Our policy on authorities’ competence has been clarified. Findata is responsible for the application and the permit decision whenever data are combined from data controllers covered by the Act on secondary use of health and social data. The assessment of the competent authority must therefore consider all the data related to the application.
“Data permits have been applied for from individual controllers one at a time, although the intention has been to combine this requested data. As a result, we have received inquiries from data controllers about who combines this data and how to deal with pseudonymization keys, ”says Johanna Seppänen, Director of Findata.
The aim of the policy is to clarify matters of competence. Findata is responsible for the application whenever data subject to secondary law is combined, even if permit is sought for the data of only one data controller. The only exceptions to this are situations where only data from Digital and Population Data Services Agency (DVV), Finnish Centre for Pensions (ETK) and / or Statistics Finland are requested, and according to the data utilization plan, they will not be combined with other data subject to the Act.
The wording used in the Act “when the application for a data permit applies” will therefore be interpreted more broadly: if the application or data utilization plan mentions other data under the Act to be combined with the requested data, the application applies also to this additional data.
An individual public data controller may continue to grant permission if the requested data is not combined with other data subject to the Act.