Joint controller
The Social Insurance Institution of Finland
Nordenskiöldinkatu 12, 00250 Helsinki
Postal address PO Box 450
Postal code 00056
Phone number 020 634 11
Person responsible for register-related issues or contact person
Client enquiries about the data file of the Information Management System can be addressed to Kanta Services customer support at asiakaspalvelu@kanta.fi.
In matters concerning the rights of data subjects, please email your enquiries to the Kanta Services’ Data Protection Officer at tietosuoja@kanta.fi.
Name of register
Information Management Service
Purpose of processing personal data / purpose of use of the register
The Information Management Service is a national data system service used to compile, from archived client data, current information important for the patient's care or processing a client's case. In addition, the service manages the documents to be maintained.
Each social and healthcare service provider and the Social Insurance Institution of Finland (hereinafter Kela) are the joint controllers of the Information Management Service.
Kela is responsible for the usability of the Kanta Services and the data stored therein. Kela is responsible for storing the data recorded in Kanta, and in connection is responsible for the integrity, destruction and non-repudiation of the data stored in Kanta. In addition, Kela is responsible for ensuring the destruction of data after the expiry of the retention period (Act on the Processing of Client Data in Healthcare and Social Welfare 703/2023, sections 23 and 66). The service providers that enter the data to be compiled in the Information Management Service are responsible for the correctness of the data being entered, as well as for all other obligations of the data controller.
Kela acts as contact point in accordance with Article 26 (1) of the EU General Data Protection Regulation. As contact point, Kela is responsible for fulfilling and implementing the obligation to provide information, imposed on data controllers by the data protection legislation, with regard to the Information Management Service. In addition, Kela acts as the primary contact point for requests for the exercise of data subjects' (clients) rights and forwards the request to the correct party, if necessary.
The legislation on joint controllership and the procedures to be followed under joint controllership are discussed in the relevant document Description of joint controllership of services related to Kanta Services (pdf, in Finnish).
Kela processes personal data in accordance with the EU General Data Protection Regulation and other laws regulating the processing of personal data.
Health care service providers may use the data stored in and available through the Information Management System for the implementation and organisation of patient care. The service provider has the right to process data through the Information Management System as laid down in the Client Data Act (703/2023). Please see, for example, Chapter 8, section 9 of the Client Data Act.
Data concerning consents and declarations of intent recorded in the Information Management Service may be utilised in scientific research, reporting and compiling of statistics under conditions provided in the law.
The retention periods of patient documents are determined in accordance with the appendix to the Client Data Act.
Patient data entered in the Information Management System is retained for 12 years after the patient’s death. If the date of death is not known or if the patient is a child who was under the age of 18 at the time of death, the data will be stored for 120 years after the patient’s birth.
Data content of the register
Patient records are used by the Information Management Service to compile patient data that are important for the implementation of healthcare and to provide summaries thereof to service providers for the implementation of patient care.
Key patient data include diagnoses and reasons for visit, risks, laboratory test results, vaccinations, procedures, medication data, physiological measurements and imaging examinations recorded using the procedural codes, data related to physical capacity, appointment data, and a plan of the patient's examinations, treatment or rehabilitation or other similar plan, as provided in Section 4a of the Act on the Status and Rights of Patients (785/1992).
Regular information sources
Healthcare providers that have joined the Kanta service enter patient documents in the Patient Data Repository. Key patient data is compiled from the patient records stored in the Patient Data Repository.
Regular disclosure of data and transfer of data to outside the EU or the European Economic Area
Healthcare providers can use the summaries of patient data in the Information Management Service to implement patient care. Data which the patient has not consented for disclosure is not shown through the Information Management Service.
Data may be shared through the Information Management Service as provided in the Client Data Act. The sharing of data requires the patient’s consent to data sharing and that the treatment relationship between the patient and the operator issuing the request for data sharing is ensured through information technology.
Patient data included in the Information Management System may be disclosed to health care service providers in EU countries via the Kanta Services on the basis of the patient’s consent for the purpose of organising and implementing electronic health care services. (Client Data Act, Section 60)
Appendix 1 at the end of the report contains the situations for disclosure of the data in the Information Management Service under the Client Data Act and other legislation, the grounds for disclosure of the data and the method of disclosure.
Data shall not be transferred to outside the EU or the European Economic Area.
Principles of protection of the register
The data recorded in the Information Management Service is confidential data concerning the person’s health and medical care.
Organisational protection principles
Kela and the social welfare and health care service providers must have a data security plan to ensure data protection and security. Kela and the social welfare and health care service providers must have a Data Protection Officer appointed.
Kela’s social welfare and health care service providers shall provide written instructions on the processing of client data and the procedures to be followed, and ensure that personnel have sufficient expertise and capabilities to process client data in their operations.
Data controllers must take the necessary measures on their own initiative if someone has unlawfully accessed, used or shared information stored in the Information Management System.
In order to carry out monitoring and supervision, a social welfare and health care service provider using the Information Management System has the right to receive log data from Kela to the extent that the personnel of the relevant unit have accessed and processed the data in the Information Management System.
Technical protection principles
Browsing, recording and other processing of data in the patient data management system and accessible via the system require strong authentication that identifies the processor, as well as access rights management related to the system by both the healthcare service provider and Kela.
The Digital and Population Data Services Agency is responsible for the identification and certification services for the Kanta Services.
The healthcare service provider and Kela are responsible for the management of access rights for their own parts.
Log data on all viewing, processing, and disclosure of Information Management System data in social welfare and health care services is stored in the Information Management System.
Kela is obligated to carry out statutory tasks and necessary maintenance tasks, the implementation of which requires that Kela’s technical administrator has limited access rights to the Information Management System data file. Kela is responsible for managing the access rights of the Information Management System administrator.
Physical protection principles
The data recorded in the Information Management Service is technically protected against editing and deleting.
Kela’s IT areas and the physical location of data are in Finland. Kela’s technical maintenance staff have restricted access to the IT areas when the management of their duties requires access to these areas.
Data subject’s right of access to their data
In accordance with Article 15 of the EU General Data Protection Regulation (2016/679), the data subject has the right to access their data stored in the Information Management System.
The client is able to view a summary of the information stored in the Information Management Service through MyKanta.
The service provider is the data controller of the data generated through its operations and, as joint controller, is responsible for the correctness of the data compiled for the Information Management Service. If the client exercises their right of inspection, the request should be addressed to the service provider who is responsible for the correctness of the recorded data, as well as other obligations of the data controller. The service provider must provide the client with the information stored about them in accordance with the Data Protection Regulation.
If the request to access concerns patient data compiled by the Information Management System, the request must be addressed to the service provider in whose operations the patient data was created and to whose data file they belong. If necessary, Kela may forward a request to access data submitted to it to the competent authority. A request for data may be made by phone or email. The request should be addressed to Kela’s registry (kirjaamo@kela.fi) or Kela Registry, P.O. Box 450, FI-00056 Kela.
The reply to the request will be provided within a month of the arrival of the request for processing. If, for justified reasons, it is not possible to provide the information within this period, the processing of the request may be extended for a maximum period of two months.
As a rule, the reply to an inspection request is provided free of charge.
Right to request the rectification of inaccurate data
According to Article 16 of the EU General Data Protection Regulation (2016/679), the data subject has the right to obtain the rectification of inaccurate personal data concerning them.
A person may act using a power of attorney or as a legal representative on behalf of an adult and request the rectification of inaccurate personal data. A guardian may request the rectification of inaccurate personal data on behalf of a minor.
Inaccurate patient data is rectified by the health care unit or social welfare services provider where the inaccurate records were created. Service providers are always responsible for the content and accuracy of the data
they record. Requests for rectification of inaccurate information can be addressed to the health care and social welfare provider’s data protection officer.
Kela acts as the contact point for the data subject in its role as the joint controller of the Information Management System. Kela accepts requests for the rectification of inaccurate data and forwards them to the health care service provider who recorded the inaccurate data for rectification. Rectification requests can be submitted in writing by email to Kela’s registry (kirjaamo@kela.fi) or by post (Kela Registry, P.O. Box 450, FI-00056 Kela).
If the request for rectification cannot be granted, Kela will issue the client a certificate of refusal. The certificate of refusal states the reasons why the client’s or legal representative’s claim was refused. After receiving the certificate of refusal, the client may still refer the matter to the competent supervisory authority for processing.
Right to lodge a complaint to the regulatory authority
If the client considers that the processing of their personal data violates the applicable data protection regulations, they have the right to lodge a complaint with the competent regulatory authority, under Article 77 of the EU General Data Protection Regulation and Section 21 of the Data Protection Act. In Finland, the regulatory authority is the Data Protection Ombudsman.
Other rights related to the processing of personal data
In MyKanta, the client can view the data compiled for the Information Management Service and see with which service provider it has been shared.
The client has the right to know to whom information on them stored in the Information Management Service has been disclosed by making a log data request to Kela.
Log data requests can be made using the log data request form, which is available from health care units that have joined the Kanta Services, Kela’s offices and the www.kanta.fi website. Requests for log data are addressed to Kela. A request for log data may also be made by phone or email. The request should be addressed to Kela’s registry by email (kirjaamo@kela.fi) or by post (Kela Registry, P.O. Box 450, FI-00056 Kela).
Clients do not have the right to obtain log data older than two years without a specific reason. The client may not use or disclose the received log data for any purpose other than to determine and exercise their rights regarding access to or processing of their own client information.
If, on the basis of the log data, the client considers that their data has been unjustifiably accessed or processed, they may request clarification from the service provider concerned.
The client is entitled to receive the same data again if there is a valid reason for it in order to fulfil the client's interests and rights. Kela may charge a fee corresponding to the costs of providing the information with regard to information that is provided a second time.
Kela’s operations and the maintenance of the Kanta Services are based on national legislation. For these reasons, the data subject’s right to erasure pursuant to Article 17 of the EU General Data Protection Regulation and the data subject’s right to data portability pursuant to Article 20 of the General Data Protection Regulation do not apply to the data in the Information Management System. National legislation provides for the retention period for data stored in the Information Management System, after which the data are destroyed.