Original draft in Finnish 4 January 2023, latest modification in Finnish 11 June 2023.
PrEP appointments involve dealing with sensitive personal data. Handling and storing this data is of utmost importance in Kallio Terveys. The digital registries are maintained in healthcare information systems according to the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare. These information systems are approved and supervised by the National Supervisory Authority for Welfare and Health (Valvira).
Kallio Terveys is an auxiliary company name belonging to Licenciate of Medicine Jukka Hietalahti (“private entrepreneur”); the company name is Medi-Kallio (Finnish Business ID: 2753661-4).
Data controller and person responsible for the register
Jukka Hietalahti, Kuurinniityntie 18b, 02750 ESPOO
tel: +358 45 7838 4334
Name and parts of the register
Patient register of Kallio Terveys (customer registers in online booking service, in remote communication service, and in the electronic patient record; patient records including digitally stored appendices; electronic documents and messaging in remote communication service; billing information and bookkeeping in service provided by Holvi Payment Services Ltd; possible billing information in service provided by MobilePay [Mobile Pay A/S, branch in Finland])
Legal bases and purpose for processing personal data
Personal data is processed in a scope that fulfils legal obligations and makes appropriate and high-quality treatment possible.
Kallio Terveys processes personal data:
- with legal obligation: The basis of the personal data use in healthcare is provided by law. The acts and decrees concerning personal data use in healthcare are at least: Health Care Act (1326/2010), Act on the Electronic Processing of Client Data in Healthcare and Social Welfare; Act on the Status and Rights of Patients (785/1992); Data Protection Act (1050/2018); Act on the Secondary Use of Social and Health Data (552/2019); Act on Health Care Professionals (559/1994); Private Health Care Act (152/1990); Decree of the Ministry of Social Affairs and Health on Patient Documents (298/2009); General Data Protection Regulation in EU law (GDPR 2016/679). Sosiaali- ja terveysministeriö on laatinut ohjeet potilasasiakirjojen laatimisesta ja käsittelystä The Finnish Ministry of Social Affair and Health has composed a guide for drawing up and handling of patient documents (STM 2012:4). In the General Data Protection Regulation of the EU law, e.g., ethnic origin, health information, sexual behaviour, and sexual orientation are special category data that need more protection due to their sensitivity. Kallio Terveys deals with this kind of data to produce healthcare services. The information composing the data is processed and stored to the extent that can be justified in order to secure high-quality healthcare. Kallio Terveys deals with this kind of data to produce healthcare services. The information composing the data is processed and stored to the extent justifiable to secure high-quality healthcare.
Kallio Terveys also processes personal data:
- for creating, maintaining and developing customer relationships (enabling patient appointments, examining patient’s state of health, planning, implementing, and monitoring the treatment, and contacting the patients)
- as to compose referrals
- based on the information provided by cooperation partners (these cooperation partners may be e.g., public and private healthcare sector; the basis of acquiring or releasing information is the permission given by the data subject, for instance, a signed request of patient records or a consultation answer given to a referral drafted in mutual understanding with the patient)
- based on compiling statistics (in anonymised data; e.g., public healthcare providers have to release an activity report with the total number of visits)
- based on compiling notifications according to the law or guidance from public authorities
- based on handling the feedback and consumer complaints
- based on official requests for evidence
- based on patient safety incidents
Data is not used for automated decision-making or profiling.
Personal data processed, means of personal data processing, and recipients of personal data
Patient records and personal data are confidential information that will not be disclosed to third parties without the data subject’s consent unless there is an obligation to do so based on law.
Personal data that is processed consists of:
- Name and personal identity code (customer register in remote communication service, customer register in the electronic patient record, digital patient records with their digital appendices, information on referrals, information disclosed to public authorities based on a legal obligation, billing, debt collection)
- Contact information: home address, municipality of residence, telephone number(s), email address(es) (customer register in online booking service, customer register in remote communication service, customer register in the electronic patient record, information on referrals, information disclosed to public authorities based on a legal obligation, billing, debt collection)
- Data regarding gender (apart from the data revealed by the personal identity code), sexuality, sexual behaviour, substance use (digital patient records with their digital appendices information on referrals when relevant [e.g., when referring to the public sector for the continuation of PrEP], information disclosed to public authorities based on a legal obligation [this solely includes a situation when diagnosing a generally communicable disease prompts filing a notification of communicable disease: in this notification, the route of transmission is disclosed in a multiple choice, e.g. “sex with man” or “injecting drugs”])
- Consents given by the data subject (customer register in remote communication service, customer register in the electronic patient record, digital patient records with their digital appendices)
- Patient records, including e.g., data on planning, implementing, and monitoring the treatment; medical data, including data on illnesses, medications, and diagnoses; laboratory results, data on referrals, data on prescriptions (digital patient records with their digital appendices, information on referrals)
Contents of the appointments and personal data are stored through the following information systems:
- Remote communication service: Nordhealth Connect (Nordhealth Finland Oy), Valvira category B
- Electronic patient record and online booking service: Acute (Vitec Acute Oy), Valvira category A3
If personal data or patient record entries are processed outside the aforementioned electronic systems so that the identity and details of the data content are not anonymized (e.g., printed to be sent to the customer), any duplicates or temporary files will be securely destroyed. Special attention is paid to data security while processing the data in the previously stated manner.
In Kallio Terveys, the recipient of personal data is the private entrepreneur, who, as a physician, has a statutory duty of secrecy.
Regular sources of data
The regular sources of information in Kallio Terveys are:
- the data subject and personal data given by them; identity is confirmed through strong electronic identification
- data that has earlier been saved to the electronic patient record of Kallio Terveys
- Patient Data Repository in Kanta Services maintained by Kela in the extent of the consent given by the data subject
- other healthcare organisations in the extent of necessity and the signed consent given by the data subject through strong electronic identification
Regular data sharing
Patient data may only be shared with the consent of the data subject or on legal grounds.
Personal data in Kallio Terveys is regularly shared with the following recipients:
- data subject themselves (e.g., laboratory results, prescriptions, medical certificates, etc.)
- healthcare authorities, when they have a legal right of obtaining health data to carry out an official duty
- other healthcare entity, when agreed with the data subject, e.g. about a referral or disclosure of patient data
- Kanta services⇗
Transfer of data outside the EU or EEA
Kallio Terveys does not transfer data outside the EU or EEA.
Rights of the data subject
The data subject has rights over their personal data. More information on the matter is on the web page of the Office of the Data Protection Ombudsman⇗.
The right of access: The data subject may request that their information be checked. Regarding patient record entries, the easiest way to check the data is to use MyKanta pages⇗, where a significant part of the data content of patient record entries is transferred.
The right to rectification: The data subject has the right to demand the rectification of inaccurate or incorrect personal data concerning them be corrected and to have incomplete personal data completed.
The right to erasure (the right to be forgotten): The data subject has the right to request the deletion of their data. However, patient record entries and the information contained in them must be kept for the period determined by the decree of the Ministry of Social Affairs and Health on Patient Documents (298/2009). Thus certain items of data about the data subject cannot be deleted despite the request.
The right to restriction of processing: In certain situations, the data subject can ask the data controller to restrict the processing of personal data concerning them. Then, the processing and storing of personal data are possible only under certain conditions. More information on the website of the Office of the Data Protection Ombudsman⇗.
The right to data portability: If the data subject requests, personal data can be transferred from one system to another with certain restrictions. The most common situation is that the data subject’s patient record data is transferred to another healthcare provider with their consent.
The data subject may announce that they are using their rights, for example, by a free-form notification. The notification should include the following information: The full name and personal identity code of the data subject, telephone number, postal address, the concisely identified request concerning the Patient Register of Kallio Terveys, the place, the date, and the signature of the data subject (unless the request has been sent via remote communication service⇗). The request may be posted to the address Medi-Kallio, Kuurinniityntie 18b, 02750 ESPOO, or preferably sent as a message or as a scanned file via remote communication service⇗). An acknowledgment document is generated from the received request. If the request has been submitted by post, the data subject will be asked to sign the acknowledgment document electronically. The signature is done by strong identification. This identification works as identity verification. Since Kallio Terveys works remotely, the data controller does not have the possibility to verify the identity as a business visit or with another sufficiently strong means of identification.
The right to file a complaint to the supervisory authority: In situations where you suspect data protection issues, you should file a report of fault in personal data processing to the Data Protection Ombudsman⇗.
Storing of personal data
Patient record entries are kept for the period determined by the decree of the Ministry of Social Affairs and Health on Patient Documents (298/2009). Other background data related to the customer relationship, which does not fall under the scope of patient record entries, will be stored for a maximum of as long as the data subject wishes to use their right for erasure. Sensitive personal data, which is not directly saved as patient record entries (e.g. parts of the patient information forms), will be deleted from the background data as soon as possible after the appointment. The core content of this information may be transferred to a file in the patient information system. The data on this file is not transferred to Kanta.
Cookies on web page kallioterveys.fi
At the moment there are no cookies in use.