Controller
The Social Insurance Institution of Finland
Nordenskiöldinkatu 12, 00250 Helsinki
Postal address PO Box 450
Postal code 00056
Phone number 020 634 11
Person responsible for register-related issues or contact person
Data Protection Officer for Kanta Services
kanta@kanta.fi
Name of register
Client using the Kanta Services
Purpose of processing personal data / purpose of use of the register
By virtue of the Act on Electronic Processing of Client Data in Social and Health Care (159/2007) and the Act on Electronic Prescriptions (61/2007), the Social Insurance Institution of Finland (hereinafter Kela) acts as the administrator and/or data controller of the national information system services in health care (the Kanta services). Furthermore, Kela maintains the Pharmaceutical Database service, the Kanta client test service and the joint testing service. In order to carry out its statutory duties, Kela requires that the clients shall keep an up-to-date record of the concerned persons in charge and contact persons.
Clients of the Kanta Services
In this privacy policy, a client refers to
- social welfare and healthcare service providers and pharmacies that sign an agreement on the use of Kanta services
- doctors or dentists with a professional healthcare practice right who register as users of the Kelain service
- information system suppliers deploying the Kanta client test service, the joint testing service or the staging environment
- application suppliers integrating the application in Kanta PHR
- organisations acting as a Kanta provider and an intermediary for the Pharmaceutical Database
- other cooperation bodies receiving fault notifications or other communications (for example, invitations to meetings).
Client register of Kanta services and utilisation of the data
The client register of the Kanta services is a dataset maintained by the clients themselves and used for customer service and contacts between Kela and the client. The data is utilised, e.g. for providing information to the clients and sending fault notifications with respect to the Kanta services, the reception service for the purchases and settlement of medicines, and the query service for direct reimbursement details. It is also possible to send queries to the contact persons/points notified by the client in order to collect information from the client with regard to essential matters in terms of Kela’s tasks and on matters related to the monitoring and control of data processing. The collected data is used for the development of operations. The collected data is used also for the implementation of control measures in as far as Kela is acting as the data controller.
The contact details of a client that has deployed the Kanta service and those of its Data Protection Officers can also be used for distributing information and instructions by the Office of the Data Protection Ombudsman and for contacts between the Office of the Data Protection Ombudsman and the Data Protection Officers.
Maintaining the client data
The social welfare and healthcare service providers, pharmacies, and doctors or dentists with a professional practice right using the Prescription service, the Patient Data Repository or the client data archive for social welfare services record and update data and contact details related to their client accounts in the client register of Kanta services using the Kanta Ekstranet service or the Kelain service. Clients deploying other services shall provide the client data on a service-specific contact form in connection with the service deployment, in which case the Kanta services will manually record the data in the client register of Kanta services.
Other clients shall notify the client data either by telephone, post or email, in which case the Kanta services will manually record and update the data in the client register of Kanta services.
The roles of contact persons and contact points in the client register
The client’s contact persons and contact points are connected to the client in the client register with roles, on the basis of which distribution lists are created for each target group. The distribution lists are utilised in notifications, queries and other communication.
Depending on the Kanta service deployed, the client shall notify to Kela the contact details in relation to the following roles:
- administrative contact person
- technical contact person or organisation
- Data Protection Officer
- archivist of the Patient Data Repository
- archivist of the client data archive in social welfare services
- contact person for invoicing
- recipient of fault notifications.
The supplier of an information system to be certified in the Kanta service shall report to Kela the contact persons related to the development and maintenance of the system and to joint testing. The Kanta agent shall report to Kela the contact persons related to the maintenance of the access point. All clients can report to Kela their contact person for fault notifications and the contact details for communications.
Storage of data
The data is retained for 10 years after the client account has been terminated, after which the data will be destroyed. The original accession documents shall be stored in Kela’s document archive for 10 years after the termination of the client account, after which the data will be destroyed.
Information content of the register
The register includes information about the services used by the client and the client’s contact persons/points (e.g. name, address, telephone number, role of the contact person), as well as technical data (e.g. access point and system data) in relation to the Kanta services used by the client. With respect to the person acting as archivist, the number of the certificate card is also recorded in the register. With respect to actions carried out by the client, information about the Katso ID of the person making the change is saved in the register.
Regular information sources of data
Kela obtains the information from the clients of the Kanta services. The client shall record the data in the client register when joining it as a client of the Kanta services. The client shall record and update the information in the Kanta Ekstranet service. The information can also be notified to the Kanta service in another way, if necessary.
Regular disclosure of data and transfer of data outside the EU or the European Economic Area
The data shall not be transferred outside the EU or the European Economic Area.
Principles of protection of the register
Organisational protection principles
For its own part, Kela monitors and supervises the lawfulness of data processing. Kela also has a self-monitoring plan to ensure data protection and data security. Kela provides written instructions on the processing of data and takes care of sufficient expertise and competence of its staff when processing the data.
Technical protection principles
The clients shall administer their client data through Kanta Ekstranet, the access to which requires a Katso ID and an applicable Kela role or Master User ID linked to it in the Katso service.
At Kela, access to data in the client register has been restricted by only providing access rights to persons whose duties require such access.
Log data is recorded in the client data log of the viewing and processing of data in the client register.
Physical protection principles
The data recorded in the client register is technically protected to prevent editing and deleting.
Kela’s IT areas and the physical location of data are in Finland. Kela’s technical maintenance staff have limited access to the IT areas when the management of their duties requires such access.
Access to the data
The representative of the client organisation is entitled to check the data recorded of themselves in the client register. A free-form and individualised request is sent by email to kirjaamo@kela.fi.
Right to correct data
A client using the Kanta service may correct their contact details related to their client account in the Kanta Ekstranet service or request correction via the Kanta service
Right to lodge a complaint to the regulatory authority
If the client deems that the processing of their personal data breaches the applicable data protection regulations (Articles 12–22 of the EU’s General Data Protection Regulation), the client is entitled to lodge a complaint to the competent regulatory authority.
Other rights related to the processing of personal data
The client register of the Kanta services is a service implemented and maintained by Kela. Kela’s operations are based on the national legislation. As a result of this, the data subject's right to erasure of data by virtue of Article 17 of the EU's General Data Protection Regulation and the data subject’s right to transmit the data from one system to another by virtue of Article 20 of the regulation shall not be applied to data recorded in the Kanta client register. The client data recorded in the client register will be destroyed after the retention period.