Updated 28.09.2023

Services and instructions

All our services are related to the secondary use of health and social data. This page contains summaries on our services, a list of instructions and a list of most frequently asked questions.

We provide services to those who need information meaning our customers and parties who control data meaning controllers. In addition, we provide information and advice to citizens on where register data are used, on each citizens’ rights under the GDPR and on how we ensure that data protection is implemented.

Services for customers

Advice

  • We provide advisory services on this website and via email at info@findata.fi.
  • We provide advice on issues such as question related to application for data permits, data requests and amendment permits. In addition, we provide general advice on the matters related to Act on the Secondary Use of Health and Social Data.
  • When requiring information content from registers or individual pieces of data, it is best to contact the controller directly, as they are the best experts when it comes to their own data and can provide statutory advisory services on their secondary use. See the Data page for controller’s contact details.
  • Read more on the Contact us page

Data permits, amendment permits and data requests

  • We issue data permits for data on individuals, when information is needed from numerous public controllers, the private sector or the Kanta Services. We combine and pre-process data while ensuring the privacy of citizens.
  • We issue amendment permits for previously issued permits, when an amendment applies permits issued by numerous public controllers, Findata or an authority who has transferred their right to issue permits to Findata.
  • We make decisions on data requests, meaning on access to statistical data when the information is needed from a controller within the scope of the Act on the Secondary Use of Health and Social Data.
  • Read more on the Permits page

Combining and pre-processing of data

  • We collect register data from controllers.
  • We pre-process the data disclosed to the permit holder, meaning we combine and pseudonymise, anonymise or produce statistical data of the data compiled from the controller.
  • We convert and combine the permit holder’s own data to the data obtained through Findata.
  • Read more on the Data page

Secure Kapseli operating environment

  • We provide a secure environment, Kapseli for the processing of data on individuals, where the software required for the analysis of key data are available.
  • According to the Act on Secondary Use of Health and Social Data, starting on 1 May 2022 the analysis of data accessed with a data permit will only be permitted in operating environments that meet the requirements of the regulation.  The requirements specify the same level of data security as is required in Kapseli.
  • Read more on the Kapseli page

Instructions for customers

Services for controllers

Counselling service

  • We provide advisory services on this website and via email at info@findata.fi.
  • We provide answers to questions concerning such things as the submission of data, data descriptions and general questions concerning the Act on the Secondary Use of Health and Social Data

Read more on the Contact us page

Support for creating data descriptions

  • Organisations within the scope of the Act on the Secondary Use of Health and Social Data in their role as controllers have a statutory obligation to draw up data descriptions on the information content in their information resources in accordance with the Findata Regulation. This is important so that those who need data can assess the suitability of the data for secondary use.
  • We provide free tools for controllers: Data editor, with which data descriptions can be drawn up and a Data catalogue where data descriptions can be published.
  • In addition, we help controllers in creating data descriptions by providing training on the use of the aforementioned tools.

Read more on the Regulation on data descriptions page

Anonymisation service

  • If the secondary data use application relates to only one public social and health sector controller, that controller is themselves responsible for processing the data permit application and making the permit decision. However, if the data is disclosed to the permit holder in anonymised form, we will anonymise the data on behalf of the controller and deliver it for the permit holder’s use.

Read more on the Data permits page

Processing of data permit and amendment applications by the controller

  • Public controllers may authorise Findata to carry out on their behalf, as detailed in the Secondary Data Act, services other than advice and data description services. In such cases, we also process on behalf of the controller those data permit and amendment applications which relate only to the content of the controller’s own registers.
  • For information on controllers who have transferred their authority to issue permits, see the Data page section titled Transferred right to issue permits

Read more on the Data page

Instructions for the controller

Other services and obligations

Rights of data subjects pursuant to the EU General Data Protection Regulation

  • Everyone has the right to their personal data and the right to access information on the use of their personal data With regard to Findata’s activities, information on this is available on this website and specifically on the Data protection and processing of personal data page.
  • For information on projects that have been issued a permit, see the Issued permits page. If necessary, you can also contact our advisory service.
  • In addition to receiving information, the data subject has the following rights to their data as regards the data held by Findata:
    • Right of access to one’s personal data
    • Right to rectify one’s data
    • Right to restrict the processing of one’s data
    • Right to object to the processing of one’s data.
  • If you wish to exercise you rights pursuant to the GDPR, see the instructions here: How can I exercise my rights?

Read more on the page Data protection and processing of personal data

  • The Act on the Secondary Use of Health and Social Data obliges Findata to provide specifying regulations on matters such as secure operating environments, data descriptions and data permit applications and data utilisation plans.
  • The regulations are changing in nature and will be updated as necessary.

Read more on the Regulations page

Frequently asked questions

Can my information be disclosed abroad?

Free movement of data within the EU is required under the General Data Protection Regulation. However, the law requires that the data is mainly processed in the centralised, secure user environment of the data permit authority for the social and health care sector, and that access rights to the environment may only be granted to authorised persons. The permit holder may also be located elsewhere than in Finland. The provision of a data secure user environment is an essential technical measure to safeguard the protection of personal data.

If necessary, the data may be disclosed to another secure environment indicated by the permit holder. However, this other environment must meet the criteria of the Findata order, it must be audited against the requirements of the order, and its audit certificate must be valid. Valvira maintains the Toini register, and in these cases also the information should only be used for the purpose for which it was disclosed to the permit holder. The EU’s General Data Protection Regulation specifies the conditions under which data can be disclosed outside the EU.

Health and social data may not be used for marketing or the determination of individual commercial services, such as insurance premiums.

Will my data be sold to third parties?

No. Findata is the Health and Social Data Permit Authority that grants temporary permits for the secondary processing of social and health care data provided that the statutory permit conditions are met.

How can I prohibit the secondary use of my data?

Everyone has the right to their personal data and the right to object to the processing of the data. We have compiled instructions on how to exercise your right of objection on the webpage ‘Data protection and processing of personal data’.

It should be noted that Findata is not the original controller of health and social data. Thus, for example, a request submitted to Findata to object to the use of personal data does not prevent the disclosure of the data for secondary use by one of the controllers referred to in the Act on the Secondary Use of Health and Social Data (Secondary Use Act), Section 6.

Unfortunately, Finland does not have a centralised system through which the secondary use of data can be banned once and for all in a way that is binding on all parties.

You can submit a objection request directly to the other actors referred to in Section 6 of the Secondary Use Act:

  • social welfare and health care service providers,
  • the Ministry of Social Affairs and Health,
  • the Finnish Institute for Health and Welfare (THL),
  • the Social Insurance Institution of Finland (Kela),
  • the National Supervisory Authority for Welfare and Health,
  • the Regional State Administrative Agencies,
  • the Finnish Institute of Occupational Health,
  • Fimea,
  • Statistics Finland,
  • the Central Pension Insurance Institute and
  • the Digital and Population Data Services Agency.
What is the difference between primary and secondary use of health and social data?

Primary use means the purpose for which the data was originally saved in the customer register and/or patient register.

The primary purpose may be, for example,

  • examination, treatment and rehabilitation of the patient,
  • the service received by a social welfare customer,
  • or the processing of benefits by the Social Insurance Institution of Finland (Kela).

Secondary use means the use of the same data for purposes other than the primary use.

Legitimate secondary purposes of use include

  • scientific research,
  • statistics,
  • development and innovation activities,
  • education,
  • knowledge management,
  • steering and supervision by authorities and
  • the planning and reporting duty of an authority.

Different purposes of use are subject to different regulations. Only aggregated statistics from which individuals cannot be identified may be obtained for development and innovation activities.

Can I collect the data myself from my own hospital and thus avoid the data controller’s collection fee?

Yes, you can, if this is okay with the controller. The controller has the right to determine independently the manner in which it carries out the extraction, and it has the right to use an external processor to carry out the data extraction.

If such processors are used, the EU General Data Protection Regulation (GDPR) requires that a data protection agreement (DPA) covering the processing of personal data is signed with them. The controller is ultimately responsible for ensuring that the personal data is processed in a legal manner. The processor, meanwhile, is responsible for ensuring that it complies with the terms of the DPA and the instructions of the controller.

The collected data must be delivered to Findata securely via the transfer service Nextcloud, after which we combine and pre-process them.

Do the collection fees charged by the controllers include VAT?

This depends on the controller. The data controllers determine their own collection fees on the basis of their own regulations.

Why is the VAT rate 0% for some payments and 24% for others?

Findata’s prices are based on the decree of the Ministry of Social Affairs and Health on charges for work carried out by the Health and Social Data Permit Authority.

With the exception of Kapseli, the service prices are for actions under public law that are based on cost value (VAT 0 %). The prices for Kapseli’s services are commercially priced paid services with 24% VAT.

The data controllers determine their own costs on the basis of their own regulations.

On average, how much are Findata’s data processing charges?

On the page Average costs estimates (in Finnish), you can find the average, range and median calculated from the maximum cost estimates. The data is updated quarterly.

What are the average collection fees for data controllers?

You can find the average, the range and the median calculated from the maximum cost estimates for data extractions in Finnish on the Average Cost Estimates page. We update the data quarterly.

Can someone other than the permit holder receive the invoices?

Possibly. Any inconsistencies between the applicant and the invoiced party (e.g. the payer is not the applicant) can be clarified where necessary in the ‘Additional information’ section.

Can I receive a paper invoice?

E-invoicing is the primary invoicing method. Paper invoices are only possible in exceptional cases. As a rule, however, the invoice recipient are organisations that only accept e-invoices. If necessary, ask for more information from your organisation’s financial department.

News

Changes in Findata’s e-service: old draft applications will be deleted six months after the last edit

22.06.2023
In September, we will introduce a feature in the e-service to automatically… Read more Changes in Findata’s e-service: old draft applications will be deleted six months after the last edit

Findata’s application forms have been renewed

29.05.2023
We have renewed all our application forms during March-May 2023. The goal… Read more Findata’s application forms have been renewed

Reimbursement for Kapseli network drive disruptions

24.05.2023
We at Findata are announcing a compensation plan for the recent Kapseli… Read more Reimbursement for Kapseli network drive disruptions