Patients must be informed about electronic prescriptions and Patient Data Repository in advance. The law also guarantees that patients are entitled to check the information stored on them. Patients also have the right to information as to where their medical records have been given between healthcare organisations.
There are some differences in the rights between electronic prescriptions and the Patient Data Repository. For the sake of clarity, patients' rights in electronic prescriptions and the Patient Data Repository are on their own respective subpages.
An exception is the Data Management Service, which in the future will be the repository of information, consents and refusals concerning electronic prescriptions, as well as other expressions of patients' wishes (e.g. living will) from the Patient Data Repository.
At the moment, the Data Management Service contains the information, consents and refusals from the Patient Data Repository. That is why the section on the Data Management Service is currently situated under the Patient Data Repository.
Patient rights in Patient Data Repository
You may need treatment somewhere other than your own locality. Your consents and refusals influence how and where your patient records are available when you need medical care.
Patients have the right to be informed about the archiving of their medical records at the stage when the Patient Data Repository is deployed in the healthcare system.
Information on the Common Register
The Common Register is the communal aggregate of patient records registers of all municipal healthcare register controllers in the Healthcare District.
The patient must be informed about the municipal patient records register and the associated possibility that in a treatment situation medical records in various part-registers may be disclosed to other service providers in the Common Register without a specific patient consent being required. Patients must also be informed that they can refuse to have their records passed between register controllers and registers. The information may be given orally or in writing.
Disclosure of information from the Common Register
Medical records from various operational units stored in the Common Register may be disclosed without patients' consent after they have been informed about the Common Register, and when they have a treatment relationship with the unit requiring the information.
Patients have the right to refuse to have their medical records passed between different operational units belonging to the Common Register. Patients may refuse to allow the municipal use of their medical records altogether. They may also limit their refusal so that it concerns records connected with a particular unit, register, in-patient period, or individual visit.
The refusal is in force until further notice and can be cancelled at any time. The refusal can be given in any unit using the Common Register. Later, the refusal can also be entered through My Health Information.
Information on Patient Data Archive and patient data management service
Patients must be informed about the Patient Data Repository at the time of the first service event. They must be told about the conditions of disclosing information stored in the Patient Data Repository, as well as how they can influence how their records are handled and other issues important for the patient. Patients must also be told how their information stored in the Patient Data Repository is protected, operational principles of data systems, and their administrators.
The information can be provided either verbally or in writing. The information may be given by a healthcare receptionist, nurse or doctor. The procedures vary between units. The patient him/herself can acknowledge receipt of the information in the My Kanta service or via another electronic service.
Handling information stored in Patient Data Repository
The national Patient Data Repository will be deployed in phases in different parts of Finland. Patient records will also be transferred into the archive in stages.
Medical records stored in the Patient Data Repository may only be used by healthcare employees who have access rights to the archive. The treatment relationship is also verified electronically.
Medical records stored in the Patient Data Repository are available to the operational unit that has entered the information. If patient records are disclosed to another unit, the patient's consent is required. If patient records are retrieved from another unit's patient register, it constitutes disclosure, for which the patient's consent is also required.
Before giving their consent, patients must be given information about the records stored in the national archive service and their use, and the fact that patients can limit disclosure of their information. A consent given by the patient is valid until further notice and covers all medical records already held in the Patient Data Repository, as well as any records entered into it later.
Refusal of consent to disclosure
Patients may limit the coverage of their consent by entering a refusal. They can refuse the use of e.g. records relating to a specific treatment visit or a certain healthcare unit.
Consents connected with the Patient Data Repository must be given in writing. Official consent forms are available from healthcare services and they have to be signed by hand. A consent or a refusal can be made in person in a healthcare unit or at the internet through My Kanta pages. Because the Patient Data Repository will be deployed in phases, consents can only be given in healthcare units that have already deployed the service.
Right to examine own information
Right to access personal data and right to obtain log data
By virtue of the EU General Data Protection Regulation, citizens have the right to access their personal data. Therefore, they have the right to know what data has been recorded on them in various registers so that they can ensure that the data collected on them is accurate.
Citizens also have the right to know what data about them has been recorded in the Kanta services.
Moreover, by virtue of the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare and the Act on Electronic Prescriptions, citizens have the right to know who have processed their data recorded in the Kanta services or who the data has been shared with.
The log data concerning data recorded in the Kanta services or the log data concerning the processing of this data can be requested from the controller of the data in question. Controllership of each Kanta service and the data recorded in this service has been specified in legislation.
Kela acts as controller of the Prescription Centre and the patient data management service. Information about prescriptions is recorded in the Prescription Centre and a record of information given, consents, refusals and declarations of intent is saved in the patient data management service.
Patient data recorded by various healthcare service providers is saved in a collective form in the Patient Data Repository of the Kanta services. The law sets the healthcare service provider as the controller of patient data.
Therefore, the log data concerning patient data or the processing of patient data can be requested from the healthcare service provider that has recorded the data or if there is a need to investigate the data processing it has carried out. Kela’s Kanta services do not have the right to share patient data.
Further information: Data requests in Kanta services
Right to demand that inaccurate data is rectified
If a citizen notices inaccurate or insufficient information in their prescription, patient or client data, they have the right to demand that the inaccurate data is rectified by virtue of the EU General Data Protection Regulation.
Social welfare and healthcare service providers and pharmacies are always responsible for the contents and accuracy of the prescription, patient or client data they have recorded.
Therefore, citizens can submit their reasoned request to rectify inaccurate data to the social welfare or healthcare service provider or pharmacy that has made the inaccurate entry.
It is not possible to rectify data through the Kanta services. My Kanta Pages can only show the data in the format it has been recorded in the Kanta services by the social welfare or healthcare service or pharmacy. Patients cannot rectify their personal data themselves in the My Kanta Pages service, either.
Rights of the data subject (GDPR)
The EU General Data Protection Regulation, i.e. new legislation governing the processing of personal data, became applicable in all EU countries as from 25 May 2018. One of the objectives of the regulation is to improve personal data protection and data protection rights.
The General Data Protection Regulation provides for the rights of the data subject, i.e. the person subject to personal data processing. The rights of the data subject provided for in the regulation include access to their personal data, the right to demand that inaccurate data is rectified, the right to be forgotten and the right to the erasure of personal data.
It must be noted that in certain sectors and with certain respects the EU member state’s own national legislation may supersede the provisions in the General Data Protection Regulation. For example, the processing of personal data by the authorities is primarily based on the provisions of national legislation in Finland.
The operation of Kela’s Kanta services is also based on national special legislation. Not all of the rights of the data subject presented in the Articles of the EU General Data Protection Regulation are applicable as such to the data recorded in the Kanta services.
The maintenance of national information system services in social welfare and healthcare, i.e. the Kanta services, is a statutory task of Kela.
The social welfare and healthcare service providers and pharmacies record data concerning prescriptions in the Prescription Centre of the Kanta services in accordance with the law. Healthcare service providers, on the other hand, are legally obliged to record the patient data of their own clients in the Patient Data Repository of the Kanta services as well as in their own patient data systems.
In addition, a record of providing information to the patient and of their consents and refusals to share data must be saved in the patient data management service, which is part of the Patient Data Repository. Any declarations of intent, i.e. living wills and opinions on organ donation, are also saved in the patient data management service.
The required storage period of the data is also specified in national legislation. On the basis of legislation, it is not possible to erase the data on the client’s request (except in the case of inaccurate data) or by reference to the General Data Protection Regulation, and the data will be erased after the storage periods defined by law have come to an end.