Register studies refer to scientific research in which the research material consists, in part or in whole, of personal identity data belonging to various registers, such as client and patient registers of social welfare and health care. The use of personal data in scientific research requires, depending on the situation, a written consent of the registered subject, a data permit from the controller, a data permit of the data permit authority of the social and health care sector (Findata), or, in special cases, a permit of the Finnish Institute for Health and Welfare (THL). A special feature of the register data is that the information collected in the registers has not been originally collected for research use (secondary use).
Using patient or customer data for register research under the act on secondary use
From the register of one controller
If patient or customer data used as the data for the research is from the register of one controller, for example, from the register of the wellbeing services county of North Savo, the data permit is applied for from the controller. The permit is applied for in eTutkija together with the application for a research permit. The application shall be accompanied by a research plan, privacy statement and impact assessment form (see data protection in scientific research). An application for a data permit in accordance with Findata’s regulation (2/2022) is also required as an attachment. The form can be found in the form register (84014-3M). This also applies to applications for changes. More information on applying for a data permit can be found on the Pulssi intranet of the wellbeing services county of North Savo.
From the register of several controllers
A data permit is applied for from Findata if the study combines patient or customer data from the register of more than one controller, or if the data stored in Kanta services or the register data of a private social and health care service provider are needed. Findata combines data from different registers and delivers them to the researcher for analysis in a secure environment. In special cases, the application for a permit will be submitted to THL. An application to Findata must be accompanied by a research permit from the responsible organisation (in the wellbeing services county of North Savo, through eTutkija) and its attachments.
See the Findata website for examples of the controllers’ authorities (authority table), i.e. to whom the application is sent, and for instructions on applying for data permits.
Data protection requirements for scientific research
The requirements of data protection legislation cover the entire life cycle of the processing of personal data in scientific research, from the planning of the collection of personal data until the end of the retention period. In Finland, the supreme data protection authority is the Data Protection Ombudsman, whose website provides instructions on how to implement data protection rules in scientific research.
Identify the research controller
In accordance with the General Data Protection Regulation, a controller refers to a natural or legal person, authority, agency or other body that alone or together with others determines the purposes and means of processing personal data.
In scientific research, the controller may be considered to be the party that decides on the initiation of the processing of personal data for the purpose in question. The controller determines why the processing is to be conducted. In essential parts, it determines how personal data is processed and, for example, to whom the data can be disclosed. The controller is also responsible for compliance with data protection rules. However, the controller itself need not have access to personal data.
In the case of joint controllers, two or more controllers decide by mutual agreement on the purposes and means of processing personal data and, for example, on how to ensure the exercise of the data subjects' rights.
Examples: In scientific theses (doctoral and master’s theses), the researcher is, as a rule, the entity that determines the purposes and means of processing personal data, i.e. the controller. Accordingly, when several researchers jointly define the purposes and means of processing, the team of researchers can be the controller. When a scientific study is launched in the wellbeing services county of North Savo as its own research, and the research is to continue in the wellbeing services county of North Savo, the controller is the wellbeing services county of North Savo, in spite of personnel changes in the study. In the case of a sponsor-driven study (for example, one sponsored by a pharmaceutical company), the sponsor is generally the controller.
Also identify possible processors of personal data and make sure that there are written agreements with these parties on the terms and conditions of the processing of personal data.
Roles and responsibilities of personal data processing in scientific research
The controller's accountability requires documentation
In accordance with the General Data Protection Regulation’s principle of accountability, the controller must be able to demonstrate that it has planned the processing of personal data in such a way that data protection principles are effectively implemented in the research project. The researcher shall attach the privacy statement to the research permit. At the same time, the privacy statement provides a record of processing activities in accordance with article 30 of the Data Protection Regulation.
Impact assessment based on a risk assessment
The controller of the study shall ensure compliance with data protection regulations and protect personal data in accordance with the risk relating to processing. When the processing of personal data is likely to pose a high risk to the rights and freedoms of data subjects, an impact assessment on data protection shall be conducted (article 35 of the Data Protection Regulation). The controller ensures that the impact assessment has been conducted, when necessary, and that the controller’s designated data protection officer is consulted in the assessment. If the research controller is WSCNS (KUH), an impact assessment is attached to the research permit application. In other cases, its submission as an attachment is voluntary.
Grounds for processing personal data and the rights of the subjects
Provisions on the grounds for processing personal data are laid down in articles 6 and 9 of the Data Protection Regulation and sections 4 and 6 of the Data Protection Act. In scientific research based on patient records, the grounds for processing are mainly based on scientific research in the public interest (article 9(2)(j)). It should be noted that the subjects have rights based on the processing criterion, unless they have been restricted in the research on separate exceptional grounds.
Further information
Auli Mikkonen, data protection officer at the WSCNS, etunimi.sukunimi@pshyvinvointialue.fi, tel. +358 44 717 6894