Secure Secondary Use of Health and Social Data
5 January 2018
In October 2017, the Finnish Government proposed a new act on the secondary use of health and social data (FI: laki sosiaali- ja terveystietojen toissijaisesta käytöstä, HE 159/2017) (the “Act”). The aim of the proposed Act is to create modern and unified conditions for the use of health and social data for, among other, statistical, research, innovation and development, education, and knowledge management purposes, to rationalise the processing of requests for secondary use of health and social data, allow faster access to data and improve data security, as well as to unify the fragmented legal framework of this legislative area. In addition, the proposed Act would bring this legislative area into compliance with EU’s General Data Protection Regulation (the “GDPR”) which will be applied in all EU Member States as of 25 May 2018. The Act is expected to come into force during the spring, before the GDPR becomes applicable.
The Act defines the secondary use of data as the use of data for purposes other than for what it was originally collected for. Secondary use of health and social data allows the data to be used in research and statistics, as well as in development and innovation, teaching, knowledge management, monitoring, steering, and official planning. At the moment, this data is spread around in different information systems managed by many different authorities, which makes data request processes slow and strenuous.
According to the proposed Act, data requests and granting of licenses for the secondary use of health and social data would be managed by a licensing authority. After granting a licence upon a request in an electronic portal, the licensing authority would collect the relevant data from different registers and edit, combine and pre-process the data before transferring the pre-processed data to a secure environment where the licence holder could process the data by remote access. Another option would be to provide a service where the licensing authority edits relevant data resources by removing all identification data. The licensing authority would also safeguard data security. For businesses, the new legislation means easier access to more extensive data with the aim of fostering innovation, product development, as well as new business models. For individuals, it is said to provide better services and treatment in healthcare and social welfare along with more effective medicines, since more data is available for medical research.
In principle, the GDPR prohibits the processing of special categories of personal data, such as health data. However, special categories of data, such as health data, may be processed for necessary archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with GDPR Article 89(1) based on Union or Member State law. In addition, the GDPR states that the processing of personal data for scientific research purposes should be interpreted in a broad manner including for example technological development and demonstration, fundamental research, applied research and privately funded research. All the processing of health and social data should nevertheless be evaluated carefully according to the principles of the Article 5 of the GDPR.