Privacy Policy for Prescription Centre

Privacy Policy for Prescription Centre

This is a valid Privacy Policy for Prescription Centre. The policy was updated on April 2, 2020.

Controller

The Social Insurance Institution of Finland

Nordenskiöldinkatu 12, 00250 Helsinki
Postal address PO Box 450
Postal code 00056
Phone number 020 634 11

Person responsible for register-related issues or contact person

Data Protection Officer for Kanta Services
kanta@kanta.fi

Name of register

Prescription Centre

Purpose of processing of personal data / purpose of use of the register

Under section 18 of the Act on Electronic Prescriptions (61/2007) the Social Insurance Institution of Finland (hereinafter referred to as Kela) is the register controller for the Prescription Centre. Kela is responsible for ensuring the usability and consistency of the data stored in the Prescription Centre, for the integrity of the data contents, and for the storage and destruction of the data.

In implementing the processing of personal data, Kela adheres to the EU General Data Protection Regulation, other laws governing the processing of personal data and the Act on Electronic Prescriptions.

The purpose of the register is to enable the storage and preservation of electronic prescriptions under the Act on Electronic Prescriptions and related dispensing data and requests for renewal in the centralised nationwide Prescription Centre. Electronic prescriptions stored in the Prescription Centre may be dispensed in accordance with consent given in My Kanta Pages from any pharmacy that has joined the electronic prescription system and from such pharmacies in Member States of the European Union as referred to in section 23 a of the Act on Electronic Prescriptions.

Electronic prescriptions and related dispensing data stored in the Prescription Centre can, on grounds laid down in the Act on Electronic Prescriptions, be used e.g. when checking a patient's overall medication, in official supervision of social and health care providers and pharmacies, when determining benefits under the Health Insurance Act and in scientific research, reporting and statistics.

Patients are entitled to receive a prescription on paper or by phone instead of electronically in the event of technical problems, exceptional events or comparable situations.

Electronic prescriptions stored in the Prescription Centre are available to social and health care providers and to pharmacies for 30 months. They are stored for a further 20 years and thereafter destroyed. Prescription data may be viewed via the My Kanta Pages.

Information content of the register

The Prescription Centre contains electronic prescriptions under the Act on Electronic Prescriptions, related dispensing details and requests for renewal.

Appendix 1 at the end of this policy contains data and groups of data contained in the register.

Regular sources of data

An electronic prescription can be issued by a doctor, dentist, medical or dental student with authorisation to prescribe medicines, or nurse whose right to prescribe medicines has been verified.

The pharmacy must store prescriptions received on paper or by phone and related dispensing data in the Prescription Centre if the prescription has been issued in writing or by phone for example because of technical problems.

Notes on the prescription regarding the dispensation are made and stored at the pharmacy by a chief pharmacist, pharmacist or health care professional authorised to dispense medicines.

Regular disclosure of data and transfer of data outside the EU or the EEA

Appendix 2 at the end of the policy contains information on situations when it is possible to disclose prescription and dispensing data under the Act on Electronic Prescriptions and other legislation, grounds for the disclosure of data and the mode of data disclosure.

Data are not transferred outside the EU or the EEA.

Principles of register security

The data stored in the Prescription Centre are confidential data on a person's state of health.

Organizational measures

Social and health care providers, pharmacies, independent professionals and Kela must, for their part, follow and monitor the legality of the data processing, and each party must have a self-monitoring plan to ensure data security and data protection. Kela, the social or health care provider and the pharmacy must have an appointed privacy officer for follow-up and supervisory duties.

Kela, the responsible manager of the social or health care provider and the owner of the pharmacy shall issue written instructions on the processing of data in the Prescription Centre and ensure sufficient competence and know-how among the personnel when processing a patient's data.

Kela, social or health care provider and pharmacy must on their own initiative take necessary measures if data stored in the Prescription Centre have been unlawfully accessed, used or disclosed.

For follow-up and monitoring purposes, social and health care providers that have joined the electronic prescription system and the pharmacy are entitled to receive log information from Kela, insofar as the personnel of the provider or pharmacy have accessed and processed data in the Prescription Centre.

Pharmacies in other member states of the European Union interact with the Prescription Centre through contact points in the member state in question or through national Finnish contact points. Contact points of other member states are entitled to receive log information from Kela to the extent that such information is needed to correct problems or issue official statements.

Technical protection

The viewing, storing and other processing of data in the Prescription Centre requires individualised strong authentication of the handler and administration of access rights related to the system.

Digital and population data services agency is responsible for the authentication and certification services as regards electronic prescriptions. The European Commission is responsible for certification services in relation to national contact points.

For their part, the social or health care provider, pharmacy and Kela are responsible for the administration of user rights.

Log information is stored in the log of the Prescription Centre every time data in the Prescription Centre are viewed or processed.

Physical protection of environment and devices

The data stored in the Prescription Centre are technically protected from change and deletion.

The facilities of Kela and the data are physically located in Finland. Limited access to the facilities is provided to Kela technical maintenance personnel insofar as their job duties so require.

Right of access

Patients have the right to check what information is stored about them in the Prescription Centre. A request to check information can be made on an official Kela form available from social and health care providers that have joined the electronic prescription system, from pharmacies, and from Kela offices. Requests to check the information stored in the Prescription Centre should be addressed to Kela (Registry, PO Box 450, 00056 Kela). Requests can be made by contacting Kela’s Registry by phone or by email (kirjaamo@kela.fi). A reply to the request is as a general rule provided free of charge.

Right to request the correction of data

Patients have the right to request that erroneous data stored in the Prescription Centre is corrected. If a patient or his/her legal representative requests the correction of an error caused by information provided by a prescriber or dispenser of a medication, the request for correction must be directed to the prescriber or dispenser or to the organisation that employed them at the time.

In other situations or if the request concerns dispensing data recorded by a pharmacy in another European country, the request to correct the data is sent in writing to Kela (Registry, PO Box 450, 00056 Kela). If it is not possible to comply with the request, Kela provides the patient with a certificate of denial. The certificate of denial states the reasons why the patient's or the patient's legal representative's request has not been accepted. After having received the certificate of denial, the patient can bring the matter to the attention the competent supervisory authority.

Right to file a complaint with a supervisory authority

If a patient considers that his or her personal data is processed in a way which contravenes the applicable provisions on data protection (Articles 12–22 of the EU General Data Protection Regulation), the patient may file a complaint with the competent supervisory authority. In Finland, that competent supervisory authority is the Data Protection Ombudsman.

Other rights related to the processing of personal data

Patients can use the My Kanta Pages to view the data stored in the Prescription Centre and check to which social and health care providers and pharmacies the data have been disclosed.

Patients are entitled to file a request with Kela to obtain log information in order to find out which persons who have processed and accessed the data stored on them in the Prescription Centre. Patients are entitled to request the log data on how Finnish pharmacies have processed their prescription data retrieved from abroad.

The request to obtain log information should be made on an official Kela form available from social and health care providers that have joined the electronic prescription system, from pharmacies and from Kela offices. The request is addressed to Kela (Registry, PO Box 450, 00056 Kela). Requests can be made by contacting Kela’s Registry by phone or by email (kirjaamo@kela.fi). A reply to the request is as a general rule provided free of charge.

Log information that is more than two years old cannot be examined, unless there are justifiable reasons for this. The patient must not use or disclose the log information he or she has obtained for other purposes.

If the patient on the basis of the log information considers that his or her has been processed without justification, he or she can request a statement from the relevant pharmacy or social or health care provider If the pharmacy is in another European country, the request is made to Kela.

The patient has the right to obtain the data again if there is a justifiable reason for this in order to secure the patient's privileges and rights. If data are disclosed again, Kela can request a fee that corresponds to the cost of disclosing the data.

The Prescription Centre is a service based on law (Act on Electronic Prescriptions) implemented and maintained by Kela. Kela’s operations are based on national laws. Therefore, the right under Article 17 of the EU General Data Protection Regulation of data subjects to obtain the erasure of personal data and the right under Article 20 to transmit data from one controller to another are not applied to data stored in the Prescription Centre.

Appendixes of the Privacy Policy

Last updated 21.07.2020