Act on the Secondary Use of Health and Social Data (free translation, 552/2019, English translation is not available) and research
The Act on the Secondary Use of Health and Social Data has come into effect on 1 May 2019. In accordance with the transitional provisions of the Act, the operating environments will take effect 1 May 2022. A proposal for amend the transitional provision is being submitted to the Finnish Parliament. The aim of the Act on the Secondary Use of Health and Social Data is to enable the efficient and secure processing of personal data stored in social and health care activities and for social, health, guidance, research and statistical purposes, and to combine them with the personal data of the Social Insurance Institution of Finland, Digital and Population Data Service Agency, Statistics Finland and the Finnish Centre for Pensions. The Act on the Secondary Use of Health and Social Data determines the disclosure and use of social and health data in research. Findata operates as an information permit authority in accordance with the Act on the Secondary Use of Health and Social Data. Findata's competence with regard to information permits and decisions is based on Section 44 of the Act on the Secondary Use of Health and Social Data.
Primary use means the purpose for which the data was originally saved in the customer and/or patient register. The primary use may be, for example, planning, examination, treatment and monitoring of the patient care and rehabilitation of the patient, or the processing of benefits by a social care client or the Social Insurance Institution of Finland.
The secondary use of social and health data means that customer and register data generated in social and health care activities are used for a purpose other than the primary purpose for which they were originally saved. The secondary uses provided for in the Act on the Secondary Use of Health and Social Data are: scientific research, statistics, development and innovation operations, steering and supervision by authorities, planning and reporting duty of an authority, education and knowledge management. For example, for development and innovation operations, it is only possible to obtain aggregated statistical data from which an individual cannot be identified.
From 1 May 2022, the release of individual-level social and health data will only take place in audited secure data environments, where they can also be analysed. Existing data permits will not be affected by the entry into force of the requirements. It the data is processed on the basis of an already valid data permit, it may continue in the same environment. A case-by-case review is in place for modification applications. The operating environment requirements apply to applications submitted on or after 1 May 2022. This applies to all uses of secondary legislation for which an data permit is required (incl. scientific research, statistics, education).
The social and health information permit authority Findata seeks statistical data with a data request and individual-level data is applied for with a data permit. Please note: Data requests are currently possible only with a Finnish personal identity code through Suomi.fi identification. Alternative secure identification applications for international clients are under construction.
The Act on the Secondary Use of Health and Social Data aims at easier and more secure access to social and health materials and at improving the data protection of citizens. Permission and request for information from social and health materials will become more centralized. There are changes in the payment and collection of social and health data. The processing and analysis of social and health data take place in an audited operating environment.
- In the future, data requests and data permits required for the utilization of social and health data will be issued by Findata under the National Institute for Health and Welfare, if the study uses the social and health data of several public social welfare and health care service providers or one or more private social welfare and health care service providers.
- Data submitted through new data requests can only be processed in an audited secure environment - for example, the data may no longer be analyzed on our own workstations. This also applies to the transfer of data from individual registers.
- Research projects are recommended to take into account in project planning (schedules, funding) the calendar time required for handling the data requests and data submissions (promised processing time up to 3 months). In addition, it is good to note that the use of secure operating environments increases costs that research projects must anticipate. If the project is based on Findata's services, the price lists of Findata's services can be found on Findata's website. Please note that using CSC SD Desktop service is free of charge in Finnish higher education institutions.
- National services will develop in stages and research projects should identify possible special needs and requirements that will be needed in research activities to process material in accordance with the Act on the Secondary Use of Health and Social Data - for example, the possible need for high-performance computing
- The need for information relates to the data of only one registry, a data request or data permit may be addressed directly to the registrar concerned, who processes requests/permits for its own registry data.
- The need for information concerns the data of several registers, the data request or data permit is submitted via the electronic system to the Data Permit Authority (Findata), which issues the data permit or approves the data request and responds to the decision. The Data Permit Authority takes care of the collection, combination and transfer of data to the secure user environment. Note: You can log in to the system using Suomi.fi e-identification only.
For more information, see Findata's table of competencies
- Public and private service providers of social welfare and health care
- Data saved in Kanta services (digital services for the social welfare and health care sector in Finland)
- Social Insurance Institution of Finland (KELA) [benefits and prescriptions]
- Finnish Centre for Pensions (ETK) [work and earnings data, benefits and the bases for them]
- national registers and survey data
- Finnish Institute for Health and Welfare (THL)
- Social Insurance Institution of Finland (KELA)
- Finnish Centre for Pensions (ETK)
- Statistics Finland's register data of the causes of death
- social welfare and health care datasets of the National Supervisory Authority for Welfare and Health Valvira, the Finnish Medicines Agency Fimea and the Finnish Institute of Occupational Health and Regional State Administrative Agencies (AVI)
- Basic information on the people and buildings of the Digital and Population Data Service Agency (DVV) for legal purposes
- The research plan must be attached to the application when the purpose of the data on the data permit application is scientific research. Checklist of information included in the research plan:
- Does the research plan describe the registrars, registers and data to be extracted from the registers which the data is requested? The required information should be described at the variable level and the description of the variable level can also be added as an appendix to the research plan.
- How is the target group of the research study formed and delimited, what information is needed about the target population?
- Will other data be combined with the data authorised by Findata’s data permit? Describe this data too.
- Is the purpose of the data described in such a way that the data specified in the data permit is necessary from the point of view of the implementation of the research study?
- Do you want the data to be processed in a non-Findata environment? If yes, describe the processing environment and explain why the use of another operating environment Is necessary for the implementation of the research study?
- Does the research plan describe how the results are to be published?
- Does the research plan describe the registrars, registers and data to be extracted from the registers which the data is requested? The required information should be described at the variable level and the description of the variable level can also be added as an appendix to the research plan.
- The information permit application must specify the required material in detail for each variable. More information on the registrars' data descriptions can be found on the registrars' web pages (only in Finnish).
- Based on request and the granted permission, the Data Licensing Authority collects data from data registrars, combines and pre-processes them (eg. pseudonymizes) and submits them for processing in a secure user environment.
- Findata always opens the remote access environment on a per data permit basis. The researcher cannot combine data from data submitted on the basis of separate data permits and/or the data from different remote access environments.
- The user can export to the Findata server the part of his/her data that he/she wants to connect with the data of another registrar.
- The user cannot download individual data from Findata server to his/her own computer, only combined entities.
- Findata charges for data collection, processing and storage. The price of the service consists of a decision fee and an hourly fee, which is determined by the working time spent on combining and processing the data, as well as fees based on the registrars' own regulations for collecting and delivering the requested data. See Findata's price list. (data permit / data request for the project: 1000 € or information permit / information request for the thesis 250 € + processing fees 115 € / h + remote use environment at least 187.50 € / month; the preparation of at least 5000 € / case).
- It is not possible to have high-performance computing in the Findata service, nor is it possible to combine data with, for example, imaging, biosignal or genome research data.
- Findata only provides remote Windows desktops but does not support Linux.
- Standard software is available in the Findata remote operating environment, the installation of other tools is an additional charge and the customer is responsible for the licenses.
- Note the time allocated for the processing of the permit process and the delivery of data in your research plan (the processing of the application for a maximum of 3-6 months and delivery of data for a maximum of 2 months) and prepare for the permit and data costs in the research project budget.
- There is the database of secondary-use environments, and for example CSC's services are free of charge for Finnish higher education institutions.
Advisory service
- Findata serves by e-mail at info@findata.fi and by phone at 029 524 6500 (open on weekdays from 9:00 to 11:00 and from 12:00 to 16:00).
- Findata answers questions such as data requests, data permits and how to apply for them. For the time being, it is advisable to look for information on the information contents of the registers on the registrars' own websites, where you can find more information on the Data page.
Licensing service
- Findata grants data permits for individual-level material.
- Findata makes decisions on data requests, ie. to obtain statistical-level material.
Data service
- Findata compiles registry data from registrars.
- Findata pre-processes the data (aggregation and pseudonymization, anonymization or production of statistical information).
- Findata converts and combines the licensee's own data.
Secure remote access environment
- Findata provides the secure environment for processing pseudonymized individual-level data, where the most important software required for data analysis is available.
Q: If the data is transferred to the data files of one data registrar (Section 44, Subsection 3 of the Act on the Secondary Use of Health and Social Data), can the data be processed elsewhere than in a data-secure environment?
A: No, in accordance with Findata Regulation 1/2020, the transfer of data via a data permit decision made by an individual data registrar must also take place to the licensee in a secure environment referred to in Section 20 of the Act on the Secondary Use of Health and Social Data.
Q: Does Findata's pre-processing remove data that may affect the research study or its reliability? How does Findata communicate about the pre-processing performed during the data transfer?
A: In pre-processing, the main operation is the removal of direct identifiers and, as a general rule, no other information is deleted from the files. Should such a situation arise, the applicant will, in principle, be contacted. On its website, Findata announces that it will delete data from all data it processes that exercise its right to object to the EU's general data protection regulation.
Q: Are Findata's secure operating environments suitable for research projects such as social welfare and healt care imaging data, biosignal-based or genomic data, for example? If not applicable, how will these data be handled for data permits and decisions coming after May 1, 2021?
A: For imaging data, this is possible but requires a case-by-case assessment, for example related to the use of possible standalone software. Due to the nature of genomic data (large data), Findata's remote access environment is not currently suitable for processing genomic data. As a side note, after May 1, 2021, the material may be released to a non-Findata operating environment, but the environment must be audited by an approved information security assessment body.
Q: How is the operating environment audited and how long does the operating environment audit take?
A: At present, a few assessment bodies have the qualifications defined by the Finnish Transport and Communications Agency Traficom. The audit of the operating environment takes at least eight weeks, but in practice usually it takes longer.
Q: How does Findata view the reproducibility of research and do these become additional costs after the end of the research project that the organization should be prepared for when project funding is no longer available?
A: The data permit is valid until the deadline specified therein. Until now, the data is available to the licensee. If, on the other hand, an extension of time is required to process the data, an application for a change permit must be submitted to Findata before the expiry of the previous permit or permits. In addition, the data permit decision may specify that the data may be kept for, for example, five years after the expiry of the data permit in order to ensure the reliability of the research results. During this time, however, the data is no longer available to processing.