The Social Insurance Institution of Finland
Nordenskiöldinkatu 12, 00250 Helsinki
Postal address PO Box 450
Postal code 00056
Phone number 020 634 11
Person responsible for register-related issues or contact person
Data Protection Officer for Kanta Services
Name of register
Purpose of processing of personal data / purpose of use of the register
According to section 18 of the Act on Electronic Prescriptions (61/2007), the Social Insurance Institution of Finland (hereinafter Kela) is the custodian of the Prescription Archive. Kela is responsible for the availability and integrity of the data in the Prescription Archive, the stability of the data contents and the retention of data, as well as the destruction of data at the end of the retention period.
Electronic prescriptions recorded in the Prescription Archive and their dispensing data may also be utilised, e.g. when establishing the patient's overall medication regime, in regulatory supervision of social welfare and healthcare services and pharmacies, in decisions concerning benefits by virtue of the Sickness Insurance Act, and in scientific research, reporting and compiling of statistics under the conditions provided by the Act on Electronic Prescriptions.
According to the Act on Electronic Prescriptions, electronic prescriptions and the data concerning them shall be stored in the Prescription Archive for 20 years, after which the data will be destroyed.
Data content of the register
Regular information sources
Regular disclosure of data and transfer of data to outside the EU or the European Economic Area
Data shall not be transferred to outside the EU or the European Economic Area.
Principles of protection of the register
The data recorded in the Prescription Archive is confidential data concerning the person’s medical status.
Organisational protection principles
Kela monitors and supervises for its own part that data protection related to its services is realised. Kela has a self-monitoring plan in place to ensure data protection and data security. Kela has appointed a Data Protection Officer for the monitoring and supervision task.
Kela shall provide written instructions on the processing of data in the Prescription Archive and take care of sufficient expertise and competence of its staff when processing the data.
If data is shared with a technical interface, the authority requesting the data must provide an account of how data protection is managed in an appropriate way.
Technical protection principles
The browsing, recording and other processing of data in the Prescription Archive require strong authentication that identifies the processor as well as access rights management related to the system. Kela shall be responsible for its own part for the management of access rights.
Log data is recorded in the Prescription Archive log on all browsing and processing of data in the Prescription Archive.
Physical protection principles
The data recorded in the Prescription Archive is technically protected to prevent editing and deleting.
Kela’s IT areas and the physical location of data are in Finland. Kela’s technical maintenance staff have restricted access to the IT areas when the management of their duties requires access to these areas.
Access to the data
The patient is entitled to inspect their personal data recorded in the Prescription Archive. The request can be submitted on the inspection request form, which is available in social welfare and healthcare units using electronic prescriptions, in pharmacies and in Kela’s offices. The request to inspect the data recorded in the Prescription Archive shall be sent to Kela (Registry, P.O. Box 450, 00056 Kela).
The request can be made by telephone or by sending an email to Kela’s Registry (firstname.lastname@example.org). As a rule, the respond to the inspection request is sent free of charge.
Right to request rectification of data
Requests for rectifying incorrect data must be addressed to Kela. The operating unit that has recorded the incorrect data must deliver to Kela a written assignment accompanied by a statement of reasons in order to rectify the incorrect data.
If it is not possible to agree to the request for rectification, Kela shall issue a certificate of refusal to the patient. The reasons why the request by the patient or their legal representative was not accepted shall be stated in the certificate of refusal. After receiving the certificate of refusal, the patient may still refer the matter to be dealt with by the competent regulatory authority.
Right to lodge a complaint to the regulatory authority
If the patient deems that the processing of their personal data has breached the applicable data protection regulations (Articles 12–22 of the EU’s general data protection regulation), the patient is entitled to lodge a complaint to the competent regulatory authority. In Finland, the regulatory authority is the Data Protection Ombudsman.
Other rights related to the processing of personal data
In My Kanta Pages, the patient can browse the data recorded in the Prescription Archive and view the social welfare and healthcare units and pharmacies that have received the data. My Kanta Pages shows the log data of prescriptions for the previous two years.
The patient is entitled to learn who has processed and viewed their personal data recorded in the Prescription Archive by submitting a log data request to Kela.
The log data request can be submitted on the log data request form, which is available in social welfare and healthcare units using electronic prescriptions, in pharmacies and in Kela’s offices. The log data request shall be sent to Kela (Registry, P.O. Box 450, 00056 Kela). The request can be made by telephone or by sending an email to Kela’s Registry (email@example.com). As a rule, the respond to the log data request is sent free of charge.
There is no right to obtain log data that is older than two years without a valid reason. For this reason, in the log data request for data recorded in the Prescription Archive, the patient must provide a specific and valid reason for the disclosure of data from the Prescription Archive. The patient must not use or share the log data they have received for any other purpose.
If the patient considers on the basis of the log data that their information has been processed without a valid reason, they can request the pharmacy or social welfare and healthcare unit in question for an explanation of the matter.
The patient is entitled to receive the same data again if there is a valid reason for it in order to fulfil the patient’s interests and rights. Kela may charge a fee corresponding to the costs of providing the information with regard to information that is provided a second time.
The Prescription Archive is a statutory service implemented and maintained by Kela (Act on Electronic Prescriptions). Kela’s operations are based on the national legislation. For this reason, the data subject's right to erasure of data by virtue of Article 17 of the EU's General Data Protection Regulation and the data subject’s right to transmit the data from one system to another by virtue of Article 20 shall not be applied to the data recorded in the Prescription Archive.