Privacy policy for clients using the sandbox environment of Kanta Personal Health Record

Privacy policy for clients using the sandbox environment of Kanta Personal Health Record

This is the effective privacy policy for clients using the sandbox environment of Kanta Personal Health Record, updated on 27 February 2023.

Controller

Social Insurance Institution of Finland

Nordenskiöldinkatu 12, 00250 Helsinki
P.O. Box 450, 00056 Kela
tel. 020 634 11

Person responsible for register issues or contact person

Data Protection Officer for Kanta Services
kanta@kanta.fi

Name of the register

Clients using the sandbox environment for Kanta Personal Health Record.

Purpose of processing personal data / purpose of use of the register

By virtue of the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare (784/2021) and the Act on Electronic Prescriptions (61/2007), the Social Insurance Institution of Finland (hereinafter Kela) acts as the organiser of the national information system services (the Kanta Services).

According to section 4 of the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare (784/2021) (hereinafter the Client Data Act), Kela is the controller of data related to the use of wellbeing data entered in the Kanta PHR service pertaining to the national information system services (Kanta Services) and data related to the use of the service. For the maintenance of the service, Kela offers a sandbox environment for wellbeing application suppliers in support of the development of the integration of their application with the Kanta Personal Health Record service. Kela acts as controller of the client register for the sandbox environment of the Kanta Personal Health Record. The application supplier is responsible for ensuring that the data it has entered in the register is correct and up-to-date.

Client register for the sandbox environment for Kanta Personal Health Record and utilisation of the data

The application supplier of the client register for the sandbox environment of Kanta Personal Health Record saves its data when starting to use the sandbox environment that authorises Kanta Personal Health Record and when creating a username for itself for the sandbox environment. At the same time, the application supplier agrees that Kela can enter the data provided by the application supplier in the client register of the sandbox environment of Kanta Personal Health Record and process it for the purposes of this privacy policy in the way described in the policy. The application supplier cannot see the data entered by other application suppliers in the client register.

Kela may use the data entered in the register in order to find out the number of users of the service and, when necessary, in error investigation or maintenance situations. Kela may use the contact details entered in the register to contact the application supplier for maintenance purposes. Kela will not utilise the data entered in the register in any other ways.

Maintaining the client data

Application suppliers who have entered their data in the sandbox environment may get in touch with Kela by email if it is necessary to update or delete the data stored in the register. Kela will then update or delete the data in the register.

Storage of client data

The data is stored in the register for a maximum of 2 years from the date when the application supplier has notified Kela in writing that it will terminate the use of the sandbox environment.

Data content of the register

The register includes the following data:

  • username
  • password.

Regular data sources

Kela obtains the data from the application supplier using the sandbox environment that authorises the Kanta Personal Health Record. The application supplier enters the data in the client register when creating a username for the sandbox environment.

Regular disclosure of data and transfer of data outside the EU or the European Economic Area

The data shall not be transferred outside the EU or the European Economic Area.

Principles of protecting the register

Organisational principles

Kela contributes to the monitoring and supervising of the lawfulness of data processing. Kela also has an information security plan to ensure that data protection and information security are fulfilled. Kela provides written instructions on the processing of data and takes care of sufficient expertise and competence of its staff when processing the data.

Technical principles

At Kela, access to data in the client register has been restricted by only providing access rights to persons whose duties require such access.

A log is saved of the viewing and processing of data in the client register by Kela’s administrators.

Physical principles

The data entered in the client register is technically protected against editing and deleting.

Kela’s IT areas and the physical location of data are in Finland. Kela’s technical administrators have limited access to the IT areas when the management of their duties requires such access.

Access to the data

The application suppliers have the right to inspect any data concerning them that has been entered in the client register. A free-form and individualised request is sent by email to kirjaamo@kanta.fi.

Right to rectification

Application suppliers may request the rectification of data they have entered by emailing Kela to kanta@kanta.fi.

Right to lodge a complaint before the supervisory authority

If an application supplier deems that the processing of their personal data is in breach of the applicable data protection regulations (Articles 12–22 of the EU’s General Data Protection Regulation and other applicable data protection legislation), the client has the right to lodge a complaint before the competent regulatory authority.

Other rights related to the processing of personal data

Articles in the EU General Data Protection Regulation related to the rights of data subjects shall be applied to the processing of data.

Last updated 25.5.2023