European Economic Area (EEA) on the same basis as within Finland. The EEA countries include EU countries as well as Norway, Liechtenstein, and Iceland.

If data needs to be transferred or processed outside these countries, known as third countries, there must be a legal basis for the transfer under Chapter V of the GDPR. Processing personal data from abroad constitutes a data transfer, even if the data is in a secure remote access environment.

Can social and health data be used for marketing or other similar commercial purposes?

Social and health data cannot be used for marketing or for determining individual commercial services, such as insurance premiums.

Data collected under the Secondary Use Act also cannot be provided for use in administrative decision-making or other similar processes concerning an individual without their explicit consent.

How does the Secondary Use Act improve data protection?

Social and health data have been used for secondary purposes in Finland for decades. Before the Secondary Use Act, permits for data use were granted by individual data controllers, the Ministry of Social Affairs and Health, or the National Institute for Health and Welfare. There was no uniform practice for granting permits, transferring, or processing data.

Previously, data could be sent directly to the permit holder in identifiable form on memory sticks or CDs. Post-processing control was practically impossible, although permit holders have undoubtedly handled personal data with the required care.

Centralized permit procedures and data processing improve data security and citizens’ privacy. When data is combined centrally, its use is more protected and can be monitored more effectively.

Regulations have been issued on the requirements for applications and the security of environments used for data analysis. For Findata’s operations, a secure, closed Kapseli environment has been built. Users authenticate in a two-step process, cannot upload any data themselves, and cannot extract anything. Once the connection to the environment is severed, permit holders have no further access to the data.

What are the benefits of broader use of social and health data for citizens?

When comprehensive registry data is more accessible to researchers and service providers, research and data-driven management become more efficient, resulting in:

  • Better services for people, more effective medicines, health-promoting and supportive applications, and health technology.
  • More efficient processes and service systems that better meet customer needs.
  • More agile tools for monitoring and, for example, investigating adverse drug reactions.

Thus, citizens receive better and more impactful care and support, and disparities in health and well-being are reduced.

What are the laws on which Findata bases the processing of personal data?

Findata’s legal bases for processing personal data are:

  • Article 6(1)(e) of the EU’s General Data Protection Regulation: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • Article 4(1)(2) of the Data Protection Act: processing of data that is provided for by the law or that is directly attributable to the controller for the task prescribed by the law

We also process data belonging to special categories of personal data, formerly known as sensitive data. Such data includes, for example, a person’s health data.

The grounds for processing this kind of personal data are:

  • Article 9(2)(g) of the EU General Data Protection Regulation: processing is necessary for the performance of a task carried out in the public interest or the exercise of public authority
  • Section 6(1)(2) of the Data Protection Act: processing is necessary and proportionate for the performance of a task carried out in the public interest by a public authority

See more information on how we process personal data
