Privacy policy for Log register of the usage of Kanta Personal Health Record

Privacy policy for Log register of the usage of Kanta Personal Health Record

This is a valid Privacy Policy for Log register of MyKanta Personal Health Record. The policy was updated on June 3, 2022.

Controller

The Social Insurance Institution of Finland

Nordenskiöldinkatu 12, 00250 Helsinki
Postal address PO Box 450
Postal code 00056
Phone number 020 634 11

Person responsible for register-related issues or contact person

Data Protection Officer for Kanta Services
kanta@kanta.fi

Name of register

Log register of the usage of Kanta Personal Health Record (PHR)

Purpose of processing of personal data / purpose of use of the register

According to section 4 of the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare (784/2021), Kela is the data controller for the wellbeing data and service usage data stored in the Kanta PHR service, which is part of the national information system services in health care, the Kanta Services.

Kanta PHR usage log register data are used to verify the processing of data stored in the Kanta PHR. Usage log data are also used for troubleshooting at Kela.

Log data are retained for 12 years after their generation, after which the data will be deleted.

Data content of the register

The register includes the following data:

  • time of event
  • the personal identity code of the person whose data processing the log entry concerns
  • the event giving rise to the log entry
  • identifier of the wellbeing application that has requested data processing
  • identifier of the party that has requested data processing (the person themselves)
  • usage type
  • identifier of certificate used in the event
  • user rights of the wellbeing application that has requested data processing
  • search criteria
  • end result of the event
  • returned error code
  • internal error code and reason
  • amount of data returned in the search results
  • identifier of the processed data
  • type of processed data
  • additional information of the processed data.

Regular information sources

Logged data is stored in the log register when the user logs into the service and when they use the Kanta PHR service.

Regular disclosure of data and transfer of data outside the EU or the European Economic Area

Kela will not disclose data in the register to third parties.

Kela will not transfer data outside the EU or the European Economic Area.

Principles of protection of the register

The data in the log register contains confidential personal data.

Organisational measures

For its own part, Kela monitors and supervises the lawfulness of data processing. Kela has a named data protection officer. Kela will issue written instructions on data processing and will ensure that personnel have sufficient expertise and competence for this purpose. Kela has a date security plan covering data security, privacy protection and information system use.

Kela takes the necessary measures of its own accord if the data entered in the register has been processed unlawfully.

Technical protection

The processing of data in the register requires strong identification that identifies the data controller, as well as the management of access rights related to the system.

The logged data is only utilised in problem situations in accordance with Kela’s described process by the Data Protection Officer or a special working group. Only designated members of Kela’s personnel have access to the data recorded in Kanta services.

Physical protection of environments and devices

The logged data is technically protected to prevent editing and deleting.

Kela’s IT areas and the physical location of data are in Finland. Kela’s technical maintenance staff have limited access to the IT areas when the management of their duties requires such access.

Rights of data subjects

Users may submit an information request for usage log data concerning themselves pursuant to section 26 of the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare. If they consider that the processing of their personal data violates applicable privacy protection legislation (EU GDP Regulation, Articles 12–22), they have the right to file a complaint with the competent supervisory authority. In Finland, the supervisory authority is the Data Protection Ombudsman.

Last updated 20.4.2023