The operation of Kanta Services is based on compliance with the statutory obligations. Kanta Services ensure secure and reliable processing of data.
In addition, citizens’ rights laid down in both the national legislation and the EU General Data Protection Regulation are taken into account in the operation of Kanta Services.
Citizens have the following rights in relation to the Kanta Services:
- right to be informed
- right to decide on the sharing of their data
- right to access their personal data
- right to obtain log data
- right to demand that inaccurate data is rectified
Citizens’ rights are explained in further detail in the following.
Information on Patient Data Archive, patient data management service and the Common Register
Patients must be informed about the Patient Data Repository at the time of the first service when the Patient Data Repository is deployed in the healthcare system. They must be told about the conditions of disclosing information stored in the Patient Data Repository, as well as how they can influence how their records are handled and other issues important for the patient.
The Common Register is the communal aggregate of patient records registers of all municipal healthcare register controllers in the Healthcare District. Medical records from various operational units stored in the Common Register may be disclosed without patients' consent after they have been informed about the Common Register, and when they have a treatment relationship with the unit requiring the information.
Patients must be informed about the right to refuse to have their medical records passed between different operational units belonging to the Common Register. The information can be provided either verbally, in writing or via online services. The procedures vary between units. The patient him/herself can acknowledge receipt of the information in the My Kanta Pages.
Handling information stored in Patient Data Repository
Medical records stored in the Patient Data Repository are available to the operational unit that has entered the information. Medical records stored in the Patient Data Repository may only be used by healthcare employees who have access rights to the archive. The treatment relationship is also verified electronically.
If patient records are retrieved from another unit's patient register, it constitutes disclosure, for which the patient's consent is also required. Medical records from various operational units stored in the Common Register may be disclosed without patients' consent after they have been informed about the Common Register, and when they have a treatment relationship with the unit requiring the information.
Consent and refusal to share patient data
A consent given by the patient is valid until further notice and covers all medical records already held in the Patient Data Repository, as well as any records entered into it later. Before giving their consent, patients must be given information about the records stored in the national archive service and their use, and the fact that patients can limit disclosure of their information.
Patients may limit the coverage of their consent by entering a refusal. They can refuse the use of e.g. records relating to a specific treatment visit or a certain healthcare unit in the public sector.
A consent or a refusal can be made in person in a healthcare unit or at the internet through My Kanta pages. Consents connected with the Patient Data Repository must be given in writing and they have to be signed by hand. Official consent forms are available from healthcare services.
A consent and a refusal are in force until further notice and can be cancelled at any time.
Right to access personal data and right to obtain log data
By virtue of the EU General Data Protection Regulation, citizens have the right to access their personal data. Therefore, they have the right to know what data has been recorded on them in various registers so that they can ensure that the data collected on them is accurate.
Citizens also have the right to know what data about them has been recorded in the Kanta Services.
Moreover, by virtue of the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare and the Act on Electronic Prescriptions, citizens have the right to know who have processed their data recorded in the Kanta Services or whom the data has been shared with.
The log data concerning data recorded in the Kanta Services or the log data concerning the processing of this data can be requested from the controller of the data in question. Controllership of each Kanta service and the data recorded in this service has been specified in legislation.
Kela acts as controller of the Prescription Centre and the patient data management service. Information about prescriptions is recorded in the Prescription Centre and a record of information given, consents, refusals and declarations of intent is saved in the patient data management service.
Patient data recorded by various healthcare service providers is saved in a collective form in the Patient Data Repository of the Kanta Services. The law sets the healthcare service provider as the controller of patient data. Therefore, the log data concerning patient data or the processing of patient data can be requested from the healthcare service provider that has recorded the data or if there is a need to investigate the data processing it has carried out. Kela’s Kanta Services do not have the right to share patient data.
Further information: Data requests in Kanta Services
Right to demand that inaccurate data is rectified
If a citizen notices inaccurate or insufficient information in their prescription, patient or client data, they have the right to demand that the inaccurate data is rectified by virtue of the EU General Data Protection Regulation.
Social welfare and healthcare service providers and pharmacies are always responsible for the contents and accuracy of the prescription, patient or client data they have recorded.
Therefore, citizens can submit their reasoned request to rectify inaccurate data to the social welfare or healthcare service provider or pharmacy that has made the inaccurate entry.
It is not possible to rectify data through the Kanta Services. My Kanta Pages can only show the data in the format it has been recorded in the Kanta Services by the social welfare or healthcare service or pharmacy. Patients cannot rectify their personal data themselves in the My Kanta Pages service, either.
Rights of the data subject (GDPR)
The EU General Data Protection Regulation, i.e. new legislation governing the processing of personal data, became applicable in all EU countries as from 25 May 2018. One of the objectives of the regulation is to improve personal data protection and data protection rights.
The General Data Protection Regulation provides for the rights of the data subject, i.e. the person subject to personal data processing. The rights of the data subject provided for in the regulation include access to their personal data, the right to demand that inaccurate data is rectified, the right to be forgotten and the right to the erasure of personal data.
It must be noted that in certain sectors and with certain respects the EU member state’s own national legislation may supersede the provisions in the General Data Protection Regulation. For example, the processing of personal data by the authorities is primarily based on the provisions of national legislation in Finland.
The operation of Kela’s Kanta Services is also based on national special legislation. Not all of the rights of the data subject presented in the Articles of the EU General Data Protection Regulation are applicable as such to the data recorded in the Kanta Services.
The maintenance of national information system services in social welfare and healthcare, i.e. the Kanta Services, is a statutory task of Kela.
The social welfare and healthcare service providers and pharmacies record data concerning prescriptions in the Prescription Centre of the Kanta Services in accordance with the law. Healthcare service providers, on the other hand, are legally obliged to record the patient data of their own clients in the Patient Data Repository of the Kanta Services as well as in their own patient data systems.
In addition, a record of providing information to the patient and of their consents and refusals to share data must be saved in the patient data management service, which is part of the Patient Data Repository. Any declarations of intent, i.e. living wills and opinions on organ donation, are also saved in the patient data management service.
The required storage period of the data is also specified in national legislation. On the basis of legislation, it is not possible to erase the data on the client’s request (except in the case of inaccurate data) or by reference to the General Data Protection Regulation, and the data will be erased after the storage periods defined by law have come to an end.