
GA4GH GDPR Brief: The Finnish Secondary Use Act 2019 (May 2020 Bonus Brief)


 

The Finnish Act on the Secondary Use of Social and Health Data (552/2019) entered into force on 1 May 2019. It applies to data collected in social and healthcare organisations and governs processing for secondary purposes, including statistics, scientific research, and other activities. The Act applies to personal data (as defined in the GDPR), but also governs other data, such as clinical data of deceased patients. This brief describes the Act especially as it applies to scientific research.

Finnish social and health sector data have been available for scientific research for decades, but the new Act seeks to enable more efficient use. A pivotal change concerns the permissions process. Under the old rules, the individual social and health care providers typically made decisions about the use of data in their custody, and thus it was often necessary to obtain several authorizations for research relying on data from multiple sources. It was also possible that one organization would provide data but another would refuse. 

From 1 April 2020, a new agency, Findata, will make these decisions where data are requested from more than one organization and in all cases where the request is for access to private sector health and social care data. The Act also sets time limits both for the permission and for delivering data from the organizations (the original data controllers) to Findata and eventually to the researchers, whereas previously there were no limits. As a rule, Findata will collect, combine and pseudonymise or anonymise the requested data set. Another novelty is that public sector data controllers must publish descriptions of available data and provide information services so that potential data users can evaluate whether or not the data are suitable for their needs, which may assist in data discoverability.

While seeking to facilitate more efficient data use, the Act also introduces material restrictions on how and where data can be processed to ensure protection of personal data. From 1 May 2021 onwards, data must be provided only via secure information processing environments approved by inspection bodies accredited in Finland and, as a general rule, via the environment provided by Findata itself. These environments enable remote access to the raw data, but not exporting or downloading the data. Only data that Findata has irreversibly aggregated to ensure anonymity may be processed outside the secure environments. Another restriction is that Findata will control the release of results obtained from data analyses to ensure their anonymity. These restrictions may impede Finnish researchers’ participation in initiatives wishing to build international databases, for example. Researchers outside of Finland may not be willing to go through the accreditation process or store their data (and data analytics tools) in systems accredited in Finland.

The restrictions in the Act extend beyond GDPR requirements and apply also to non-personal data. They may, therefore, in some cases tip the balance from enabling research to obstructing it. Combining data from several sources may become overly complicated, for example, and doing meta-analyses instead may have disadvantages. The restrictions seem at odds with one of the main objectives of the GDPR – the free movement of data – and with the freedom of science protected by the Finnish Constitution and the EU Charter of Fundamental Rights, as well as the freedom of academic expression and information additionally covered by the Finnish Data Protection Act. Clarifications about the Act’s relation to other legislation such as the Finnish Biobank Act and the rules on clinical trials are also expected from the government. How well the new Act will serve researchers when compared to the old rules will largely depend on the quality of Findata’s services and its interpretations of the new Act.

Further reading

Relevant GDPR Provisions

  • Recital 4 – Data protection is not an absolute right and it must be balanced against other fundamental rights
  • Recital 13 – Free movement of data
  • Recital 21 – Interpretation of what constitutes personal data
  • Article 1(3) – Prohibition of restrictions on the free movement of data
  • Article 4(1) – Definitions, ‘personal data’
  • Article 5(1)(b) – Principles relating to processing of personal data, ‘purpose limitation’
  • Article 85 – Rights to data protection and freedom of expression and information to be reconciled by Member States
  • Article 89 – Safeguards and derogations for scientific research

Tom Southerington is a lawyer conducting data protection research at the University of Turku and an ELSI expert with BBMRI ERIC. He works for the Finnish Biobanks – FINBB and the Hospital District of Southwest Finland.

For a list of previous briefs, please consult here.

Please note that GDPR Briefs neither constitute nor should be relied upon as legal advice. Briefs represent a consensus position among Forum Members regarding the current understanding of the GDPR and its implications for genomic and health-related research. As such, they are no substitute for legal advice from a licensed practitioner in your jurisdiction.