Keeping patient data under lock and key
The data protection of the users of My Kanta Pages is in good hands, assures the data protection officer of Kela’s Kanta services.
‘The Kanta services have extremely stringent data protection requirements, and therefore data protection has been at a high level from the very beginning. A good level is reached when legislation and the regulations and guidelines issued by the authorities based on the legislation are being followed,' says Henna Koli, Data Protection Officer of the Kanta services.
The data protection officer is Kela’s special adviser in data protection issues. The officer provides guidance and instructions to Kela’s employees and customers and supports the management in their decision-making regarding new features in information systems.
‘A data protection officer is always involved in the planning of data processing.’
Koli mentions strong electronic authentication as an example of statutory data protection. In terms of using My Kanta Pages, it means electronic authentication with banking codes, an electronic ID card or a mobile certificate.
‘These methods of identification are personal and they are strong in terms of data security. Of course, much depends on how careful our customers are when they are using these tools.’
‘In My Kanta Pages, a parent or carer can access the data of a child under 10 years of age, but viewing the data also requires strong electronic identification in these cases.'
There is also some room for interpretation in data protection issues. An annual data protection survey is carried out among the customers of Kanta services in cooperation with the Data Protection Ombudsman in order to evaluate the data protection situation among the customers. How has data protection developed according to the reports?
‘We can see from the surveys that data protection issues are regarded as important, but there is still room for improvement.'
According to Koli, there are plans to harmonise the monitoring and supervision of data processing throughout the whole country.
‘Currently, the supervision of personnel who are processing customer data is the responsibility of each and every healthcare unit and pharmacy. Supervision takes place, for example, retrospectively at random on the basis of log data.’
The EU’s Data Protection Directive imposes more requirements on the implementation of data protection. The Directive, which will be applied from May 2018, will further strengthen data protection and also oblige to prove that the letter of the directive is being followed.
‘In practical terms this means that, for example, documentation will be improved.’
Data processing also in Kela’s internal work is very restricted by virtue of legislation. The data protection of My Kanta Pages is safeguarded by many kinds of guidelines, processes and supervision. The same also applies more generally to the data protection of all those persons whose data has been recorded in Kanta services such as the Prescription service or the Patient Data Repository.