DATA PROTECTION STATEMENT REGARDING THE FSHS
Name of the register: Patient Register of the Finnish Student Health Service
Data protection statement compiled on: 1 May 2018
Data protection statement updated on: 25 September 2020
Updated by: The person responsible for data protection Marjo Tipuri, Medical Director Päivi Metsäniemi
Version number: 1.02
SUMMARY OF THE DATA PROTECTION STATEMENT
- We are committed to protecting the privacy of students within the scope of our services. Your confidence in us is of primary importance.
- We use your personal data for the provision of healthcare and medical care services, for statutory control and compilation of statistics, to compile statistics about our own activities, to plan our activities, and to carry out and enable scientific research.
- The data we process comes from students themselves, from observations made by our staff or from educational establishments, or is derived from these.
- We offer students the opportunities, as required, to influence the processing of their data. See Section 8 for a list of your rights. You will find forms for example to request copies of your patient documents and to request rectification of inaccurate or incorrect data from FSHS’s online services.
CONTENTS OF THE DATA PROTECTION STATEMENT
The FSHS is committed to protecting the privacy of university students in accordance with the EU’s General Data Protection Regulation (2016/679), the Act on the Status and Rights of Patients (1992/785), the Act on the Electronic Processing of Client Data in Social and Health Care (2007/159) and other applicable legislation.
1. Who is responsible for data processing? Who can i contact?
The data controller is the Finnish Student Health Service (FSHS), address: Töölönkatu 37 A, 00260 Helsinki, Finland.
The person responsible for data protection at the FSHS is Marjo Tipuri, who can be contacted using an online form. Marjo Tipuri will answer all questions concerning the processing of data and this data protection statement.
Please do not send any confidential information about your state of health or treatment via email.
2. For what purposes is my personal data collected?
The processing of data contained in the Patient Register is based on a statutory obligation to maintain patient documents. We only process personal data for predetermined uses. These are:
• Planning and carrying out patients’ examinations and treatment: We offer university students general healthcare, mental healthcare and oral healthcare services.
• Students’ health promotion and its planning: We monitor and promote students’ well-being, health and fitness to study. We arrange an electronic health survey for all first-year students in accordance to the health care act (1326/2010). In addition, we organise individual health check-ups as needed.
• Healthcare-related statutory control and compilation of statistics: We are required by law to provide reports and statistics about our activities for the supervisory authorities, such as the National Institute for Health and Welfare.
• Compilation of statistics about FSHS’s own activities and the planning of activities: We are constantly improving our services. We produce reports and conduct surveys to support decision-making.
• Invoicing of patient fees: A small number of our services are subject to appointment fees. Some medical statements and no-show appointments that have not been cancelled are also subject to a charge.
• Scientific research: We carry out scientific research on university student health, health behaviour, lifestyles, study environments and health services. We also conduct joint research together with external researchers and research bodies. The use of patient data for research always requires official permission. Data will only be disclosed for external research purposes if permitted by you or the National Institute for Health and Welfare.
3. What kind of data is collected about me?
We collect students’ personal data as needed for the purposes described in Section 2 of this data protection statement. The data collected in different situations depends on the purpose for which it is to be used.
All information of students which is provided by universities or other institutions of higher education (in order to make it possible to organize the health examinations for the first-year students).
- Name and personal identity code
- Information of educational institution, type of study right and starting date, information on enrollment (enrollment information, enrolled as present), educational institution, education code, study town, study right area.
Information given by the student or personally identifiable information:
• contact details, such as address, telephone number and email address
• demographic information, such as age, gender, native language, contact language and home country
• information needed to ensure unhindered accessibility to services, such as physical limitations and need for an interpreter
• permissions, such as consent to receive SMS messages and reminders on appointments, secure communications and forms provided in the service portal
• non-disclosure for personal safety reasons
• contact person appointed by the student
• booking and invoicing information
• health status information essential for treatment
• information concerning information provision, consent and refusal as required by the National Archive of Health Information (Kanta services).
Information derived from the above:
• derived information is defined as information deduced from student data, e.g. the placing of students into groups of users of certain services for statistical and planning purposes.
All information concerning health status is classed as sensitive personal information. Particular attention is given to protecting this kind of information.
We organise patient records into logical entities and compile them in accordance with the official regulations. This way, we can use the data and, if necessary, disclose it to external parties under the conditions specified in section 6, e.g. for further treatment, without compromising the availability, usability, confidentiality or integrity of the data.
4. From what sources is my data collected?
Personal data is primarily given by the students themselves as part of an assessment of the need for treatment or a treatment contact.
Our staff also records other data arising during examinations and treatment. We also store in our own register treatment records generated as part of subcontracting services.
With the student’s consent and within the scope of the defined permission, we accept data from other healthcare units and the Kanta Data Repository.
We receive the above-mentioned demographic and educational establishment data from the Virta data warehouse, which is a service provided by the Ministry of Education and Culture.
5. Who will process my personal data?
Our staff are under obligation to maintain confidentiality, and they only process personal data to the extent required by their work. Data concerning health status is processed only if required for treatment purposes or for some other particular reason. In some instances, we may outsource the processing of personal data to third parties. If we do, we will put in place a contract to ensure that the data is processed in an appropriate manner and in accordance with the EU’s General Data Protection Regulation and other applicable legislation.
We will not transfer data outside the EU or EEA unless it is necessary for reasons such as server location. If we transfer data outside the EU or EEA, we will ensure the personal data is adequately protected, for example by agreeing on the confidentiality and processing of the data as required by legislation, e.g. by using model contract clauses approved by the European Commission, and otherwise by processing personal data in accordance with this data protection statement. We will not transfer data to international organisations.
6. Will my personal data be disclosed to any third parties?
Data relating to state of health is confidential. FSHS patient document instructions have been compiled based on legislation governing their use, disclosure and protection to ensure uniform procedures when processing patient records. We never sell or lease any personal data. We only disclose personal data in the cases described below:
• We may disclose a student’s personal data to third parties if the student has consented to this orally, in writing or electronically. Consent is required for data disclosure to other healthcare providers for the provision of further treatment. If the student is unable to assess the meaning of the consent, e.g. due to their state of health, we are allowed to disclose data with the consent of their legal representative. Data disclosure to insurance companies requires written consent in some cases.
• We may disclose a student’s personal data in the manner prescribed by the legislation in force at the time as required by the relevant authorities or other parties.
• We may disclose data for scientific or historical research provided that the data has been changed into such a form that the student concerned is no longer identifiable from the data or with the permission of the National Institute for Health and Welfare.
• We may disclose segment data on students to our partners to improve our activities. Our partners are not permitted to link the data in any way that would enable an individual student to be identified.
• We disclose data to those authorities maintaining national healthcare registers to the extent required by the registers as stipulated in the legislation. The registers include:
o Care Register
o Finnish Cancer Registry
o Register for adverse drug reactions
o Vaccine Adverse Events Register
o National Infectious Diseases Register.
7. For how long will my personal data be stored?
We will only store personal data for as long as required by the legislation in force at the time for the purposes described in Section 2 above. The basic information on students in order to make it possible to conduct the electronic health survey is stored with the same standards as patient records even though the student would not have filled in the form.
The time for which patient data may be stored is stipulated in the Patient Documents Decree (2009/298). The storage time is usually 12 years from the patient’s death or 120 years from birth. We destroy the data after the storage time has ended. If we need data for statistics, for instance, we will pseudonymise it. This means that we will remove any data that can be connected to an individual person.
8. What kind of opportunities do i have to influence my data?
We are committed to accepting requests from students regarding their data, and where such requests are reasonable we will agree to them. We will process the requests within one month and inform the applicant of any action taken or if the request has been rejected. The rights listed below apply to data contained in the Patient Register.
Inspection of data
Students have the right to receive copies of their medical records and to inspect the personal data collected about them. The easiest way to view one’s own patient records is via the Social Insurance Institution’s (Kela) My Kanta service. The My Kanta service contains general and mental health data from 30 June 2016 on. We will start entering oral health data in the Kanta service at later. If data older than this is wanted, requests for a copy should be made using an online form or in person or using the Patient Register review request form in the FSHS unit where the university is located. The student must provide identification in order to obtain the data, which is why data given following a written request must be collected personally from the unit. You can request copies / exercise your inspection right free of charge once a year while you are studying and once after you have graduated. Thereafter, you will be charged in accordance to our service fees.
Rectification of inaccurate and incorrect data
Students have the right to ask the FSHS to rectify inaccurate or incorrect data on themselves. The FSHS is also obliged to rectify any incorrect personal data that comes to its attention. Because of the nature of the healthcare sector, we are occasionally forced to make decisions based on incomplete information. We can therefore only rectify data that is objectively incorrect based on the information available at the time of recording. Students have no right to decide what data about them is recorded. Requests for rectification can be made directly to the staff member who recorded the information at the time of the treatment contact. If a mutual understanding is not reached, students can make a request for rectification in writing by electronic (identification by online banking ID or mobile ID) or in the FSHS unit where the university is located (ID must be shown). Compliance or otherwise with the rectification request will be decided by the FSHS Unit Director, if necessary together with the Medical Director. The reasons for rejecting a request will be given in writing. Rectified data will also be rectified in the Kanta Data Repository.
Completion of incomplete data
Students have the right to have incomplete personal data completed. Contact details and contact language can be updated via the Self online service. Significant incompleteness of data relating to state of health is processed as for rectification of data described above.
Inspection of log data
We collect log data on the use of Patient Register data and data disclosure. We use log data to ensure that patient records are used appropriately. If misuse of data is suspected by a student, he or she has the right to ask for the log data to be checked. The request should be made using the online form or a Patient Register log data request form in the FSHS unit where the university is located (an ID must be shown). Compliance or otherwise with the log data request will be decided by the FSHS Unit Director together with the person responsible for data protection. Log data from the previous two years will be checked. The FSHS Unit Director will give a report of the inspection. If they wish, students have the right to receive a copy of the log data. The reasons for rejecting a request will be given in writing.
Certain general rights of registered persons, such as removal of data, are not applicable to Patient Register data for legal reasons.
If any Patient Register data is destroyed, damaged, stolen or disclosed without authorisation, or if such data disappears, we will inform the Office of the Data Protection Ombudsman without delay and within 72 hours at the latest. If the students concerned are likely to suffer adverse consequences as a result, we will inform them of the information security breach.
Cookies are small text files placed on your device by your internet browser. These cookies contain a unique identifier, the purpose of which is to identify your browser. Data is collected based on the sites you visit; cookies do not contain personal data. Cookies can be used to follow your interests based on which internet sites you visit and what you look at when you visit them.
This data will not be used to identify individual persons.
11. Where can i get help in conflict situations?
The person responsible for the Patient Register is Medical Director Päivi Metsäniemi.
If required, advice regarding the exercise of your rights can be obtained from the person responsible for data protection, Marjo Tipuri, who can be contacted using an online form, or from the Patient Ombudsman, who can be contacted using the online form.
Students also have the right to appeal to the Office of the Data Protection Ombudsman if they consider that their personal data has been processed against the EU’s General Data Protection Regulation or other data protection legislation in force at the time. The Office of the Data Protection Ombudsman will inform the appellant of the progress of the appeal, the decision and any appeal against the decision.
12. What do automatic decision-making and profiling mean and are they applied to my data?
Profiling means any automatic processing of personal data in which such data is used to assess, analyse or predict aspects related to the characteristics of the person in question, e.g. behaviour or health. We do not profile students and we do not apply automatic decision-making to students’ data.
13. Can this data protection statement be changed?
We are constantly improving our services, and we reserve the right to change this data protection statement, notification of which will be made through our services. Changes may also result from changes in legislation. We recommend that students familiarise themselves regularly with the contents of the data protection statement.
The person responsible for data protection at the FSHS is Marjo Tipuri. You can contact her through filling the form, which is attached under this text, or by calling her on Fridays’ between 10am and 11am to the number 040 5775526.