Updated 26.07.2024

Permits

We issue permits for the secondary use of social and health data, combine data that is subject to a permit in a secure manner and pre-process these ensuring the privacy of citizens.

Book a time for personal consultation

Our personal consultation service will be on summer holiday from 1 June to 18 August 2024. Findata’s Help Desk will be serving you by e-mail as usual throughout the summer. See contact details for our Help Desk.

You can book a time for personal consultation with an expert from Findata. Appointments are available three days a week and last for 20 minutes. The meetings are held remotely via Teams.

We offer help in the following topics:

  • General consultation on Findata’s services
  • Data permit applications, amendments, and data requests
  • Extraction description form and other forms
  • Ordering Findata’s secure processing environment Kapseli, pausing, and data storage service

You can see the available times below.

After booking, you will receive a confirmation email and a downloadable calendar reminder. We will send the link to the Teams meeting later.

The personal consultation service is provided as a part of the FinHITS project funded by the European Union.

What to remember before sending an application

Select the correct application type

There are different types of applications for different information needs

  • Data permit application, when you need data on individuals
  • Data request, when you need statistical data
  • Amendment application, when you are applying for an amendment to a valid data permit
Describe and limit data

Define the data to be applied for at the variable level and remember the principle of minimisation for other information. Utilise the Data Resources Catalogue (aineistokatalogi.fi) and controller’s advisory services

  • Where from and how do I extract the target group? Is the definition specific enough?
  • Are control subjects/relatives extracted? How will they be defined?
  • From which registers will the data be extracted?
  • What variables will be included in the extraction? 

Other data to be combined

  • Have you made sure that the other data is described on the application?
  • Are the permits for other data valid or is the permit process pending?
Determine the competent authority

Findata is responsible for the application and the permit decision whenever data are combined from data controllers covered by the Act on secondary use of health and social data. The assessment of the competent authority must therefore consider all the data related to the application.

Check from the application assistant which authority the application should be sent to.

Before applying

What data use can permits be issued for?

A permit can be issued for the purposes laid down in law, which are listed below. Data on individuals will be sent to a secure operating environment for analysis, while statistical data can be sent to the applicant.

Pursuant to the Act on the Secondary Use of Health and Social Data, information can be used without a separate permit also for knowledge management and social welfare and health care official management and supervision.

Individual-level material

  • scientific research
  • statistics
  • education
  • planning and reporting duties of an authority

In addition, under the Secondary Use Act, controllers can use their own data for knowledge management without permission from Findata.

Statistical data

  • scientific research
  • statistics
  • planning and reporting duties of an authority and/or guidance and supervision of a social and healthcare authority
  • education
  • development and innovation operations
  • knowledge management (comparative data)

Note that as a rule, the Secondary Use Act applies to register-based studies. A register-based study is a study which utilises register data usually collected for other purposes or national registers. For example, the Secondary Use Act does not apply to clinical trials reported to Finnish Medicines Agency Fimea or to medical trials under the Medical Research Act.

What data can permits be issued for?

The data you can access via Findata are from social and health sector controllers on which you can find more information on the Data page.

Please note that we cannot issue permits for the data of all controllers within the scope of the Secondary Use Act. More details on these data restrictions can be found in the Secondary Use Act (finlex.fi, in Finnish).

See a list of the controllers within the scope of the Act on Secondary Use of Health and Social Data
  • Data saved in Kanta services
  • Digital and Population Data Services Agency
    • The Finnish Digital Agency, individual’s basic details, family relations, place of domicile and building details
  • Finnish Centre for Pensions
    • Work and earnings data, benefits and the bases for them
  • Finnish Institute for Health and Welfare
    • Does not apply to data collected for statistical purposes
  • Finnish Institute of Occupational Health
    • Occupational illnesses, exposure tests and patient registers
  • Finnish Medicines Agency Fimea
  • National Supervisory Authority for Welfare and Health Valvira
  • Public and private service providers of social welfare and health care
  • Social Insurance Institution of Finland
    • Benefits and prescriptions
  • Statistics Finland
    • To the extent that access is required to data covered by the act on the investigation of the causes of death
  • Regional state administrative agencies
    • Matters relating to social welfare and health care)

Data descriptions and additional information

In accordance with the Secondary Use Act, data controllers provide advisory services concerning their own data and are the best placed to do so. If you need more information on the variables in a certain controller’s data, contact the controller in question.

You can also make an agreement on the implementation of data extraction in a certain manner with the controller. In the application you send to us, specify the person with whom you have agreed to on the matter.

The National Data Resources Catalogue at aineistokatalogi.fi contains descriptions of some of the data in the scope of the Secondary Use Act.

Which authority should a permit application be submitted to?

Findata is responsible for the application and the permit decision whenever data are combined from data controllers covered by the Secondary Use Act. The assessment of the competent authority must therefore consider all the data related to the application.

Submit the application to Findata when it applies to

  1. data from several public social and health sector controllers
  2. data maintained by a single public controller, that has transferred the right to issue permits to Findata
  3. register data from one or numerous private social welfare and health care service organisers, or
  4. customer data saved in the Kanta Services.

Under the law, statistical, aggregated data subject to a data request can only be accessed via Findata.

See the bottom of this page for the application assistant. The assistant can help in determining which authority you should send you data permit or amendment application to. Click here to go to the application assistant.

The Secondary Use Act does not apply to clinical trials reported to Fimea, so these are not within Fimea’s competence. The definitions for interventional clinical trial and noninterventional study can be looked up in Finnish at Fimea Regulation 8/2019 (PDF file, 196 kB). When necessary, Fimea will provide advice on whether a study is considered a clinical trial.

Read more on data permit processing related competences in Finnish in section 44 of the The Secondary Use Act (2019/552, finlex.fi).

Under the Secondary Use Act, public sector social and health controller are divided into two groups. Below is the more detailed division of these groups and their differences in competence.

Public sector controllers: Group 1

  • Regional State Administrative Agencies (AVI)
  • Social Insurance Institution (Kela)
  • Finnish Medicines Agency Fimea
  • National Supervisory Authority for Welfare and Health Valvira
  • Public service providers of social welfare and health care
  • Ministry of Social Affairs and Health (STM)
  • Finnish Institute for Health and Welfare (THL)
  • Finnish Institute of Occupational Health (TTL)

We are responsible for data permits and amendment permits when the application concerns the information of at least controllers in this group.

This is also applies in a situation where another party could be believed to have already accessed data or to have their own data. If for example, a wellbeing services county needs data from Kela in addition to their own data for a study, the application in this case concerns the data of two controllers. In this case, Findata is the competent authority.

If the application or the data utilisation plan mentions other data under the Secondary Use Act which is to be combined with the data to be retrieved, the application applies to this combined data as well.

Public sector controllers: Group 2

  • Digital and Population Data Services Agency (DVV): A person’s basic personal data (e.g. birthdate, date of death, personal identity code), family relations, place of residence and building details. If other information is needed, DVV is responsible for processing applications and making permit decisions.
  • Finnish Centre for Pensions (ETK): People’s employment and income data, granted benefits and their grounds including diagnoses concerning disability pensions. If other information is needed, the ETK is responsible for processing applications and making permit decisions.
  • Statistics Finland: Information to help in determining cause of death. If other information is needed, Statistics Finland will be responsible for processing applications and making permit decisions.

We are responsible for the data permits and amendment permits of the Finnish Centre for Pensions, the Digital and Population Data Service Agency and Statistics Finland, if in addition to them the application also concerns

  • information from one or more public sector controllers in Group 1
  • information from one or more private social welfare and health care service organisers, or
  • data saved in the Kanta Services

Applying

Logging into the e-service

All applications to Findata are sent in our e-service with an online form. Log into the service at asiointi.findata.fi using Suomi.fi e-Identification or Haka log in.

Always log in using the same identification methods, so that you can see the applications you have sent and the decisions that have been given.

If you encounter any problems, contact Findata’s advisory service: info@findata.fi

For more information on logging in see the Logging into services page.

Selecting and completing an application form

There are different application forms for different information needs

  • Data permit application, when you need data on individuals, the analysis of data subject to a data permit will only be possible in audited, secure operating environments.
  • Data request, when you need statistical data The statistical data accessed with a data request will be sent to the applicant.
  • Amendment application, when you are applying for an amendment to a valid data permit See the Amendment permits page for information on what amendments you can apply for with an amendment application.

Complete the application form carefully. Shortcomings in the application will lead to a request for more information and the return of the application to the applicant.

For detailed instructions on the completion of different application forms see the pages for different types of permits:

If you do not know what information to enter into an information field on the form, ask for help well in advance from within your organisation or from our advisory service.

Help Desk

General guidance & advice

How to expedite the processing of application

The processing time for applications depends on several factors: the accuracy of the data extraction description, the current backlog at Findata, and the response times of data controllers.

By following our guidelines, you can help ensure that your application is processed as quickly and efficiently as possible.

How to speed up the processing of your application:

  1. Verify Findata’s authority:
    • Ensure Findata is the competent authority to issue a permit for the data you need.
    • Use the application assistant to help determine this.
    • Note that the Digital and Population Data Services Agency, the Finnish Centre for Pensions, and Statistics Finland handle their own data and permit decisions. If you need information from these controllers, contact them directly.
  2. Consult Findata’s help desk:
    • If unsure about where to send your application, contact Findata’s help desk service at info@findata.fi before submitting it.
  3. Contact data controllers directly:
    • If you need more information about the data or variables, contact the relevant data controllers. Data controllers provide advisory services for their data and can guide you on data extraction methods. You can also make an agreement on the implementation of data extraction in a certain manner with the controller.
    • In your application, mention the contact person with whom you have discussed the data extraction.
  4. Use the Data Catalogue:
  5. Describe your information needs accurately:
    • Clearly define the information needed and specify the register-specific data extractions in your application.
    • If the extraction involves multiple steps, describe the order of extraction using the extraction description form (download Word file, 51.2 kb).
    • Ensure that the data extractions and the data you request are essential and justified.
  6. Apply the GDPR minimisation principle:
    • Only request data that is essential for your purposes. The principle of minimisation as defined in the GDPR will be applied, meaning that only necessary data will be disclosed.
  7. Complete the application carefully:
    • Pay attention to entering basic data such as the applicant’s details, the data controller, invoicing details, and any other data to be combined.

If you want to complete the application you have already sent, ask us to return your application by sending an email to info@findata.fi. Write in the subject line Return of application and the diary number of your application (e.g. Return of application THL/XXXX/14.0X.00/202X).

Tips for defining the extraction of textual data

  1. Consider necessity: Determine if textual data is essential for conducting your research.
    • The need for unstructured data must always be justified. Often, similar information can be extracted in a structured format.
    • We mask direct identifiers in textual data, which affects the usability of the data.
    • Processing textual data takes time and significantly increases costs.
  2. Request insights from the data controller on appropriate keywords.
    • The data controller is best positioned to assess which keywords will yield the most comprehensive results without extraneous information.
    • For example, the keyword pressure will produce all records related to pressure, such as blood pressure, eye pressure, etc. If the research focus is on blood pressure, the extracted textual data will contain a substantial amount of unnecessary information.
  3. Specify the length of the text snippet to be extracted on a variable-by-variable basis.
    • The text snippet should be as short as possible.
    • Request the data controller’s view on the length of the text to be extracted.
      • For instance, keyword +/- 50 characters.
  4. Ensure the extraction is scoped appropriately.
    • If the extraction can be limited to the information from a specific department or field of treatment instead of the entire healthcare district’s database, the amount of text to be extracted and the processing costs will be significantly lower.

Transfer of personal data outside the EU/EEA

The processing of personal data abroad is counted as a transfer of personal data even if the data is in a remote access environment.

Under the EU’s General Data Protection Regulation, data can be transferred within the European Economic Area on the same grounds as within Finland. Countries belonging to the European Economic Area include the EU Member States and Norway, Liechtenstein and Iceland.

If data is to be transferred or processed outside the aforementioned countries, i.e. in so-called third countries, there must be a legal basis for this in keeping with Chapter V of the GDPR.

The acceptable legal bases are listed below. It is sufficient that just one of these bases for data transfer is met.

Commission decision in the adequacy of data protection under Article 45
Standard contractual clauses on data protection pursuant to Article 46(2)
  • Standard contractual clauses (SCC) are standard contractual clauses approved by the European Commission that can be used in contracts between two controllers or between a controller and a processor.
  • These standard clauses can be viewed on the website of the Data Protection Ombudsman (tietosuoja.fi).
  • If this is given as the basis for data transfer, we will take this criterion into account in the data permit decision. We will make the data available outside the EU/EEA subject to this condition and only after the applicant or permit holder has submitted to Findata the signed standard contractual clauses. The use of standard clauses will also require additional examination of the adequacy of data protection.  Please note that standard contractual clauses may not be modified or added to, but must be approved as they are.
Binding corporate rules pursuant to Article 47
  • Binding corporate rules (BCR) refer to shared, binding rules for the transfer of personal data to third countries within a corporate group or group of companies engaged in joint economic operations.
  • For more information, see the website of the Data Protection Ombudsman (tietosuoja.fi).
  • If this is given as the basis for data transfer, we will take this criterion into account in the data permit decision. We will make the data available outside the EU/EEA area subject to this condition and only after the applicant or permit holder has notified the Findata of the code of conduct in question, which must have been appropriately approved by a data protection ombudsman of an EU Member State.
Exceptions and safeguards under Article 49

Exceptions and safeguards under Article 49, such as the explicit consent of the subject to the proposed transfer after being informed of the risks associated with the transfer. This basis for transfer can only be used in exceptional cases.

Further information on the transfer of data to the United Kingdom following Brexit can be found on the website of the Data Protection Ombudsman (tietosuoja.fi).

Permit fees and other costs

A fee will be charged for decisions concerning data permit applications, data requests and amendment applications and the related processing of data. The price of our services comprises the price of the decision and an hourly fee, which will be determined according to the working hours spent on combining and processing the data.

In addition to the fees charged by Findata, the final price is affected by the data extraction and delivery fees based on
decrees concerning the controllers.

When we process applications, we will ask the controller for a maximum cost estimate for extracting the necessary data. We will also give a maximum cost estimate on data processing by Findata.

We will forward these estimates to the applicant before making a decision on the permit. The final price of the data resource is confirmed after disclosing the data. A separate processing fee is charged for any expired and negative decisions.

See the Pricing page for more information.

After applying

How does an application’s processing proceed?

The processing of applications can be divided into five stages, which can be preceded by the applicant independently contacting to a controller. The process is shown in text after the graph.

  1. Contact controllers directly before sending an application, if you need additional information on the data or variables or help with drawing up an extraction description.
    • The applicant can also make an agreement on the implementation of data extraction in a certain manner with the controller. If the customer and the controller’s contact person have agreed for example that a clinician, who is part of the research team will extract the data free of charge, the application’s Additional information section should include information on who this was agreed on with and in what context.
  2. Submit your application or requested additional information to Findata in our e-service.
    • If you are only submitting additional information, the clarifications can, depending on the case, also be submitted by e-mail.
  3. Our application processors check your application and its appendices to ensure that they contain all the necessary information.
    • Where necessary, we will return an incomplete application for completion or we will submit a request for further clarification to the applicant.
    • Data permit applications are reviewed within a week or so of receipt and are divided into those that can be processed and those that need to be completed.
  4. When all the extraction descriptions have been completed, we will send additional information and cost estimate requests to the controllers whose data is requested in the application.
    • The purpose of the request is to determine the feasibility of the requested extraction and the maximum cost estimate for the extraction.
    • The controllers have 15 working days to respond to this request. Where necessary, controllers may ask for additional details to the request, in which case we will forward the questions to the applicant.
    • At this stage, we will also determine Findata’s internal cost estimate, which comprises our own data processing costs.
  5. Once all the cost estimates have been received, you will be presented with a final extraction description and a maximum cost estimate for approval.
    • You must accept both in order for the permit to be granted.
    • Note that it will not be possible to change the extraction conditions after this, and that changes made to the extracted data later on will require a separate application.
  6. We will issue a positive data permit or data request decision.
    • Note that data permits are always for a fixed period. If data needs to be saved for a purpose such as the verification of research or the you intend to renew your permit or the extractions must be updated at certain intervals, include these needs in your application.

How will the compilation of the applied for data proceed?

Once we have issued a data permit or made a decision on a data request, there are five different staged for the compilation of data and its pre-processing. The process is shown in text after the graph.

  1. We will send the data requests to the controllers so that extraction can begin. Each controller has 30 working days to submit the requested data to Findata.
    • Depending on the nature of the project and the extraction, this phase may include several consecutive parts, such as 1. extraction of the target group; 2. extraction of the controls; 3. extraction of data. As each controller has 30 working days, these three steps can take a total of 3 x 30 = 90 working days.
  2. We will begin to process the sent data. As agreed on for each project, we will check, combine and pseudonymise the data or make statistics on them in accordance with a data request.
  3. The completed data will be handed over to the permit holder in an agreed-upon secure operating environment in CSV format.
    • Findata’s secure remote processing environment Kapseli is the statutory primary option. The data can be disclosed to other processing environments, if this is necessary for the completion of the project.
    • The target time for the handing over of data is 60 working days. The target time will not be possible if a target group is not given immediately after the decision has been made, data extraction is carried out in several stages, deliveries by data controllers are delayed or the data is exceptionally complex.
  4. You have three months to review the material. You must notify Findata within this given time period of any comments they wish to make on the material.
    • Check the data thoroughly as soon as possible. Errors that occur during extraction can accumulate, if, for example, the target group has been formed incorrectly and other controllers must carry out their own extractions all over again for this reason.
    • If you notice any omissions or errors, send a message to Findata at data@findata.fi. In your message, describe as precisely as possible how your data differs from the data described in the extraction description.
  5. We will remove the data from our own systems four months after it has been handed over. We retain the code keys for pseudonymised data that will enable the data to be reproduced.
    • Data permits are always for a fixed period. If data needs to be saved for a purpose such as the verification of research or the you intend to renew your permit or the extractions must be updated at certain intervals, include these needs in your application.

Do the following if you find errors in your data

  1. Once you have received the material covered by a data permit or request, please check it as soon as possible, but within three months at the latest.
  2. If you notice any omissions or errors, send a message to Findata at data@findata.fi.
  3. In the message, explain as precisely as possible how your data differs from the data described in the extraction description.

Extractions under a data permit or data request are always made on the basis of the extract description.

If the extraction description you have provided is incomplete, you can complete the extraction by submitting an amendment application or a new application for a data permit to Findata.

The maximum price estimates given are based on the extraction description you have provided. If the extraction needs to be completed, a new maximum price estimate will be submitted with the new permit.

Where can the data be analysed?

Data can be accessed with different types of permits. Different conditions apply to data obtained under different permits as to where they may be used and analysed.

The aggregated statistical data accessed via a data request is sent to the customer, and it can be analysed freely in accordance with a data utilisation plan. The statistical data is sent to the customer primarily via the Nextcloud transfer service. If necessary, order Nextcloud credentials from our e-service.

Data on individuals that require a data permit can only be analysed in a secure environment. As a rule, the data will always be disclosed to Findata’s secure processing environment Kapseli. However, the Secondary Use Act makes it possible to disclose information to other processing environments, if necessary. Data received from a controller other than Findata will also always be disclosed in a secure processing environment.

Read more below in the section: Findata’s regulation sets information security requirements for environments.

Amendment permits are also officially data permits (decisions to amend data permits), meaning the same requirements apply to these as to data permits. Read more on the page Amendment Permits.

Findata’s regulation sets information security requirements for environments

We have issued a regulation in accordance with the Secondary Use Act, which describes the requirements laid down other service providers’ secure operating environments.

The regulation concerns the secondary use of social and health data, and it will be applied to all the purposes provided in the Act for which a data permit is required. These purposes include scientific research, statistics, teaching and the planning and investigation tasks of the authorities. With regard to teaching, the regulation pertains to the preparation of teaching materials, not actual teaching.

According to the regulation, data can only be disclosed for processing in a secure environment other than Findata’s secure Kapseli environment if the environment complies with the requirements of the regulation. In addition, the environment must be assessed by an information security assessment body and a certificate of assessment must be provided. These requirements have entered into force on 1 May 2022.

The entry into force of the requirements does not affect existing, valid permits. If data are processed on the basis of a valid permit previously granted, the processing of that data may continue in the same environment after 1 May 2022.

The requirements take into account the solutions in existing environments and enable the utilisation of different technical solutions. At its simplest, a secure environment can be a physically and technically secure space with a terminal device for analysing data that is isolated from the Internet and other devices. On the other hand, technical solutions based on cloud services are also possible, as long as the service provider ensures the required level of data security. The operating environments of foreign researchers must also meet the data protection and security requirements.

Read more on the page Regulation on secure operating environments

Clinically significant findings

Based on the Section 55 of the Secondary Use Act, a data recipient can contact Findata if they make a clinically significant finding where a health-related risk could be prevented or the quality of their treatment improved.

Findata establishes who the finding concerns and then submits the information to a specialist at the Finnish Institute for Health and Welfare (THL). THL’s appointed specialists assess the significance of the data and the expected benefits of taking action. If the benefit is assessed to be so clear that it would be important for the patient to receive treatment, the information is then disclosed to the wellbeing services county responsible for the patient’s treatment. An employee of the wellbeing services county contacts the patient.

Everyone has the right to object to being contacted based on section 55 of the Secondary Use Act. This objection can be done in any operating unit that provides public health care and online via My Kanta. Contact prohibitions cannot be set up via Findata, Kela or THL.

How to report a clinically significant finding to Findata
  1. Send an email to data@findata.fi with a message stating that you wish to report a significant clinical finding.
    • Do not send personal data by email!
    • Please write “Clinically significant finding” in the subject line of the email.
  2. You will receive a reply with instructions on how to submit the information to Findata.
    • Personal data will be transferred securely via Nextcloud.
    • If you do not have Nextcloud account, create one by following the instructions on the page Data transfers to Findata.
      • See the section ‘Open the Nextcloud connection’.
      • Enter the diary number of the data permit from which you have made the clinically significant finding (enter ‘section55’ in the identifier-field)
    • If you already have Nextcloud connection, we will share a Nextcloud folder with you for data transfer. You can transfer data following the instructions on the page Data transfers to Findata.
      • See the section ‘Encrypt your data and transfer it to Nextcloud’.
      • Once you have submitted your data, please let us know at data@findata.fi.
  3. Submit the following data to Find
    • The diary number of the data permit and the issuer.
    • The pseudo-code or personal identification number of the person with a significant clinical finding.
    • Information about the clinically significant finding that THL can use to assess the significance of the information.
    • The name and contact details of the contact person of the data permit, that can be provided to the THL for any further questions.

Verifying the anonymity of results

The processor of personal data must produce the results of the analysis in an anonymous format that does not reveal the data or characteristics of an individual.

We ensure anonymity in line with the Secondary Use Act. This applies to all data that have been authorised under the Act. We do not charge a fee to ensure anonymity.

You can find criteria for ensuring the anonymity of results and examples of the most common types of analysis on the page Producing anonymous results

Publishing results

Publication in this context means bringing information to the public and disseminating it to the surrounding society. Publication is defined as the presentation of results outside the working group.

Publication can take the form of a scientific or other journal, a thesis, a textbook or manual, a conference presentation or abstract, a report, a survey or some form of internet publication.

Publishing results from Kapseli

Data processing is done in Kapseli-environment and only the final analysis results are exported from Kapseli. The user produces the results in an anonymous format and Findata ensures the anonymity of the results in accordance with the Secondary Use Act.

  1. Verify the anonymity of the results intended for publication using the instructions found the page Procucing anonymous results.
  2. Transfer the results and the summary form to Findata via the Output (O:) drive in Kapseli.
    • The summary form for the verification of the anonymity of results can be found in the Kapseli D-folder from folder named “Käyttöohjeet_User_guide_05062023”.
    • Compress the files and the summary form into a zip folder and name it as follows:
      • “Results_[Record_number_of_permit_decision]_[Kapseli_ID]_[Delivery_date]” (e.g., “Results_ THL_1234_14.02.00_2020_a01_15032021”).
      • Note: write the date in format ddmmyyyy.
    • Create an empty text file named as ZZZ_READY.txt to the Output drive. This will initiate an automatic transfer of the zip folder. Make sure to double check the spelling of the ZZZ_READY.txt file. Transfers take place on the hour and in every 30 minutes. Transferred files will be automatically deleted from the Output drive.
    • You can notify Findata of your transfer (data@findata.fi) if you wish and we will get back to you if we do not receive your transfer. There will be no verification that the transfer succeeded.
  3. Findata will review the requests within 5 working days and submit the results via Nextcloud to the permit holder. The permit holder will be contacted if further information is needed.
    • If you don’t have a Nextcloud account, fill in the form “Order a new Nextcloud account” in Findata’s E-service (asiointi.findata.fi).
    • Note that if your result files are very large, the verification process may exceed the usual 5-day time limit. The time limit also applies only to the verification of the anonymity of results, not to the import of other files out of Kapseli (e.g. code files).

Publishing results from other secure operating environments

If you are processing data in a secure operating environment other than Findata’s Kapseli and are ready to publish the results, follow the instructions below.

  1. Download the summary form and fill in the requested information: Summary form – verifying the anonymity of the results (Word-file, 40 kB).
  2. Compress the files and the summary form into a zip folder and name it as follows:
    • “Results_[Record_number_of_permit_decision]_[Kapseli_ID]_[Delivery_date]” (e.g., “Results_ THL_1234_14.02.00_2020_a01_15032021”).
    • Note: write the date in format ddmmyyyy.
  3. You can deliver the results to Findata in two ways:
    • If you have a Nextcloud-account, transfer the results via Nextcloud
    • If you do not have a Nextcloud-account transfer the results via secure e-mail
    • Note: do not send the result files to Findata as an attachment to a regular, non-secure e-mail.
  4. Contact Findata at data@findata.fi
    • Name the subject of your e-mail as “Ensuring the anonymity of results”
    • Specify in your e-mail whether you are transferring the results via Nextcloud or via secure email.
    • If you are using Nextcloud, please include the diary number of the data permit and your Nextcloud ID. Findata will provide you with the name of the folder where you can transfer your results and a zip folder containing the summary form.
    • If you transfer your results by secure email, you will receive a secure e-mail from Findata to which you can reply to securely transfer the zip folder containing your results and the summary form.
    • For more information on encryption and how to transfer data via Nextcloud, see the page Data transfers to Findata.
  5. If there are any concerns about the anonymity of the results, we will be in touch within seven working days of the results being submitted.
    • If you do not hear from us within seven working days of submitting your results, you can proceed with the publication of your results.

Apply for a data permit

Do you need data on individuals? Apply for a data permit when you need data on individuals from multiple public sector social and health controllers or the private sector. Data permits Apply for a data permit

Submit a data request

Do you need anonymous statistical data? Submit a data request to use, when you need aggregated statistical data in table format or key figures from a social and health sector controller. Data requests Submit a data request

Apply for an amendment permit

Is your permit period about to expire or have there been changes to the processors of personal data? Apply for an amendment permit from us when an amendment concerns a controller’s permits or information. Amendment permits Apply for an amendment permit

Check the correct address for the application

Select the controllers from which the data will be retrieved

Apply permit from the controller in question. The exception is those controllers who have delegated permit jurisdiction to Findata.

Please note that Findata is responsible for data permit and amendment applications whenever the data of data controllers covered by the Act on secondary use is combined. When evaluating the competent authority, all data related to the application under the Act must be taken into account.

Apply permit (s) from the controllers in question.

Findata is responsible for data permits of the Finnish Center for Pensions (ETK) and the Finnish Digital Agency (DVV) and / or Statistics Finland if the data are combined with

  • data of other public organizations under the Act on Secondary Use of Health and Social Data (For Statistics Finland, at least two other organizations are needed, for DVV and ETK, one is sufficient)
  • data stored on Kanta services or
  • to the register data of a private social or health care service provider.

Apply permit from Findata.

Findata is responsible for processing and making decisions concerning data permit and amendment applications, when the application applies to:

  • data from numerous public social and health sector controllers
  • register data from one or numerous private social welfare and health care service organisers, or
  • customer data saved in the Kanta Services.

Apply permit from Findata.

The Regional Administrative Agencies (AVI) have delegated the jurisdiction to Findata.

Apply permit from Findata.

National Supervisory Authority for Welfare and Health Valvira have delegated the jurisdiction to Findata.

Apply for a data permit

Finnish Institute for Health and Welfare (THL) has delegated the jurisdiction to Findata. As far as THL is concerned, the delegation of jurisdiction does not apply to its

  • internal permit management
  • the transfer of samples and data transferred to THL Biobank.

Permit is applied from Statistics Finland and the respective data controller. Exceptions are the registrars who have delegated the jurisdiction to Findata.

We are responsible for data permits for data subject to the Secondary Act of Statistics Finland when they are combined

  • to the information of at least two public organizations covered by secondary laws
  • to data stored in Kanta services or
  • to the register data of a private social or healthcare service organizer.

Apply permit from Findata.

Findata is responsible for processing and making decisions concerning data permit and amendment applications, when the application applies to:

  • data from numerous public social and health sector controllers
  • register data from one or numerous private social welfare and health care service organisers, or
  • customer data saved in the Kanta Services.

Please select at least one data controller or group.