Privacy Policy for User Data Register of the Kanta Personal Health Record

Privacy Policy for User Data Register of the Kanta Personal Health Record

This is a valid Privacy Policy for User Data Register of the Kanta Personal Health Record. The policy was updated on October 26, 2020.

Controller

The Social Insurance Institution of Finland

Nordenskiöldinkatu 12, 00250 Helsinki
Postal address PO Box 450
Postal code 00056
Phone number 020 634 11

Person responsible for register-related issues or contact person

Data Protection Officer for Kanta Services
kanta@kanta.fi

Name of register

User Data Register of the Kanta Personal Health Record

Purpose of processing of personal data / purpose of use of the register

Based on the agreement between the Ministry of Social Affairs and Health and the Social Insurance Institution of Finland, Kela acts as the register controller of the Kanta Personal Health Record (Kanta PHR), which is part of the national information system services in health care (the Kanta Services), with respect to the user data of the Kanta PHR.

The purpose of the register is to enable the storage of citizens’ (users) wellbeing data in a national centralised Kanta PHR. Kela is responsible for the technical operation of the service so that the wellbeing data cannot be processed or shared against the law.

Data in the Kanta PHR will be retained until the user has removed the data themselves or until otherwise prescribed by law.

Kanta Personal Health Record (Kanta PHR) and cookies

The user signs in to Kanta Personal Health Record (Kanta PHR) via the Suomi.fi service when they take the service into use and when granting user rights to Kanta PHR for apps they want to use with the service. In this connection, cookies are used in Kanta PHR, the use of which is necessary in order to provide the service. The user’s consent is not requested for using these cookies. Kela does not utilise this data in any other way. Cookies are destroyed automatically when the browser is closed.

Data content of the register

Information saved in the register with regard to the users of the Kanta Personal Health Record (Kanta PHR):

  • user’s personal identity code
  • information about the user rights granted by the user to the applications (right to read and enter measurement data).

Data is saved when the user takes the service into use and whenever the user grants user rights to Kanta PHR. In the deployment stage, the user logs in to the service with Suomi.fi identification. The user of the service selects the method of identification/ certification service provider and agrees to forward the personal identity code to the register controller in the identification service.

Regular information sources

The data entered in the service is received from the user him/herself.

Regular disclosure of data and transfer of data outside the EU or the European Economic Area

The data in the register shall not be shared with outsiders. Data shall not be transferred outside the EU or the European Economic Area.

Principles of protection of the register

The data saved in the register shall be kept confidential.

Organisational protection principles

Kela for its own part monitors and supervises the legality of data processing. Kela has appointed a Data Protection Officer for the monitoring and supervision task.

Kela provides written instructions on the processing of data in the register and takes care of sufficient expertise and competence of its staff.

Kela takes the necessary measures of its own accord if the data entered in the register has been processed illegally.

Technical protection principles

The processing of data in the register requires strong authentication that identifies the controller, as well as user rights management related to the system.

Information about all actions of data processing by the user and in relation to Kela’s maintenance measures is saved in the log of the Kanta PHR.

Physical protection principles

The data recorded in the register is technically protected to prevent editing and deleting.

Kela’s IT areas and the physical location of data are in Finland. Members of Kela’s technical maintenance staff have limited access to the IT areas when the management of their duties requires such access.

Access to the data

The user may view the data they have entered in the Kanta PHR themselves via My Kanta Pages.

Right to lodge a complaint to the regulatory authority

If the user of the service deems that the processing of their personal data breaches the applicable data protection regulations (Articles 12–22 of the EU’s General Data Protection Regulation), the user of the service is entitled to lodge a complaint to the competent regulatory authority. In Finland, the regulatory authority is the Data Protection Ombudsman.

Right to request rectification of data

The user of the service is personally responsible for their wellbeing data they have entered, as well as for ensuring that the data is correct.

Right to transmit the data from one system to another

The user of the service is entitled to request the wellbeing data they have entered in the Service in order to transmit it to another system.

Last updated 04.11.2020