Data stored in Kanta services may only be handled by healthcare professionals. Anyone viewing your data must have permissions appropriate to their professional role, and an existing treatment or patient relationship and the patient’s consent are always required.
Who can handle my prescription details?
Anyone handling your prescription details must have a smart card issued to healthcare professionals and appropriate user rights to access the Prescription Centre. Also required are an existing treatment or client relationship and the patient's consent.
In the healthcare system, the Prescription Centre is accessible to doctors, dentists and students of both disciplines who have completed the required studies, as well as nurses.
In pharmacies, the information in the Prescription Centre may be viewed by pharmacists with or without an MSc (Pharm) (proviisori) and by pharmacology students.
Your prescriptions may be viewed in the following situations:
- Doctors can view the prescriptions they have issued.
- Pharmacy staff dispensing medicines can view prescriptions when medicines are picked up.
- The doctor or nurse treating you can view your prescriptions if you give them verbal consent to do so.
Without consent, doctors can view your data only in emergency situations. Exception: If a doctor is writing a prescription for a narcotic or a CNS drug, he or she may view prescriptions for such medicines. You can issue a refusal on My Kanta denying access to your prescription data for other doctors or pharmacies. Note that you will in that case only be able to collect your medication at the pharmacy by presenting the patient instruction sheet or a printed summary of the prescriptions.
Who can handle my health data?
The Patient Data Repository is only accessible to persons employed in the healthcare services who have a smart card granted by the healthcare certification provider and user rights appropriate to their position that grant them access to the information.
Disclosure of information between healthcare units always requires an existing treatment relationship and the patient's consent.
Principles of handling patient records
- Patient records stored in the Patient Data Repository are available to the healthcare provider that originally created them.
- Your consent is needed before they can be released to other healthcare providers.
- The consent is valid until revoked and covers all existing and all future patient records that will be stored in the system. You can restrict access to your data.
- If you wish to revoke a consent or a refusal, you can do so by contacting a healthcare provider or by visiting the My Kanta pages.
Checking who has accessed your data
You can see on My Kanta which healthcare units and pharmacies have accessed your prescription and medical records through the Kanta services.
Here’s how to use My Kanta to check which organisations have handled your data:
- Sign into My Kanta
- Look up your prescription details: Click the date on which the prescription was issued. ‘Tietojen luovutukset’ (Disclosure of data) at the bottom of the page shows where your prescription details have been handled.
- Look up your health data: ‘Terveystietojen luovutukset’ (Disclosure of health data), in the menu on the left, shows to which organisations your health data have been disclosed.
Typically your health data are handled by such organisations as health centres, occupational health providers and laboratories associated with private medical centres. Your prescription details are handled by the person who prescribed the medicine and, in the pharmacy, by the pharmacist who dispenses the requested medicine. For privacy reasons, and as required by the law, the names of these healthcare professionals are not shown.
User logs for Patient Data Repository data are not stored or displayed on My Kanta but are available from healthcare units. They can be requested from the organisation that processed them.
Using My Kanta to look up which organisations have handled your data
If you suspect that your personal information may have been misused
In most cases, when you look up on My Kanta which organisations have handled your information, the name of the organisation, such as a healthcare provider or pharmacy, may be enough to tell you that it is one you visited at a specific time. If you suspect that your personal information may have been misused, you can request the data controller to detail who have handled and processed your information. Do as follows
Contact the data protection officer of the healthcare unit that handled your data. You can ask for details on the basic principles applied when handling your information, and you can also ask for log data about the professionals that handled or accessed your records.
Requests for log data should be made to the data controller. The data controller is the healthcare unit (such as a health centre) where you have received treatment and which created the patient records or to which they have been disclosed.
Contact the data protection officer of the healthcare unit or pharmacy that handled your data. If the pharmacy is in another European country, the request for information should be directed to Kela.
You can also ask Kela for log data about the professionals who handled your prescription details. Requests for prescription log data are made on a form which is available at healthcare units, pharmacies and Kela service points.
Requests for log data should be made to the data controller. Kela is the data controller for prescription data (Prescription Centre and Patient Data Management Service).
Each healthcare organisation and pharmacy has a designated data protection officer
The data protection officer monitors the handling of personal data and facilitates compliance with the legal provisions governing data protection. Each healthcare organisation and pharmacy must have a designated data protection officer to monitor and supervise compliance with the legal provisions concerning the handling of data.
The data protection officer monitors compliance with data protection provisions throughout the organisations, brings to light any problems that may exist, and provides information and guidance to management and staff who handled personal data concerning their obligations under the data protection provisions. The management are ultimately responsible for ensuring that the organisation is in compliance with the provisions of the law.
Please contact the data protection officer if you suspect misuse of your data. Contact the organisation which you interacted with and which handled your data.