Data protection statement regarding the FSHS
Name of the register: Patient Register of the Finnish Student Health Service
Data protection statement compiled on: 1st of May 2018
Data protection statement updated on: 31st of January 2023
Updated by: The persons responsible for data protection are Marjo Tipuri and Aleksi Schrey, Medical Director Teija Kulmala
Version number: 1.07
Summary of the data protection statement
- We are committed to protecting the privacy of students within the scope of our services. Your confidence in us is of primary importance.
- We use your personal data for the provision of healthcare and medical care services, for statutory control and compilation of statistics, to compile statistics about our own activities, to plan our activities, and to carry out and enable scientific research.
- The data we process comes from students themselves, from observations made by our staff or from educational establishments, or is derived from these.
- We offer students the opportunities, as required, to influence the processing of their data. See Section 8 for a list of your rights. You will find forms for example to request copies of your patient documents and to request rectification of inaccurate or incorrect data from FSHS’s online services.
- FSHS comprises a joint register, which contains all of our service units, including our purchased service units. Your patient data recorded in different service units for the joint register, may be disclosed without your consent when you have a treatment contract with the unit needing the data. You also have the right to refuse the disclosure of your data within the register.
Contents of the data protection statement
The FSHS is committed to protecting the privacy of university students in accordance with the EU’s General Data Protection Regulation (2016/679), the Act on the Status and Rights of Patients (1992/785), the Act on the Electronic Processing of Client Data in Social and Health Care (2007/159) and other applicable legislation.
1. Who is responsible for data processing? Who can i contact?
The data controller is the Finnish Student Health Service (FSHS), address: Töölönkatu 37 A, 00260 Helsinki, Finland.
The persons responsible for data protection at the FSHS are Aleksi Schrey and Marjo Tipuri, who can be contacted using an online form. They will answer to all questions concerning the processing of data and this data protection statement.
Please do not send any confidential information about your state of health or treatment via email.
2. For what purposes is my personal data collected?
The processing of data contained in the Patient Register is based on a statutory obligation to maintain patient documents. We only process personal data for predetermined uses. These are:
- Planning and carrying out patients’ examinations and treatment: We offer students in higher education general healthcare, mental healthcare and oral healthcare services. A part of our services are produced by subcontractors. In cases where our services are produced by subcontractor partners we transfer the information needed for treatment. With our subcontractor partners we are using in general and mental health services we are using authorization for the outsourcing service provider. In these cases our subcontractor partners save the entries to the patient record system directly to the FSHS’s register.
- Students’ health promotion and its planning: We monitor and promote students’ well-being, health and fitness to study. We arrange an electronic health survey for all first-year students in accordance to the health care act (1326/2010). FSHS is permitted to send a text message reminder regarding the health inquiry to first year students based on the decision made by the Data Protection Supervisor. In addition, we organise individual health check-ups as needed.
- Healthcare-related statutory control and compilation of statistics: We are required by law to provide reports and statistics about our activities for the supervisory authorities, such as the National Institute for Health and Welfare.
- Compilation of statistics about FSHS’s own activities and the planning of activities: We are constantly improving our services. We produce reports and conduct surveys to support decision-making.
- Invoicing of patient fees: No-show appointments that have not been cancelled are also subject to a charge.
- Scientific research: We are conducting scientific research on the health, well-being and ability to study of students in higher education. We also conduct joint research together with external researchers and research bodies. The use of patient data for research purposes always requires a research permit. Permits to access registers for research purposes are issued by the Finnish Social and Health Data Permit Authority Findata. Other research permits are issued by the FSHS.
- Operational quality control: Some incoming calls to assess the need for care are recorded.
3. What kind of data is collected about me?
We collect students’ personal data as needed for the purposes described in Section 2 of this data protection statement. The data collected in different situations depends on the purpose for which it is to be used.
All information of students which is provided by universities or other institutions of higher education (in order to make it possible to organize the health examinations for the first-year students).
- Name and personal identity code
- Information of educational institution, type of study right and starting date, information on enrollment (enrollment information, enrolled as present), educational institution, education code, study town, study right area.
Information given by the student or personally identifiable information:
- contact details, such as address, telephone number and email address
- demographic information, such as age, gender, native language, contact language and home country
- information needed to ensure unhindered accessibility to services, such as physical limitations and need for an interpreter
- permissions, such as consent to receive SMS messages and reminders on appointments, secure communications and forms provided in the service portal
- non-disclosure for personal safety reasons
- contact person appointed by the student
- booking and invoicing information
- health status information essential for treatment
- information concerning information provision, consent and refusal as required by the National Archive of Health Information (Kanta services).
Information derived from the above:
- derived information is defined as information deduced from student data, e.g. the placing of students into groups of users of certain services for statistical and planning purposes.
All information concerning health status is classed as sensitive personal information. Particular attention is given to protecting this kind of information. The Patient Data system we are using are class A Patient Data registers.
We organise patient records into logical entities and compile them in accordance with the official regulations. This way, we can use the data and, if necessary, disclose it to external parties under the conditions specified in section 6, e.g. for further treatment, without compromising the availability, usability, confidentiality or integrity of the data.
4. From what sources is my data collected?
Personal data is primarily given by the students themselves as part of an assessment of the need for treatment or a treatment contact.
Our staff also records other data arising during examinations and treatment. We also store in our own register treatment records generated as part of subcontracting services.
With the student’s consent and within the scope of the defined permission, we accept data from other healthcare units and the Kanta Data Repository.
We receive the above-mentioned demographic and educational establishment data from the Virta data warehouse, which is a service provided by the Ministry of Education and Culture.
5. Who will process my personal data?
Our staff are under obligation to maintain confidentiality, and they only process personal data to the extent required by their work. Data concerning health status is processed only if required for treatment purposes or for some other particular reason. In some instances, we may outsource the processing of personal data to third parties. If we do, we will put in place a contract to ensure that the data is processed in an appropriate manner and in accordance with the EU’s General Data Protection Regulation and other applicable legislation.
We will not transfer data outside the EU or EEA unless it is necessary for reasons such as server location. If we transfer data outside the EU or EEA, we will ensure the personal data is adequately protected, for example by agreeing on the confidentiality and processing of the data as required by legislation, e.g. by using model contract clauses approved by the European Commission, and otherwise by processing personal data in accordance with this data protection statement. We will not transfer data to international organisations.
6. Will my personal data be disclosed to any third parties?
Data relating to state of health is confidential. FSHS patient document instructions have been compiled based on legislation governing their use, disclosure and protection to ensure uniform procedures when processing patient records. We never sell or lease any personal data. We only disclose personal data in the cases described below:
- We may disclose a student’s personal data to third parties if the student has consented to this orally, in writing or electronically. Consent is required for data disclosure to other healthcare providers for the provision of further treatment. The acceptance of the outsourced services is seen as a acceptance for the transfer of information. If the student is unable to assess the meaning of the consent, e.g. due to their state of health, we are allowed to disclose data with the consent of their legal representative. Data disclosure to insurance companies requires written consent in some cases.
- We may disclose a student’s personal data in the manner prescribed by the legislation in force at the time as required by the relevant authorities or other parties.
- We may disclose data for scientific or historical research provided that the data has been changed into such a form that the student concerned is no longer identifiable from the data or with the permission of the National Institute for Health and Welfare.
- We may disclose segment data on students to our partners to improve our activities. Our partners are not permitted to link the data in any way that would enable an individual student to be identified.
- We disclose data to those authorities maintaining national healthcare registers to the extent required by the registers as stipulated in the legislation. The registers include:
- Care Register
- Finnish Cancer Registry
- Register for adverse drug reactions
- Vaccine Adverse Events Register
- National Infectious Diseases Register.
7. For how long will my personal data be stored?
We will only store personal data for as long as required by the legislation in force at the time for the purposes described in Section 2 above. The basic information on students in order to make it possible to conduct the electronic health survey is stored with the same standards as patient records even though the student would not have filled in the form.
The time for which patient data may be stored is stipulated in the Patient Documents Decree (2009/298). The storage time is usually 12 years from the patient’s death or 120 years from birth. We destroy the data after the storage time has ended. If we need data for statistics, for instance, we will pseudonymise it. This means that we will remove any data that can be connected to an individual person.
Due to quality monitoring, the recorded call data is stored for 3 months.
8. What kind of opportunities do i have to influence my data?
We are committed to accepting requests from students regarding their data, and where such requests are reasonable we will agree to them. We will process the requests within one month and inform the applicant of any action taken or if the request has been rejected. The rights listed below apply to data contained in the Patient Register.
Inspection of data
Students have the right to receive copies of their medical records and to inspect the personal data collected about them. The easiest way to view one’s own patient records is via the Social Insurance Institution’s (Kela) MyKanta service. The MyKanta service contains general and mental health data from 30 June 2016 and oral health data from 21 December 2021. If data older than this is wanted, requests for a copy should be made using an online form or in person or using the Patient Register review request form in the FSHS service unit where the university is located. The student must provide a valid identification in order to obtain the data, which is why data given following a written request must be collected personally from the service unit. You can request copies / exercise your inspection right free of charge once a year while you are studying and once after you have graduated. Thereafter, you will be charged in accordance to our service fees.
Rectification of inaccurate and incorrect data
Students have the right to ask the FSHS to rectify inaccurate or incorrect data on themselves. The FSHS is also obliged to rectify any incorrect personal data that comes to its attention. Because of the nature of the healthcare sector, we are occasionally forced to make decisions based on incomplete information. We can therefore only rectify data that is objectively incorrect based on the information available at the time of recording. Students have no right to decide what data about them is recorded. Requests for rectification can be made directly to the staff member who recorded the information at the time of the treatment contact. If a mutual understanding is not reached, students can make a request for rectification in writing by electronic (identification by online banking ID or mobile ID) or in the FSHS service unit where the university is located (ID must be shown). Compliance or otherwise with the rectification request will be decided by the FSHS Regional Chief Physician, if necessary together with the FSHS Regional Chief Dentist. The reasons for rejecting a request will be given in writing. Rectified data will also be rectified in the Kanta Data Repository.
Completion of incomplete data
Students have the right to have incomplete personal data completed. Contact details and contact language can be updated via the Self online service. Significant incompleteness of data relating to state of health is processed as for rectification of data described above.
Inspection of log data
We collect log data on the use of Patient Register data and data disclosure. We use log data to ensure that patient records are used appropriately. If misuse of data is suspected by a student, he or she has the right to ask for the log data to be checked. The request should be made using the online form or a Patient Register log data request form in the FSHS service unit where the university is located (an ID must be shown). Compliance or otherwise with the log data request will be decided by the FSHS Regional Chief Physician together with the person responsible for data protection. Log data from the previous two years will be checked. Student has the right to receive a copy of the log files and, if necessary, the Regional Medical Director or Regional Medical Director for Dentistry will provide a report on them. The reasons for rejecting a request will be given in writing.
Certain general rights of registered persons, such as removal of data, are not applicable to Patient Register data for legal reasons.
If any Patient Register data is destroyed, damaged, stolen or disclosed without authorisation, or if such data disappears, we will inform the Office of the Data Protection Ombudsman without delay and within 72 hours at the latest. If the students concerned are likely to suffer adverse consequences as a result, we will inform them of the information security breach.
10. Students’ health promotion and its planning
We use and improve our digital services to promote students’ health and wellbeing. By starting to use the service/application in question, the user accepts the processing of personal data. As part of these services we may use the personal identity code as well as demographic and study-related information to identify the user. As regards applications outside the patient information systems, we will only store data required to target and personalise our services. In addition, any metrics and survey answers provided by the users themselves will be stored in the programmes/applications. Data stored by the users will be used for targeting our digital wellbeing and health services.
The stored data will be saved from the date the services are first used until the expiry of the right to use the services and for two years thereafter to ensure the continuity of services (the right to use services is renewed each study term once the student registers as an attending student).
Data confidentiality will be ensured by strong authentication when users log in to the service. Data used for identification purposes will be transferred from the patient register via an interface and will not be edited in another application.
The registered person’s right to request erasure of data, restrict the processing of data and to object to the processing of data will be implemented once the user account in question is deleted. If necessary, these data can be deleted earlier at the request of the user.
All contacts: contact the data protection officer
Personal data will only be processed by designated FSHS employees and the support person of the application supplier. Personal data will only be processed in the EU/EEA.
11. Cross-border healthcare
If your healthcare cover is provided by another EU or EEA country, Switzerland, Great Britain or Northern Ireland, you need to have the European Health Insurance Card (EHIC card), Global Health Insurance Card (GHIC card) or equivalent provisional certificate to qualify for reimbursement of FSHS costs. We will need a copy of your health insurance card for invoicing purposes. Nordic students may present a passport or an ID card as proof of eligibility for reimbursement of medical costs.
Copies of European Health Insurance Cards and passports will be stored securely for invoicing purposes, and the data will be deleted within 12 months after the month in which the card expires. This data can only be accessed by persons authorised to process it.
For more information, contact a data protection officer by completing a contact form.
Cookies are small text files placed on your device by your internet browser. These cookies contain a unique identifier, the purpose of which is to identify your browser. Data is collected based on the sites you visit; cookies do not contain personal data.
Necessary cookies are used to ensure the functioning of the website. We do not use other than necessary cookies without your permission. By accepting all cookies you give permission to the collection of anonymous visitor data.
Information about non-necessary cookies
Edit cookies settings
You can edit your cookies settings through the link below.
13. Where can i get help in conflict situations?
The person responsible for the Patient Register is Medical Director Teija Kulmala.
If required, advice regarding the exercise of your rights can be obtained from the persons responsible for data protection, Aleksi Schrey and Marjo Tipuri, who can be contacted using an online form, or from the Patient Ombudsman, who can be contacted using the online form.
Students also have the right to appeal to the Office of the Data Protection Ombudsman if they consider that their personal data has been processed against the EU’s General Data Protection Regulation or other data protection legislation in force at the time. The Office of the Data Protection Ombudsman will inform the appellant of the progress of the appeal, the decision and any appeal against the decision.
14. What do automatic decision-making and profiling mean and are they applied to my data?
Profiling means any automatic processing of personal data in which such data is used to assess, analyse or predict aspects related to the characteristics of the person in question, e.g. behaviour or health. We do not profile students and we do not apply automatic decision-making to students’ data.
15. Can this data protection statement be changed?
We are constantly improving our services, and we reserve the right to change this data protection statement, notification of which will be made through our services. Changes may also result from changes in legislation. We recommend that students familiarise themselves regularly with the contents of the data protection statement.
Contact the person responsible for data protection
The persons responsible for data protection at the FSHS are Marjo Tipuri and Aleksi Schrey. You can contact them through filling the form, which is attached under this text.