By Joonas Dammert


The Finnish Parliament has approved the new general Act on the Secondary Use of Social Welfare and Health Care Data (Laki sosiaali- ja terveystietojen toissijaisesta käytöstä, based on government proposal HE 159/2017) in March 2019. The Act shall become effective within the following weeks.

The Act is a welcome change to the old regime where national provisions concerning the subject matter have been scattered into different regulations, namely the Patient’s Rights Act (1992/785), Act on Electronic Processing of Social and Health Care Customer Data (2007/159), Bio Bank Act (2012/688) and Medicines Act (1987/395). This fragmentation has, unsurprisingly, lead to a heavy administrative burden for the secondary users of social and health care data by parallel and slow licence procedures with various authorities.

The new Act codifies the relevant legislation and broadens the possibilities to, under certain conditions, utilize and combine for secondary purposes personal data collected in relation to public or private social and health care operations.

As for the data subjects, the main purpose is to ensure full compliance with the applicable data protection legislation while processing sensitive social and health care data for secondary purposes. The Act complements the GDPR and introduces reinforced data security requirements and strict authorization procedures.

The Act governs the transfers of personal social and health care data from data controllers responsible for the primary purpose of processing to an established IT ecosystem controlled by the licence authority. These are mainly administrators of major national registers, inter alia: the Social Insurance Institution (KELA), the Population Register Center (Väestörekisterikeskus), the Statistics Finland (Tilastokeskus) and the Pension Security Center (Eläketurvakeskus), National Supervisory Authority For Health and Welfare (Valvira), Finnish Institute of Occupational Health (Työterveyslaitos) and Finnish Medicines Agency (Fimea).


The secondary use of personal data stored at the registers of the aforementioned data controllers shall be allowed for permitted purposes under a fixed-term revocable licence. The decisions on licenses are subject to an appeal. The licence authority shall be a new ‘one-stop-shop’ operating under the supervision of the Ministry of Social Affairs and Health (Sosiaali-ja Terveysministeriö).

The license may be applied for educational, information management as well as innovation and development activities going beyond traditional research purposes reflected under GDPR 89 article.

License available for innovation and development activities has been promoted as an important opportunity for businesses to utilize and combine social and health care data with their existing technical and commercial data as well as to reap the benefits of a ‘one-stop-shop’ mechanism where they can acquire a license for data obtained from different data controllers. All of this means there are better opportunities for innovative product development by e.g. start-ups and pharmaceutical companies, which may generate considerable external societal advantages as well.
The data subjects are protected against secondary use by a requirement that an explicit consent shall be the only applicable legal basis for processing concerning innovation and development activities since none of the other legal basis under GDPR article 9(2) would be applicable.

Data subjects should be able to control their consents trough a dynamic digital ecosystem hosted by a pre-selected service provider in order to communicate better with the licence authority as well as to make alterations and withdrawals. The consent must cover the processing operations of the licence authority and the secondary user each and are strictly subject to the terms of the consent. The basic idea is that a data subject can flexibly consent to the original and secondary use at once or later on.

The potential secondary users for innovation and development purposes may alternatively request information in an anonymized form. In these cases, the processing does not rely on consent and the licence authority must determine if anonymization is possible under GDPR 9(2) g) and 86 articles. This way, the principle of publicity and privacy shall be balanced on case-by-case basis.

Furthermore, the licence applicant must have an authorized person in charge and a pre-approved utilization plan in place in order to be admissible for a licence.


The license authority has the jurisdiction to issue licenses and supervise the compliance with the license terms. The authority shall also be responsible for the compilation, combining and transferring the data for licensees. In addition to the licence procedures, the authority has jurisdiction to compile and anonymize data from different registers based on information requests described above.

Another key operator as regards to license procedures is the service provider mentioned above that maintains a digital ecosystem for the licence procedure and the subsequent secondary use of data. The service provider shall control the licensee’s user rights in the ecosystem and keep user registers.

The governmental proposal concerning the Act has provoked plenty of public discussion as regards to sensitive data and privacy. The Parliamentary vote were an extremely tight one as the Act passed by a vote of 92 to 80 with the left-wing parties demonstrating the most notable opposition.

For further information, please contact