Privacy Policy for Prescription Centre

Privacy Policy for Prescription Centre

This is a valid Privacy Policy for Prescription Centre. The policy was updated on 1 November 2021.

Joint controller

The Social Insurance Institution of Finland

Nordenskiöldinkatu 12, 00250 Helsinki
Postal address PO Box 450
Postal code 00056
Phone number 020 634 11

Person responsible for register-related issues or contact person

Data Protection Officer for Kanta Services
kanta@kanta.fi

Name of register

The Prescription Centre

Purpose of processing of personal data / purpose of use of the register

The Prescription Centre is a database that consists of electronic prescriptions entered by the prescribers of the medicine, prescriptions entered by pharmacies, data concerning medicines handed to patients by healthcare and social welfare service providers, dispensing data attached to prescriptions, and entries related to medication reviews.

The purpose of the register is to enable recording and storage of electronic prescriptions issued in accordance with the Act on Electronic Prescriptions, as well as the related dispensing data and renewal requests in a nationally centralised Prescription Centre. Electronic prescriptions entered in the Prescription Centre can be dispensed by any pharmacy that has deployed the electronic prescription and by pharmacies in European countries referred to in section 23a of the Act on Electronic Prescriptions in accordance with the consent to data sharing issued by the person in My Kanta Pages.

In addition, electronic prescriptions entered in the Prescription Centre and their dispensing data can also be utilised under the conditions provided by the Act on Electronic Prescriptions, e.g. when establishing the patient's overall medication regime, in regulatory

supervision of healthcare and social welfare services and pharmacies, in decisions concerning benefits by virtue of the Sickness Insurance Act, and in scientific research, reporting and compiling of statistics.

The patient has the right to receive a paper of telephone prescription instead of an electronic prescription in the event of disruption, in exceptional situations or in other similar cases.

The data entered in the Prescription Centre is stored in the Prescription Centre for 20 years, after which the data is destroyed. In the pharmacy, the data is available for 42 months from the date of issuing the prescription. The client can view the prescription data in My Kanta Pages.

According to section 18 of the Act on Electronic Prescriptions (61/2007), the Social Insurance Institution of Finland (hereinafter Kela) is a joint controller of the privacy policy of the Prescription Centre together with service providers issuing electronic prescriptions and independent prescribers.

Kela is responsible for the availability and integrity of the data in the Prescription Centre, the integrity of the data contents and the retention of data, as well as the destruction of data at the end of the retention period.

Service providers and independent prescribers issuing electronic prescriptions are responsible for the accuracy of the data in a prescription to be entered in the Prescription Centre. The pharmacy that has dispensed the medicine is responsible for the accuracy of the dispensing data to be entered in the Prescription Centre.

Kela acts as the contact point for data subjects in accordance with section 1, Article 26 of the General Data Protection Regulation. As a contact point, Kela is responsible for fulfilling and implementing the controller’s obligation to provide information, as laid down in the information security legislation, in terms of personal data collected in the Prescription Centre. In addition, Kela acts as the primary contact point in requests concerning the exercising of the rights of data subjects and, if necessary, communicates the request to the right place.

Legislation on joint controllership and the procedures to be complied with in joint controllership are addressed in the following document relating to it: Description of joint controllership of services related to the Kanta Services (pdf, in Finnish).

Kela carries out the processing of personal data in accordance with the EU’s General Data Protection Regulation and other legislation regulating the processing of personal data, and by virtue of the Act on Electronic Prescriptions.

Data content of the register

Electronic prescriptions, the related dispensing data and renewal requests in accordance with the Act on Electronic Prescriptions are recorded in the Prescription Centre. The data included in the register and the data segments have been compiled in Appendix 1 at the end of this policy.

Regular data sources

An electronic prescription can be issued by a doctor, dentist, students of medicine and dentistry entitled to prescribe medicines or a nurse whose right to prescribe medicines has been verified.

The pharmacy is obliged to enter a prescription received in paper form or by telephone and the related dispensing data in the Prescription Centre if the prescription has been issued in writing or by telephone, for example, due to a technical fault or for another reason. The dispensing notes of the prescription are made and entered in the pharmacy by the staff pharmacist or pharmaceutical assistant.

Regular disclosure of data and transfer of data outside the EU or the European Economic Area

Situations of sharing the prescription and dispensing data, the reasons for sharing the data and the method of sharing by virtue of the Act on Electronic Prescriptions and other legislation have been compiled in Appendix 2 at the end of this policy.

The data is not transferred outside the EU or the European Economic Area.

Principles of protecting the register

The data recorded in the Prescription Centre is confidential data concerning the person’s medical status.

Organisational protection principles

Healthcare and social welfare service providers, pharmacies, independent prescribers and Kela for their part shall monitor and supervise the lawfulness of data processing, and each party must have an information security plan to ensure data protection and information security. Kela, healthcare and social welfare service providers and pharmacies have appointed a data protection officer.

Kela, the responsible manager of the healthcare and social welfare service provider and the staff pharmacist shall issue written instructions on the processing of data in the Prescription Centre and ensure sufficient expertise and competence among the personnel when processing a client's data.

Kela, the healthcare and social welfare service provider and the pharmacy shall on their own initiative take necessary measures if data entered in the Prescription Centre has been unlawfully accessed, used or shared.

In order to implement monitoring and supervision, healthcare and social welfare service providers and pharmacies using the Prescription Centre have the right to obtain log data from Kela with regard to the viewing and processing of data in the Prescription Centre by the service provider in question or pharmacy staff.

A pharmacy operating in the territory of another European country shall contact the Prescription Centre via the national contact points of the country in question and Finland. A contact point of another country has the right to obtain from Kela the log data of an electronic prescription in the extent that is required for settling problem situations and for regulatory determinations.

Principles of technical protection

In order to browse, record, and process data in other ways in the Prescription Centre, the healthcare and social welfare service provider, pharmacy and Kela need to use strong authentication that identifies the processor, as well as access rights management related to the system.

The Digital and Population Data Services Agency is responsible for the identification and certification services of electronic prescriptions. The European Commission is responsible for the certification services for the national contact points.

The healthcare and social welfare service provider, pharmacy and Kela are responsible for the management of access rights for their own part.

Log data is stored in the log of the Prescription Centre whenever data in the Prescription Centre is viewed or processed.

Principles of physical protection

The data recorded in the Prescription Centre is technically protected to prevent editing and deleting.

Kela’s IT areas and the physical location of data are in Finland. Kela’s technical administrators have limited access to the IT areas when the management of their duties requires such access.

The right of access to personal data

The client can view data entered in the Prescription Centre via the My Kanta Pages service.

The client has the right to access their personal data entered in the Prescription Centre.

The request concerning the access to data can be submitted on the subject access request form, which is available from healthcare and social welfare units using electronic prescriptions, pharmacies and Kela’s offices. The subject access request can be addressed to Kela (Registry, P.O. Box 450, 00056 Kela). The request can also be made by telephone or email to Kela’s Registry (kirjaamo@kela.fi). As a rule, the respond to the subject access request is provided free of charge.

Right to demand rectification of incorrect data

The client is entitled to request rectification of incorrect data recorded in the Prescription Centre. If a client or their legal representative requests rectification of an error and the incorrect data is based on an entry made by the prescriber or dispenser of the medicine, the request for rectification must be addressed to the person who made the incorrect entry or to the organisation that employed them at the time.

In its role of joint controller, Kela acts as the contact point for data subjects. Therefore, the request for rectification can be delivered in writing to Kela (Registry, P.O. Box 450, 00056 Kela.) If necessary, Kela will address the delivered request for rectification to the service provider whose entry is subject to the request for rectification.

Otherwise, and when the required rectification concerns the dispensing data entered in a pharmacy in another European country, the request for rectification shall be submitted in writing to Kela (Registry, P.O. Box 450, 00056 Kela). If the request for rectification cannot be accepted, Kela will provide the client with a certificate of refusal. The reasons why the request by the client or their legal representative was not accepted shall be stated in the certificate of refusal. After receiving the certificate of refusal, the client may still refer the matter to be dealt with by the competent regulatory authority.

Right to lodge a complaint with a supervisory authority

If the client deems that the processing of their personal data breaches the applicable data protection regulations, the client is entitled to lodge a complaint with a competent regulatory authority in accordance with Article 77 of the General Data Protection Regulation and section 21 of the Data Protection Act. In Finland, the regulatory authority is the Data Protection Ombudsman.

Other rights related to the processing of personal data

In My Kanta Pages, the client can browse the data entered in the Prescription Centre and see which healthcare and social welfare service providers and pharmacies the data has been shared with.

The client has the right to learn who has processed and viewed their data entered in the Prescription Centre by submitting a log data request to Kela. The client has the right to request log data concerning how Finnish pharmacies have processed their prescription data retrieved from abroad.

The request can be submitted on the inspection request form, which is available from healthcare and social welfare units using electronic prescriptions, pharmacies and Kela’s offices. The log data request shall be sent to Kela (Registry, P.O. Box 450, 00056 Kela). The request can also be made by telephone or email to Kela’s Registry (kirjaamo@kela.fi). As a rule, the respond to the log data request is provided free of charge.

There is no right to obtain log data that is older than two years unless there is a valid reason for it. The client must not use or share the log data they have received for any other purpose.

If a client considers on the basis of the log data that their data has been processed without a valid reason, they can request the pharmacy or healthcare and social welfare service unit in question for an explanation on the matter. In the case of a pharmacy in another European country, the request for clarification shall be addressed to Kela.

The client is entitled to receive the same data again if there is a valid reason for it in order to fulfil the client’s interests and rights. Kela may charge a fee corresponding to the costs of providing the information with regard to data that is provided a second time.

The Prescription Centre is a statutory service implemented and maintained by Kela (Act on Electronic Prescriptions). The storage periods of electronic prescriptions and the data concerning them entered in the service are provided for in legislation. The processing of data entered in the service is based on the rule of law. Kela’s operations are based on the national legislation. For these reasons, the data subject's right to erasure of data by virtue of Article 17 of the EU's General Data Protection Regulation and the data subject’s right to transmit the data from one system to another by virtue of Article 20 shall not be applied to data entered in the Prescription Centre.

Appendices to the privacy policy

Last updated 22.11.2021