The primary use of customer data means that the data is used for the purpose for which it was originally saved in the customer and/or patient register. Primary use can include, for example, the examination, care or rehabilitation of a patient, the services provided to a customer by social services, or the processing of Kela’s social benefits.
The secondary use of customer data refers to the use of the same information in other contexts than in primary use. The secondary uses outlined in the Act include scientific research, compiling of statistics, development and innovation activities, teaching, knowledge management, steering and supervision of authorities, and the planning and reporting duties of authorities.
Different provisions apply to the different uses of data. Only aggregate data from which individuals cannot be identified may be used in the development and innovation activities.
Aggregation is a statistical method used to collate and sum up information. Aggregated statistical data describes a group of people instead of an individual. Data on groups of people is created in a way that makes it impossible to identify individuals.
Previously, the processing of data permit applications has at times taken years, as permit applications had to be sent to numerous controllers. This has led to the under-utilisation of valuable data materials. The Act eliminates overlapping administrative burden related to the processing of permits, speeds up permit processing and ensures the smoother collation of data from different registers.
For example, medical research often requires access to data from different health care units, the National Institute for Health and Welfare’s and Kela’s registers, the Population Register Centre, the Finnish Centre for Pensions (ETK) and Statistics Finland. In the future, data permits will be granted by the health and social sector’s data permit authority when data from different controllers must be combined.
Once comprehensive register data is more easily available to researchers and service providers, research and knowledge management will be more efficient, and:
- better services and more effective medicines can be produced for people
- health-promoting and care-supporting applications and health technology can be developed
- processes and service systems can be developed so that they are more efficient and meet customers’ needs better than before
- more agile tools can be developed for supervision and, for example, for research into the adverse effects of drugs.
This will mean that citizens receive better and more effective care and treatment than before and that wellbeing and health differences will be minimised.
The data permit authority grants data permits when data from various controllers must be collated, when data from private health and social services is needed, or when a request for information applies to data saved in the Kanta services.
If data is needed from only one of the controllers referred to in the Act, the controller can grant permission for its use as it has previously. However, the controller can enter an agreement with the data permit authority where it states that the authority can handle the task on behalf of the controller.
The health and social sector data permit authority will be established as a separate unit at the National Institute for Health and Welfare. The unit will be completely separate from the institute’s other activities.
The Parliamentary Ombudsman and the Data Protection Ombudsman hold responsibility for overseeing the activities of the data permit authority as well as the activities of controllers who grant data permits. Parties who grant data permits must submit a report once a year to the Data Protection Ombudsman on the processing of health and social data and on their log files. The National Supervisory Authority for Welfare and Health (Valvira) oversees the security of user environments.
The activities of the data permit authority are steered and developed by a steering group comprising representatives of various controllers. The members of the steering group will be appointed from among representatives of the Ministry of Social Affairs and Health, the National Supervisory Authority for Welfare and Health, Kela, the Finnish Centre for Pensions, the Population Register Centre, Statistics Finland, the Finnish Institute of Occupational Health, Finnish Medicines Agency Fimea as well as social welfare and health care service providers.
It is expected that research will be easier as the permit procedure for data needed for research becomes more streamlined and researchers gain access to readily combined data.
The health and social service data permit authority will make centralised decisions on data permits that apply to several controllers, and deadlines have been set for the supply of data.
The data permit authority can form ready-made materials, which will speed up the supply of information for research. Researchers will receive pre-collated data, which will make it easier and faster for them to carry out their own analytical work.
Additionally, the controller and the data permit authority must arrange an advisory service for users of health and social service customer data. Advisory services, descriptions of data materials and the more efficient services of the permit authority will improve conditions for research and the opportunities of researchers to utilise data.
Researchers will hold less responsibility for the protection of data, as researchers will carry out analyses in the secure user environment provided by the data permit authority, using materials prepared by the data permit authority.
Research themes and hypotheses can also be explored more effectively before the start of actual research work, and data analytics, machine learning, algorithms and other more agile tools can be utilised in the work.
The data permit authority always supplies data in a manner that maximises the protection of personal data in each situation. Additionally, only the minimum amount of data that is necessary for the instance in question is supplied.
After a data permit has been granted, the data permit authority collects the data saved by the various controllers, combines it and supplies it to the applicant for use in a secure user environment.
The Act also lays down provisions on the secure user environment where permit recipients can process data. As a rule, the data is supplied to a permit recipient for processing via a remote connection, so that the data remains in the data permit authority’s secure user environment.
In some situations it is necessary to hand over the data to the permit recipient. In these instances, the recipient must prove that they will handle the data as laid down in the Act in a controlled manner, in an environment that meets data security requirements.
Additionally, the Act requires that information systems store the processing and event history of data, meaning the systems create a log on various events. This will specify, for example, who has processed the data, how and when.
In accordance with the principle of data minimisation, the data permit authority only supplies as little data as is necessary in each instance of data use. Additionally, the data permit authority combines the data and supplies it in the following order of priority, according to the requirements of the instance in question:
- as aggregate data, in which the data describes a group of people instead of individuals and the groups have been formed in a manner that makes it impossible to identify individuals
- as anonymous personal data, from which the individual in question cannot be identified even indirectly
- as personal data that does not contain identifiers, meaning that the data that would directly identify a person, such as their name and address, has been removed
- as pseudonymised personal data, in which the data that would directly identify a person has been replaced with number codes, so that the individual cannot be identified without additional data
- as data containing personal identifiers, only in exceptional circumstances and for a well-justified reason.
Free public access is only provided to aggregate data. All personal data is always processed in a secure user environment.
The data recipient is not able to relinquish the data to third parties, and it is safe for the recipient to analyse the data without fear that outsiders can access the data or force their way into the system.
The Act ensures that information system administrators follow the best available practices in continuously ensuring data security.
Anonymous data is personal data from which all identifiers have been removed so that it is no longer possible to identify the person in question.
It is not always possible to anonymise data just by removing names, addresses and other direct personal identifiers. Data on the basis of which an individual can be indirectly identified must also be removed. This data can include information on a rare disease or on receiving a certain social welfare service.
Therefore, an individual cannot be identified even indirectly from anonymous data. As long as an individual can be identified even indirectly from data or the data can be changed back to the form in which it contained identifiers, the data in question is personal data. For example, genome data is data that cannot in practice be anonymised.
A data protection working party (WP29) in the European Union has given a statement related to methods for anonymisation. It lists the aspects that must be taken into consideration in anonymisation.
Depending on its intended use, data can be supplied in a form from which it is impossible for the recipient to identify the data subject, or in a form in which the individual can be identified. The premise of this Act is that data containing identifiers will only be supplied in exceptional circumstances and that its disclosure to third parties will be prevented.
A data permit can be granted for scientific research, teaching and the planning and reporting duties of authorities. A permit is only granted if it is evident that supplying the data in question will not violate the interests for the protection of which the duty of secrecy has been laid down. Additionally, the permit will stipulate the measures necessary for the protection of an individual’s privacy. A permit is always granted for a fixed period of time.
Even when it is important that different pieces of data concerning one person are collated, for example using their personal identity code, the data is, as a rule, supplied to the recipient in anonymised or pseudonymised form. Pseudonymised means that, before the collation of data, the personal data that can be connected to a certain person is replaced with, for example, number codes, or is changed to a form from which the person can no longer be identified without additional data.
The data recipient has a duty to maintain the secrecy of the data pursuant to the Act and the data permit conditions. If the recipient of a data permit violates the data permit conditions, the data permit can be cancelled, and a person who has disclosed data can be sentenced under the Criminal Code of Finland for a secrecy offence or secrecy violation.
The data permit authority for the health and social sector will keep the additional data that enable identification in its possession separately from the other data. The permit authority ensures that it is the only party that has the technological and administrative ability to later link up supplied data to register data and only in situations permitted by law.
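The following Python script is an added illustration and is not part of the Act, the data permit authority’s systems or any real register. It models the supply tiers listed above (aggregate, anonymous, identifier-free, pseudonymised), the indirect-identification point made about rare diagnoses, the separation of the linkage key described in the previous paragraph, and the processing log the Act requires. The register rows, the minimum group size of 5, the HMAC-based number codes and all field names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from collections import Counter
from datetime import datetime, timezone

# Constructed sample register extract. Identity codes, names and diagnoses are
# invented; the field layout is an assumption for this example only.
REGISTER = [
    {"pic": "010180-123A", "name": "A. Example", "municipality": "Helsinki", "birth_decade": 1980, "diagnosis": "J45"},
    {"pic": "020281-234B", "name": "B. Example", "municipality": "Helsinki", "birth_decade": 1980, "diagnosis": "J45"},
    {"pic": "030382-345C", "name": "C. Example", "municipality": "Helsinki", "birth_decade": 1980, "diagnosis": "J45"},
    {"pic": "040483-456D", "name": "D. Example", "municipality": "Helsinki", "birth_decade": 1980, "diagnosis": "J45"},
    {"pic": "050584-567E", "name": "E. Example", "municipality": "Helsinki", "birth_decade": 1980, "diagnosis": "J45"},
    {"pic": "060675-678F", "name": "F. Example", "municipality": "Tampere", "birth_decade": 1970, "diagnosis": "J45"},
    {"pic": "070776-789G", "name": "G. Example", "municipality": "Tampere", "birth_decade": 1970, "diagnosis": "E84"},
]

DIRECT_IDENTIFIERS = ("pic", "name")   # fields that directly identify a person
MIN_GROUP_SIZE = 5                     # assumed minimum cell size; not taken from the Act


def aggregate(rows, group_keys, min_group=MIN_GROUP_SIZE):
    """Tier 1: counts per group. Cells smaller than min_group are suppressed,
    because a count of one or two would let the cell be traced to individuals."""
    counts = Counter(tuple(r[k] for k in group_keys) for r in rows)
    return {group: n for group, n in counts.items() if n >= min_group}


def remove_direct_identifiers(rows):
    """Tier 3: strip name and identity code. The rows remain personal data,
    because a rare combination of the remaining attributes still identifies."""
    return [{k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS} for r in rows]


def anonymise(rows, quasi_keys, min_group=MIN_GROUP_SIZE):
    """Tier 2 (simplified k-anonymity): remove direct identifiers, then drop
    every row whose quasi-identifier combination occurs fewer than min_group
    times. The single Tampere patient with the rare diagnosis E84 is removed
    for the reason the text gives: a rare disease identifies indirectly."""
    stripped = remove_direct_identifiers(rows)
    combos = Counter(tuple(r[k] for k in quasi_keys) for r in stripped)
    return [r for r in stripped if combos[tuple(r[k] for k in quasi_keys)] >= min_group]


class PermitAuthority:
    """Models the data permit authority as the sole holder of the linkage key
    (Tier 4). Pseudonyms are keyed HMACs of the identity code, so one person
    gets the same code in every register supplied under a permit; that is what
    allows collation without handing identifiers to the recipient."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # never leaves the authority
        self._link_table = {}                 # pseudonym -> identity code
        self._events = []                     # processing history: who, what, when

    def _log(self, actor, action, detail):
        self._events.append({"who": actor, "what": action, "detail": detail,
                             "when": datetime.now(timezone.utc).isoformat()})

    def pseudonymise(self, rows, actor):
        out = []
        for r in rows:
            code = hmac.new(self._key, r["pic"].encode(), hashlib.sha256).hexdigest()[:16]
            self._link_table[code] = r["pic"]
            rec = {k: v for k, v in r.items() if k not in DIRECT_IDENTIFIERS}
            rec["pseudonym"] = code
            out.append(rec)
        self._log(actor, "pseudonymise", f"{len(rows)} rows")
        return out

    def relink(self, pseudonym, actor, legal_basis):
        """Re-identification happens only inside the authority and only with a
        stated legal basis; every attempt, allowed or refused, is logged."""
        if not legal_basis:
            self._log(actor, "relink_refused", pseudonym)
            raise PermissionError("re-identification requires a legal basis")
        self._log(actor, "relink", pseudonym)
        return self._link_table[pseudonym]

    def events(self):
        return list(self._events)
```

Running `aggregate(REGISTER, ("municipality", "diagnosis"))` returns only the Helsinki/J45 cell of five people; the two Tampere cells are suppressed. `anonymise` keeps the same five rows and discards both Tampere patients, and `PermitAuthority.pseudonymise` hands out identifier-free rows whose codes can be re-linked only through the authority’s own table.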
If information is requested in a format from which the data subject cannot be identified even indirectly, the data permit authority has the right, under its responsibilities as an authority and without a separate data permit, to combine, collate and supply the information to the recipient as aggregate data from which the individual cannot be identified.
Currently, research and collection of statistics based on register data are carried out without separate permission from data subjects. In the future, this practice will continue, and data can be utilised for research and compilation of statistics, steering and supervision of authorities, the planning and reporting duties of authorities, teaching and knowledge management. However, the data permit authority only supplies the minimum amount of data necessary in each case, and all identifiers will be removed from the data.
Additionally, the protection of personal data will improve, as, in the future, personal data may only be processed in secure environments and the data permit authority will only supply pre-collated statistical data maximising privacy.
Innovation and development activities will become easier as companies will be able to receive ready-combined aggregate data for these purposes more comprehensively and quickly.
The Act creates a clear legal basis for the use of register data in innovation and development activities. This will create the conditions for the development and enhancement of innovation activities, which will improve the operating conditions of companies, create more jobs and bring revenue to the national economy.
It is easier for health and social service providers to monitor the use and effectiveness of services, and to compare and develop services when data can be utilised in real-time in knowledge management.
The Act improves the conditions for health and social sector development and innovation activities, which will facilitate the development of new tools for use in knowledge management.
A data permit is not required if the researcher uses aggregate data. Individuals cannot be identified from data that is aggregated.
Pursuant to the Act, data that contains identifiers can only be used for secondary purposes without a data permit for knowledge management and regulatory steering and control.
Social welfare and health care service providers have the right to use and collate data that they have saved in the scope of their own activities, if this is necessary for the provision, monitoring, assessment, planning, development, management and self-monitoring of the services for which the service provider is responsible. Even then, the data should be used, where possible, in a form that does not contain identifiers.
Additionally, the supervisory authority has the right to receive data that contains identifiers from the data permit authority for the purposes of steering and supervision of authorities, if it requests the data on the basis of a right of access provided to it in another law. In this case, supervision does not focus on customers but on health and social service professionals or service providers. The aim is for data that is necessary for supervision to be available directly from the data permit authority, so there is no need to request it from numerous different parties.
Data cannot be used for marketing or for determining insurance policy costs.
The use of personal data for scientific research is permitted pursuant to the EU’s General Data Protection Regulation. According to the Regulation, scientific research can include not only academic research, but also the development and presentation of technology, basic research, advanced research and research financed with private funds. It will no longer be possible to determine what is considered scientific research at a national level, as the interpretation must be made according to the Regulation as specified above.
The Act also facilitates the use of data for development and innovation activities that do not meet the criteria for scientific research. However, in this case, data is only supplied as aggregated statistical data, from which personal data cannot be discerned.
A fee is charged for access to data, but prices will be kept reasonable. The charged fees will cover costs resulting from granting the permit and the collation of materials. Costs and grounds for costs will be determined according to the Ministry of Social Affairs and Health Decree on charges pursuant to the Act on Criteria for Charges Payable to the State.
The General Data Protection Regulation requires the free movement of data in the EU. However, the Act has been drawn up so that data will, as a rule, be processed in a centralised secure user environment maintained by the health and social sector’s data permit authority, which can only be accessed by those with access rights. A permit recipient can be located elsewhere than in Finland, but the data will remain in Finland. A secure user environment is also the key technological method for ensuring the protection of personal data.
Data could only be supplied to another secure user environment specified by the permit recipient in exceptional circumstances. Even then, the data could only be used for the purpose for which it has been supplied to the permit holder. The EU’s General Data Protection Regulation determines the conditions according to which data can be supplied to parties outside the EU.
In its statement, the Constitutional Law Committee drew attention, in particular, to ensuring the protection of personal data of individuals. On the basis of this statement, provisions contained in the government proposal that applied to the anonymity of data for development and innovation activities and the assurance of data anonymity in publications were made more stringent.
- Anonymised personal data may only be processed in a secure user environment, as technological development makes it impossible to guarantee that anonymity cannot be reversed.
- Only aggregate data is supplied for development and innovation activities, if the development and innovation activities are not part of scientific research.
- The Act includes provisions on a procedure for the assurance of anonymity for data presented as part of a publication.
Scientific publications are drawn up using health and social data that contains personal data. The publications include analyses and summaries of the source data. The provisions on the anonymity assurance procedure laid down in the Act will allow the researcher and the data permit authority to ensure that the information included in a publication does not contain any details that could reveal the identity of a single individual.