
Results of the request for clarification on the Prescription service: further efforts on data protection work are needed

Notice - Professionals. Written on 23.6.2021

The data protection officers of organisations have very little time to carry out their tasks. There is room for development in guidance on the processing of data and in compliance with it, and the state of monitoring and supervision should also be improved. According to the results of the request for clarification with regard to the Prescription service, a commendable share of the respondents from all sectors has drawn up a self-monitoring plan for the use of data protection, information security and information systems.

Limited working time of data protection officers is a problem 

The data protection officer is an independent data protection expert within an organisation who monitors the processing of personal data and helps employees to comply with the data protection rules.  The task of the organisation is to support the data protection officer, e.g. by allowing enough time for their work and by offering opportunities for the development of their professional skills. 
 
However, the results of the request for clarification with regard to the Prescription service indicate that data protection officers have very little time to carry out their tasks. This situation is particularly poor in the public sector, where more than 72 per cent of respondents assess that there is not enough time to carry out the duties of a data protection officer. Respondents in pharmacies (26 per cent) and in private healthcare (18 per cent) assess that the time available for these tasks is more sufficient.

The tasks of data protection officers are not always recognised or specified precisely within organisations. For example, fewer than half of the respondents are aware that the monitoring of impact assessment is part of the tasks of a data protection officer, even though the task has been clearly assigned to data protection officers in the General Data Protection Regulation. On the other hand, as knowledge among the personnel increases, the amount of work for data protection officers would probably increase as well, which further emphasises the need for sufficient resourcing.
 
Although data protection work cannot be suspended when a data protection officer is unable to carry out their tasks, the majority of organisations in all sectors have not appointed a substitute for the data protection officer (pharmacies 52 per cent, public sector 55 per cent, private sector 64 per cent). 

Instructions on processing of client data are at a good level, but there is still room for development 

The responsible director of a social welfare and healthcare organisation and pharmacy must provide the employees with written instructions on the processing of client data and the related procedures. Drawing up the instructions and taking care of the employees' competence are tasks decreed by law, and they can be used for preventing misuse of information.
 
Although the result of the request for clarification is reasonably good, organisations still have plenty of room for development in providing instructions for the processing and viewing of data and its conformity to law. Extensive instructions for the processing of client and patient data in different operating processes have been drawn up by

  • 95 per cent of pharmacy respondents 
  • 87 per cent of public sector respondents, and 
  • 70 per cent of respondents in private healthcare. 

Training on compliance with the instructions was received by 81 per cent of respondents in pharmacies and the public sector and 62 per cent of private healthcare respondents.
 
By law, patient records are to be kept confidential, and the employees are bound by the obligation of secrecy. In addition, it is recommended that the employees are requested to sign a non-disclosure agreement. The survey result is good among the respondents in pharmacies and the public sector, but in private healthcare more employees should be requested to sign a non-disclosure agreement than at present. A non-disclosure agreement has been signed by

  • 95 per cent of pharmacy employees 
  • 86 per cent of public sector employees, and 
  • 57 per cent of private healthcare employees. 

Annual planning is needed in order to promote monitoring and supervision 

Social welfare and healthcare organisations and pharmacies monitor the processing of data entered in the Prescription Centre in their own operations. For this reason, it is recommended to draw up an annual plan to promote monitoring and supervision and to guide the implementation and reporting of the requirements of data protection work and the related legislation.

According to the results of the request for clarification, annual planning should be utilised more widely than before, especially in the public sector and in private healthcare. According to the results, an annual plan for monitoring and supervision approved by the management is in place for

  • 70 per cent of pharmacy respondents 
  • 30 per cent of public sector respondents, and  
  • 24 per cent of respondents in private healthcare.  

Even if an annual plan has been drawn up, compliance with it seems to falter across the board on the basis of the results. Monitoring and supervision are mainly carried out manually in the organisations, which is laborious and time-consuming. Monitoring and supervision are carried out according to the plan only by

  • 41 per cent of pharmacy respondents 
  • 16 per cent of public sector respondents, and 
  • 15 per cent of respondents in private healthcare.

Many operators do not have instructions for reporting data breaches

Personal data breaches must be reported to the data protection officer if they pose a risk to the person who is the subject of the data in question.  The incident must also be reported to the data subject if the resulting risk is high.  
 
Instructions on the procedure for reporting data breaches to the office of the data protection officer have been received by  

  • 84 per cent of public sector respondents 
  • 63 per cent of pharmacy respondents, and 
  • 49 per cent of private healthcare respondents.  

Instructions on reporting data breaches to the data subject have been given to  

  • 77 per cent of public sector respondents 
  • 54 per cent of private sector respondents, and  
  • 64 per cent of pharmacy respondents.

Self-monitoring plan directs the processing of personal data

All organisations, pharmacies and self-employed professionals providing social welfare and healthcare services must draw up a self-monitoring plan by virtue of the Client Data Act. The plan is the most important document guiding the processing of personal data within an organisation.  It is also a statutory obligation to monitor the implementation of the self-monitoring plan and to update it. 
 
According to the results of the request for clarification, a commendable share of the respondents from all sectors has drawn up a self-monitoring plan for the use of data protection, information security and information systems. Of those who responded to the request for clarification, the plan has been drawn up by  

  • 99 per cent of pharmacy respondents 
  • 93 per cent of public sector respondents
  • 90 per cent of private sector respondents, and
  • 78 per cent of self-employed professionals.

The request for clarification on the Prescription service was submitted to the social welfare and healthcare service, pharmacies and self-employed professionals in January 2021. A response was received from 52 per cent of 2,340 recipients. The request for clarification was drawn up in cooperation with the Office of the Data Protection Ombudsman and the Finnish Institute for Health and Welfare. Its purpose is to help outline the overall picture and everyday problem areas of data protection work. 
 
The request for clarification is implemented by virtue of section 24 of the Act on Electronic Prescriptions. The Act is used for monitoring the processing of data and personal data entered in the Prescription service in the Prescription Centre. Operators who have joined the Prescription service meet their reporting obligation to Kela by responding to the request for clarification.

