Breadcrumb

Other permits relating to research

Other permits relating to research

Depending on the type of research, conducting scientific research requires various official permits, statements or notifications to different authorities.

Key authorities from which permits are applied for include Findata, in special cases Finnish Institute for Health and Welfare and Fimea. Other bodies key to studies are the office of the Data Protection Officer and the Board of Gene Technology (GTLK).

Further information on other research permits is available below.
 

Register studies refer to scientific research in which the research material consists, in part or in whole, of personal identity data belonging to various registers, such as client and patient registers of social welfare and health care. The use of personal data in scientific research requires, depending on the situation, a written consent of the registered subject, a data permit from the controller, a data permit of the data permit authority of the social and health care sector (Findata), or, in special cases, a permit of the Finnish Institute for Health and Welfare (THL). A special feature of the register data is that the information collected in the registers has not been originally collected for research use (secondary use).

Using patient or customer data for register research under the act on secondary use

From the register of one controller

If patient or customer data used as the data for the research is from the register of one controller, for example, from the register of the wellbeing services county of North Savo, the data permit is applied for from the controller.  The permit is applied for in eTutkija together with the application for a research permit. The application shall be accompanied by a research plan, privacy statement and impact assessment form (see data protection in scientific research). An application for a data permit in accordance with Findata’s regulation (2/2022) is also required as an attachment. The form can be found in the form register (84014-3M). This also applies to applications for changes. More information on applying for a data permit can be found on the Pulssi intranet of the wellbeing services county of North Savo.

From the register of several controllers

A data permit is applied for from Findata if the study combines patient or customer data from the register of more than one controller, or if the data stored in Kanta services or the register data of a private social and health care service provider are needed. Findata combines data from different registers and delivers them to the researcher for analysis in a secure environment. In special cases, the application for a permit will be submitted to THL. An application from Findata must be accompanied by a research permit from the responsible organisation (in the wellbeing services county of North Savo, through eTutkija) and its attachments.

See the Findata website for examples of the controllers’ authorities (authority table), i.e. to whom the application is sent and instructions on applying for data permits.

Data protection requirements for scientific research

The requirements of data protection legislation cover the entire life cycle of the processing of personal data in scientific research; from the planning of the collection of personal data, until the end of the retention period. In Finland, the supreme data protection authority is the Data Protection Ombudsman, whose website provides instructions on how to implement data protection rules in scientific research.

Identify the research controller

In accordance with the General Data Protection Regulation, a controller refers to a natural or legal person, authority, agency or other body that alone or together with others determines the purposes and means of processing personal data.

In scientific research, the controller may be considered to be the party that decides on the initiation of the processing of personal data for the purpose in question. The controller determines why the processing is to be conducted. In essential parts, it determines how personal data is processed and, for example, to whom the data can be disclosed. The controller is also responsible for compliance with data protection rules. However, the controller itself need not have access to personal data.

In the case of joint controllers, two or more controllers decide by mutual agreement on the purposes and means of processing personal data and, for example, on how to ensure the exercise of the data subjects' rights.  

Examples: In scientific theses (doctoral and master’s theses), the researcher is, as a rule, the entity that determines the purposes and means of processing personal data, i.e. the controller. Accordingly, when several researchers jointly define the purposes and means of processing, the team of researchers can be the controller. When a scientific study is launched in the wellbeing services county of North Savo as its own research, and the research is to continue in the wellbeing services county of North Savo, the controller is the wellbeing services county of North Savo, in spite of personnel changes in the study. In the case of a sponsor-driven study (such as pharmaceutical companies), the sponsor is generally the controller.

Identify also possible processors of personal data and make sure that there are written agreements with these parties on the terms and conditions of the processing of personal data.

Roles and responsibilities of personal data processing in scientific research 

The controller's accountability requires documentation

In accordance with General Data Protection Regulation’s principle of accountability, the controller must be able to demonstrate that it has planned the processing of personal data in such a way that data protection principles are effectively implemented in the research project. The researcher shall attach the privacy statement to the research permit as an attachment. At the same time, the privacy statement provides a record of processing activities in accordance with article 30 of the Data Protection Regulation.

Impact assessment based on a risk assessment

The controller of the study shall ensure compliance with data protection regulations and protect personal data in accordance with the risk relating to processing. When the processing of personal data is likely to pose a high risk to the rights and freedoms of data subjects, an impact assessment on data protection shall be conducted (article 35 of the Data Protection Regulation). The controller ensures that the impact assessment has been conducted, when necessary, and that the controller’s designated data protection officer is consulted in the assessment. If the research controller is WSCNS (KUH), an impact assessment is attached to the research permit application. In other cases, it’s submission as an attachment is voluntary.

Grounds for processing personal data and the rights of the subjects

Provisions on the grounds for processing personal data are decreed in articles 6 and 9 of the Data Protection Regulation and sections 4 and 6 of the Data Protection Act. In scientific research based on patient records, the grounds for processing are mainly based on scientific research in public interest (article 9, 2. j.). It should be noted that the subjects have rights based on the processing criterion, unless they have been restricted in the research on separate exceptional grounds.

Further information

Auli Mikkonen, data protection officer at the WSCNS, etunimi.sukunimi@pshyvinvointialue.fi, tel. +358 44 717 6894

Surveys and interviews conducted in the wellbeing services county of North Savo may target personnel, patients or clients.

For interview and survey studies, a research permit is applied for through the eTutkija system. Studies focusing on personnel require the support of North Savo human resource director. The support will be sought through eTutkija.

Please note that surveys and interviews are invasive studies, subject to the research act when the study interferes with the subject's psychological integrity and increases information on e.g. health, causes of illness and treatment.

Tissue studies and biobank studies are legal activities. Both tissue and biobank studies require a research permit from the wellbeing services county of North Savo before the research is started.

Tissue research

The Finnish Medicines Agency (Fimea) grants a permit for medical use of human organs, tissues and cells when the permit cannot be obtained with consent or when samples are not available from a biobank. The permit is granted to the health care unit, institution or department of pathology for whose operation the tissues, organs or cells have been removed or wherein the research is conducted.

Biobank research

Biobank research refers to research that utilises cell and tissue samples of human origin, stored in a biobank, or data related therein. Samples collected in a biobank may be used for biomedical basic research and for epidemiological and other health science research.

Further information 

Fimea is responsible for the supervision of medical devices. For more information on medical device legislation, see Fimea's website.
A clinical study with a medical device or accessory must be reported to Fimea when:

  • the study is conducted on a non-CE marked device,
  • the study uses the device in a manner deviating from the instructions or the intended use as specified by the manufacturer, or
  • the device and equipment are modified by adding new features.

All studies with an active implantable device should also be reported to Fimea.

More information on Fimea's website

A clinical pharmaceutical trial is a human-directed invasive study that investigates the effects of a medicine in humans as well as its absorption, distribution, metabolism or excretion in the human body.

Clinical pharmaceutical trials on humans (commissioned and researcher-driven studies) shall be evaluated through a joint European pre-authorisation procedure before the start of the trial.

Clinical pharmaceutical trials (commissioned and investigator-driven studies) shall be submitted for centralised evaluation through the European Medicines Agency’s (EMA) clinical trials information system (CTIS) in all member states on whose territory the study is to be conducted. Applications shall be evaluated simultaneously by the medicinal authorities of the member states in such a way that the medicinal authority of one member state acts as the reporting member state, while the authorities of the other member states act as the affected member states.

In Finland, clinical pharmaceutical trials are assessed in cooperation with the Finnish Medicines Agency (Fimea) and the National Committee on Medical Research Ethics (Tukija).

Further information

Studies on genetically modified material shall be either notified or licensed by the Board of Gene Technology (GTLK). A notification/application for authorisation of a clinical trial shall be submitted when the study concerns the use of genetically modified organisms in a confined environment.

A genetically modified organism or micro-organism refers to an organism or micro-organism whose genetic material has been modified. Research using genetic engineering methods or data is referred to as research on GMOs (genetically modified organism) or GMMs (genetically modified material). Research on DNA alone does not make the study a GMM study.
Gene technology applications typical in medicine include, for example, vaccines.

Further information