Privacy Policy for Information Management Service

This is a valid Privacy Policy for Information Management Service. The policy was updated on November 1, 2021.

Joint controller

The Social Insurance Institution of Finland

Nordenskiöldinkatu 12, 00250 Helsinki
Postal address PO Box 450
Postal code 00056
Phone number 020 634 11

Person responsible for register-related issues or contact person

Data Protection Officer for Kanta Services

Name of register

Information Management Service 

Purpose of processing personal data / purpose of use of the register

The Information Management Service is a national data system service used to compile, from archived client data, current information important for the patient's care or processing a client's case. In addition, the service manages the documents to be maintained.

Each social and healthcare service provider and the Social Insurance Institution of Finland (hereinafter Kela) are the joint controllers of the Information Management Service.

As joint controller, Kela is responsible for the usability and integrity of the data, non-alteration of data contents and the storage and destruction of data, as provided in Section 14 of the Act on the Electronic Processing of Client Data in Social and Health Care Services (hereinafter Client Data Act, 784/2021). The service providers that enter the data to be compiled in the Information Management Service are responsible for the correctness of the data being entered, as well as for all other obligations of the data controller.

Kela acts as contact point in accordance with Article 26 (1) of the EU General Data Protection Regulation. As contact point, Kela is responsible for fulfilling and implementing the obligation to provide information, imposed on data controllers by the data protection legislation, with regard to the Information Management Service. In addition, Kela acts as the primary contact point for requests for the exercise of data subjects' (clients) rights and forwards the request to the correct party, if necessary.

The legislation on joint controllership and the procedures to be followed under joint controllership are discussed in the relevant document Description of joint controllership of services related to Kanta Services (pdf, in Finnish).

Kela carries out the processing of personal data in accordance with the EU General Data Protection Regulation and other legislation regulating the processing of personal data, and by virtue of the Act on Electronic Prescriptions.

Healthcare providers are permitted to use the data stored in and accessible from the Information Management Service to carry out patient care. Information may be disclosed through the Information Management Service as provided in Section 20 of the Client Data Act (784/2021). The data in the Information Management Service may be processed within the framework of the access rights provided for in Section 15 of the Client Data Act (784/2021) and defined by the Decree issued pursuant to the section.

Data concerning consents and declarations of intent recorded in the Information Management Service may be utilised in scientific research, reporting and compiling of statistics under conditions provided in the law.

Data recorded in the Information Management Service concerning the patient’s consents and declarations of intent shall be retained for 12 years after the patient died or, if not known, 120 years after the patient was born, after which the data shall be destroyed.

Data content of the register

Patient records are used by the Information Management Service to compile patient data that are important for the implementation of healthcare and to provide summaries thereof to service providers for the implementation of patient care.

Key patient data include diagnoses and reasons for visit, risks, laboratory test results, vaccinations, procedures, medication data, physiological measurements and imaging examinations recorded using the procedural codes, data related to physical capacity, appointment data, and a plan of the patient's examinations, treatment or rehabilitation or other similar plan, as provided in Section 4a of the Act on the Status and Rights of Patients (785/1992).

Regular information sources

Healthcare providers that have joined the Kanta service enter patient documents in the Patient Data Repository. Key patient data is compiled from the patient records stored in the Patient Data Repository.

Regular disclosure of data and transfer of data to outside the EU or the European Economic Area

Healthcare providers can use the summaries of patient data in the Information Management Service to implement patient care. Data whose disclosure the patient has not consented to is not shown through the Information Management Service.

Data may be shared through the Information Management Service as provided in the Client Data Act. Sharing of data requires that the existence of a patient care relationship between the patient and the party requesting the sharing of data has been verified by means of information technology.

Appendix 1 at the end of the report contains the situations for disclosure of the data in the Information Management Service under the Client Data Act and other legislation, the grounds for disclosure of the data and the method of disclosure.

Data shall not be transferred to outside the EU or the European Economic Area.

Principles of protection of the register

The data recorded in the Information Management Service is confidential data concerning the person’s health and medical care.

Organisational protection principles

Social and healthcare service providers and Kela, for their part, monitor and control the lawfulness of the data processing, and each party has a data security policy to ensure data protection and security. Kela and the social and healthcare service provider each have a designated data protection officer.

Kela and the responsible official of the social and healthcare service provider provide written instructions on the processing of data in the Information Management Service and ensure that the staff have sufficient expertise and competence in processing patient data.

Kela and the social and healthcare service provider will take the necessary measures on their own initiative if the data stored in the Information Management Service has been illegally viewed, used or shared.

In order to carry out monitoring and control, a social and healthcare service provider using the Information Management Service has the right to obtain log data from Kela to the extent that the personnel of the relevant service provider have viewed and processed the data in the Information Management Service.

Technical protection principles

Browsing, recording and other processing of data in the patient data management system and accessible via the system require strong authentication that identifies the processor, as well as access rights management related to the system by both the healthcare service provider and Kela.

The Digital and Population Data Services Agency is responsible for the identification and certification services for the Kanta Services.

The healthcare service provider and Kela are responsible for the management of access rights for their own parts.

Log data is recorded in the log of the Information Management Service with regard to all browsing and processing of data in the Information Management Service.

Physical protection principles

The data recorded in the Information Management Service is technically protected against editing and deleting.

Kela’s IT areas and the physical location of data are in Finland. Kela’s technical maintenance staff have restricted access to the IT areas when the management of their duties requires access to these areas.

Access to the data

The client is able to view a summary of the information stored in the Information Management Service through MyKanta.

The client has the right to inspect the data stored on them in the Information Management Service. The service provider is the data controller of the data generated through its operations and, as joint controller, is responsible for the correctness of the data compiled for the Information Management Service.

If the client exercises their right of inspection, the request should be addressed to the service provider who is responsible for the correctness of the recorded data, as well as other obligations of the data controller. The service provider must provide the client with the information stored about them in accordance with the Data Protection Regulation.

A request to inspect information may be made using the inspection request form, which is available from service providers that have joined the Kanta services and from Kela offices. If necessary, a request to inspect the data stored in the Information Management Service can be addressed to Kela (Registry, PO Box 450, 00056 Kela). The request can also be made by contacting the Kela Registry by phone or email (kirjaamo@kela.fi). Kela will forward the request to the service provider responsible for the correctness of the recorded information.

As a rule, the reply to an inspection request is provided free of charge.

Right to request rectification of data

The client is entitled to request rectification of incorrect data that has been recorded in the patient data management system. If the client or their legal representative requests rectification of an error or the incorrect data is based on an entry made by a healthcare service provider, the request for rectification must be addressed to the healthcare service provider that made the incorrect entry.

In the role of joint controller, Kela acts as the contact point for the client or data subject. Thus, a request for rectification can be submitted in writing to Kela (Registry, PO Box 450, 00056 Kela). If necessary, Kela will forward the submitted rectification request to the service provider in the course of whose operation the entry in question was made.

If the client's request for rectification is not accepted, they may still refer the matter for review by the competent regulatory authority.

Right to lodge a complaint to the regulatory authority

If the client considers that the processing of their personal data violates the applicable data protection regulations, they have the right to lodge a complaint with the competent regulatory authority, under Article 77 of the EU General Data Protection Regulation and Section 21 of the Data Protection Act. In Finland, the regulatory authority is the Data Protection Ombudsman.

Other rights related to the processing of personal data

In MyKanta, the client can view the data compiled for the Information Management Service and see with which service provider it has been shared.

The client has the right to know to whom information on them stored in the Information Management Service has been disclosed by making a log data request to Kela.

The log data request can be made using the log data request form available from social and healthcare units that have joined Kanta Services and from Kela offices. The request for log data should be addressed to Kela (Registry, PO Box 450, 00056 Kela). The request can also be made by contacting the Kela Registry by phone or email (kirjaamo@kela.fi). As a rule, a response to a log data request is provided free of charge.

The social and healthcare service provider is the controller of the usage logs generated in its operations. If the client's log data request concerns usage log data, the request should be addressed to the relevant service provider.

Clients do not have the right to obtain log data older than two years without a specific reason. The client may not use or disclose the received log data for any purpose other than to determine and exercise their rights regarding access to or processing of their own client information.

If, on the basis of the log data, the client considers that their data has been unjustifiably accessed or processed, they may request clarification from the service provider concerned.

The client is entitled to receive the same data again if there is a valid reason for it in order to fulfil the client's interests and rights. Kela may charge a fee corresponding to the costs of providing the information with regard to information that is provided a second time.

The Information Management Service is a statutory service executed and maintained by Kela (Client Data Act). Kela's operation is based on national legislation. Therefore, the right of the data subject (client) to remove information under Article 17 or the right of the data subject to transfer data from one system to another under Article 20 of the EU General Data Protection Regulation do not apply to data entered into the Information Management Service.

Appendixes of the Privacy Policy

Last updated 19.4.2023