Data protection and data security in Kanta services

1. How is client data security ensured in Kanta services?

Data protection in healthcare services is planned, developed and monitored in many different ways. The log data of information systems is one way of monitoring the use of the system.

  • Professionals log in to the information systems with a professional card, i.e. using strong electronic identification.
  • Access rights related to various tasks have been defined in the organisations.
  • All data transfers between healthcare services, pharmacies, the Patient Data Repository and the Prescription Centre are encrypted and take place between identified parties.
  • All use of Kanta services leaves a trace, which is called a log. The patient data systems also write a log on the use of patient data. Users of My Kanta Pages can monitor the use of their personal data in the healthcare service and pharmacies.
  • In most cases, it is sufficient to show in My Kanta Pages which unit has handled the data. If the client realises that they have visited a certain service point at a particular time, they will not require further information. However, if the client does not identify the service unit as one they have visited or they otherwise suspect unauthorised viewing of their data, it is an exceptional situation for which there is a special procedure.
  • Every healthcare unit has a data protection officer who can be contacted by the client if unauthorised use of their data is suspected.
  • Moreover, the healthcare organisation also needs to have a self-monitoring plan to ensure that the agreed practices are complied with.
  • The activities of healthcare professionals are governed by strong ethical standards, to which all members of the medical profession commit during their studies. There is no reason to blame all healthcare professionals if an individual person has acted against the rules.

2. How often has the person viewed the data without a valid reason?

Unauthorised viewing of data is exceptional.

3. Should I be concerned?

In the past few weeks, different perspectives of the Kanta services have been the focus of public attention, but there have been no changes which would be cause for concern from the viewpoint of the service or healthcare services.

4. How can I check who has used my data?

In My Kanta Pages, you can see which healthcare units or pharmacies have processed your prescription or health data. Usually the health data has been processed by, for example, the health centre, the occupational health service or the laboratory of a private clinic. In terms of e-prescriptions, the persons processing the data are the issuer of the prescription or, in the pharmacy, the pharmacist who has dispensed the medication at your request.

See the instructions in the information leaflet: My Kanta Pages and data protection – Would you like to check in My Kanta Pages where your data has been processed? (pdf)

In most cases, it is enough to show in My Kanta Pages the unit that has processed the data if the client recognises having visited the service point at the specified time. If the client does not recognise the service unit as one they have visited on the basis of the information in My Kanta Pages or they otherwise suspect unauthorised viewing of their data, it is an exceptional situation.

If the client wishes to obtain the log data concerning the processing of their patient data, they must contact the healthcare service provider that has drawn up the patient data in question or with whom the patient data has been shared. Kela cannot provide the log data, but by law the data must be provided by the healthcare service provider.

Clients can use the log data request form of the Prescription Centre to request from Kela the log data created in the processing of e-prescriptions. The form is available from healthcare units and pharmacies that have joined the Kanta service, and from Kela’s offices.

5. Why does it not state in the Kanta service who has read my data?

In most cases, it is perfectly sufficient to show in My Kanta Pages which unit has handled the data. If the client realises that they have visited a certain service point at a particular time, they will not require further information. However, if the client does not identify the service unit as one they have visited on the basis of the log data or they otherwise suspect unauthorised viewing of their data, it is an exceptional situation.

The names of persons who have read the data are not disclosed due to the privacy protection of healthcare professionals. The restriction is based on the Prescription Act and the Client Data Act.

6. Will there be more detailed use data available in the future, now that the matter has received a lot of publicity?

Displaying name data in the Kanta services would require a thorough public debate. The issue must be examined from the viewpoint of both the citizen and the professionals. This matter is governed by the Personal Data Act, the Prescription Act and the Client Data Act.

Therefore, it is not due to the information system that individual names are not shown to the user in the log data.

7. Where can I find the privacy policies of Kanta services?

The privacy policies are published in My Kanta Pages, the Prescription Centre, the Prescription Archive and the patient data management service. They are available on the kanta.fi website in Finnish, Swedish and English.

The privacy policy shows the name of the person responsible for the handling of personal data with respect to the register in question, the personal data the register includes, the purpose of its use, and who the data is normally shared with.

The privacy policy also includes information about the access rights a person has to the information in the register and how they can use these rights, as well as the principles of data protection.