Services and instructions

1. Log in to our e-service (asiointi.findata.fi).
2. From the top menu select “Submit application”
3. Scroll down and select “Order or update of the Kapseli operating environment or the data storage service” from under Select a new application form from below and click “Fill in the application”.
4. Complete the application form
   • Enter your own name in the applicant field
   • After this, using the “Invite a member” button add all the persons and email addresses that need user rights to Kapseli
   • The invited persons will join using multi factor authentication
   • Complete the rest of the form
   • Please note, that R-Tools is not automatically installed in Kapseli. If you need R-Tools, indicate this in the additional information section of the form.
5. Finally, select Send application from the “Actions” section.

Before logging in, please make sure that your username is registered and ready to use. If you are not sure whether your account is ready for use, contact your Findata contact person or the Kapseli helpdesk: kapseli@findata.fi.

How to log in to Kapseli

1. Install Duo Mobile app (duo.com) to your phone and activate it. The developer is Duo Security Inc. If you’ve already installed and activated the app go to point 2.
   • Installing: find Duo Mobile from your phones app store and install it.
   • Activating: the phone numbers reported when ordering Kapseli will get an automatic activating message for Duo Mobile. The app is activated by clicking the link in the activating message.
2. Log in Kapseli at kapseli.findata.fi using your computers browser.
   • Choose the identification method from the list that you chose while registering.
3. Choose the operating environment you’re going to use. If you have just one operating environment in use go to the next section.
   • After choosing the environment the system goes to the second phase of identification.
4. The second phase of identification.
   • Log in the operating environment.
   • You’ll get a notification about logging in to Duo Mobile. To approve the log in choose ‘Approve’ in Duo Mobile.

Data referred to in the Act on the Secondary Use of Health and Social Data can be combined to other information, such as data a person has collected themselves or data accessed with some other permit. As a rule, Findata or a statistics authority combines the data.

If you wish to combine data later on to data you have received via Findata, send an amendment application for the data to be combined. For more information please see the Amendment permits -page.

If you are applying to have data accessed with an individual’s consent to be combined with data that Findata has issued a permit for, the research subject’s notification and consent models must be attached to the application.

If the data have been accessed with the permission of other actors, list the following information in the application:

• Permit record number, issuer, date of decision.
• If the permit process is pending, the party to whom the application was submitted and the permit process start date.
• A brief description of the information content of other data.
• Do not attach permits for other data to the application. The application processor will ask for these separately of necessary.

See the instructions for sending data on the page Data transfers to Findata.

For instructions on how data controllers can submit extracted data, see the Data transfers to Findata -page.

Free movement of data within the EU is required under the General Data Protection Regulation. However, the law requires that the data is mainly processed in the centralised, secure user environment of the data permit authority for the social and health care sector, and that access rights to the environment may only be granted to authorised persons. The permit holder may also be located elsewhere than in Finland. The provision of a data secure user environment is an essential technical measure to safeguard the protection of personal data.

If necessary, the data may be disclosed to another secure environment indicated by the permit holder. However, this other environment must meet the criteria of the Findata order, it must be audited against the requirements of the order, and its audit certificate must be valid. Valvira maintains the Astori register, and in these cases also the information should only be used for the purpose for which it was disclosed to the permit holder. The EU’s General Data Protection Regulation specifies the conditions under which data can be disclosed outside the EU.

Health and social data may not be used for marketing or the determination of individual commercial services, such as insurance premiums.

No. Findata is the Health and Social Data Permit Authority that grants temporary permits for the secondary processing of social and health care data provided that the statutory permit conditions are met.

Everyone has the right to their personal data, including the right to object to the processing of their data. Once you submit an objection request, Findata will no longer disclose your data for secondary use.

• The objection is valid indefinitely from the date it is processed.
• The objection is not retroactive: your data will not be removed from data resources that have already been disclosed to permit holders before the objection was submitted.
• You can submit the objection request via Findata’s e-service, by post or by visiting the Finnish Institute for Health and Welfare (THL) in person.

Instructions on how to exercise your rights: Your data rights

Please note that an objection submitted to Findata does not prevent other data controllers listed in the Act on the Secondary Use of Health and Social Data from disclosing your data for secondary purposes.

There is currently no centralised system in Finland that would allow you to object to the secondary use of your data in a way that would be binding on all controllers. Therefore, objections must be submitted separately to each controller.

• Read more: What data do my rights cover?
• Information on data controllers and the contents of their registers: Data
• Guidance from the Office of the Data Protection Ombudsman on how to object to the use of your data: If you do not want your data processed (tietosuoja.fi)

Primary use means the purpose for which the data was originally saved in the customer register and/or patient register.

The primary purpose may be, for example,

• examination, treatment and rehabilitation of the patient,
• the service received by a social welfare customer,
• or the processing of benefits by the Social Insurance Institution of Finland (Kela).

Secondary use means the use of the same data for purposes other than the primary use.

Legitimate secondary purposes of use include

• scientific research,
• statistics,
• development and innovation activities,
• education,
• knowledge management,
• steering and supervision by authorities and
• the planning and reporting duty of an authority.

Different purposes of use are subject to different regulations. Only aggregated statistics from which individuals cannot be identified may be obtained for development and innovation activities.

Yes, you can, if this is okay with the controller. The controller has the right to determine independently the manner in which it carries out the extraction, and it has the right to use an external processor to carry out the data extraction.

If such processors are used, the EU General Data Protection Regulation (GDPR) requires that a data protection agreement (DPA) covering the processing of personal data is signed with them. The controller is ultimately responsible for ensuring that the personal data is processed in a legal manner. The processor, meanwhile, is responsible for ensuring that it complies with the terms of the DPA and the instructions of the controller.

The collected data must be delivered to Findata securely via the transfer service Nextcloud, after which we combine and pre-process them.

This depends on the controller. The data controllers determine their own collection fees on the basis of their own regulations.

Findata’s prices are based on the decree of the Ministry of Social Affairs and Health on charges for work carried out by the Health and Social Data Permit Authority.

With the exception of Kapseli, the service prices are for actions under public law that are based on cost value (VAT 0 %). The prices for Kapseli’s services are commercially priced paid services with 25,5% VAT.

The data controllers determine their own costs on the basis of their own regulations.

On the page Average costs estimates (in Finnish), you can find the average, range and median calculated from the maximum cost estimates. The data is updated quarterly.

You can find the average, the range and the median calculated from the maximum cost estimates for data extractions in Finnish on the Average Cost Estimates page. We update the data quarterly.

Possibly. Any inconsistencies between the applicant and the invoiced party (e.g. the payer is not the applicant) can be clarified where necessary in the ‘Additional information’ section.

E-invoicing is the primary invoicing method. Paper invoices are only possible in exceptional cases. As a rule, however, the invoice recipient are organisations that only accept e-invoices. If necessary, ask for more information from your organisation’s financial department.