Privacy policy for the log data of My Kanta Pages

Privacy policy for the log data of My Kanta Pages

This is a valid Privacy Policy for My Kanta Pages log data. The Policy was updated on June 9, 2018.

Controller

The Social Insurance Institution of Finland

Nordenskiöldinkatu 12, 00250 Helsinki
Postal address PO Box 450
Postal code 00056
Phone number 020 634 11

Person responsible for register-related issues or contact person

Data Protection Officer for Kanta Services
asiakaspalvelu@kanta.fi

Name of register

My Kanta Pages log data

Purpose of processing personal data / purpose of use of the register

By virtue of the Act on Electronic Prescriptions (61/2007) and the act on electrical processing of client data in social and health care (159/2007), Kela takes care of the technical implementation of the citizen’s interface (hereinafter My Kanta Pages).

Kela carries out the processing of personal data in accordance with the EU’s general data protection regulation and other legislation regulating the processing of personal data, and by virtue of the above-mentioned laws.

With My Kanta Pages, the client has access to their data recorded in the Prescription Centre, the Patient Data Repository and the patient data management service.

Logging in to the service takes place with online banking codes, electronic ID card or mobile identification. A record is saved in the log with regard to the log-in to the service and acting on behalf of someone else.

The log data is used for verifying identification events and events of acting on behalf of someone else. On the basis of the data, it is possible to find out on request who, when and from which IP address has logged in to the My Kanta Pages and used the functions of acting on behalf of someone else and on behalf of whom.

The log data is used in resolving problem situations (e.g. problems related to data security, in which case Kela must verify the user data of the service) and in compiling statistics.

According to section 5 of the decree on electronic prescriptions (485/2008), log data must be retained for 12 years from its creation, after which the data shall be destroyed. Data retrieved from the Population Information System shall be retained for five years (Section 20 of the Act on the Population Information System and the Certificate Services of the Digital and Population Data Services Agency (661/2009), after which the data shall be destroyed.

Data content of the register

The register includes the following data:

  • the citizen’s personal identity code
  • time of logging in
  • method of identification (not used as of 15 December 2016)
  • certification service provider (not used as of 15 December 2016)
  • IP address
  • time stamp
  • personal identity code of the person on behalf of whom someone is acting (the dependent)
  • the time of acting on behalf of someone else
  • data retrieved from the Population Information System (retained for 5 years)
    • death data
    • date of death
    • domicile (permanent place of residence)
    • name data
    • permission (information about whether the person is permitted to act on behalf of someone else on the basis of information in the Population Information System).

Regular information sources

The information is recorded when the citizen logs in to the service. The citizen shall select the login method / certification service provider him/herself and agrees to provide the personal identity code to the service provider in the ID service.

The death data, date of death, name data, domicile and the personal data of minor dependants are information supplied by the Population Information System. The right to act on behalf of someone else is information supplied by the Suomi.fi e-Authorizations service.

Regular disclosure of data and transfer of data to outside the EU or the European Economic Area

No regular disclosure.

Principles of protection of the register

Technical protection

Viewing, recording and other processing of data in My Kanta Pages requires strong authentication that identifies the processor and the access rights management related to the system.

Only specified members of Kela’s personnel have access to the data recorded in Kanta services.

The log data is only utilised in problem situations in accordance with Kela’s described process by the Data Protection Officer or a special working group.

Physical protection of environments and devices

The data is technically protected to prevent editing and deleting. Kela’s IT areas and the physical location of data are in Finland. Kela’s technical maintenance staff have restricted access to the IT areas when the management of their duties requires access to these areas.

Access to the data

The client is entitled to inspect their personal data that is recorded when logging in to the My Kanta pages. The free-format inspection request shall be sent to Kela (Registry, P.O. Box 450, 00056 Kela). The request can be made by telephone or by sending an email to Kela’s Registry (kirjaamo@kela.fi). As a rule, the respond to the inspection request is sent free of charge.

Right to lodge a complaint to the regulatory authority

If the patient deems that the processing of their personal data has breached the applicable data protection regulations (Articles 12–22 of the EU’s general data protection regulation), the patient is entitled to lodge a complaint to the competent regulatory authority. In Finland, the regulatory authority is the Data Protection Ombudsman.

Last updated 12.06.2020