Privacy Policy for Information Management Service

Privacy Policy for Information Management Service

This is a valid Privacy Policy for Information Management Service. The policy was updated on July 10, 2020.

Controller

The Social Insurance Institution of Finland

Nordenskiöldinkatu 12, 00250 Helsinki
Postal address PO Box 450
Postal code 00056
Phone number 020 634 11

Person responsible for register-related issues or contact person

Data Protection Officer for Kanta Services
kanta@kanta.fi

Name of register

Information Management Service 

Purpose of processing personal data / purpose of use of the register

According to section 14 a of the Act on the Electronic Processing of Client Data in Social and Health Care Services (159/2007), the Social Insurance Institution of Finland (hereinafter Kela) maintains the Information Management Service and acts as its controller.

Kela carries out the processing of personal data in accordance with the EU’s general data protection regulation and other legislation regulating the processing of personal data, and by virtue of the Act on Electronic Prescriptions.

Healthcare service providers may use the data recorded and shown in the Information Management Service when organising and implementing the client’s health and medical care. Clients can browse and update the data concerning consents and declarations of intent recorded in the Information Management Service in the My Kanta Pages service.

Data concerning consents and declarations of intent recorded in the Information Management Service may be utilised in scientific research, reporting and compiling of statistics under conditions provided in the law.

Data recorded in the Information Management Service concerning the patient’s consents and declarations of intent shall be retained for 12 years after the patient died or, if not known, 120 years after the patient was born, after which the data shall be destroyed.

Data content of the register

A note about the fact that the patient has been informed of the national information system services (Kanta Services, i.e. the Patient Data Repository, Prescription and My Kanta Pages) shall be recorded in the Information Management Service. A note about the fact that the patient has been informed about the common register, which is a common entity of patient data registers for the municipal healthcare custodians in the area of each hospital district, shall be recorded in the service.

The patient’s consent concerning sharing of patient data, withdrawal of the consent, refusal to share patient data and the withdrawal of the refusal shall be recorded in the service. The patient’s living will and their opinion on organ donation shall also be recorded in the service.

Furthermore, data concerning the provision of information and consents with regard to electronic prescriptions of the patient shall also be recorded in the Information Management Service.

Regular information sources

Healthcare service providers who have joined the Kanta Services shall record data concerning the patient’s consents and declarations of intent in the Information Management Service. In My Kanta Pages the patient may record their acknowledgement of receipt of information about the Kanta Services. The patient may also record their consent to share patient data, the withdrawal of the consent, the refusal to share patient data and the with drawal of the refusal, as well as their acknowledgement of receipt of information about the Cross-border prescription, consent concerning the Cross-border prescription and the refusal to share electronic prescriptions.

Regular disclosure of data and transfer of data to outside the EU or the European Economic Area

Healthcare service providers may use the data recorded and shown in the Information Management Service when organising and implementing the client’s health and medical care. The data sharing must be based on the patient’s consent, section 13 (3)(3) of the Act on the Status and Rights of Patients, or on other regulation justifying the sharing. Data for which the patient has given their refusal shall not be shown through the Information Management Service.

Sharing of data requires that the existence of a patient care relationship between the patient and the party requesting the sharing of data has been verified by means of information technology.

Situations where data on the patient’s consents and declarations of intent, the grounds for sharing the data and the method of sharing in accordance with the act on electrical processing of client data in social and health care and other legislation have been compiled in Appendix 1 at the end of this policy.

Data shall not be transferred to outside the EU or the European Economic Area.

Principles of protection of the register

The data recorded in the Information Management Service is confidential data concerning the person’s health and medical care.

Organisational protection principles

The responsible director of the healthcare service provider shall provide written instructions on the processing of data and take care of sufficient expertise and competence of his/her staff when processing patient data.

The healthcare service provider and Kela for its own part shall monitor and supervise that the data protection and data security related to the service it provides are realised. The healthcare service provider and Kela have appointed a Data Protection Officer for the monitoring and supervision task.

Technical protection principles

Browsing, recording and other processing of data in the patient data management system and accessible via the system require strong authentication that identifies the processor, as well as access rights management related to the system by both the healthcare service provider and Kela.

The Digital and Population Data Services Agency is responsible for the identification and certification services for the Kanta Services.

The healthcare service provider and Kela are responsible for the management of access rights for their own parts.

Log data is recorded in the log of the Information Management Service with regard to all browsing and processing of data in the Information Management Service.

Physical protection principles

The data recorded in the Information Management Service is technically protected against editing and deleting.

Kela’s IT areas and the physical location of data are in Finland. Kela’s technical maintenance staff have restricted access to the IT areas when the management of their duties requires access to these areas.

Access to the data

The patient is entitled to inspect their personal data recorded in the Information Management Service. The request can be submitted on the inspection request form, which is available from healthcare units that have joined the Kanta Services and from Kela's offices. The request to inspect the data recorded in the Information Management Service shall be sent to Kela (Registry, P.O. Box 450, 00056 Kela). The request can be made by telephone or by sending an email to Kela’s Registry (kirjaamo@kela.fi). As a rule, the respond to the inspection request is sent free of charge.

Right to request rectification of data

The patient is entitled to request rectification of incorrect data that has been recorded in the patient data management system. If the patient or their legal representative requests rectification of an error or the incorrect data is based on an entry made by a healthcare service provider, the request for rectification must be addressed to the healthcare service provider that made the incorrect entry.

In other cases, the request for rectification shall be sent in writing to Kela (Registry, P.O. Box 450, 00056 Kela). If it is not possible to agree to the request for rectification, Kela shall issue a certificate of refusal to the patient. The reasons why the request by the patient or their legal representative was not accepted shall be stated in the certificate of refusal. After receiving the certificate of refusal, the patient may still refer the matter to be dealt with by the competent regulatory authority.

Right to lodge a complaint to the regulatory authority

If the patient deems that the processing of their personal data has breached the applicable data protection regulations (Articles 12–22 of the EU’s general data protection regulation), the patient is entitled to lodge a complaint to the competent regulatory authority. In Finland, the regulatory authority is the Data Protection Ombudsman.

Other rights related to the processing of personal data

The patient is entitled to learn who has had access to their personal data recorded in the Information Management Service by submitting a log data request to Kela. In addition, the patient is also entitled to be informed about the sharing of data that is accessed via the Information Management Service.

The log data request can be submitted on the log data request form, which is available from healthcare units that have joined the Kanta Services and from Kela's offices. The log data request shall be sent to Kela (Registry, P.O. Box 450, 00056 Kela). The request can be made by telephone or by sending an email to Kela’s Registry (kirjaamo@kela.fi). As a rule, the respond to the log data request is sent free of charge.

There is no right to obtain log data that is older than two years without a valid reason. The patient must not use or share the log data they have received for any other purpose.

If the patient considers on the basis of the log data that their information has been processed without a valid reason, they can request the pharmacy or healthcare unit in question for an explanation of the matter.

The patient is entitled to receive the same data again if there is a valid reason for it in order to fulfil the patient’s interests and rights. Kela may charge a fee corresponding to the costs of providing the information with regard to information that is provided a second time.

Appendixes of the Privacy Policy

Last updated 04.08.2020