Updated 04.11.2024

Permits

We issue permits for the secondary use of social and health data, combine data that is subject to a permit securely and pre-process the data ensuring the privacy of citizens.

Book a time for personal consultation

You can book a time for personal consultation with an expert from Findata. Appointments are available three days a week and last for 20 minutes. The meetings are held remotely via Teams.

We offer help in the following topics:

  • General consultation on Findata’s services
  • Data permit applications, amendments, and data requests
  • Extraction description form and other forms
  • Ordering Findata’s secure processing environment Kapseli, pausing, and data storage service

You can see the available times below.

Make sure you have written your email address correctly. After booking, we will send a confirmation to your email and a downloadable calendar reminder. We will send the link to the Teams meeting later.

If you have not received a confirmation or Teams link, email us at info@findata.fi.

The personal consultation service is provided as a part of the FinHITS project funded by the European Union.

What to remember before sending an application

Select the correct application type

There are different types of applications for different information needs

  • Data permit application, when you need data on individuals
  • Data request, when you need statistical data
  • Amendment application, when you are applying for an amendment to a valid data permit
Describe and limit data

Define the data to be applied for at the variable level and remember the principle of minimisation for other information. Utilise the Data Resources Catalogue (aineistokatalogi.fi) and controller’s advisory services

  • Where from and how do I extract the target group? Is the definition specific enough?
  • Are control subjects/relatives extracted? How will they be defined?
  • From which registers will the data be extracted?
  • What variables will be included in the extraction? 

Other data to be combined

  • Have you made sure that the other data is described on the application?
  • Are the permits for other data valid or is the permit process pending?
Determine the competent authority

We grant permits for the secondary use of social and health data when the application applies to

  • data maintained by several public social and health sector controllers
  • data maintained by a single public controller, that has transferred the right to issue permits to Findata
  • the register data of one or numerous private social and health service provider, or
  • data saved in the Kanta Services

The assessment of the competent authority must consider all the data related to the application.

Check from the application assistant which authority the application should be sent to.

Before applying

What data use can permits be issued for?

A permit can be issued for the purposes laid down in law, which are listed below. Data on individuals will be sent to a secure operating environment for analysis, while statistical data can be sent to the applicant.

According to the Act on the Secondary Use of Health and Social Data (Secondary Use Act), data can be used without a separate permit also for knowledge management and steering and supervision of social and health care by authorities.

Individual-level material

  • scientific research
  • statistics
  • education
  • planning and reporting duty of an authority

In addition, under the Secondary Use Act, controllers can use their own data for knowledge management without permission from Findata.

Statistical data

  • scientific research
  • statistics
  • planning and reporting duty of an authority
  • steering and supervision of social and health care by authorities
  • education
  • development and innovation activities
  • knowledge management (comparative data)

As a rule, the Secondary Use Act applies to register-based studies. A register-based study utilizes register data usually collected for other purposes or national registers. The Secondary Use Act does not apply to clinical trials reported to the Finnish Medicines Agency (Fimea) or to medical trials under the Medical Research Act.

What data does Findata grant permits for?

We grant permits for data from social and health sector controllers. More information on these controllers is available on the Data page.

However, we cannot issue permits for data from all controllers covered by the Secondary Use Act. Details on these data restrictions can be found in the Secondary Use Act (PDF file, 5.4 mb).

See a list of the controllers within the scope of the Act on Secondary Use of Health and Social Data
  • Data saved in Kanta services
  • Digital and Population Data Services Agency
    • Individual’s basic details, family relations, place of domicile and building details
  • Finnish Centre for Pensions
    • Work and earnings data, benefits and the bases for them
  • Finnish Institute for Health and Welfare
    • Does not apply to data collected for statistical purposes
  • Finnish Institute of Occupational Health
    • Occupational illnesses, exposure tests and patient registers
  • Finnish Medicines Agency Fimea
  • National Supervisory Authority for Welfare and Health Valvira
  • Public and private service providers of social welfare and health care
  • Social Insurance Institution of Finland
    • Benefits and prescriptions
  • Statistics Finland
    • To the extent that access is required to data covered by the act on the investigation of the causes of death
  • Regional state administrative agencies
    • Matters relating to social welfare and health care

Data descriptions and additional information

According to the Secondary Use Act, data controllers provide advisory services for their own data. They are the best source for detailed information on their data variables. For more information, contact the specific data controller.

You can arrange with the controller to implement data extraction in a specific manner. In your application to us, specify the contact person with whom you made this arrangement.

Descriptions of some of the data within the scope of the Secondary Use Act can be found in the National Data Resources Catalogue (aineistokatalogi.fi).

When do I submit an application to Findata?

Submit your permit application to Findata if you want to apply for:

  • Data from several public social and health sector controllers covered by the Secondary Use Act.
  • Data from a single public controller that has transferred the right to issue permits to Findata (see the list of such controllers).
  • Data from one or more private social welfare and health care service organisers.
  • Customer data saved in the Kanta Services.

Statistical and aggregated data subject to a data request can only be accessed via Findata.

Public sector social and health controllers are divided into two groups under the Secondary Use Act, each with different competences. The following section explains these groups and their roles.

Public sector controllers: Group 1

  • Finnish Institute of Occupational Health (TTL)
  • Regional State Administrative Agencies (AVI)
  • Social Insurance Institution (Kela)
  • Finnish Medicines Agency (Fimea)
  • National Supervisory Authority for Welfare and Health (Valvira)
  • Public service providers of social welfare and health care
  • Ministry of Social Affairs and Health (STM)
  • Finnish Institute for Health and Welfare (THL)

Findata is responsible for issuing data and amendment permits when the application involves data from at least two controllers in this group.

This includes cases where the applicant wants to combine their own register data with data from other controllers. For example, if a wellbeing services county needs data from both Kela and its own data, Findata grants the permit.

If the application or data utilisation plan includes combining data from this group with data from other sources, Findata grants the permit.

Findata does not grant permits for clinical trial data reported to Fimea.

Public sector controllers: Group 2

  • Digital and Population Data Services Agency (DVV): Basic personal data, family relations, place of residence, and building details.
  • Finnish Centre for Pensions (ETK): Employment and income data, benefits, and disability pension diagnoses.
  • Statistics Finland: Information for determining cause of death.

Findata is responsible for issuing data and amendment permits when the application involves data from DVV and ETK and the application also conserns:

  • Data from controllers in Group 1.
  • Data from private social welfare and health care service organisers.
  • Data saved in the Kanta Services.

If the application involves data from Statistics Finland and more than one other controller, Findata grants the permit.

Statistics Finland will process the application if it concerns only their data on causes of death and data from only one of the controllers covered by the Secondary Use Act.

The Secondary Use Act does not cover clinical trials reported to Fimea, so these are outside Findata’s scope. Definitions for interventional clinical trial and noninterventional study are available in Fimea Regulation 8/2019. Fimea can advise if a study is considered a clinical trial.

Unsure about who the competent authority is? Click here to use the application assistant

Applying

Logging into the e-service

All applications to Findata are sent in our e-service with an online form. Log into the service at asiointi.findata.fi using Suomi.fi e-Identification or Haka log in.

Please use the same identification method each time you log in to view your submitted applications and decisions.

  • If you encounter any problems, contact Findata’s advisory service: info@findata.fi
  • For more information on logging in see the Login page

Selecting and completing an application form

Choose the appropriate form based on your needs:

  • Data permit application: Use this form when you need data on individuals. Analysis of this data will occur only in audited, secure processing environments.
  • Data request: Use this form when you need statistical data. The statistical data will be sent to you directly.
  • Amendment application: Use this form to request changes to an existing data permit.

Complete the application form carefully. Incomplete applications will be returned with a request for additional information.

For detailed instructions on completing each form, refer to the following pages:

If you’re unsure what information to enter into a field on the form, seek help well in advance from within your organization or contact our advisory service.

Help Desk

General guidance & advice

How to expedite the processing of application

The processing time for applications depends on several factors: the accuracy of the data extraction description, the current backlog at Findata, and the response times of data controllers. By following our guidelines, you can help ensure that your application is processed as quickly and efficiently as possible.

How to speed up the processing of your application:

  1. Verify Findata’s authority:
    • Ensure Findata is the competent authority to issue a permit for the data you need.
    • Use the application assistant to help determine this.
    • Note that the Digital and Population Data Services Agency, the Finnish Centre for Pensions, and Statistics Finland handle their own data and permit decisions. If you need information from these controllers, contact them directly.
  2. Consult Findata’s help desk:
    • If unsure about where to send your application, contact Findata’s help desk service at info@findata.fi before submitting it.
  3. Contact data controllers directly:
    • If you need more information about the data or variables, contact the relevant data controllers. Data controllers provide advisory services for their data and can guide you on data extraction methods. You can also make an agreement on the implementation of data extraction in a certain manner with the controller.
    • In your application, mention the contact person with whom you have discussed the data extraction.
  4. Use the Data Catalogue:
  5. Describe your information needs accurately:
    • Clearly define the information needed and specify the register-specific data extractions in your application.
    • If the extraction involves multiple steps, describe the order of extraction using the extraction description form (download Word file, 51.2 kb).
    • Ensure that the data extractions and the data you request are essential and justified.
  6. Apply the GDPR minimisation principle:
    • Only request data that is essential for your purposes. The principle of minimisation as defined in the GDPR will be applied, meaning that only necessary data will be disclosed.
  7. Complete the application carefully:
    • Pay attention to entering basic data such as the applicant’s details, the data controller, invoicing details, and any other data to be combined.

 If you need to supplement a submitted application, email us at info@findata.fi. In the subject line, write “Return of application” followed by your application’s diary number (e.g., “Return of application THL/XXXX/14.0X.00/202X”).

Tips for defining the extraction of textual data

  1. Consider necessity: Determine if textual data is essential for conducting your research.
    • The need for unstructured data must always be justified. Often, similar information can be extracted in a structured format.
    • We mask direct identifiers in textual data, which affects the usability of the data.
    • Processing textual data takes time and significantly increases costs.
  2. Request insights from the data controller on appropriate keywords.
    • The data controller is best positioned to assess which keywords will yield the most comprehensive results without extraneous information.
    • For example, the keyword pressure will produce all records related to pressure, such as blood pressure, eye pressure, etc. If the research focus is on blood pressure, the extracted textual data will contain a substantial amount of unnecessary information.
  3. Specify the length of the text snippet to be extracted on a variable-by-variable basis.
    • The text snippet should be as short as possible.
    • Request the data controller’s view on the length of the text to be extracted.
      • For instance, keyword +/- 50 characters.
  4. Ensure the extraction is scoped appropriately.
    • If the extraction can be limited to the information from a specific department or field of treatment instead of the entire healthcare district’s database, the amount of text to be extracted and the processing costs will be significantly lower.

Transfer of personal data outside the EU/EEA

Processing personal data abroad, including in a remote access environment, is considered a transfer of personal data.

Under the EU’s General Data Protection Regulation (GDPR), data can be transferred within the European Economic Area (EEA) under the same conditions as within Finland. The EEA includes EU Member States, Norway, Liechtenstein, and Iceland.

For data transfers or processing outside the EEA, in so-called third countries, there must be a legal basis as outlined in Chapter V of the GDPR. The acceptable legal bases for such transfers are listed below. It is sufficient to meet just one of these bases.

Commission decision in the adequacy of data protection under Article 45
Standard contractual clauses on data protection pursuant to Article 46(2)
  • Standard contractual clauses (SCC) are standard contractual clauses approved by the European Commission that can be used in contracts between two controllers or between a controller and a processor.
  • These standard clauses can be viewed on the website of the Data Protection Ombudsman (tietosuoja.fi).
  • If this is given as the basis for data transfer, we will take this criterion into account in the data permit decision. We will make the data available outside the EU/EEA subject to this condition and only after the applicant or permit holder has submitted to Findata the signed standard contractual clauses. The use of standard clauses will also require additional examination of the adequacy of data protection.  Please note that standard contractual clauses may not be modified or added to, but must be approved as they are.
Binding corporate rules pursuant to Article 47
  • Binding corporate rules (BCR) refer to shared, binding rules for the transfer of personal data to third countries within a corporate group or group of companies engaged in joint economic operations.
  • For more information, see the website of the Data Protection Ombudsman (tietosuoja.fi).
  • If this is given as the basis for data transfer, we will take this criterion into account in the data permit decision. We will make the data available outside the EU/EEA area subject to this condition and only after the applicant or permit holder has notified the Findata of the code of conduct in question, which must have been appropriately approved by a data protection ombudsman of an EU Member State.
Exceptions and safeguards under Article 49

Exceptions and safeguards under Article 49, such as the explicit consent of the subject to the proposed transfer after being informed of the risks associated with the transfer. This basis for transfer can only be used in exceptional cases.

For information on transferring data to the United Kingdom following Brexit, visit the Data Protection Ombudsman’s website (tietosuoja.fi).

Permit fees and other costs

Fees are charged for decisions on data permit applications, data requests, and amendment applications, including the related data processing.

The costs consist of the following, depending on your application:

  • Decision fee: Charged according to the pricelist.
  • Hourly fee: For data processing carried out at Findata.
  • Data controller costs: Costs for the extraction and delivery of data, based on each controller’s provisions.
  • Kapseli fee: Costs of secure processing environment Kapseli, where individual-level data is forwarded for analysis

During the application process, we will request a maximum cost estimate from the controller for data extraction and provide a maximum cost estimate for Findata’s data processing. These estimates will be forwarded to the applicant before the permit decision is made. The final price is confirmed after the data is disclosed. A separate processing fee applies to expired and negative decisions.

For more details, visit the Pricing page.

After applying

How does an application’s processing proceed?

The processing of applications involves five stages, which may be preceded by the applicant independently contacting a controller. The process is outlined in detail below the graph.

  1. Contact controllers before submitting the application
    • Contact controllers directly for additional information on data or variables.
    • Request cost estimates and feasibility details from controllers.
    • Arrange any special data extraction agreements with the controller and include this in the Additional Information section of your application. For example, if a clinician from the research team will perform the extraction free of charge, include details in the Additional Information section about who agreed to this and under what conditions.
  2. Submit the application
    • Submit your application or any requested additional information via our e-service (asiointi.findata.fi). Email may be used for additional information if applicable.
  3. Findata reviews the application and its appendices
    • Data permit applications are reviewed within a week of receipt. Applications are divided into those that can be processed immediately and those that need further information.
    • Incomplete applications will be returned for more information or clarification.
  4. Cost estimation:
    • Findata sends requests for additional information and confirmation of cost estimates to the controllers from whom data is being requested in your application. Controllers have 15 working days to respond. We will forward any additional questions from controllers to you.
    • Findata determines its cost estimate for data processing.
  5. Approve the maximum cost estimates:
    • Review the final extraction description and maximum cost estimate.
    • Approve both to proceed with the permit.
    • Note that you cannot change the extraction conditions after approval. Any modifications to the extracted data will require a new application.
  6. Findata issues a decision:
    • A data permit or data request decision will be issued.
    • Data permits are for a fixed period. If you need to save data for purposes such as research verification, or if you plan to renew your permit or require regular updates, include these needs in your application.

How will the compilation of the applied for data proceed?

Once a data permit is issued or a decision on a data request is made, the data compilation process involves five stages. The process is outlined in detail below the graph.

  1. Data controllers extract the data
    • We will send data requests to the controllers to start the extraction process.
    • Each controller has 30 working days to submit the requested data to Findata.
    • The extraction may involve multiple steps, such as:
      • Extraction of the target group
      • Extraction of controls
      • Extraction of additional data
    • Each step can take up to 30 working days, potentially totaling up to 90 working days.
  2. Findata pre-processes the extracted data
    • We will check, combine, and pseudonymize the data or generate statistics according to the data request.
  3. Findata delivers the data to the permit holder
    • The processed data will be provided in a secure processing environment, typically in CSV format.
    • Findata’s secure processing environment, Kapseli, is the primary option. Data may be disclosed to other environments if necessary.
    • The target time for delivering the data is 60 working days. This timeframe may be extended if the target group is not provided immediately, if extraction is conducted in multiple stages, if there are delays from controllers, or if the data is particularly complex.
  4. Review the data
    • You have three months to review the data and notify Findata of any discrepancies or comments.
    • Thoroughly check the data, as errors can lead to additional work.
      • Errors that occur during extraction can accumulate, such as if the target group is formed incorrectly, requiring additional extractions from other controllers.
    • If you find omissions or errors, email Findata at data@findata.fi with detailed descriptions of how your data differs from the extraction description.
  5. Findata’s data retention and disposal
    • Data will be removed from our systems four months after delivery, but code keys for pseudonymised data will be retained to allow reproduction if needed.
    • Note: Data permits are for a fixed period. If you need to save data for purposes like research verification, plan to renew the permit, or require regular updates, include these needs in your application.

Do the following if you find errors in your data

  1. Upon receiving the material covered by a data permit or request, please review it as soon as possible, but no later than within three months.
  2. If you notice any omissions or errors, contact Findata at data@findata.fi.
  3. In your message, explain precisely how your data differs from the data described in the extraction description.

Data extractions under a data permit or request are always based on the extraction description. If the extraction description you provided is incomplete, you can complete the extraction by submitting an amendment application or a new application for a data permit to Findata.

The maximum price estimates given are based on the extraction description you provided. If the extraction needs to be completed, a new maximum price estimate will be submitted with the new permit.

Where can the data be analysed?

Data analysis depends on the type of permit you have:

Data request | Aggregated statistical data

  • This data is sent to the customer and can be analysed freely according to the data utilisation plan.
  • Statistical data is primarily sent via the Nextcloud transfer service. If you need Nextcloud credentials, order them from our e-service.

Data permit and amendment permit | Data on individuals

  • Induvidual-level data can only be analyzed in a secure environment.
  • Primarily, the data will be disclosed to Findata’s secure processing environment, Kapseli.
  • The Secondary Use Act allows for disclosure to other secure processing environments if necessary.
  • Data from controllers other than Findata will also be disclosed in a secure environment.

Note: Amendment permits are considered data permits, so the same security requirements apply.

Findata’s regulation on secure operating environments

Findata has established a regulation in accordance with the Secondary Use Act that outlines the information security requirements for secure operating environments used by other service providers.

This regulation applies to all purposes for which a data permit is required, including:

  • Scientific research
  • Statistics
  • Education (preparation of teaching materials)
  • Planning and reporting duty of an authority

Data disclosure: Data can only be disclosed for processing in a secure environment other than Findata’s Kapseli if it meets the regulation’s requirements.

Assessment and certification: The environment must be assessed by an information security assessment body, and a certificate of assessment must be provided. These requirements have been in force since 1 May 2022.

Existing permits: The new requirements do not affect permits granted before 1 May 2022. Data can continue to be processed in the same environment under previously granted permits.

Technical solutions: Secure environments can range from physically and technically secure spaces with isolated devices to cloud-based solutions, provided they meet required data security levels. Foreign researchers must also comply with data protection and security standards.

For more details, visit the page on Regulation on Secure operating environments.

Clinically significant findings

Under Section 55 of the Secondary Use Act, if a data recipient identifies a clinically significant finding from the data granted by Findata that could prevent a health-related risk or improve treatment quality, they can contact Findata.

Process:

  1. The data recipient notifies Findata of the finding.
  2. Findata determines who the finding concerns and forwards the information to a specialist at the Finnish Institute for Health and Welfare (THL).
  3. THL’s specialists assess the significance of the finding and potential benefits of action.
  4. If the benefit is deemed significant and important for patient treatment, THL informs the relevant wellbeing services county.
  5. An employee from the wellbeing services county will then contact the patient.
How to report a clinically significant finding to Findata
  1. Send an email to data@findata.fi with a message stating that you wish to report a significant clinical finding.
    • Do not send personal data by email!
    • Please write “Clinically significant finding” in the subject line of the email.
  2. You will receive a reply with instructions on how to submit the information to Findata.
    • Personal data will be transferred securely via Nextcloud.
    • If you do not have Nextcloud account, create one by following the instructions on the page Data transfers to Findata.
      • See the section ‘Open the Nextcloud connection’.
      • Enter the diary number of the data permit from which you have made the clinically significant finding (enter ‘section55’ in the identifier-field)
    • If you already have Nextcloud connection, we will share a Nextcloud folder with you for data transfer. You can transfer data following the instructions on the page Data transfers to Findata.
      • See the section ‘Encrypt your data and transfer it to Nextcloud’.
      • Once you have submitted your data, please let us know at data@findata.fi.
  3. Submit the following data to Find
    • The diary number of the data permit and the issuer.
    • The pseudo-code or personal identification number of the person with a significant clinical finding.
    • Information about the clinically significant finding that THL can use to assess the significance of the information.
    • The name and contact details of the contact person of the data permit, that can be provided to the THL for any further questions.

Right to object:

  • Individuals can object to being contacted based on Section 55.
  • Objections can be made at any public health care unit or online via My Kanta.
  • Contact prohibitions cannot be set up through Findata, Kela, or THL.

Verifying the anonymity of results

The processor of personal data must produce results in an anonymous format that does not reveal any individual data or characteristics. Findata ensures anonymity in accordance with the Secondary Use Act for all data authorised under the Act. This process is provided at no additional cost.

For detailed criteria on ensuring anonymity and examples of common types of analysis, please refer to the page on Producing anonymous results.

Publishing results

Publication refers to making information publicly available, which includes presenting results outside your immediate working group. This can be in the form of a scientific journal, thesis, textbook, manual, conference presentation, abstract, report, survey, or internet publication.

Publishing results from Kapseli

  1. Data processing: Data is processed in the Kapseli environment, and only the final analysis results are exported. Results must be in an anonymous format, with Findata ensuring anonymity as per the Secondary Use Act.
  2. Verify anonymity: Use the guidelines on the page Procucing anonymous results to verify the anonymity of results intended for publication.
  3. Transfer results: Transfer the results and the summary form to Findata via the Output (O:) drive in Kapseli.
    • The summary form for verifying anonymity is located in the Kapseli D-folder under “Käyttöohjeet_User_guide_05062023.”
    • Compress the files and the summary form into a zip folder named as follows:
      “Results_[Record_number_of_permit_decision][Kapseli_ID][Delivery_date]” (e.g., “Results_THL_1234_14.02.00_2020_a01_15032021”).
      • Note: Date format should be ddmmyyyy.
    • Create an empty text file named “ZZZ_READY.txt” in the Output drive. This triggers the automatic transfer of the zip folder. Ensure the file name is correct.
      • Transfers occur hourly and every 30 minutes. Files will be deleted from the Output drive after transfer.
  4. Notify Findata (optional): Email Findata at data@findata.fi to confirm your transfer. We will follow up if we do not receive your submission. There will be no confirmation of transfer success.
  5. Review and delivery of results: Findata will review the submission within 5 working days and provide the results via Nextcloud to the permit holder. If additional information is needed, we will contact you.
    • For large result files, the review process might exceed the usual 5-day limit. This time limit pertains only to verifying anonymity, not to other file imports from Kapseli (e.g., code files).
    • If you don’t have a Nextcloud account, request one via the “Order a new Nextcloud account” form in Findata’s e-service.

Publishing results from other secure operating environments

  1. Summary form: Download and complete the form for verifying the anonymity of the results
  2. Compress files: Zip the files and the summary form, naming the folder as follows:
    • “Results_[Record_number_of_permit_decision][Kapseli_ID][Delivery_date]” (e.g., “Results_THL_1234_14.02.00_2020_a01_15032021”).
      • Note: Date format should be ddmmyyyy.
  3. Transfer results:
    • Nextcloud: If you have a Nextcloud account, transfer results via Nextcloud.
    • Secure Email: If you do not have a Nextcloud account, transfer results via secure email. Do not send results via regular, non-secure email.
  4. Contact Findata: Email Findata at data@findata.fi with the subject “Ensuring the anonymity of results.”
    • Indicate whether you are using Nextcloud or secure email for the transfer.
    • If using Nextcloud, include the diary number of the data permit and your Nextcloud ID. Findata will provide the folder name for your transfer and a zip folder with the summary form.
    • If using secure email, Findata will send a secure email for you to reply with your zip folder containing the results and the summary form.
  5. Follow-up: If there are concerns about the anonymity of the results, Findata will contact you within seven working days.
    • If you do not hear from us within this timeframe, you may proceed with publishing your results.

Report published research results to Findata

Use the form below to report articles and publications that have made use of data authorised by Findata. One of the criteria for the issuing of a data permit for the purpose of scientific research is that the results are published as scientific publications. The form can also be used to report publications of data authorised for other uses.

If you have many publications to report, you can send the information as an Excel file to info@findata.fi. In this case, you do not need to fill in the form below.

Reference Guide

If Findata has granted a data permit or made a data request decision for your project, cite Findata in publications as follows: “Sosiaali- ja terveysalan tietolupaviranomainen Findata” or “Finnish Social and Health Data Permit Authority Findata.”

  • Follow the writing guidelines of the scientific publication series.
  • We recommend that references to Findata be made in accordance with its statutory duties. In data permits, these duties include, for example, pseudonymization and ensuring the anonymity of results, and in data requests, the duties include data integration, aggregation, and anonymization.
  • Findata can be referenced in the text, tables, figures, permit lists, acknowledgments, and reference lists.
  • Whenever possible, include the diary number(s) of the data permit or data request in the references.

Examples of in-text citations

“Research data was obtained from the Finnish Social and Health Data Permit Authority Findata with data permit THL/XXXX/14.XX.00/20XX. Findata was responsible for the pseudonymization of the data and ensuring the anonymity of the final results.”

“The statistics were produced by Findata, the Finnish Social and Health Data Permit Authority, with data request THL/XXXX/14.XX.00/20XX. Findata was responsible for data integration and producing the anonymized statistics.”

Example of table citation

DataSource
Research dataFinnish Social and Health Data Permit Authority Findata, data permit THL/XXXX/14.XX.00/20XX

Example of citation in a reference list

Findata. (Year). Data permit THL/XXXX/14.XX.00/20XX. Finnish Social and Health Data Permit Authority Findata.

Apply for a data permit

Do you need data on individuals? Apply for a data permit when you need data on individuals from multiple public sector social and health controllers or the private sector. Data permits Apply for a data permit

Submit a data request

Do you need anonymous statistical data? Submit a data request to use, when you need aggregated statistical data in table format or key figures from a social and health sector controller. Data requests Submit a data request

Apply for an amendment permit

Is your permit period about to expire or have there been changes to the processors of personal data? Apply for an amendment permit from us when an amendment concerns a controller’s permits or information. Amendment permits Apply for an amendment permit

Check the correct address for the application

Select the controllers from which the data will be retrieved

Apply permit from the controller in question. The exception is those controllers who have delegated permit jurisdiction to Findata.

Please note that Findata is responsible for data permit and amendment applications whenever the data of data controllers covered by the Act on secondary use is combined. When evaluating the competent authority, all data related to the application under the Act must be taken into account.

Apply permit (s) from the controllers in question.

Findata is responsible for data permits of the Finnish Center for Pensions (ETK) and the Finnish Digital Agency (DVV) and / or Statistics Finland if the data are combined with

  • data of other public organizations under the Act on Secondary Use of Health and Social Data (For Statistics Finland, at least two other organizations are needed, for DVV and ETK, one is sufficient)
  • data stored on Kanta services or
  • to the register data of a private social or health care service provider.

Apply permit from Findata.

Findata is responsible for processing and making decisions concerning data permit and amendment applications, when the application applies to:

  • data from numerous public social and health sector controllers
  • register data from one or numerous private social welfare and health care service organisers, or
  • customer data saved in the Kanta Services.

Apply permit from Findata.

The Regional Administrative Agencies (AVI) have delegated the jurisdiction to Findata.

Apply permit from Findata.

National Supervisory Authority for Welfare and Health Valvira have delegated the jurisdiction to Findata.

Apply for a data permit

Finnish Institute for Health and Welfare (THL) has delegated the jurisdiction to Findata. As far as THL is concerned, the delegation of jurisdiction does not apply to its

  • internal permit management
  • the transfer of samples and data transferred to THL Biobank.

Permit is applied from Statistics Finland and the respective data controller. Exceptions are the registrars who have delegated the jurisdiction to Findata.

We are responsible for data permits for data subject to the Secondary Act of Statistics Finland when they are combined

  • to the information of at least two public organizations covered by secondary laws
  • to data stored in Kanta services or
  • to the register data of a private social or healthcare service organizer.

Apply permit from Findata.

Findata is responsible for processing and making decisions concerning data permit and amendment applications, when the application applies to:

  • data from numerous public social and health sector controllers
  • register data from one or numerous private social welfare and health care service organisers, or
  • customer data saved in the Kanta Services.

Please select at least one data controller or group.