Päivitetty 28.04.2022

Permits

We issue permits for the secondary use of social and health data, combine data that is subject to a permit in a secure manner and pro-process these ensuring the privacy of citizens.

What to remember before sending an application

Select the correct application type

There are different types of applications for different information needs

  • Data permit application, when you need data on individuals
  • Data request, when you need statistical data
  • Amendment application, when you are applying for an amendment to a valid data permit other data valid or is the permit process pending?
Describe and limit data

Define the data to be applied for at the variable level and remember the principle of minimisation for other information. Utilise the Data Catalogue (https://aineistokatalogi.fi/) and controller’s advisory services

  • Where from and how do I extract the target group? Is the definition specific enough?
  • Are control subjects/relatives extracted? How will they be defined?
  • From which registers will the data be extracted?
  • What variables will be included in the extraction? 

Other data to be combined

  • Have you made sure that the other data is described on the application?
  • Are the permits for other data valid or is the permit process pending?
Determine the competent authority

Findata is responsible for the application and the permit decision whenever data are combined from data controllers covered by the Act on secondary use of health and social data. The assessment of the competent authority must therefore consider all the data related to the application.

Check from the application assistant which authority the application should be sent to: Application assistant

BEFORE APPLYING

What data use can permits be issued for?

A permit can be issued for the purposes laid down in law, which are listed below. Data on individuals will be sent to a secure operating environment for analysis, while statistical data can be sent to the applicant.

Pursuant to the Act on the Secondary Use of Health and Social Data, information can be used without a separate permit also for knowledge management and social welfare and health care official management and supervision.

Individual-level material

  • education
  • scientific research
  • statistics
  • planning and reporting duties of an authority

In addition, under the Act on the Secondary Use of Health and Social Data, controllers can use their own data for knowledge management without permission from Findata.

Statistical data

  • development and innovation operations
  • education
  • scientific research
  • knowledge management (comparative data)
  • statistics
  • planning and reporting duties of an authority

Please note that, as a rule, the Act on the Secondary Use of Health and Social Data applies to register-based studies.  A register-based study is a study which utilises register data usually collected for other purposes or national registers. For example, the Act on the Secondary Use of Health and Social Data does not apply to clinical trials reported to Finnish Medicines Agency Fimea or to medical trials under the Medical Research Act.

What data can permits be issued for?

The data you can access via Findata are from social and health sector controllers on which you can find more information on the Data page.

Please note that we cannot issue permits for the data of all controllers within the scope of the Act. More details on these data restrictions can be found in the Act on the Secondary Use of Health and Social Data (in Finnish).

See a list of the controllers within the scope of the Act on Secondary Use of Health and Social Data
  • Data saved in Kanta services
    • Findata will process applications related to medical record data in the Kanta services from the beginning of 2021, applications related to e-prescription data can be processed already now.
  • Digital and Population Data Services Agency (The Finnish Digital Agency, individual’s basic details, family relations, place of domicile and building details)
  • Finnish Centre for Pensions (work and earnings data, benefits and the bases for them)
  • Finnish Institute for Health and Welfare (does not apply to data collected for statistical purposes)
  • Finnish Institute of Occupational Health (occupational illnesses, exposure tests and patient registers)
  • Finnish Medicines Agency Fimea
  • National Supervisory Authority for Welfare and Health Valvira
  • Public and private service providers of social welfare and health care
  • Social Insurance Institution of Finland (benefits and prescriptions)
  • Statistics Finland (to the extent that access is required to data covered by the act on the investigation of the causes of death).
  • Regional state administrative agencies (matters relating to social welfare and health care)

Data descriptions and additional information

In accordance with the Act on Secondary Use of Health and Social Data, data controllers provide advisory services concerning their own data and are the best placed to do so. If you need more information on the variables in a certain controller’s data, please contact the controller in question.

You can also make an agreement on the implementation of data extraction in a certain manner with the controller. In the application you send to us, specify the person with whom you have agreed to on the matter.

The National Data Catalogue at aineistokatalogi.fi contains descriptions of some of the data in the scope of the Act on Secondary Use of Health and Social Data.

Which authority should a permit application be submitted to?

Findata is responsible for the application and the permit decision whenever data are combined from data controllers covered by the Act on secondary use of health and social data. The assessment of the competent authority must therefore consider all the data related to the application.

Submit the application to Findata when it applies to

  1. data from numerous public social and health sector controllers
  2. register data from one or numerous private social welfare and health care service organisers, or
  3. customer data saved in the Kanta Services.

Under the law, statistical, aggregated data subject to a data request can only be accessed via Findata.

See the bottom of this page for the application assistant. The assistant can help in determining which authority you should send you data permit or amendment application to.

Go to the end of the page and check the correct address for the application

The rights listed below concerning the issuing of data permits and amendment permits also apply when not permit has been issued to any controller’s information. If there is already a valid permit for some of the information, it will then be determined how many controllers have data that the applicant needs to access. In a situation where a permit is only needed for information from one public sector controller, the controller in question will issue the permit.

The Act on the Secondary Use of Health and Social Data does not apply to clinical trials reported to Fimea, so these are not within Fimea’s competence. The definitions for interventional clinical trial and noninterventional study can be looked up at Fimea Regulation 8/2019 (in Finnish). When necessary, Fimea will provide advice on whether a study is considered a clinical trial.

You can read more on data permit processing related competences in section 44 of the Act on Secondary Use of Health and Social Data (2019/552) (in Finnish).

Under the Act on Secondary Use of Health and Social Data, public sector social and health controller are divided into two groups. Below is the more detailed division of these groups and their differences in competence.

Public sector controllers: Group 1

  • Regional State Administrative Agencies (AVI)
  • Social Insurance Institution (Kela)
  • Finnish Medicines Agency Fimea
  • National Supervisory Authority for Welfare and Health Valvira
  • Public service providers of social welfare and health care
  • Ministry of Social Affairs and Health
  • Finnish Institute for Health and Welfare with the exception of the data it has collected for statistical purposes as a statistical authority;
  • Finnish Institute of Occupational Health

We are responsible for data permits and amendment permits when the application concerns the information of at least controllers in this group.

This, in spite of the fact. that the other party could be believed to have already accessed data or to have their own data. If for example, a hospital district needs Kela data in addition to their own data for a study, the application in this case concerns the data of two controllers. In this case, Findata is the competent authority.

If the application or the data utilization plan mentions other data under the Secondary Act which is to be combined with the data to be retrieved, the application applies to this combined data as well.

Public sector controllers: Group 2

  • Digital and Population Data Services Agency: A person’s basic personal data (e.g. birthdate, date of death, personal identity code), family relations, place of residence and building details. If other information is needed, the Digital and Population Data Services Agency will be responsible for processing applications and making permit decisions.
  • Finnish Centre for Pensions (ETK): People’s employment and income data, granted benefits and their grounds including diagnoses concerning disability pensions. If other information is needed, the Finnish Centre for Pensions will be responsible for processing applications and making permit decisions.
  • Statistics Finland: Information to help in determining cause of death. If other information is needed, Statistics Finland will be responsible for processing applications and making permit decisions.

We are responsible for the data permits and amendment permits of the Finnish Centre for Pensions, the Digital and Population Data Service Agency and Statistics Finland, if in addition to them the application also concerns

  • information from one or more public sector controllers in Group 1
  • information from one or more private social welfare and health care service organisers, or
  • data saved in the Kanta Services

APPLYING

Logging into e-services

All applications to Findata are sent in our e-service with an online form. Log into the service at asiointi.findata.fi using Suomi.fi e-Identification or Haka log in.

Please always log in using the same identification methods, so that you can see the applications you have sent and the decisions that have been given.

If you encounter any problems, contact Findata’s advisory service: info@findata.fi

For more information on logging in see the Logging into services page.

Selecting and completing an application form

There are different application forms for different information needs

  • Data permit application, when you need data on individuals As of 1 May 2022, the analysis of data subject to a data permit will only be possible in audited, secure operating environments.
  • Data request, when you need statistical data The statistical data accessed with a data request will be sent to the applicant.
  • Amendment application, when you are applying for an amendment to a valid data permit See the Amendment permits page for information on what amendments you can apply for with an amendment application.

Complete the application form carefully. Shortcomings in an applicant will lead to a request for more information and the return of the application to the applicant.

For detailed instructions on the completion of different application forms see the pages for different types of permits:

If you do not know what information to enter into  an information field on the form, ask for help well in advance from within your organisation or from our advisory service.

Neuvonta

Yleinen neuvonta

How to expediate the processing of application

The processing times for applications are affected by the content of the application, in particular, the accuracy of an extraction description, the backlog at Findata and the response times of controllers.

If there are any ambiguities concerning the completion of your application, contact the controller directly and Findata’s advisory service to expediate processing

How to speed up the processing of your application:

  1. Check whether Findata is the competent authority to issue a permit for the data you need. Use the application assistant (in Finnish) available on our website to help in determining this. The exceptions to Findata’s ‘one-stop shop’ are the Digital and Population Data Services Agency, the Finnish Centre for Pensions, and Statistics Finland. If you need information from the aforementioned controllers, one or more of them, these controllers are responsible themselves for the processing of applications and making permit decisions. If you do not know where you should send an application, contact our advisory service before sending the application: info@findata.fi.
  2. Contact controllers directly if you need more information about the data or variables. In accordance with the Act on Secondary Use of Health and Social Data, data controllers provide advisory services concerning their own data and are the best placed to do so. You can also make an agreement on the implementation of data extraction in a certain manner with the controller. In the application you send to us, specify the person with whom you have agreed to on the matter. Please see the Data page for the contact details of controllers asked about most frequently. You can also contact our advisory services or use the Data Catalogue.
  3. Describe the information need and the register-specific data extractions as accurately as possible before sending the application. Use the linked Word template for describing extractions: Register-specific variable lists and restrictions related to extractions (in Finnish). Incomplete or insufficient descriptions can lead to your application being returned to you.
  4. Identify the restrictions to extractions and applied-for data The principle of minimisation as defined in the GDPR is applied to the disclosure of personal data, meaning that only the essential data is disclosed. The extraction can be extensive provided that there are good grounds for the necessity of the data.
  5. Complete the application carefully. Also pay attention when entering basic data such as the applicant, the controller for the data to be disclosed, invoicing details and possible other data to be combined.

About the transfer of personal data outside the EU/EEA

The processing of personal data abroad is counted as a transfer of personal data even if the data is in a remote access environment.

Under the EU’s General Data Protection Regulation, data can be transferred within the European Economic Area on the same grounds as within Finland. Countries belonging to the European Economic Area include the EU Member States and Norway, Liechtenstein and Iceland.

If data is to be transferred or processed outside the aforementioned countries, i.e. in so-called third countries, there must be a legal basis for this in keeping with Chapter V of the GDPR.

The acceptable legal bases are listed below. It is sufficient that just one of these bases for data transfer is met.

Commission decision in the adequacy of data protection under Article 45
Standard contractual clauses on data protection pursuant to Article 46(2)
  • Standard contractual clauses (SCC) are standard contractual clauses approved by the European Commission that can be used in contracts between two controllers or between a controller and a processor.
  • These standard clauses can be viewed on the website of the Data Protection Ombudsman: https://tietosuoja.fi/en/standard-clauses-adopted-by-the-commission 
  • If this is given as the basis for data transfer, we will take this criterion into account in the data permit decision. We will make the data available outside the EU/EEA subject to this condition and only after the applicant / permit holder has submitted to Findata the signed standard contractual clauses. The use of standard clauses will also require additional examination of the adequacy of data protection.  Please note that standard contractual clauses may not be modified or added to, but must be approved as they are.
Binding corporate rules pursuant to Article 47
  • Binding corporate rules (BCR) refer to shared, binding rules for the transfer of personal data to third countries within a corporate group or group of companies engaged in joint economic operations.
  • For more information, see the website of the Data Protection Ombudsman: https://tietosuoja.fi/yritysta-koskevat-sitovat-saannot 
  • If this is given as the basis for data transfer, we will take this criterion into account in the data permit decision. We will make the data available outside the EU/EEA area subject to this condition and only after the applicant / permit holder has notified the Findata of the code of conduct in question, which must have been appropriately approved by a data protection ombudsman of an EU Member State.
Exceptions and safeguards under Article 49

Exceptions and safeguards under Article 49, such as the explicit consent of the subject to the proposed transfer after being informed of the risks associated with the transfer. This basis for transfer can only be used in exceptional cases.

  • For more information, see the website of the Data Protection Ombudsman: https://tietosuoja.fi/erityistilanteita-koskevat-poikkeukset 
  • When appealing to this legal basis when utilising data subject to a permit, the controller or the processor must describe in their report on processing operations the assessment related to the transfer and the appropriate safeguards established: https://tietosuoja.fi/seloste-kasittelytoimista 
  • If this is given as the basis for data transfer, we will take this criterion into account in the data permit decision.

Further information on the transfer of data to the United Kingdom following Brexit can be found on the website of the Data Protection Ombudsman:  https://tietosuoja.fi/en/standard-clauses-adopted-by-the-commission 

Permit fees and other costs

A fee will be charged for decisions concerning data permit applications, data requests and amendment applications and the related processing of data. The price of our services comprises the price of the decision and an hourly fee, which will be determined according to the working hours spent on combining and processing the data.

In addition to the fees charged by Findata, the final price is affected by the data extraction and delivery fees based on
decrees concerning the controllers.

When we process applications, we will ask the controller for a maximum cost estimate for extracting the necessary data. We will also give a maximum cost estimate on data processing by Findata.

We will forward these estimates to the applicant before making a decision on the permit. The final price of the data resource is confirmed after disclosing the data. A separate processing fee is charged for any expired and negative decisions.

See the Pricing page for more information.

AFTER APPLYING

How does an application’s processing proceed?

The processing of applications can be divided into five stages, which can be preceded by the applicant independently contacting to a controller. The process is shown in text after the graph.

  1. The applicant contacts controllers directly before sending an application, if they need additional information on the data or variables or they need help with drawing up an extraction description.
    • The applicant can also make an agreement on the implementation of data extraction in a certain manner with the controller. If the customer and the controller’s contact person have agreed for example that a clinician, who is part of the research team will extract the data free of charge, the application’s Additional information section should include information on who this was agreed on with and in what context.
  2. The applicant submits their application or requested additional information to Findata in the electronic application system at https://asiointi.findata.fi.
    • If the applicant is only submitting additional information, the clarifications can, depending on the case, also be submitted by e-mail.
  3. Our application processors check applications and their appendices to ensure that these contain all the necessary information.
    • Where necessary, we will return an incomplete application for completion or we will submit a request for further clarification to the applicant.
  4. When all the extraction descriptions have been completed, we will send additional information and cost estimate requests to the controllers whose information is requested in the application.
    • The purpose of the request is to determine the feasibility of the requested extraction and the maximum cost estimate for the extraction.
    • According to the Act on the Secondary Use of Health and Social Data, the controllers have 15 working days to respond to this request. Where necessary, controllers may ask for additional details to the request, in which case we will forward the questions to the applicant.
    • At this stage, we will also determine Findata’s internal cost estimate, which comprises our own data processing costs.
  5. Once all the cost estimates have been received, the applicant will be presented with a final extraction description and a maximum cost estimate for approval.
    • The applicant must accept both in order for the permit to be granted.
    • Please note that it will not be possible to change the extraction conditions after this, and that changes made to the extracted data later on will require a separate application.
  6. We at Findata will issue a positive data permit or data request decision.
    • Please note, that data permits are always for a fixed period. If data needs to be saved for a purpose such as the verification of research or the you intend to renew your permit or the extractions must be updated at certain intervals, please include these needs in your application.

How will the compilation of the applied for data proceed?

Once we have issued a data permit or made a decision on a data permit, there are five different staged for the compilation of data and its pre-processing. The process is shown in text after the graph.

  1. We will send the data requests to the controllers so that extraction can begin. Each controller has 30 working days to submit the requested data to Findata.
    • Depending on the nature of the project and the extraction, this phase may include several consecutive parts, such as 1. extraction of the target group; 2. extraction of the controls; 3. extraction of data.
  2. We will begin to process the sent data. As agreed on for each project, we will check, combine and pseudonymise the data or make statistics on them in accordance with a data request.
  3. The completed data will be handed over to the permit holder in an agreed-upon secure operating environment. Findata’s secure remote operating environment Kapseli is the statutory primary option. The data can be disclosed to other operating environments, if this is necessary for the completion of the project.
    • The target time for the handing over of data is 60 working days. The target time will not be possible if a target group is not given immediately after the decision has been made, data extraction is carried out in several stages, deliveries by data controllers are delayed or the data is exceptionally complex.
  4. The permit holder has 30 working days to review the material. The permit holder must notify Findata within this given time period of any comments they wish to make on the material.
    • Check the data thoroughly as soon as possible. Errors that occur during extraction can accumulate, if, for example, the target group has been formed incorrectly and other controllers must carry out their own extractions all over again for this reason.
  5. We will remove the data from our own systems 6 months after it has been handed over. We will retain the code keys for pseudonymised data that will enable the data to be reproduced.
    • Data permits are always for a fixed period. If data needs to be saved for a purpose such as the verification of research or the you intend to renew your permit or the extractions must be updated at certain intervals, please include these needs in your application.

Where can the data be analysed?

The aggregated statistical data accessed via a data request is sent to the customer, and it can be analysed freely in accordance with a data utilisation plan.

Data on individuals that require a data permit can only be analysed in a secure environment.

As a rule, the data will always be disclosed to Findata’s secure operating environment Kapseli. However, the Act on the Openness of Government Activities makes it possible to disclose information to other operating environments, if necessary. Read more below in the section: Findata’s regulation sets information security requirements for environments.

If an individual controller within the scope of the Act on Secondary Use has made a decision on a data permit concerning data included in their own registers, they must disclose the data to a secure environment referred to in the Act on Secondary Use as well. Amendment permits are also officially data permits (decisions to amend data permits), meaning the same requirements apply to these as to data permits. The exception to this is changes to personal data processors.

Findata’s regulation sets information security requirements for environments

We have issued a regulation in accordance with the Act on the Secondary Use of Health and Social Data, which describes the requirements laid down other service providers’ secure operating environments.

The regulation concerns the secondary use of social and health data, and it will be applied to all the purposes provided in the Act on the Secondary Use of Health and Social Data for which a data permit is required. These purposes include scientific research, statistics, teaching and the planning and investigation tasks of the authorities. With regard to teaching, the regulation pertains to the preparation of teaching materials, not actual teaching.

As of 1 May 2022, the implementation of the requirements laid down in the regulation is a prerequisite for the disclosure of data to be processed by the permit holder for secondary purposes in an environment other than Findata’s secure operating environment Kapseli. In addition, the operating environment must be assessed by a data security assessment body that must issue a certificate on the assessment.

The entry into force of the requirements does not affect existing, valid permits. If data are processed on the basis of a valid permit previously granted, the processing of that data may continue in the same environment after 1.5.2022.

The requirements take into account the solutions in existing environments and enable the utilisation of different technical solutions.

At its simplest, a secure environment can be a physically and technically secure space with a terminal device for analysing data that is isolated from the Internet and other devices. On the other hand, technical solutions based on cloud services are also possible, as long as the service provider ensures the required level of data security. The operating environments of foreign researchers must also meet the data protection and security requirements.

Verifying the anonymity of results

All those who process personal data must provide the results of their analyses in an anonymous form that cannot be used to reveal any data or aspects concerning individual participants.

We ensure anonymity in line with the Act on Secondary Use of Health and Social Data. This applies to all materials that have been authorised under said Act.

Please see the Production of anonymous results page, for the criteria on reviewing results and for example on the most common analysis types.

Apply for a data permit

Do you need data on individuals? Apply for a data permit when you need data on individuals from multiple public sector social and health controllers or the private sector. Data permits Apply for a data permit

Submit a data request

Do you need anonymous statistical data? Submit a data request to use, when you need aggregated statistical data in table format or key figures from a social and health sector controller. Data requests Submit a data request

Apply for an amendment permit

Is your permit period about to expire or have there been changes to the processors of personal data? Apply for an amendment permit from us when an amendment concerns a controller’s permits or information. Amendment permits Apply for an amendment permit

Check the correct address for the application