Legislation concerning health data

The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy for all individual citizens of the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas. The GDPR aims primarily to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

The General Data Protection by EU is augmented in Finland by the use of Tietosuojalaki (https://www.finlex.fi/fi/laki/alkup/2018/20181050).

At University of Oulu, you can find information about data protection in Finnish at: https://patio.oulu.fi/fi/palvelut-ja-ohjeet/johtaminen/lakipalvelut/tietosuoja-tutkimuksessa

GDPR protects the use of individual’s data. In summary, a person’s consent is needed for collecting, storing, and processing of personal data. A person may withdraw his/her consent any time.

Data protection means must be applied in every phase of data use. This means collecting only minimal amount of data, and the data must be stored in anonymized format wherever possible.

At University of Oulu, contact Legal Team (email: legal@oulu.fi) in general issues concerning law and regulation in research, like guidance in applying the GDPR and Tietosuojalaki.

At University of Oulu, the data ombudsman’s email is: dpo@oulu.fi

Data protection information is also available in: https://tietosuoja.fi/en/home.

Researcher, who plans to do clinical research or any research involving data collection by any kind of measurements, needs to study the rules and regulations thoroughly in planning phase. It must be noted that even if the data collection does not involve health data, but any data related to test subject, the GDPR and Medical Research Act, 488/1999 English (“Laki lääketieteellisestä tutkimuksesta”, 1999/488) set requirements for informing and protecting the test persons.

The primary use of health and social data refers to the purpose for which the data was originally saved in the client register.

A separate law has been laid down on the secondary use of health and social data (Act on Secondary Use of Social and Health Data).

The purpose of the Act is to facilitate the effective and safe processing and access to the personal social and health data for steering, supervision, research, statistics and development in the health and social sector. A second objective is to guarantee an individual’s legitimate expectations as well as their rights and freedoms when processing personal data in accordance with GDPR legislation.

In practise this act enables the use of social and healthcare data in public and private registries also for scientific research purpose. It means that you can get a permit to use datasets in many governmental registries and in private organisations’ registries.

The organisation which controls public and private datasets is Findata, see https://www.findata.fi/en/.

You can find information about available datasets here: https://www.findata.fi/en/services/data/ .

Data descriptions:

Data controllers create data descriptions for their register content so that those requiring data can assess the suitability of the register’s data for secondary use. At present, controllers’ data descriptions can be found on the controllers’ own websites.

The data descriptions of the following controllers have been published in the Data Catalogue (in Finnish):

• Finnish Institute for Health and Welfare (THL)

• Finnish Centre for Pensions

• Social Insurance Institution of Finland

• Statistics Finland

• Southwest Finland Hospital District

Examples:

1. You need statistical data in governmental registry

Contact Findata and make data request: https://www.findata.fi/en/services/data-requests/

2. You need personal data in governmental or in private registry (like YTHS, Mehiläinen, Terveystalo etc).

Contact Findata and apply for data permit: https://www.findata.fi/en/services/data-permits/

3. You need to combine data in many social and healthcare registries

Contact Findata and make data request: https://www.findata.fi/en/services/data-requests/

4. You need to access Kanta-registry

Kanta-registry is not available via Findata yet. Findata’s schedule for granting permits to Kanta-registry is in the beginning of 2021.

5. You need to combine your own data and data in governmental registries

Contact Findata and apply for data permit: https://www.findata.fi/en/services/data-permits/. You need to upload your own data to the secure processing platform at Findata. DentAI-PoC is a case example.