Legislation

What is the Secondary Use Act?

The Secondary Use Act is a separate act which is officially called the Act on the Secondary Use of Social and Health Data. The Parliament passed the Act at its plenary session on 13 March 2019 and the President approved it on 26 April 2019.

The objective of the Secondary Use Act is to enable efficient and secure processing of personal data collected during the provision of social and health care as well as personal data collected for the purpose of steering, supervision, researching and collecting statistics within the social and health care sector. The Act also seeks to secure the legitimate expectations, rights and freedoms of individuals when processing personal data.

How does the Secondary Use Act improve data protection?

In Finland, social welfare and health data have been used for secondary purposes for decades. Previously, the use of the data has been authorised by an individual controller, the Ministry of Social Affairs and Health or the Finnish Institute for Health and Welfare, and there have been no uniform practices for the processing of data.

The new, centralised authorisation procedure and processing of data will improve data security and citizens’ data protection. The secure, closed Kapseli user environment has been built to serve the work of Findata. When the data is compiled in a centralised manner, its use is better protected and more efficient.

The Secondary Use Act (552/2019) has been drawn up based on the national-level freedom of action provided for by the EU’s General Data Protection Regulation (GDPR). The Constitutional Law Committee and the Social and Health Committee have taken care to ensure that the Secondary Use Act does not contravene the GDPR. Representatives of the Office of the Data Protection Ombudsman have participated in the drafting workgroup for the Act, and the Data Protection Ombudsman has also been given a hearing by the Parliament.

The Secondary Use Act sets the conditions for a data secure environment in which permit holders may process data.

  • Primarily, the data is disclosed to the individuals marked in the data permit via a remote access connection and in such a way that the data remains within the Findata data secure user environment.
  • In some cases, however, there is no alternative to handing the data over to the permit holder. Disclosure by means other than use of Kapseli is only possible if the operating environment in question has been audited and its data security has been verified in accordance with the Secondary Use Act.

The Secondary Use Act requires that information systems record log data, which means the processing and event history of the data. The log shows, for example, who processed the data, how the data was processed, and when the data was processed. Log data is collected for the work done by data-processing authorities, data controllers, and those processing the data based on a data permit.

How is the implementation of data protection monitored?

Authorisation to process data for purposes permitted by the Secondary Use Act is given through an official decision made by Findata or another authority referred to in the Secondary Use Act. The decision is legally binding and includes the terms of the permit, the data to be processed, the persons entitled to process the data and the processing environment.

Findata’s operations and the operations of other controllers that issue data permits are supervised by, among others, the Parliamentary Ombudsman, and processing of personal data is monitored by the Data Protection Ombudsman. Findata and other authorities that grant data permissions also have the right to request a statement from the Data Protection Ombudsman before granting the data permit.

Those issuing data permits must give an annual report to the Data Protection Ombudsman regarding the processing of health and social data and the related log data.

The National Supervisory Authority for Welfare and Health Valvira monitors data secure user environments.

What can personal data be used for?

Finland has, for a long time, collected unique register and research data that can be used to promote the health and welfare of citizens.

Secondary use of health and social data means that client and register data of social welfare and health care activities is used for purposes other than the primary purpose for which it was originally stored. Primary purposes relate to, for example, treatment provided to a patient or the processing of benefits.

The Secondary Use Act lays down the uses for which authorisation may be granted. According to section 2 of the Act, data may be disclosed for the compilation of statistics, scientific research, development and innovation activities, education, knowledge management, steering and supervision of social and health care by authorities and the planning and reporting duty of an authority. Information can be obtained only for these permitted purposes.

Social and health data were used for secondary purposes also before the introduction of the Secondary Use Act. Prior to the Secondary Use Act, corresponding information has been disclosed for scientific research, statistics and educational use, and the permit has been issued by an individual social welfare and health care authority or, if the data has been gathered from more than one location, by the Ministry of Social Affairs and Health and, later, by the Finnish Institute for Health and Welfare (THL).

Individual public data controllers will also continue to be competent to grant permits and provide data in certain cases. You can read more about permit authorisations on the Permits page under "Which authority should a permit application be submitted to?".

You can find more information on how Findata processes personal data in the Personal data processing statements.

What are the sources of the data?

Findata does not itself possess the personal data but rather collects it from social and health care sector operators and authorities regulated by the Secondary Use Act. The Secondary Use Act also regulates what kind of data the permit applicant can receive.

You can find a general description of the social and health care data available through Findata on the Data page. Furthermore, Findata does not collect data from individuals themselves. Instead, all the data it processes is received from the registers of operators regulated under the Secondary Use Act.

Key concepts

Secondary purpose

Secondary purpose of personal data refers to the processing of personal data for a purpose other than its primary purpose. The secondary purposes permitted under the Act are

  • scientific research
  • statistics
  • development and innovation operations
  • education
  • knowledge-based management
  • steering and supervision by authorities and
  • authorities’ planning and reporting duties.

Statistical data

In statistical data, individual personal data is combined and added together. Statistics describe groups of individuals rather than particular individuals. The data for these groups is formed in such a way that the individuals cannot be identified.

Data request

A data request is a request to obtain aggregated statistics created from personal data for use in accordance with the Secondary Use Act. Any request for information under the Secondary Use Act must be submitted to Findata.

Data permit

A data permit is a permit issued in accordance with the Secondary Use Act for the processing of the secret personal data specified in the permit for the purpose described in the permit.

Data permit authority

Findata is the data permit authority for the social and health care sector which makes data permit and data request decisions regarding the data of other controllers. Findata is responsible for the gathering, combining, previewing and disclosing of data for secondary use in accordance with the decisions it makes.

Findata also monitors compliance with the conditions of the permits it issues. It may cancel the data permit if the permit holder either fails to comply with the law or violates the conditions of the permit.

Controller

An individual, community, institution or foundation

  • for which the person register was established and
  • which has the right to determine the use of the person register

or

  • which has the legal duty of maintaining the register.

Data utilisation plan

Data utilisation plan refers to a research plan, project plan or similar plan.

The plan must detail

  • the intended purpose of the data referred to in the permit application
  • the controller and processors of the data
  • the legal ground for the processing and
  • the essential elements of data protection and data security related to the processing throughout the life-cycle of the data (data storage, erasure or archiving)

Service organizer

A social and health care service provider that has an obligation as an authority to ensure that the customer gets the service or benefit that is due to them based on the law or an official decision. The obligation of a private service provider is to ensure that the customer who purchases the service privately is provided with the service that is due to him or her under the regulations on customer protection.

Personal data

Personal data refers to all data which refer to an identified or identifiable individual.

Primary purpose

The primary purpose of the customer data is the purpose for which the data was originally saved in the customer register and/or patient register. The primary purpose may be, for example, examination, treatment and rehabilitation of the patient, the service received by a social welfare customer, or the processing of benefits by the Social Insurance Institution of Finland (Kela).

Customer data

By law, customer data is confidential personal data covered by the General Data Protection Regulation which has been stored in a customer register or an associated administrative register as a result of social and health care customership or for processing of benefits.

Aggregated data

Aggregation is a statistical procedure through which data is combined and added together. Aggregated data describes a group of individuals rather than one particular individual. The data for these groups is formed in such a way that the individuals cannot be identified.

Knowledge management

Knowledge management refers to the processing of data carried out by a service provider in their customer, service and production processes for the purpose of supporting

  • operations, production and financial control
  • management and
  • decision-making.

Development and innovation operations

Development and innovation operations refer to the application and use of technical and business data and other existing data together with the personal data referred to in the Secondary Use Act for the purpose of developing new or significantly improved products, processes or services.

In addition, the purpose of the operations must be to

  • promote national health or social security
  • develop social welfare and health care services for service systems
  • protect individuals’ health or well-being or
  • secure for them their related rights and freedoms.
