Act on the Secondary Use of Health and Social Data

The Act on the Secondary Use of Health and Social Data aims at easier and more secure access to social and health materials and at improving the data protection of citizens. Permission and request for information from social and health materials will become more centralized. There are changes in the payment and collection of social and health data. The processing and analysis of social and health data take place in an audited operating environment.

• In the future, data requests and data permits required for the utilization of social and health data will be issued by Findata under the National Institute for Health and Welfare, if the study uses the social and health data of several public social welfare and health care service providers or one or more private social welfare and health care service providers. 
   
• Data submitted through new data requests can only be processed in an audited secure environment - for example, the data may no longer be analyzed on our own workstations. This also applies to the transfer of data from individual registers.
   
• Research projects are recommended to take into account in project planning (schedules, funding) the calendar time required for handling the data requests and data submissions (promised processing time up to 3 months). In addition, it is good to note that the use of secure operating environments increases costs that research projects must anticipate. If the project is based on Findata's services, the price lists of Findata's services can be found on Findata's website. Please note that using CSC SD Desktop service is free of charge in Finnish higher education institutions.
   
• National services will develop in stages and research projects should identify possible special needs and requirements that will be needed in research activities to process material in accordance with the Act on the Secondary Use of Health and Social Data - for example, the possible need for high-performance computing
   

• The need for information relates to the data of only one registry, a data request or data permit may be addressed directly to the registrar concerned, who processes requests/permits for its own registry data.
   
• The need for information concerns the data of several registers, the data request or data permit is submitted via the electronic system to the Data Permit Authority (Findata), which issues the data permit or approves the data request and responds to the decision. The Data Permit Authority takes care of the collection, combination and transfer of data to the secure user environment. Note: You can log in to the system using Suomi.fi e-identification only.

For more information, see Findata's table of competencies 
 

• Public and private service providers of social welfare and health care 
   
• Data saved in Kanta services (digital services for the social welfare and health care sector in Finland) 
   
• Social Insurance Institution of Finland (KELA) [benefits and prescriptions] 
   
• Finnish Centre for Pensions (ETK) [work and earnings data, benefits and the bases for them]
   
• national registers and survey data 
  • Finnish Institute for Health and Welfare (THL) 
  • Social Insurance Institution of Finland (KELA) 
  • Finnish Centre for Pensions (ETK) 
  • Statistics Finland's register data of the causes of death
     
• social welfare and health care datasets of the National Supervisory Authority for Welfare and Health Valvira, the Finnish Medicines Agency Fimea and the Finnish Institute of Occupational Health and Regional State Administrative Agencies (AVI) 
   
• Basic information on the people and buildings of the Digital and Population Data Service Agency (DVV) for legal purposes
   

• The research plan must be attached to the application when the purpose of the data on the data permit application is scientific research. Checklist of information included in the research plan:
   
  • Does the research plan describe the registrars, registers and data to be extracted from the registers which the data is requested? The required information should be described at the variable level and the description of the variable level can also be added as an appendix to the research plan.
     
  • How is the target group of the research study formed and delimited, what information is needed about the target population?
     
  • Will other data be combined with the data authorised by Findata’s data permit? Describe this data too.
     
  • Is the purpose of the data described in such a way that the data specified in the data permit is necessary from the point of view of the implementation of the research study?
     
  • Do you want the data to be processed in a non-Findata environment? If yes, describe the processing environment and explain why the use of another operating environment Is necessary for the implementation of the research study?
     
  • Does the research plan describe how the results are to be published? 
     
• The information permit application must specify the required material in detail for each variable. More information on the registrars' data descriptions can be found on the registrars' web pages (only in Finnish). 
   
• Based on request and the granted permission, the Data Licensing Authority collects data from data registrars, combines and pre-processes them (eg. pseudonymizes) and submits them for processing in a secure user environment. 
   
• Findata always opens the remote access environment on a per data permit basis. The researcher cannot combine data from data submitted on the basis of separate data permits and/or the data from different remote access environments. 
   
• The user can export to the Findata server the part of his/her data that he/she wants to connect with the data of another registrar. 
   
• The user cannot download individual data from Findata server to his/her own computer, only combined entities.
   
• Findata charges for data collection, processing and storage. The price of the service consists of a decision fee and an hourly fee, which is determined by the working time spent on combining and processing the data, as well as fees based on the registrars' own regulations for collecting and delivering the requested data. See Findata's price list. (data permit / data request for the project: 1000 € or information permit / information request for the thesis 250 € + processing fees 115 € / h + remote use environment at least 187.50 € / month; the preparation of at least 5000 € / case).
   
• It is not possible to have high-performance computing in the Findata service, nor is it possible to combine data with, for example, imaging, biosignal or genome research data. 
   
• Findata only provides remote Windows desktops but does not support Linux. 
   
• Standard software is available in the Findata remote operating environment, the installation of other tools is an additional charge and the customer is responsible for the licenses. 
   
• Note the time allocated for the processing of the permit process and the delivery of data in your research plan (the processing of the application for a maximum of 3-6 months and delivery of data for a maximum of 2 months) and prepare for the permit and data costs in the research project budget. 
• There is the database of secondary-use environments, and for example CSC's services are free of charge for Finnish higher education institutions.
   

Advisory service 

• Findata serves by e-mail at info@findata.fi and by phone at 029 524 6500 (open on weekdays from 9:00 to 11:00 and from 12:00 to 16:00). 
   
• Findata answers questions such as data requests, data permits and how to apply for them. For the time being, it is advisable to look for information on the information contents of the registers on the registrars' own websites, where you can find more information on the Data page. 

Licensing service 

• Findata grants data permits for individual-level material. 
   
• Findata makes decisions on data requests, ie. to obtain statistical-level material. 

Data service 

• Findata compiles registry data from registrars. 
   
• Findata pre-processes the data (aggregation and pseudonymization, anonymization or production of statistical information). 
   
• Findata converts and combines the licensee's own data. 

Secure remote access environment 

• Findata provides the secure environment for processing pseudonymized individual-level data, where the most important software required for data analysis is available.

Q: If the data is transferred to the data files of one data registrar (Section 44, Subsection 3 of the Act on the Secondary Use of Health and Social Data), can the data be processed elsewhere than in a data-secure environment? 

A: No, in accordance with Findata Regulation 1/2020, the transfer of data via a data permit decision made by an individual data registrar must also take place to the licensee in a secure environment referred to in Section 20 of the Act on the Secondary Use of Health and Social Data. 

Q: Does Findata's pre-processing remove data that may affect the research study or its reliability? How does Findata communicate about the pre-processing performed during the data transfer? 

A: In pre-processing, the main operation is the removal of direct identifiers and, as a general rule, no other information is deleted from the files. Should such a situation arise, the applicant will, in principle, be contacted. On its website, Findata announces that it will delete data from all data it processes that exercise its right to object to the EU's general data protection regulation. 

Q: Are Findata's secure operating environments suitable for research projects such as social welfare and healt care imaging data, biosignal-based or genomic data, for example? If not applicable, how will these data be handled for data permits and decisions coming after May 1, 2021? 

A: For imaging data, this is possible but requires a case-by-case assessment, for example related to the use of possible standalone software. Due to the nature of genomic data (large data), Findata's remote access environment is not currently suitable for processing genomic data. As a side note, after May 1, 2021, the material may be released to a non-Findata operating environment, but the environment must be audited by an approved information security assessment body. 

Q: How is the operating environment audited and how long does the operating environment audit take? 

A: At present, a few assessment bodies have the qualifications defined by the Finnish Transport and Communications Agency Traficom. The audit of the operating environment takes at least eight weeks, but in practice usually it takes longer. 

Q: How does Findata view the reproducibility of research and do these become additional costs after the end of the research project that the organization should be prepared for when project funding is no longer available? 

A: The data permit is valid until the deadline specified therein. Until now, the data is available to the licensee. If, on the other hand, an extension of time is required to process the data, an application for a change permit must be submitted to Findata before the expiry of the previous permit or permits. In addition, the data permit decision may specify that the data may be kept for, for example, five years after the expiry of the data permit in order to ensure the reliability of the research results. During this time, however, the data is no longer available to processing.