Impacts of the EU General Data Protection Regulation on Kanta Services

On 25 May, the application of the EU General Data Protection Regulation (GDPR) will become mandatory in all member states of the European Union. The GDPR applies to all operators processing personal data. Patient and prescription data as well as social welfare data are processed in the Kanta Services, and therefore the regulation also has a direct impact on Kanta.

“The data protection and data security of the Kanta Services are already at a good basic level. Personal data processed by the Kanta Services, such as prescription and patient data, has been covered by legislation ever since the building of the Kanta system was started ten years ago.  On this basis, the application of the GDPR mainly means updating the current functions to comply with the new EU regulations,” says Project Manager Kari Toivola of Kela’s Kanta Services.

Sensitive data is strictly protected

Personal data is divided into ordinary and sensitive data. According to the GDPR, health-related data is regarded as sensitive and is subject to more specific data protection rules than ordinary personal data. Sensitive personal data must be protected and the log data must be recorded according to an even stricter set of rules.

In the Kanta Services, a working group has made preparations for the introduction of the GDPR for over a year. Of the shortcomings identified, the most important ones will be rectified by 25 May, and the rest will be implemented according to plan as soon as possible.

“In fact, the real work will not begin until after 25 May when we start applying the requirements of the regulation in practice. The standard of data protection will rise to a higher level on a permanent basis, and this requires constant maintenance, monitoring and observation of the requirements of the GDPR. The rolling out of data protection practices and the resourcing, definition of tasks and organisation of the increased level of data protection may take a long time,” Toivola explains.

The GDPR brings new processes

At Kela and in the Kanta Services, the rolling out will take place systematically at least until the end of 2018. Every employee should have a firm understanding of the principles of the GDPR, especially with regard to the requirements concerning their own area of competence. As a result of the regulation, some completely new processes will be introduced. The most important of these include, e.g. the observation and notification of data protection breaches, risk assessment in terms of citizens’ rights, making impact assessments on the systems, and taking data protection into account in all activities, starting from the planning stage. In addition, Kela has appointed a Data Protection Officer, and the tasks of the data controller and processor have been specified further.

“The principle of accountability is also important, requiring detailed documentation of activities related to personal data and keeping the documents up-to-date. Everyone must also be able to demonstrate compliance with the documents in practice,” Toivola adds.

Kanta.fi website will be updated to comply with the GDPR

The changes introduced by the GDPR will have little impact on how the citizens use the Kanta Services. It is mainly a case of specifying the citizens’ rights to their own personal data and tightening the requirements for those processing the data. This will be reflected in the form of information for citizens.

“We will update, e.g. the privacy statements of data recorded in the Kanta registers. These statements explain what kind of data is recorded in the registers, how it is processed and what rights the citizen has with regard to their data. The Kanta.fi website will be updated in its entirety during June,” Toivola says.

The GDPR also directly concerns the social welfare and healthcare operators, each of which will start applying the regulation independently for their own part. The mutual relationships between the Kanta Services and SOTE operators will not be affected by the regulation. Only minor changes have been made to the service descriptions and general terms of delivery between the Kanta Services and the social welfare and healthcare services and pharmacies.

The EU General Data Protection Regulation in a nutshell

• The regulation has been in force since 2016, but its application becomes mandatory on 25 May 2018 in all EU member states.
• The objective is to harmonise and clarify the processing of personal data in the EU area.
• Citizens’ rights will be increased and the responsibilities of the controller and processor of personal data will be made stricter.
• The GDPR will affect all private and public sector operators handling personal data.
• The GDPR will be supplemented by the Data Protection Act, which will become effective. After that, the GDPR and the Data Protection Act will be interpreted together.
• The GDPR specifies the key data protection principles, which must be complied with in the processing of personal data. It must be possible to demonstrate the compliance, for example, with documentation.
• The data protection principles protect the citizens’ privacy and rights to their own data and create clear rules for those processing personal data.
• Further information: www.tietosuoja.fi, www.gdpr.eu and vm.fi/juhta-vahti-yhteishankkeiden-materiaalit.