Privacy policy for User data register of the Kanta Personal Health

Privacy policy for User data register of the Kanta Personal Health

This is a valid Privacy Policy for User data register of the Kanta Personal Health. The policy was updated on October 24, 2018.

Controller

The Social Insurance Institution of Finland

Nordenskiöldinkatu 12, 00250 Helsinki
Postal address PO Box 450
Postal code 00056
Phone number 020 634 11

Person responsible for register-related issues or contact person

Data Protection Officer for Kanta Services
kanta@kanta.fi

Name of register

User data register of the Kanta Personal Health Record

Purpose of processing of personal data / purpose of use of the register

Based on the agreement between the Ministry of Social Affairs and Health and the Social Insurance Institution of Finland, Kela acts as the register controller of the My Kanta Pages Personal Health Record, which is part of the national information system services in health care (the Kanta Services), with respect to the user data of the My Kanta Pages Personal Health Record.

The purpose of the register is to enable the storage of citizens’ (users) wellbeing data in a national centralised My Kanta Pages Personal Health Record. Kela is responsible for the technical operation of the service so that the wellbeing data cannot be processed or shared against the law.

Data in the My Kanta Pages Personal Health Record will be retained until the user has removed the data themselves or until otherwise prescribed by law.

Data content of the register

Information saved in the register with regard to the users of the My Kanta Pages Personal Health Record:

  • user’s personal identity code
  • information about the user rights granted by the user to the applications (right to read and enter measurement data).

The data is saved when the user takes the service into use and whenever the user provides terms of use for the application. In the deployment stage, the user logs in to the service with Suomi.fi identification. The user of the service selects the method of identification/ certification service provider and agrees to forward the personal identity code to the register controller in the identification service.

Regular information sources

The data entered in the service is received from the user him/herself.

Regular disclosure of data and transfer of data outside the EU or the European Economic Area

The data in the register shall not be shared with outsiders. Data shall not be transferred outside the EU or the European Economic Area.

Principles of protection of the register

The data saved in the register shall be kept confidential.

Organisational protection principles

Kela for its own part monitors and supervises the legality of data processing. Kela has appointed a Data Protection Officer for the monitoring and supervision task.

Kela provides written instructions on the processing of data in the register and takes care of sufficient expertise and competence of its staff.

Kela takes the necessary measures of its own accord if the data entered in the register has been processed illegally.

Technical protection principles

The processing of data in the register requires strong authentication that identifies the controller, as well as user rights management related to the system.

Information about all actions of data processing by the user and in relation to Kela’s maintenance measures is saved in the log of the Kanta PHR.

Physical protection principles

The data recorded in the register is technically protected to prevent editing and deleting.

Kela’s IT areas and the physical location of data are in Finland. Members of Kela’s technical maintenance staff have limited access to the IT areas when the management of their duties requires such access.

Access to the data

The user may view the data they have entered in the Kanta PHR themselves via My Kanta Pages.

Right to lodge a complaint to the regulatory authority

If the user of the service deems that the processing of their personal data breaches the applicable data protection regulations (Articles 12–22 of the EU’s General Data Protection Regulation), the user of the service is entitled to lodge a complaint to the competent regulatory authority. In Finland, the regulatory authority is the Data Protection Ombudsman.

Right to request rectification of data

The user of the service is personally responsible for their wellbeing data they have entered, as well as for ensuring that the data is correct.

Right to transmit the data from one system to another

The user of the service is entitled to request the wellbeing data they have entered in the Service in order to transmit it to another system.

Last updated 27.07.2020