Concerned about the FinRegistry ready-made dataset? Read more about the dataset and how to object to the processing of your data

Findata’s FinRegistry ready-made data set has sparked discussions about the secondary use of social and healthcare data and the privacy of citizens. In this article, we have compiled answers to questions raised by the recent news coverage.

Finnish broadcasting company Yle reported on Saturday, June 15, 2024 (yle.fi) and Sunday, June 16, 2024 (yle.fi) about the FinRegistry ready-made dataset, for which Findata, as a data permit authority, can issue data permits.

The data set consists of registry data collected in the FinRegistry research project by THL and the Institute for Molecular Medicine Finland (FIMM) at the University of Helsinki, and the research data derived from it. It includes information from DVV, ETK, Kanta Services, Kela, the Cancer Registry, THL, and Statistics Finland. Data descriptions can be found in the Data Resources Catalogue (aineistokatalogi.fi).

In addition to ready-made data sets, we grant permits for the secondary use of social and healthcare data when data is needed from multiple public data controllers, the private sector, or Kanta Services.

Findata has not yet issued any permits for the FinRegistry dataset, meaning no data has been provided to anyone from the dataset.

Secondary use of social and health data means that client and register data from social and health care services are used for purposes other than the primary reason for which they were originally collected. In Finland, secondary use, such as scientific research, has promoted the health and well-being of citizens for decades.

Findata is the data permit authority for the social and health sector, and its operations are based on the Act on the Secondary Use of Health and Social Data, also known as the Secondary Use Act.

A data permit is a temporary permit for processing pseudonymized, confidential personal data. The data is provided to the permit holder in a secure processing environment.

Does Findata sell Finnish social and health care data?

No, we do not sell anyone’s social and health care data or engage in commercial activities.

Findata is a data permit authority that issues temporary permits for the secondary use of social and health care data when the conditions stipulated in the Secondary Use Act are met. When the permit expires, the permit holder no longer has access to the data.

The permit is always granted for a specific purpose, and the permit names the individuals who have the right to process the pseudonymized data in a closed remote access environment. Other individuals cannot see the data. The permit process always includes an application review and careful consideration. All Findata employees have had a security clearance from the Finnish Security and Intelligence Service. The permit holder accepts the permit conditions, which specify how the data may be processed.

Permits are public government decisions, and information about them can be found on the Issued Permits page.

We do not provide the FinRegistry data set or any other registry data sets as a whole to permit applicants; only the data necessary for conducting the research is extracted. For example, when it comes to birth dates, we assess whether the birth year or month would suffice instead of the exact birth date. We also evaluate whether individual-level data needs to be disclosed or if anonymous statistical data would be sufficient for the research.

Why didn’t Findata conduct a Data Protection Impact Assessment (DPIA) for the FinRegistry data set?

Yle reported that no DPIA was done for the FinRegistry ready-made data set. However, the risks associated with processing the data have been and are being assessed at various stages:

  • The FinRegistry research project, which compiled the data, conducted a DPIA on the processing of personal data in the research project.
  • Findata has conducted a DPIA of the processing environment where the ready-made data set and other data are processed.
  • Findata is also conducting a DPIA on Findata’s processing activities related to the FinRegistry ready-made data set to ensure that risks specific to this data set are considered.
  • Additionally, permit applicants conduct a DPIA on the planned processing of FinRegistry data.

How does Findata ensure data privacy in the processing of personal data?

As with all personal data sets permitted by Findata, the FinRegistry data set can only be processed in an audited secure remote access environment without internet connectivity. These remote access environments are closed, meaning users cannot transfer data in or out.

The processing environments record data processing and event history. These logs show, for example, who processed the data, how the data was processed, and when it was processed. Log data is collected both from the processing done by the authorities and data controllers and from the processing performed under the data permit.

Once the connection to the processing environment is terminated, permit holders have no means to access the data anymore.

How to object to the secondary use of your data at Findata?

You can object to the use of your data by sending us a request. Your objection will be valid indefinitely from the day the request is processed. We maintain a separate registry of individuals who have submitted an objection request.

This objection applies to data managed by Findata and data that passes through Findata. An objection request to Findata does not prevent other data controllers mentioned in the Secondary Use Act, such as wellbeing services counties, from disclosing data for secondary use.

You can find information about your rights regarding the processing of data at Findata on the Rights to Your Data page.

You can exercise your rights regarding the data processed by Findata through Findata’s e-service. Choose the form based on the right you wish to exercise. If you want to exercise multiple rights or act on behalf of others, complete and submit all relevant forms separately for each person.

Findata must verify the identity of the person exercising their rights to ensure that actions are directed at the correct individual’s data. For this reason, we use Suomi.fi authentication in our e-service.

Suomi.fi authentication is a strong identification service that allows you to log into Finnish public administration e-services using online banking credentials, a mobile certificate, or a smart card. Using electronic services is secure when your identity has been verified. You can find more information at suomi.fi.

How to exercise your rights in Findata’s e-service

  1. Go to asiointi.findata.fi.
  2. Click “Login”.
  3. Select Suomi.fi as the authentication method.
    • If you are logged in using another method, log out first.
  4. Authenticate using online banking credentials, a mobile certificate, or a smart card.
  5. After authentication, click “Continue to service”.
  6. Select the appropriate form from the list by clicking the blue “Fill in the application” button.
    • To object to the processing of personal data, select “GDPR – Request to object to the processing of personal data”.
    • To request access to your personal data, select “GDPR – Request to access your personal data”.
  7. Fill in the form carefully.
    • If you are submitting a request on behalf of a minor child or a person under guardianship, select “No” under “Is the personal identification number of the person who completed the application?” and complete the form accordingly.
  8. Finally, click the blue “Submit application” button.
    • Depending on your device, the button may be on the right side or below the form.

To receive notifications about your request:

  1. Click your name at the top of the e-service.
  2. Add your email address.
  3. Click “Save”.

If you are unable to use the Suomi.fi authentication or service, you can personally visit the reception of the National Institute for Health and Welfare in Helsinki or Kuopio. You can find the addresses of the THL offices on the THL website (thl.fi). We will verify your identity, so please bring an identity document with you.

If you are sending the form by mail, your signature must be certified by a public notary. For more details, visit the Digital and Population Data Services Agency’s website at dvv.fi.

Use these forms only if you cannot use Findata’s e-service:

Frequently asked questions about the secondary use of social and health data

What is a data permit?

A data permit is a fixed-term authorisation granted by a public authority to use individual-level personal data for a specific purpose, for example, for research, compiling statistics or carrying out official duties.

Once a data permit is granted, the dataset is delivered to the processor in a pseudonymised format. This means that identifying information has been replaced with codes, so individuals cannot be directly identified. The data may only be processed in a secure processing environment with no direct internet access.

Data permits are particularly important in registry-based research, where data originally collected in social and healthcare client or patient registers is used for secondary purposes.

What is Findata?

Findata is the social and health data permit authority in Finland. It was established in 2019, and its operations are based on the Act on the Secondary Use of Health and Social Data, commonly known as the Secondary Use Act.

We grant data permits for the secondary use of health and social data when the data is needed from multiple public data controllers, from the private sector, from Findata’s ready-made datasets, or from the Kanta Services. We compile and preprocess the datasets with strict attention to protecting individuals’ privacy.

Findata also maintains the secure Kapseli® processing environment, where individual-level data is processed safely.

Can individuals be identified from the data?

When we grant a data permit, we provide pseudonymised individual-level data. This means that, for example, names and personal identity numbers are replaced with codes, so the data cannot be directly linked to individuals. We only release identifiable data for particularly justified and necessary reasons.

Pseudonymised data is still personal data. It may only be processed in a secure environment with no direct internet access. The data permit holder or data processor commits to conditions that prohibit attempts to identify individuals from pseudonymised data.

The data processor must produce published results in an anonymous form, from which individual persons or their characteristics cannot be identified. Findata ensures that the results meet the anonymity requirements set out in the Secondary Use Act.

If the permit concerns statistical-level data (data request), we provide anonymous data that describes population groups rather than individuals. Statistical data cannot be traced back to or used to identify individuals.

For what purposes can social and health data be used?

The secondary use of social and health data is only permitted for purposes defined by law, such as:

  • Education
  • Scientific research
  • Statistics
  • Planning and reporting duty of an authority
  • Development and innovation activities
  • Knowledge management
  • Steering and supervision of social and health care by authorities

Different types of data are available for different purposes:

  • Individual-level, pseudonymised data is available for research, statistics, planning and reporting tasks of public authorities, and education.
  • Anonymous, aggregated statistical data is available not only for the above-mentioned purposes, but also for development and innovation activities, knowledge management, and the steering and supervision of social and healthcare services.

In addition, wellbeing services counties and other service providers may use the data recorded in their own registers without a separate permit for purposes such as planning and evaluating their operations.

All data permit and data request decisions made by Findata are public. You can view them here: Issued permits

What types of data can be used with a permit from Findata?

Findata grants permits for the use of register-based data collected from various sources. This refers to information stored in registers maintained by public authorities, private service providers or other data processors.

Information about every Finnish resident is collected in different social and healthcare registers. In Finland, this data can be used for secondary purposes – for example, research aimed at improving public health and wellbeing.

We grant permits when data is needed from several public data controllers, private operators, Findata’s ready-made datasets or from the Kanta Services. Some data controllers have authorised Findata to issue permits on their behalf.

All permits comply with the data minimisation principle under the EU General Data Protection Regulation (GDPR): a permit can only be granted for data that is clearly and justifiably necessary for the stated purpose.

Before any data is released, it is pseudonymised. This means that directly identifying information – such as names or personal identity codes – is removed or replaced with a unique code, so that individuals cannot be directly identified.

Read more: Data

Can anyone get a permit to use social and health data?

The law does not specifically restrict who can apply for a permit to use social and health data. However, Findata does not grant permits to just anyone or for any purpose. A permit can only be issued for the purposes defined in the Act on the Secondary Use of Health and Social Data and for projects that meet the legal criteria for approval.

Each permit application is assessed individually. Before a permit is granted, the application undergoes a careful review. Under the EU General Data Protection Regulation (GDPR) and the data minimisation principle, a permit can only be granted for the use of data that is essential for the execution of the project.

Data permits are official administrative decisions. The decision process has two stages: the application handler acts as the presenter, and the Director of Findata or their deputy makes the final decision. The proposed decision does not always lead directly to a permit being granted: sometimes the application is returned for further preparation or requires modifications.

Read more: Conditions of data permit

Which laws regulate the secondary use of health and social data?

The secondary use of health and social data is governed by several laws that safeguard data protection and define the conditions under which the data may be processed.

The EU General Data Protection Regulation (GDPR) establishes the general principles for processing personal data across the EU. It is complemented by national legislation, such as the Act on the Secondary Use of Health and Social Data (the “Secondary Use Act”), which specifically regulates the secondary use of health and social data in Finland.

The Secondary Use Act centralises the issuance of data permits to Findata and defines in detail the permitted purposes for data use as well as the requirements for data security and oversight.

In the coming years, the European Health Data Space (EHDS) regulation will harmonise the use of health data and permit procedures for secondary use across the EU. EHDS will strengthen individuals’ rights to their data and promote the secure and efficient cross-border use of health data. The provisions concerning secondary use will apply starting in March 2029.

Other key laws include:

  • Data Protection Act (Tietosuojalaki)
  • Act on the Processing of Client Data in Healthcare and Social Welfare
  • Medical Research Act
  • Clinical Trials on Medicinal Products for Human Use Act
  • Act on the Medical Use of Human Organs, Tissues and Cells
  • Biobank Act

What are the benefits of the secondary use of health and social data for citizens?

The secondary use of health and social data means using already collected client and patient data for purposes other than their original use, such as research, statistics, and service development.

When researchers, authorities and service providers are able to use reliable and comprehensive register data, it generates information that supports decision-making and improves the quality of services. This leads to several concrete benefits for citizens:

  • Better services and more effective care
    • Data can be used to develop health and social services that better meet people’s needs.
  • More effective medicines and health technology
    • Extensive registry data supports medical research and the development of new treatments. It also enables the creation of health-promoting applications and supportive technologies.
  • Safer and more agile tools for supervision
    • Data can be used to monitor, for example, adverse effects of medicines and to improve oversight in healthcare.
  • Smoother service processes
    • Data enables the development of service systems that are more efficient and customer-oriented.
  • Promoting public health and reducing wellbeing gaps
    • Research-based information supports legislation and policymaking, helping to promote health and reduce inequality.

The secondary use of health and social data is strictly regulated. Citizens’ privacy is protected through measures such as pseudonymisation and secure processing environments.

See what types of projects Findata has granted permits for: Issued permits

How does the Secondary Use Act improve data protection?

The Act on the Secondary Use of Health and Social Data (also known as the Secondary Use Act) strengthens the protection of personal data by clearly defining how and under what conditions health and social data can be used for purposes other than their original use, such as research and statistics.

Prior to the implementation of the Secondary Use Act in 2019, the processing of data involved several risks:

  • Permit applications were not centralised
    • Permits were granted by individual data controllers, the Ministry of Social Affairs and Health, or the Finnish Institute for Health and Welfare (THL). Practices varied, and there was no consistent process.
  • Data could be transferred on physical storage devices
    • Datasets were sometimes delivered directly to permit holders via USB sticks or CDs. This made it impossible to ensure data security or monitor how the data was used.
  • There was no way to monitor data usage afterwards
    • There was no way to track whether datasets had been deleted after the permit expired.

The Act has enhanced data protection in several key ways:

  1. Centralised permit process at Findata
    • Under the Act, all data permits are issued by Findata, the Finnish Health and Social Data Permit Authority. This has improved both data security and the protection of personal data.
    • Centralised data combining ensures safer processing and enables more effective oversight.
  2. Pseudonymisation of datasets
    • Datasets issued under the Act are pseudonymised, meaning direct identifiers are removed before the data is delivered to the permit holder.
    • Pseudonymisation prevents the direct identification of individuals.
  3. Secure processing environment
    • Data may only be analysed in a secure processing environment that has no direct internet access. These environments offer strong safeguards:
      • Only users named in the permit may access the data
      • Users log in using two-factor authentication
      • External data cannot be uploaded to the environment
      • Data cannot be exported without Findata’s review
      • Access to the data is terminated once the data permit is no longer valid
  4. Enhanced oversight
    • Findata’s operations are overseen by the Parliamentary Ombudsman and the Data Protection Ombudsman
    • Findata may request a statement from the Data Protection Ombudsman before granting a permit
    • Findata submits an annual report to the Data Protection Ombudsman on the processing of social and health data and related logs
    • The National Supervisory Authority for Welfare and Health (Valvira) monitors the security of the processing environments

How is Findata’s operation supervised?

Several authorities supervise Findata’s operation to ensure that the granting of data permits and the processing of data are carried out in accordance with the law.

  • Data Protection Ombudsman
    • Supervises the processing of personal data and ensures that Findata complies with data protection legislation.
    • Receives an annual report from Findata on the processing of social and health data and the related log data.
    • May issue statements at Findata’s request before a data permit is granted.
  • Parliamentary Ombudsman
    • Oversees the lawfulness of Findata’s activities.
  • Valvira (The National Supervisory Authority for Welfare and Health)
    • Supervises the secure operating environments where data granted by Findata are processed.

In addition, Findata’s operation is guided and developed by a steering group appointed by the Ministry of Social Affairs and Health (STM). The group includes representatives from STM and various data controllers.

How is the right to object implemented at Findata?

When you object to the secondary use of your data through Findata:

  • Your request is recorded in the case management system maintained by the Finnish Institute for Health and Welfare (THL).
  • Your data will be removed from datasets received by Findata based on your personal identity code. Therefore, we must retain and process your personal identity code to implement the request.

What is the EHDS?

The European Health Data Space (EHDS) is a regulation of the European Union that establishes a common framework for the use and exchange of health data in EU countries. The aim of the regulation is to strengthen citizens’ rights to their own electronic health data and to enable the secure cross-border secondary use of health data.

The EHDS regulation is similar to the current Finnish Secondary Use Act, but it also introduces changes. The regulation includes partly different purposes of use, some of which are reserved only for public or EU entities. In addition, new operating models will be introduced for processing data requests and permit applications.

The regulation entered into force in March 2025 and will be implemented gradually over the coming years. The parts concerning secondary use will begin to apply in March 2029.

What are the laws on which Findata bases the processing of personal data?

Findata’s legal bases for processing personal data are:

  • Article 6(1)(e) of the EU’s General Data Protection Regulation: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • Article 4(1)(2) of the Data Protection Act: processing of data that is provided for by the law or that is directly attributable to the controller for the task prescribed by the law

We also process data belonging to special categories of personal data, formerly known as sensitive data. Such data includes, for example, a person’s health data.

The grounds for processing this kind of personal data are:

  • Article 9(2)(g) of the EU General Data Protection Regulation: processing is necessary for the performance of a task carried out in the public interest or the exercise of public authority
  • Section 6(1)(2) of the Data Protection Act: processing is necessary and proportionate for the performance of a task carried out in the public interest by a public authority

See more information on how we process personal data

What is anonymisation and pseudonymisation?

Anonymisation means the transformation of personal data into a form that irreversibly prevents the identification of an individual person. This may mean, for example, removing direct identifiers and simplifying the data to a general level so that personal data cannot be reconstituted in any way.

Pseudonymisation refers to the transformation of personal data, for example into a coded form. In this case, names and personal identifiers can be removed and replaced by another unique identifier, i.e. a code. Often a code key is kept so that the direct identifiers can be restored to the data. Pseudonymised data are still personal data.

Does Findata transfer data abroad?

Findata grants most permits to projects based in Finland. However, under the EU General Data Protection Regulation (GDPR), personal data must be able to move freely within the EU. This means that the permit holder may also be located in another EU or EEA country. Even in such cases, the data must be processed in an audited and secure environment, with access granted only to the individuals specified in the permit.

According to the Secondary Use Act, the secure processing environment must not be located outside the EU or EEA. Therefore, Findata does not, as a rule, transfer personal data outside the EU/EEA or to international organisations.

If data is to be transferred to or processed in countries outside the EEA (so-called third countries), a legal basis is required under Chapter V of the GDPR. It is important to note that processing personal data from outside the EEA is considered a data transfer, even if the data remains in a secure remote access environment.

Does Findata sell my data?

Findata does not sell data. As the data permit authority, we grant fixed-term permits for the secondary use of social and health data only when the conditions set out in the Act on the Secondary Use of Health and Social Data are met.

Each permit is granted for a specific purpose, and it defines which individuals are allowed to process the pseudonymised dataset. Those who process the data must produce analysis results in anonymous form, so that no individual’s information or characteristics can be identified.

Findata is responsible for ensuring the anonymity of results, in accordance with the Secondary Use Act. This applies to all datasets covered by a permit.

When the permit expires, the permit holder’s access to the data is revoked and the dataset is destroyed.

Read more: Conditions of data permit

How can I object to the secondary use of my data?

Everyone has the right to their personal data, including the right to object to the processing of their data. Once you submit an objection request, Findata will no longer disclose your data for secondary use.

  • The objection is valid indefinitely from the date it is processed.
  • The objection is not retroactive: your data will not be removed from data resources that have already been disclosed to permit holders before the objection was submitted.
  • You can submit the objection request via Findata’s e-service, by post or by visiting the Finnish Institute for Health and Welfare (THL) in person.

Instructions on how to exercise your rights: Your data rights

Please note that an objection submitted to Findata does not prevent other data controllers listed in the Act on the Secondary Use of Health and Social Data from disclosing your data for secondary purposes.

There is currently no centralised system in Finland that would allow you to object to the secondary use of your data in a way that would be binding on all controllers. Therefore, objections must be submitted separately to each controller.

What is the difference between primary and secondary use of health and social data?

Primary use means the purpose for which the data was originally saved in the customer register and/or patient register.

The primary purpose may be, for example,

  • examination, treatment and rehabilitation of the patient,
  • the service received by a social welfare customer,
  • or the processing of benefits by the Social Insurance Institution of Finland (Kela).

Secondary use means the use of the same data for purposes other than the primary use.

Legitimate secondary purposes of use include

  • scientific research,
  • statistics,
  • development and innovation activities,
  • education,
  • knowledge management,
  • steering and supervision by authorities and
  • the planning and reporting duty of an authority.

Different purposes of use are subject to different regulations. Only aggregated statistics from which individuals cannot be identified may be obtained for development and innovation activities.
