Action to be taken in suspected data breaches

These guidelines are provided as support for service providers in situations where an actual or suspected personal data breach has been detected in relation to the Kanta Services. The guidelines are followed in combination with the service provider’s own data protection guidelines.

Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

The provisions in the EU General Data Protection Regulation (eur-lex.europa.eu) shall be complied with in personal data breaches.

Action to be taken in different organisations

In suspected personal data breaches, the matter is reported to the party designated by the organisation in question, which will then launch the necessary measures.

If an actual or suspected personal data breach concerns personal data where the service provider is not the controller, the service provider shall report the matter to the controller without delay.

If the service provider is itself the controller, it must investigate the situation and, if necessary, report the matter to the Office of the Data Protection Ombudsman (tietosuoja.fi) within 72 hours. If necessary, the data subjects must be notified of the matter.

Reporting to Kela

A report is submitted to Kela in the event of an actual or suspected personal data breach of the data in the Prescription Centre or the patient data management service where Kela is the controller. The report shall be sent to Kela’s technical support by email to tekninentuki@kanta.fi or by telephone to 020 634 7787.

The report shall include

  • which data has been breached
  • how the data has been breached (e.g. delicate information has been processed by unauthorised persons)
  • the date and time of the observation
  • the place of the incident
  • a detailed description of the action taken in the situation.

If Kela is not the controller of the breached personal data, but Kela’s help is needed in the investigation of serious cases of personal data breach, please contact Kela’s technical support (contact details above).

Instructions for action in the event of other disruptions can be found on a separate page.
