Data protection
On this page you can find information about the processing of personal data by the Finnish Institute for Health and Welfare (THL) and about citizens’ rights to their own data.
- Statutory duties of THL
- Services provided by THL
- Statistics, registers and data maintained by THL
- What are the sources of the personal data?
- What can personal data be used for?
- THL as the controller
- Your rights in regard to the processing of personal data
- When is the exercise of rights not possible?
- How can I exercise my rights?
- How is the implementation of data protection monitored?
- Contact details
Statutory duties of THL
The duties of THL are defined in the Act on the National Institute for Health and Welfare (668/2008). According to section 2 of the Act, the statutory duties of THL include:
- monitoring and promoting the well-being and health of the population and the factors affecting these areas
- monitoring, developing and guiding social welfare and health care activities
- engaging in research activities related to social welfare and health care
- maintaining social welfare and health care registers and
- utilisation of data in the social and health care sector and engaging in international co-operation.
Services provided by THL
THL offers various statutory services and services that support statutory activities. These relate to areas such as patient and client work, decision-making and research. In addition, THL has a centralised system of special social welfare and health care services, including Prisoners' health care , forensic medicine and forensic psychiatric services and the organisation and coordination of mediation services in criminal and civil cases.
The range of services also includes websites, newsletters, an online bookstore and different kinds of events.
Statistics, registers and data maintained by THL
THL maintains several national statistics databases, registers and other data collections that describe the Finnish social and health care service system. Data is produced on areas such as primary health care and specialised medical care, social services for children, working-age people and the elderly, and infectious diseases.
THL has collected a number of datasets for use in its research activities. Some of these cover the entire population (population surveys) while others cover just a subset. The data collected by THL mainly include the social and health data of citizens, which is why THL’s data resources are sensitive and confidential.
What are the sources of the personal data?
THL collects register data and statistical data from health centres, hospitals, municipalities, private social welfare and health care actors, Statistics Finland, the Social Insurance Institution of Finland and the National Supervisory Authority for Welfare and Health (Valvira). As part of the services of THL, data can also be collected from other authorities or from citizens themselves. In scientific studies conducted by THL, data is collected from subjects who have given their consent to participate in the study. Studies may also utilise data obtained from other sources relevant for the research topic.
THL also uses a stakeholder register, the data of which is collected from various sources including selected registers and stakeholders.
If you subscribe to THL newsletters or order publications, your customer data will be stored in the customer register of that service.
More detailed information on how THL processes personal data can be found in the privacy notices.
Privacy notices
What can personal data be used for?
THL primarily uses the register-based, statistical and research data that it collects to carry out its statutory tasks, which include monitoring and promoting the well-being and health of the population and factors affecting these areas, monitoring, developing and directing social welfare and health care activities, and conducting research activities related to social welfare and health care.
Who does THL disclose data to?
The Act on the Secondary Use of Health and Social Data (Secondary Use Act) lays down the purposes for which data collected by THL may be used. According to section 2 of the Act, data may be disclosed for the following reasons in addition to its primary purpose: compilation of statistics, scientific research, development and innovation activities, education, knowledge management, steering and supervision of social welfare and health care by the authorities and planning and reporting duties of a government authority.
In addition to the collected data being used internally by THL, the Health and Social Data Permit Authority (Findata) may also grant permits for the use of THL data for external actors. However, such authorisation is only granted for the purposes laid down in the aforementioned Secondary Use Act. For more information on Findata’s activities, visit the Findata website.
Findata
To whom does THL not disclose data?
THL does not disclose data, for example, to insurance companies for consideration in individual insurance decisions nor to the Social Insurance Institution of Finland (Kela) for consideration in benefit decisions. In addition, the data is not disclosed for marketing or the specifying of personal, commercial services.
THL as the controller
The controller is the party responsible for ensuring that the personal data is processed in a legal manner. THL is the controller of the data that it collects. The processing of personal data requires that the controller has a legal basis for such processing.
The legal grounds for the processing of personal data by THL depends on which of its activities the data processing is part of. For example, when collecting and maintaining statutory registers or processing personal data within THL’s special social welfare and health care services, the basis for processing the data is:
- Article 6(1)(a) of the EU General Data Protection Regulation (data subject has given consent to the processing of his or her personal data); or
- Article 6(1)(c) of the EU General Data Protection Regulation (processing is necessary for compliance with a legal obligation to which the controller is subject).
In statistics, archiving and scientific research, on the other hand, the basis for processing is usually:
- Article 6(1)(e) of the EU General Data Protection Regulation (processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller).
When THL processes data for special categories of personal data (previously referred to as sensitive data), such as a person’s health data, the processing takes place on the basis of both one of the above mentioned criteria and also one of the following:
- Article 9(2)(a) (explicit consent),
- Article 9(2)(g) (processing is necessary for reasons of substantial public interest),
- Article 9(2)(i) (processing is necessary for reasons of public interest in the area of public health); or
- Article 9(2)(j) (archiving purposes in the public interest, scientific or historical research purposes or statistical purposes).
More detailed, function-specific criteria for the processing of personal data can be found in the THL privacy notices.
Your rights in regard to the processing of personal data
Under the General Data Protection Regulation (2016/679), the data subject has the right to obtain information on the processing of his or her personal data, to access the data, to rectify the data, to erase the data and to be forgotten, to restrict the processing of the data, to transfer the data from one system to another, to object to the processing of the data and to not be subject to automated decision-making.
In other words, everyone has the right to be informed about the use of their personal data. However, THL may only implement the rights of data subjects in respect to registers under the control of THL, i.e. those for which THL is the controller. If you wish to exercise your rights in relation to the registers of bodies such as hospitals, health centres, social welfare authorities, the Social Insurance Institution of Finland or Statistics Finland, you should contact these organisations directly.
It is also worth remembering that although the Health and Social Data Permit Authority,Findata and the Prisoners' health care operate under THL, they act as independent units and as the controllers of their own data. If you wish to inspect personal data that is held by Findata or the Prisoners' health care, you should contact these organisations directly.
Health Care Services for Prisoners
The data subject has the following rights to THL data:
- Right of access to one’s personal data (Article 15)
- Right to rectify one’s data (Article 16)
- Right to erasure (Article 17)
- Right to restrict the processing of one’s data (Article 18)
- Right to object to the processing of one’s data. (Article 21)
However, the aforementioned rights under Articles 15–21 do not apply to data in which the person cannot be identified. The data subject’s register-specific rights also depend on the particular register’s basis for data processing. THL has prepared forms to facilitate the exercise of data subjects’ rights. THL records in the register all requests to exercise a data subject’s rights.
If you wish to exercise your rights as the data subject, you can find the instructions on this page under How do I exercise my rights?
When is the exercise of rights not possible?
Since THL has a statutory obligation within its field to collect, maintain and utilise data resources and registers in order to promote well-being and health, THL also has the right to collect and retain the data obtained for as long as this is needed for the performance of its duties. Therefore, the data of the data subject cannot, for example, be deleted from statutory registers even if the data subject so requests (Article 17).
THL will retain the data it has obtained for as long as is necessary for the performance of its duties. After this, the data is destroyed in an appropriate manner. However, if the data in the personal data file has been collected with the explicit consent of the data subject, the data subject has the right to withdraw their consent to the use of personal data. Some THL research data, for example, may fall within this category.
The right to restrict the processing of personal data (Article 18) is applicable in certain situations and may already be implemented directly as a result of other requests. For example, THL restricts the processing of personal data for the period of processing a request for the rectification of personal data (Article 16). The right to restrict the processing of data is also valid in situations where the data subject requires their personal data in order to prepare, present or defend a legal claim.
How can I exercise my rights?
You can exercise your rights under the General Data Protection Regulation (GDPR) by submitting a written request to THL. The request may be freely worded, but you also have the option of using the Finnish or Swedish request forms.
The request should indicate which right you wish to exercise and which data the request concerns. In addition, the request must include contact details with which the applicant can be identified in the register and through which the applicant can be contacted if necessary for the processing of the request.
If a guardian wishes to exercise the rights provided by the GDPR on behalf of a minor, children over the age of 10 must, as a rule, also express their own consent, for example by signing a written request together with the guardian/guardians. It is recommended that the guardians discuss the request with the child and hear the child's opinion on the matter before making the request, even if the child is not yet able to make a decision on the matter. If, taking into account their age and level of development, the child is able to understand the matter and its significance, then they can decide on the exercise of their rights.
In order to implement the data subject’s rights, THL must verify their identity. This is important so that we can be sure that we are performing the measures on the data of the correct person. For this reason, we ask that requests be sent wherever possible via the Suomi.fi service.
A guardian can submit a request for a minor via the Suomi.fi service by registering for services provided on behalf of a minor. For instructions on how to act on behalf of a minor, see the link below ‘Instructions for starting to use Suomi.fi Messages’. A minor can also use Suomi.fi Messages themselves if they have personal means of strong identification.
Instructions for starting to use Suomi.fi Messages
Do this:
- Log in to the Suomi.fi service with your personal online banking codes, a certificate card or a mobile certificate.
- Go to ‘Compose a message’.
- Select ‘National Institute for Health and Welfare’ as the recipient of the message.
- Select ‘Registry’ as the recipient’s service or issue.
- Enter ‘THL: data subject rights’ as the subject.
- List the rights you wish to exercise in the message field.
- Attach any form(s) by clicking ‘Add the attachments here’.
- Finally, click ‘Send the message’ button.
The message will be delivered to the THL Registry, from where it will be forwarded on for further processing. We seek to process requests within one month of receiving them. If the processing of the request is complex or involves several registers, we may extend the processing time to three months.
We will send a reply to the data subject on the implementation of the request / resolving the matter as a Suomi.fi message.
If you wish to cancel your request, send a message concerning the request to THL via the Suomi.fi service.
It is possible to exercise your rights even if you are unable for some reason to use the Suomi.fi service. In such cases, you will need to personally visit the THL reception in Helsinki or Kuopio. Bring with you a written request and an official ID, such as a passport or an ID card issued by the police.
If you have any further questions about the implementation of your rights, please contact our Data Protection Officer.
Contact details
Further data can also be found on the website of the Office of the Data Protection Ombudsman.
Office of the Data Protection Ombudsman
How is the implementation of data protection monitored?
The activities of THL as a controller are supervised by the THL Data Protection Officer and the Data Protection Ombudsman. In addition, the lawfulness of actions taken by authorities is supervised by the Parliamentary Ombudsman and the Chancellor of Justice.
The National Supervisory Authority for Welfare and Health Valvira monitors THL’s data secure user environments.
Contact details
Jarkko Reittu
THL Data Protection Officer
E-mail: tietosuoja(at)thl.fi
Tel. +358 29 524 7474