Permits

1. Applicant contacts the controllers before submitting the application
   • Contact controllers directly for additional information on data or variables.
   • Request cost estimates and feasibility details from controllers.
   • Use the extraction description form (Word document, 56 KB)
   • If you are applying for a statistical data with a data request, describe the statistics generation in the Tabulation plan (Excel file, 19,2 kB)
   • If you arrange special data extraction agreements with the controller, include this in the Additional Information section of your application.
     • For example, if a clinician from the research team will perform the extraction free of charge, include details in the Additional Information section about who agreed to this and under what conditions.
2. Applicant submits the application to Findata
   • Submit your application or any requested additional information via our e-service (asiointi.findata.fi)
   • If only additional information is required, clarifications may be submitted by email on a case-by-case basis.
3. Findata reviews the application and invites the applicant to a remote meeting for personal consultation
   • We review data permit approximately within a week of receipt.
   • We invite the applicant to a remote Teams meeting to discuss the content of the application and to ask clarifying questions.
   • The applicant provides more information or clarification if needed.
4. Findata sends requests for cost estimates to data controllers
   • Findata sends requests for additional information and maximum cost estimates to the controllers, who provide the data.
   • Controllers have 15 working days to respond.
   • We will forward any additional questions from controllers to the applicant.
5. Findata sends the cost estimates of the controllers’ extraction and Findata’s data processing to the applicant for approval
   • Once we have received the cost estimates from the data controllers, we assess the working time required for processing the data and estimate the maximum total cost.
   • We provide the cost estimates for the applicant to review and accept.
   • Note that you cannot change the extraction conditions after approval. Any modifications to the extracted data will require a new application.
6. Findata issues a decision
   • Data permits are for a fixed period.
   • If you need to store the data for purposes such as research verification, or if you plan to renew your permit or require regular updates, include these needs in your application.

7. Findata sends data extraction requests to controllers who extract the data
   • Each controller has 30 working days to submit the requested data to Findata.
   • The extraction may involve multiple steps, such as:
     • Extraction of the target group
     • Extraction of controls
     • Extraction of additional data
   • Each step can take up to 30 working days, potentially totaling up to 90 working days.
8. Findata pre-processes the extracted data
   • We will review, combine, and pseudonymise the data or generate statistics according to the data request.
9. Findata delivers the data to the permit holder
   • The processed data will be provided to a secure processing environment, typically in CSV format.
   • Findata’s secure processing environment, Kapseli, is the primary option. Data may be disclosed to other environments if necessary.
   • The target time for delivering the data is 60 working days.
     • This timeframe may be extended if the target group is not provided immediately, if extraction is conducted in multiple stages, if there are delays from controllers, or if the data is particularly complex.
10. Permit holder reviews the data
    • You have three months to review the data and notify Findata of any discrepancies or comments.
    • Thoroughly check the data, as errors can lead to additional work.
      • For example, errors that occur during extraction can accumulate, such as if the target group is formed incorrectly, requiring additional extractions from other controllers.
    • If you find omissions or errors, email Findata at data@findata.fi with detailed descriptions of how your data differs from the extraction description.
11. Findata deletes the data from its own processing systems once the retention period has expired.
    • We remove the datasets from our systems four months after delivery.
    • We retain the code keys for pseudonymised data to allow reproduction if needed.
    • Data permits are for a fixed period.
      • If you need to save data for purposes like research verification, plan to renew the permit, or require regular updates, include these needs in your application.

Submit your data permit or amendment permit application to Findata if you want to apply for:

• Data from several public social and health sector controllers covered by the Secondary Use Act.
• Data from a single public controller that has transferred the right to issue permits to Findata (see the list).
• Data from one or more private social welfare and health care service organisers.
• Customer data saved in the Kanta Services.
• Findata’s ready-made dataset.

If you need statistical aggregated data, send data request to Findata.

Unsure where to send your application? Use Application Assistant!

A data controller is a person or organisation that decides on the processing of personal data. They are responsible for ensuring that data processing is carried out securely and appropriately, and that the data is either destroyed or archived properly once the research is completed.

If the researcher is employed by the organisation conducting the research, that organisation acts as the data controller. However, an independent researcher or research group can act as the data controller themselves.

If multiple organisations jointly decide on the processing of personal data, they act as joint data controllers. In such cases, it is important to clearly agree on the responsibilities of each party.

Data provided under the Secondary Use Act can be combined with other information, such as data collected by an individual themselves or data obtained with a separate permit. As a rule, the combining of data must be carried out by Findata or a statistics authority.

Read more: Combining other data with data applied from Findata

Data controllers deliver the extracted datasets to Findata via secure Tunnel and Supertunnel transfer services.

Instructions for data controllers on delivering extracted datasets: Data transfers

You can apply for data from Findata for your thesis if you are working on a thesis for at least a higher university degree. In your application, please specify your educational institution, the degree being pursued, the thesis author, and the thesis supervisor.

The licence fees for theses are reduced. The reduced thesis licence fee applies when producing a single thesis. If the project produces multiple theses or other outputs unrelated to the thesis, the normal or extended licence fee will apply.

1. Consider necessity: Determine if textual data is essential for conducting your research.
   • The need for unstructured data must always be justified. Often, similar information can be extracted in a structured format.
   • We mask direct identifiers in textual data, which affects the usability of the data.
   • Processing textual data takes time and significantly increases costs.
2. Request insights from the data controller on appropriate keywords.
   • The data controller is best positioned to assess which keywords will yield the most comprehensive results without extraneous information.
   • For example, the keyword pressure will produce all records related to pressure, such as blood pressure, eye pressure, etc. If the research focus is on blood pressure, the extracted textual data will contain a substantial amount of unnecessary information.
3. Specify the length of the text snippet to be extracted on a variable-by-variable basis.
   • The text snippet should be as short as possible.
   • Request the data controller’s view on the length of the text to be extracted.
     • For instance, keyword +/- 50 characters.
4. Ensure the extraction is scoped appropriately.
   • If the extraction can be limited to the information from a specific department or field of treatment instead of the entire healthcare district’s database, the amount of text to be extracted and the processing costs will be significantly lower.

Applications received by Findata are confidential, while Findata’s decisions are public. If a data controller has a statutory right to access information about the application’s contents, Findata may, on a case-by-case basis, provide the data controller with information about the data to be extracted and the formation of the target group.

A data utilisation plan refers to a research plan, project plan, or a similar plan.

The plan must specify:

• the purpose of using the data as stated in the permit application,
• the data controller and processors,
• the legal basis for processing, and
• essential aspects related to data protection and information security covering the entire data lifecycle (storage, disposal, or archiving of data).

The essential elements of the data utilisation plan are addressed in Findata’s application forms.

Common criteria for scientific research include, for example:

• the research is based on an appropriate research plan,
• the research has a responsible person or a responsible group,
• the research participates in scientific discourse, meaning the results are intended to be published according to scientific principles, for example in scientific journals or as a thesis,
• the research produces new knowledge or promotes public health or wellbeing,
• the research has a research permit granted by the relevant organisation, if such a permit is required,
• medical research has a favourable statement from an ethics committee.

An appropriate scientific research plan typically includes, for example:

• background information,
• definition of the information needs the research aims to address,
• setting goals and research questions,
• description of the required data and methods, and
• consideration of ethical perspectives.

Processing time for your application depends on several factors, including the clarity of your application, our current processing load, and response times from data controllers. To expedite the process:

• Complete the application carefully ensuring all sections are filled out thoroughly and accurately.
• Attach all previous permit decisions to your application.
• Attach to your application all previous non-disclosure agreements (NDA). Each person handling the material to be added must have their own NDA.
• Use Findata’s advisory service for additional support and clarification.

For more information, visit the Data page or check the Data Resources Catalogue (aineistokatalogi.fi).

The European Health Data Space (EHDS) is a regulation of the European Union that establishes a common framework for the use and exchange of health data in EU countries. The aim of the regulation is to strengthen citizens’ rights to their own electronic health data and to enable the secure cross-border secondary use of health data.

The EHDS regulation is similar to the current Finnish Secondary Use Act, but it also introduces changes. The regulation includes partly different purposes of use, some of which are reserved only for public or EU entities. In addition, new operating models will be introduced for processing data requests and permit applications.

The regulation entered into force in March 2025 and will be implemented gradually over the coming years. The parts concerning secondary use will begin to apply in March 2029.

Personal data are pieces of information that can be used to identify an individual either directly or indirectly.

Examples of personal data that allow direct identification include:

• name,
• personal identity code,
• email address based on the person’s name, and
• biometric identifiers such as fingerprints, facial images, voice, and iris patterns.

Examples of personal data that allow indirect or partial identification include:

• gender,
• age,
• education, and
• nationality.

Indirect or partial identifiers can also be combined to identify a person. Therefore, removing or replacing direct personal identifiers does not necessarily mean that the data no longer contains personal data.

Special categories (or sensitive) personal data include, for example:

• ethnic origin,
• sexual orientation or behaviour,
• health data,
• biometric data, and
• genetic data.

Highly protected personal data include, for example:

• psychiatric data,
• social welfare data, and
• data related to sexually transmitted diseases and medical genetics.

For instructions on how data controllers can submit extracted data, see the Data transfers to Findata -page.

Anonymisation means the transformation of personal data into a form that irreversibly prevents the identification of an individual person. This may mean, for example, removing direct identifiers and simplifying the data to a general level so that personal data cannot be reconstituted in any way.

Pseudonymisation refers to the transformation of personal data, for example into a coded form. In this case, names and personal identifiers can be removed and replaced by another unique identifier, i.e. a code. Often a code key is kept to restore direct personal data to the data. Pseudonymised data are still personal data.

Yes, you can, if this is okay with the controller. The controller has the right to determine independently the manner in which it carries out the extraction, and it has the right to use an external processor to carry out the data extraction.

If such processors are used, the EU General Data Protection Regulation (GDPR) requires that a data protection agreement (DPA) covering the processing of personal data is signed with them. The controller is ultimately responsible for ensuring that the personal data is processed in a legal manner. The processor, meanwhile, is responsible for ensuring that it complies with the terms of the DPA and the instructions of the controller.

The collected data must be delivered to Findata securely via the transfer service Tunneli, after which we combine and pre-process them.

Unfortunately, you cannot yourself modify an application after it has sent.

If you want to supplement an application that has already been sent, send us an email to info@findata.fi and tell us your application’s ID (e.g. 2022/53). We will return the application so you can supplement it.

The processing time for applications depends on several factors: the accuracy of the data extraction description, the current backlog at Findata, and the response times of data controllers.

By following the following guidelines, you can help ensure that your application is processed as quickly and efficiently as possible.

1. Verify Findata’s authority:
   • Ensure Findata is the competent authority to issue a permit for the data you need.
   • Use the application assistant to help determine this.
   • Note that the Digital and Population Data Services Agency, the Finnish Centre for Pensions, and Statistics Finland handle their own data and permit decisions. If you need information from these controllers, contact them directly.
2. Consult Findata’s help desk:
   • If unsure about where to send your application, contact Findata’s help desk service at info@findata.fi before submitting it.
3. Contact data controllers directly:
   • If you need more information about the data or variables, contact the relevant data controllers. Data controllers provide advisory services for their data and can guide you on data extraction methods. You can also make an agreement on the implementation of data extraction in a certain manner with the controller.
   • In your application, mention the contact person with whom you have discussed the data extraction.
   • See information and contact details for controllers: Links to data controllers’ websites and data descriptions
4. Use the Data Resources Catalogue:
   • You can refer to the Data Resources Catalogue (aineistokatalogi.fi) for additional information.
5. Describe your information needs accurately:
   • Clearly define the information needed and specify the register-specific data extractions in your application.
   • If the extraction involves multiple steps, describe the order of extraction using the extraction description form (download Word file, 51.2 kb).
   • If you are applying for a statistical data with a data request, describe the statistics generation in the Tabulation plan (Excel file, 19,2 kB)
   • Ensure that the data extractions and the data you request are essential and justified.
6. Apply the GDPR minimisation principle:
   • Only request data that is essential for your purposes. The principle of minimisation as defined in the GDPR will be applied, meaning that only necessary data will be disclosed.
7. Complete the application carefully:
   • Pay attention to entering basic data such as the applicant’s details, the data controller, invoicing details, and any other data to be combined.