The Finnish Secondary Use Act is being revised to address the challenges identified during its five years of implementation. Findata highlights the need to safeguard the independence and impartiality of the permit authority and to improve access to individual-level data for research purposes.
This article was first published in Finnish in October 2024.
The Secondary Use Act, which came into force in 2019, has significantly improved data security and privacy practices in the secondary use of social and health data.
Findata has issued approximately 1,300 permit decisions, and there are currently around 1,100 users in the secure Kapseli processing environment. Additionally, Finland now has nine other audited processing environments where sensitive data can be analysed.
Despite considerable progress over the past five years in harmonising practices, enhancing data security, and improving transparency in secondary use, there are still areas that require improvement.
When revising the legislation, particular attention should be paid to the following ten issues:
1. The permit authority must be an independent and impartial body
The authority granting permits should be an organisation separate from research activities. This ensures equal treatment of applicants and guarantees the independence and impartiality of permit decisions.
2. A centralised model should be maintained for permits covering data from multiple controllers
Centralising the permit process ensures uniform handling procedures, enhances data protection, and increases transparency in the secondary use of social and health data.
A centralised permit process ensures that the compiled datasets are appropriate in scope and content, that authorised data processors are consistently defined, and that the same permit conditions apply to all data.
3. Development and innovation activities must have access to individual-level data
Pseudonymised datasets should be processed in secure environments in the same manner as other individual-level data.
4. The requirement for Findata to centrally verify result anonymisation should be removed
Centrally ensuring the anonymisation of results is complex and difficult to implement efficiently and appropriately. Researchers are best equipped to assess the anonymisation of their results when clear guidelines and training are available.
Anonymisation is most effectively ensured at the point when results are published from secure processing environments.
5. Availability services should be added to the services provided by data controllers and Findata
Availability services would support, in particular, the planning of clinical trials and improve Finland’s attractiveness for international research. These services could include, for example, paid advisory services.
6. The training, development, and testing of algorithms and AI solutions should be included in the permitted use purposes under the Secondary Use Act
The legislation should be updated to enable the development of AI-based solutions aimed at improving the efficiency of the social and healthcare system and enhancing treatment practices.
7. Data controllers should be allowed to produce statistical data based on their own records
When data is required from multiple controllers, the request should continue to be processed centrally by Findata, as is the case with data permits.
8. The processing of individual-level anonymous data should be allowed outside secure environments
Allowing the processing of individual-level anonymous data outside secure environments would bring significant benefits to national research and the development of treatment practices. For example, supercomputers could be used for advanced processing of anonymous image files.
9. In addition to Findata’s secure transfer service, other transfer services should be permitted
Allowing the use of transfer services other than Findata’s in specific situations would facilitate data transfers. To ensure security, regulations should define the security requirements for such services.
To guarantee sufficient capacity, a fee should be allowed for the use of transfer services.
10. Findata’s obligation to act as an intermediary for invoicing should be removed
It is more practical for data controllers to invoice permit holders directly for the costs of data extraction and delivery.
Findata’s current role in collecting and redistributing data-related fees has increased administrative burdens and introduced unnecessary steps into the invoicing process.