All our services are related to the secondary use of health and social data. This page contains summaries on our services, a list of instructions and a list of most frequently asked questions.
We provide services to those who need information meaning our customers and parties who control data meaning controllers. In addition, we provide information and advice to citizens on where register data are used, on each citizens’ rights under the GDPR and on how we ensure that data protection is implemented.
Book a time for personal consultation
You can book a time for personal consultation with an expert from Findata. Appointments are available three days a week and last for 20 minutes. The meetings are held remotely via Teams.
We offer help in the following topics:
- General consultation on Findata’s services
- Data permit applications, amendments, and data requests
- Extraction description form and other forms
- Ordering Findata’s secure processing environment Kapseli, pausing, and data storage service
You can see the available times below.
Make sure you have written your email address correctly. After booking, we will send a confirmation to your email and a downloadable calendar reminder. We will send the link to the Teams meeting later.
If you have not received a confirmation or Teams link, email us at info@findata.fi.
The personal consultation service is provided as a part of the FinHITS project funded by the European Union.
On this page
Forms for customers Services for customers Instructions for customers Services for controllers Instructions for the controller Other services and obligations Frequently asked questionsForms for customers
- Extraction description form (download Word-file, 51 kB)
- The extraction description form is intended for use by applicants, data controllers and Findata. The extraction description form allows the applicant to request advice from the controllers on the feasibility and costs of the planned extraction before submitting an application for a data permit or a data request to Findata.
- Read more: Instructions for completing a data permit application and Instructions for submitting a data request
- Form: Files to be submitted to Kapseli (download Word-file, 26 kB)
- If you have a permit from Findata and you are submitting your own material, files or software to Kapseli, inform us first at data@findata.fi before filling in the form.
- Read more: Delivery of customer’s own files to Findata
- Preliminary inquiry form: Files to be delivered to Kapseli (download Word-file, 37 kB)
- Kapseli can also be used in situations where another authority has authorised the data (e.g. a wellbeing services county or other individual data controller). In these cases, fill in the preliminary inquiry form so that we can make an estimation of the workload and costs.
- Preliminary inquiry form: Files to be combined to data permit (download Word-file, 34 kB)
- With this form we ask for further information on the files to be combined to Findata data permit so that we can make an estimation of the workload and costs.
- Fill in only the parts relevant to your application.
- Summary form: Verifying anonymity of results (download Word file, 43 kB)
- If you are processing data in a secure operating environment other than Findata’s Kapseli and are ready to publish the results, download and fill in the summary form.
- Read more: Verifying the anonymity of results
- Confidential Disclosure Agreement (download Word file, 44 kB)
- If you are applying for an amendment to a data permit to add or change persons authorised to process the data, attach completed and signed confidentiality agreements to the application. Every added personal data processor must have their own confidentiality agreement.
- Read more: Instructions for completing an amendment application
- Order form: Data transfer (download Word file, 53 kB)
- According to the Secondary Use Act, a secure transfer service must be used when transferring personal data. For example, if you need to transfer personal data from an individual data controller to an environment other than Findata’s Kapseli, order the data transfer from Findata.
- Read more: Data transfer
Services for customers
Advice
- We provide advisory services on this website and via email at info@findata.fi.
- We provide advice on issues such as question related to application for data permits, data requests and amendment permits. In addition, we provide general advice on the matters related to Act on the Secondary Use of Health and Social Data.
- When requiring information content from registers or individual pieces of data, it is best to contact the controller directly, as they are the best experts when it comes to their own data and can provide statutory advisory services on their secondary use. See the Data page for controller’s contact details.
- Read more on the Contact us page
Data permits, amendment permits and data requests
- We issue data permits for data on individuals, when information is needed from numerous public controllers, the private sector or the Kanta Services. We combine and pre-process data while ensuring the privacy of citizens.
- We issue amendment permits for previously issued permits, when an amendment applies permits issued by numerous public controllers, Findata or an authority who has transferred their right to issue permits to Findata.
- We make decisions on data requests, meaning on access to statistical data when the information is needed from a controller within the scope of the Act on the Secondary Use of Health and Social Data.
- Read more on the Permits page
Combining and pre-processing of data
- We collect register data from controllers.
- We pre-process the data disclosed to the permit holder, meaning we combine and pseudonymise, anonymise or produce statistical data of the data compiled from the controller.
- We convert and combine the permit holder’s own data to the data obtained through Findata.
- Read more on the Data page
Secure Kapseli operating environment
- We provide a secure environment, Kapseli for the processing of data on individuals, where the software required for the analysis of key data are available.
- According to the Act on Secondary Use of Health and Social Data, starting on 1 May 2022 the analysis of data accessed with a data permit will only be permitted in operating environments that meet the requirements of the regulation. The requirements specify the same level of data security as is required in Kapseli.
- Read more on the Kapseli page
Instructions for customers
Services for controllers
Counselling service
- We provide advisory services on this website and via email at info@findata.fi.
- We provide answers to questions concerning such things as the submission of data, data descriptions and general questions concerning the Act on the Secondary Use of Health and Social Data
Read more on the Contact us page
Support for creating data descriptions
- Organisations within the scope of the Act on the Secondary Use of Health and Social Data in their role as controllers have a statutory obligation to draw up data descriptions on the information content in their information resources in accordance with the Findata Regulation. This is important so that those who need data can assess the suitability of the data for secondary use.
- We provide free tools for controllers: Data editor, with which data descriptions can be drawn up and a Data catalogue where data descriptions can be published.
- In addition, we help controllers in creating data descriptions by providing training on the use of the aforementioned tools.
Read more on the Regulation on data descriptions page
Anonymisation service
- If the secondary data use application relates to only one public social and health sector controller, that controller is themselves responsible for processing the data permit application and making the permit decision. However, if the data is disclosed to the permit holder in anonymised form, we will anonymise the data on behalf of the controller and deliver it for the permit holder’s use.
Read more on the Data permits page
Processing of data permit and amendment applications by the controller
- Public controllers may authorise Findata to carry out on their behalf, as detailed in the Secondary Data Act, services other than advice and data description services. In such cases, we also process on behalf of the controller those data permit and amendment applications which relate only to the content of the controller’s own registers.
- For information on controllers who have transferred their authority to issue permits, see the Data page section titled Transferred right to issue permits
Other services and obligations
Rights of data subjects pursuant to the EU General Data Protection Regulation
- Everyone has the right to their personal data and the right to access information on the use of their personal data With regard to Findata’s activities, information on this is available on this website and specifically on the Data protection and processing of personal data page.
- For information on projects that have been issued a permit, see the Issued permits page. If necessary, you can also contact our advisory service.
- In addition to receiving information, the data subject has the following rights to their data as regards the data held by Findata:
- Right of access to one’s personal data
- Right to rectify one’s data
- Right to restrict the processing of one’s data
- Right to object to the processing of one’s data.
- If you wish to exercise you rights pursuant to the GDPR, see the instructions here: How can I exercise my rights?
Read more on the page Data protection and processing of personal data
Regulations related to the Act on the Secondary Use of Health and Social Data
- The Act on the Secondary Use of Health and Social Data obliges Findata to provide specifying regulations on matters such as secure operating environments, data descriptions and data permit applications and data utilisation plans.
- The regulations are changing in nature and will be updated as necessary.
Read more on the Regulations page
Frequently asked questions
How to order Kapseli
- Log in to our e-service (asiointi.findata.fi).
- From the top menu select “Submit application”
- Scroll down and select “Order or update of the Kapseli operating environment or the data storage service” from under Select a new application form from below and click “Fill in the application”.
- Complete the application form
- Enter your own name in the applicant field
- After this, using the “Invite a member” button add all the persons and email addresses that need user rights to Kapseli
- The invited persons will join using multi factor authentication
- Complete the rest of the form
- Please note, that R-Tools is not automatically installed in Kapseli. If you need R-Tools, indicate this in the additional information section of the form.
- Finally, select Send application from the “Actions” section.
I can’t log in to Kapseli
Before logging in, please make sure that your username is registered and ready to use. If you are not sure whether your account is ready for use, contact your Findata contact person or the Kapseli helpdesk: kapseli@findata.fi.
How to log in to Kapseli
- Install Duo Mobile app (duo.com) to your phone and activate it. The developer is Duo Security Inc. If you’ve already installed and activated the app go to point 2.
- Installing: find Duo Mobile from your phones app store and install it.
- Activating: the phone numbers reported when ordering Kapseli will get an automatic activating message for Duo Mobile. The app is activated by clicking the link in the activating message.
- Log in Kapseli at kapseli.findata.fi using your computers browser.
- Choose the identification method from the list that you chose while registering.
- Choose the operating environment you’re going to use. If you have just one operating environment in use go to the next section.
- After choosing the environment the system goes to the second phase of identification.
- The second phase of identification.
- Log in the operating environment.
- You’ll get a notification about logging in to Duo Mobile. To approve the log in choose ‘Approve’ in Duo Mobile.
Can I combine the data I received via Findata with other information?
Data referred to in the Act on the Secondary Use of Health and Social Data can be combined to other information, such as data a person has collected themselves or data accessed with some other permit. As a rule, Findata or a statistics authority combines the data.
If you wish to combine data later on to data you have received via Findata, send an amendment application for the data to be combined. For more information please see the Amendment permits -page.
If you are applying to have data accessed with an individual’s consent to be combined with data that Findata has issued a permit for, the research subject’s notification and consent models must be attached to the application.
If the data have been accessed with the permission of other actors, list the following information in the application:
- Permit record number, issuer, date of decision.
- If the permit process is pending, the party to whom the application was submitted and the permit process start date.
- A brief description of the information content of other data.
- Do not attach permits for other data to the application. The application processor will ask for these separately of necessary.
See the instructions for sending data on the page Data transfers to Findata.
How does the data controller provide the extracted data to Findata?
For instructions on how data controllers can submit extracted data, see the Data transfers to Findata -page.
Can my information be disclosed abroad?
Free movement of data within the EU is required under the General Data Protection Regulation. However, the law requires that the data is mainly processed in the centralised, secure user environment of the data permit authority for the social and health care sector, and that access rights to the environment may only be granted to authorised persons. The permit holder may also be located elsewhere than in Finland. The provision of a data secure user environment is an essential technical measure to safeguard the protection of personal data.
If necessary, the data may be disclosed to another secure environment indicated by the permit holder. However, this other environment must meet the criteria of the Findata order, it must be audited against the requirements of the order, and its audit certificate must be valid. Valvira maintains the Toini register, and in these cases also the information should only be used for the purpose for which it was disclosed to the permit holder. The EU’s General Data Protection Regulation specifies the conditions under which data can be disclosed outside the EU.
Health and social data may not be used for marketing or the determination of individual commercial services, such as insurance premiums.
Will my data be sold to third parties?
No. Findata is the Health and Social Data Permit Authority that grants temporary permits for the secondary processing of social and health care data provided that the statutory permit conditions are met.
How can I prohibit the secondary use of my data?
Everyone has the right to their personal data and the right to object to the processing of the data. We have compiled instructions on how to exercise your right of objection on the webpage ‘Data protection and processing of personal data’.
It should be noted that Findata is not the original controller of health and social data. Thus, for example, a request submitted to Findata to object to the use of personal data does not prevent the disclosure of the data for secondary use by one of the controllers referred to in the Act on the Secondary Use of Health and Social Data (Secondary Use Act), Section 6.
Unfortunately, Finland does not have a centralised system through which the secondary use of data can be banned once and for all in a way that is binding on all parties.
You can submit a objection request directly to the other actors referred to in Section 6 of the Secondary Use Act:
- social welfare and health care service providers,
- the Ministry of Social Affairs and Health,
- the Finnish Institute for Health and Welfare (THL),
- the Social Insurance Institution of Finland (Kela),
- the National Supervisory Authority for Welfare and Health,
- the Regional State Administrative Agencies,
- the Finnish Institute of Occupational Health,
- Fimea,
- Statistics Finland and
- the Central Pension Insurance Institute.
See general guidelines on how to object to the use of data (tietosuoja.fi)
It is not possible to submit to the Digital and Population Data Services Agency an objection to the disclosure of a person’s data for purposes under the Secondary Use Act. The Act on the Population Information System and the Certificate Services of the Digital and Population Data Services Agency (Section 28) provides for prohibitions on the disclosure of data relating to the Population Information System. Read more in Finnish on the website of the DVV (dvv.fi).
What is the difference between primary and secondary use of health and social data?
Primary use means the purpose for which the data was originally saved in the customer register and/or patient register.
The primary purpose may be, for example,
- examination, treatment and rehabilitation of the patient,
- the service received by a social welfare customer,
- or the processing of benefits by the Social Insurance Institution of Finland (Kela).
Secondary use means the use of the same data for purposes other than the primary use.
Legitimate secondary purposes of use include
- scientific research,
- statistics,
- development and innovation activities,
- education,
- knowledge management,
- steering and supervision by authorities and
- the planning and reporting duty of an authority.
Different purposes of use are subject to different regulations. Only aggregated statistics from which individuals cannot be identified may be obtained for development and innovation activities.
Can I collect the data myself from my own hospital and thus avoid the data controller’s collection fee?
Yes, you can, if this is okay with the controller. The controller has the right to determine independently the manner in which it carries out the extraction, and it has the right to use an external processor to carry out the data extraction.
If such processors are used, the EU General Data Protection Regulation (GDPR) requires that a data protection agreement (DPA) covering the processing of personal data is signed with them. The controller is ultimately responsible for ensuring that the personal data is processed in a legal manner. The processor, meanwhile, is responsible for ensuring that it complies with the terms of the DPA and the instructions of the controller.
The collected data must be delivered to Findata securely via the transfer service Nextcloud, after which we combine and pre-process them.
Do the collection fees charged by the controllers include VAT?
This depends on the controller. The data controllers determine their own collection fees on the basis of their own regulations.
Why is the VAT rate 0% for some payments and 25,5% for others?
Findata’s prices are based on the decree of the Ministry of Social Affairs and Health on charges for work carried out by the Health and Social Data Permit Authority.
With the exception of Kapseli, the service prices are for actions under public law that are based on cost value (VAT 0 %). The prices for Kapseli’s services are commercially priced paid services with 25,5% VAT.
The data controllers determine their own costs on the basis of their own regulations.
On average, how much are Findata’s data processing charges?
On the page Average costs estimates (in Finnish), you can find the average, range and median calculated from the maximum cost estimates. The data is updated quarterly.
What are the average collection fees for data controllers?
You can find the average, the range and the median calculated from the maximum cost estimates for data extractions in Finnish on the Average Cost Estimates page. We update the data quarterly.
Can someone other than the permit holder receive the invoices?
Possibly. Any inconsistencies between the applicant and the invoiced party (e.g. the payer is not the applicant) can be clarified where necessary in the ‘Additional information’ section.
Can I receive a paper invoice?
E-invoicing is the primary invoicing method. Paper invoices are only possible in exceptional cases. As a rule, however, the invoice recipient are organisations that only accept e-invoices. If necessary, ask for more information from your organisation’s financial department.