Privacy policy for the system for issuing declarations of intent

Privacy policy for the system for issuing declarations of intent

This is the effective privacy policy of the system for issuing declarations of intent, drawn up on 1 November 2021.

Joint controller

Social Insurance Institution of Finland

Nordenskiöldinkatu 12, 00250 Helsinki
P.O. Box 450, 00056
tel. 020 634 11

Person responsible for register issues or contact person

Data Protection Officer for Kanta Services

Name of the register

System for issuing declarations of intent

Purpose of processing personal data / purpose of use of the register

The system for issuing declarations of intent is a national information system service for maintaining documents for the provision of information, consents to data sharing, consents, and denials of consent to data sharing, as well as other declarations of intent related to healthcare and social welfare services and the handling of client data.

Each healthcare or social welfare service provider and the Social Insurance Institution of Finland (hereinafter Kela) are joint controllers of the system for issuing declarations of intent.

Kela is responsible for the availability and integrity of the data, the integrity of data contents, and the retention and destruction of data pursuant to section 14 of the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare (784/2021). Service providers entering data into the system for issuing declarations of intent are responsible for the accuracy of data entered and for other obligations of the controller.

Kela acts as the contact point in accordance with section 1, Article 26 of the General Data Protection Regulation. As a contact point, Kela is responsible for fulfilling and implementing the controller’s obligation to provide information, as laid down in the information security legislation, in terms of the system for issuing declarations of intent. In addition, Kela acts as the primary contact point in requests concerning the exercising of the rights of data subjects and, if necessary, communicates the request to the right place.

Legislation concerning joint controllership and the procedures to be complied with in joint controllership are addressed in the document relating to it.

Kela carries out the processing of personal data in accordance with the EU’s General Data Protection Regulation and other legislation regulating the processing of personal data, and by virtue of the Act on Electronic Prescriptions.

Healthcare and social welfare service providers use data entered in the system for issuing declarations of intent and viewed via the system for the arrangement and implementation of the social welfare services and health and medical care of the client.

Data concerning the provision of information, consents to data sharing and declarations of intent entered in the system for issuing declarations of intent may be utilised in scientific research, reporting and compiling of statistics under conditions provided in the law.

Data concerning the provision of information, consents to data sharing and declarations of intent is retained for 12 years after the client’s death. If the date of death is not known, the data shall be retained for 120 years from the client’s birth date. After that, the data will be destroyed.

Data content of the register

The following data is entered in the system for issuing declarations of intent:

  • information about the fact that a client has been informed of the nationwide information system services (Kanta Services)
  • consents to data sharing, consents, and denials of consent to data sharing issued by the client concerning the sharing of their data, as well as their withdrawals
  • the client’s living will and their opinion on organ donation.

Regular data sources

Healthcare and social welfare service providers that have joined the Kanta Services enter the client’s data on declarations of intent in the system for issuing declarations of intent.

The client can also enter declarations of intent in My Kanta Pages, from where they are saved in the system for issuing declarations of intent.

Regular disclosure of data and transfer of data outside the EU or the European Economic Area

Healthcare or social welfare service providers use the data in the system for issuing declarations of intent or viewed via the system when implementing and arranging the client’s health or medical care.

The data is not transferred outside the EU or the European Economic Area.

Principles of protecting the register

The data recorded in the system for issuing declarations of intent is confidential data concerning the person’s health and medical care.

Organisational protection principles

Healthcare and social welfare service providers and Kela monitor and supervise the lawfulness of data processing for their own part. Each party has an information security plan to ensure data protection and information security. Kela and every healthcare and social welfare service provider have appointed a data protection officer.

Kela and the responsible manager of the healthcare and social welfare service provider shall issue written instructions on the processing of data in the system for issuing declarations of intent and ensure sufficient expertise and competence among the personnel when processing a client's data.

Kela and the healthcare and social welfare service provider shall on their own initiative take necessary measures if data entered in the system for issuing declarations of intent has been unlawfully accessed, used or shared.

In order to implement monitoring and supervision, healthcare and social welfare service providers using the system for issuing declarations of intent have the right to obtain log data from Kela with regard to the viewing and handling of data in the system for issuing declarations of intent by staff members of the service provider in question.

Principles of technical protection

Browsing, recording and other processing of data in the system for issuing declarations of intent and accessible via the system require strong authentication that identifies the processor, as well as access rights management related to the system by both the healthcare service provider and Kela.

The Digital and Population Data Services Agency is responsible for the identification and certification services in the Kanta Services.

The healthcare and social welfare service provider and Kela are responsible for the management of access rights for their own part.

Log data is recorded in the log of the system for issuing declarations of intent on all browsing and processing of data in the system for issuing declarations of intent.

Principles of physical protection

The data entered in the system for issuing declarations of intent is technically protected to prevent editing and deleting.

Kela’s IT areas and the physical location of data are in Finland. Kela’s technical administrators have limited access to the IT areas when the management of their duties requires such access.

The right of access to personal data

The client has the right to access their personal data entered in the system for issuing declarations of intent.  The client can browse and update their declarations in intent saved in the system for issuing declarations of intent via My Kanta Pages.

Inspection requests on the data entered in the system for issuing declarations of intent are addressed to the healthcare and social welfare service provider that has entered the declaration of intent in question.

In the case of data entered by the client themselves or if the data cannot be obtained from the service provider, the inspection request shall be addressed to Kela (Registry, P.O. Box 450, 00056 Kela).

If necessary, the client can request their data by using the inspection request form, which is available from services providers that have joined the Kanta Services and from Kela’s offices. The request can also be made by telephone or by email to Kela’s Registry (kirjaamo@kela.fi).

As a rule, the respond to the subject access request is provided free of charge.

Right to demand rectification of incorrect data

The client has the right to request rectification of incorrect data entered in the system for issuing declarations of intent. If the client or their legal representative requests rectification of an error and the incorrect data is based on an entry made by the healthcare or social welfare service provider, the request for rectification must be addressed to the service provider that made the incorrect entry.

The client themselves can also amend or correct part of the data entered in the system for issuing declarations of intent in My Kanta Pages.

In its role of joint controller, Kela acts as the contact point for data subjects. Therefore, the request for rectification can be delivered in writing to Kela (Registry, P.O. Box 450, 00056 Kela.) If necessary, Kela will address the delivered request for rectification to the service provider whose entry is subject to the request for rectification.

If the client’s request to correct the data is not accepted, client is entitled to lodge a complaint with a competent regulatory authority.

Right to lodge a complaint with a supervisory authority

If the client deems that the processing of their personal data breaches the applicable data protection regulations, the client is entitled to lodge a complaint with a competent regulatory authority in accordance with Article 77 of the General Data Protection Regulation and section 21 of the Data Protection Act. In Finland, the regulatory authority is the Data Protection Ombudsman.

Other rights related to the processing of personal data

In My Kanta Pages, the client can view data entered in the system for issuing declarations of intent and see which service provider the data has been shared with. The client has the right to request log data on who has handled or shared their personal data entered in the system for issuing declarations of intent. The log data request concerning data entered in the system for issuing declarations of intent is addressed to the healthcare and social welfare service provider that has entered the declaration of intent in question.

In the case of data entered by the client themselves or if the data cannot be obtained from the service provider, the log data request shall be addressed to Kela (Registry, P.O. Box 450, 00056 Kela).

If necessary, the client can request their data by using the inspection request form, which is available from services providers that have joined the Kanta Services and from Kela’s offices. The request can also be made by telephone or email to Kela’s Registry (kirjaamo@kela.fi).

As a rule, the respond to the log data request is provided free of charge.

There is no right to obtain log data that is older than two years unless there is a valid reason for it. The client must not use or share the log data, which they have received, for any purpose other than for clarifying and implementing their rights concerning the handling of their own client data.  

If the client considers on the basis of the log data that their data has been processed without a valid reason, they can request the service provider in question for an explanation on the matter.

The client has the right to receive the same data again if there is a valid reason for it in order to fulfil the client’s interests and rights. Kela may charge a fee corresponding to the costs of providing the information with regard to data that is provided a second time.

The system for issuing declarations of intent is a statutory service implemented and maintained by Kela (Client Data Act, Act on Electronic Prescriptions). The retention periods of data entered in the service are provided for in legislation and the processing of data entered in the service is based on the rule of law. Therefore, the data subject's right to erasure of data by virtue of Article 17 of the EU's General Data Protection Regulation and the data subject’s right to transmit the data from one system to another by virtue of Article 20 shall not be applied to the data recorded in the system for issuing declarations of intent.

The appendix to the privacy policy of the system for issuing declarations of intent, describing the principles of data sharing, will be published at a later date.