Systematic monitoring of data protection in Siun sote
Siun sote has made systematic effort in the development of data protection and data security since the Kanta services were launched. How is data protection enforced?
The national Kanta services are a key basis for smooth and safe sharing of patient data throughout the healthcare supply chain. Data protection in healthcare services is planned, developed and enforced in many different ways. Siun sote, the joint municipal authority for North Karelia social and health services, complies with strict procedures to ensure data security and to guarantee the enforcement of client’s data protection.
“In terms of data security, we have a data security policy approved by the board of Siun sote for controlling the use of data. The policy sets out the key principles, responsibilities and obligations related to data security and the ways data security is implemented in practical terms,” says Pekka Nevalainen, security manager at Siun sote.
Log data requests are thoroughly investigated
To put it simply, data security means the technical solutions and practices of an organisation, and data protection, or the protection of privacy, means the protected and controlled use of client data. At Siun sote, data protection is monitored and enforced systematically according to the defined process.
“We have strict descriptions of how data protection is monitored and enforced and what kinds of consequences or procedures are in place if errors are detected in the use of data,” says Mirja Vilpponen, data protection specialist at Siun sote.
Clients can make a log data request if they suspect that their patient data has been snooped on. In such a case, roughly the following process is complied with:
- If nothing suspicious is detected in the data, the client is told that the data has been used appropriately. If they so wish, the client can obtain the log data to see for themselves. If necessary, further information is provided, for example, concerning why a certain person has accessed their data.
- If it is suspected that a client’s data has been subject to unauthorised access, the employee in question shall provide an explanation of why and for which reason they have accessed the data. If the access was justified, the client will be provided with an account of it.
- However, if misuse of data is suspected, the suspected person is consulted in writing and further measures are decided on. If necessary, the opinion of the police will be requested.
- If it turns out that data was mishandled, the employee will receive a penalty. The penalty is determined according to the infringement: it may be a written warning, a reprimand or the termination of employment. If necessary, the matter will be reported to the police.
- The key issue in investigating suspected snooping is a case-specific consultation, which determines any further measures and the penalty.
Misuse of data is uncommon
Pekka Nevalainen and Mirja Vilpponen emphasise the fact that there have been extremely few cases of misuse of data. Last year, just under a hundred log data requests were made to Siun sote. One of these cases was reported to the police and in two cases the employee received a punishment.
In addition to log data requests, the implementation of data protection is enforced with random sampling, i.e. a certain number of documents are investigated through random selection. Sometimes, the use of data is also investigated at the managers’ request. At Siun sote, enforcement takes place completely manually.
“We do not use automated log control, but that may be the next development step. We will have to consider whether a log control system helping us in the enforcement would be necessary in the future,” Nevalainen ponders.
Increased awareness, above all, is essential in the monitoring of data protection. A new employee joining the organisation is given information protection guidelines, which they commit to by signing it. Training events are organised for staff members, and they have to attend training packages at regular intervals in order to prove their awareness of the matter. It is also ensured that the instructions concerning data protection are up-to-date. It is important that people also know the consequences of their mistakes.
Viewing of data requires strong authentication
In a digital system, everything leaves a trace, which in turn makes it easier to enforce data protection. Healthcare professionals can access the data in Kanta services only with strong authentication, i.e. in practice only with their own professional cards. They cannot access the data without the card.
Nevalainen also wants to remove the misconception that healthcare professionals can access all data in the Patient Data Repository of Kanta.
“They can access the repository only through the patient system of their own controller. Therefore, it is not a databank that you can just pop into in order to view data."
Data security and data protection have been a high priority since the deployment of Kanta services, and their monitoring is invested in constantly. Healthcare services are using clear procedures, and the employees are also aware of their obligations. Vilpponen and Nevalainen recommend that the necessary consents are granted for the use of data. That would ensure as good, flexible and rapid treatment as possible.
“The data in Kanta must not be used for any other purpose than medical care. It must not be accessed out of curiosity. If a client suspects that their data has been snooped or misused, they can approach their own health centre or hospital and check the use of their data. This right can and should be used.”