Skip to main content

Privacy policy: Patient Register

Privacy policy
General Data Protection Regulation of the European Union (2016/679)

 

Patient Register

1. Data controller

The County Board of the Western Uusimaa Wellbeing Services County

2. Person responsible for the register

The Wellbeing Services County Director

3. Contact persons for the register

Administrative Managers for the service areas

Contact information

Western Uusimaa Wellbeing Services County

P.O. Box 33, 02033 Western Uusimaa Wellbeing Services County

Switchboard’s phone number: 029 151 2000

4. Purposes of processing personal data and the legal grounds for processing

The purposes of processing

Personal data is processed in the register for the purpose of organising outpatient and inpatient care as well as oral health care for the client/patient. The data is used to organise, plan, and implement examinations, treatment, and rehabilitation as well as for the purposes of monitoring, guiding, and quality control.

In the register, data is also processed from school and student health services, children and young people’s rehabilitation services, child psychiatry services as well as data from school psychologists and family counselling centres.

In addition, data is processed for the purposes of processing client and patient fees and collecting payment data.

Patient documents are also used for planning, statistical analysis, supervision, assessment, self-supervision, knowledge management, and scientific research of the work in health care services, as laid down in the Act on the Secondary Use of Health and Social Data or as otherwise provided for by law.

Legal grounds for processing

Article 6(1) point (c) of the General Data Protection Regulation of the European Union: processing is necessary for compliance with a legal obligation to which the controller is subject.

As a special category of personal data, health information is processed under Article 9 (2)(h), which permits data processing when necessary for the provision of health care.

Key legislation

  • General Data Protection Regulation of the European Union (679/2016)
  • Data Protection Act (1050/2018)
  • Act on the Openness of Government Activities (621/1999)
  • Health Care Act (1326/2010)
  • Act on the Status and Rights of Patients (785/1992)
  • Act on Electronic Prescriptions (61/2007)
  • Act on Healthcare Professionals (559/1994)
  • Mental Health Act (1116/1990)
  • Archives Act (831/1994)
  • Act on the Processing of Client Data in Healthcare and Social Welfare (703/2023)
  • Act on the Secondary Use of Health and Social Data (552/2019)
  • Administrative Procedure Act (434/2003)
  • Government Decree on maternity and child health clinic services, school and student health services and preventive oral health services for children and youth (338/2011)
  • Communicable Diseases Act (1227/2016)
  • Student Welfare Act (1287/2013)
  • Act on Client Charges in Healthcare and Social Welfare (734/1992)
  • Act on Organising Healthcare and Social Welfare Services (612/2021)
  • Act on Organising Healthcare, Social Welfare and Rescue Services in the Region of Uusimaa (615/2021)

5. Contents of the register

The register holds the patient’s basic data, data related to provision of care, information on health and illnesses, and data on client fees.

The basic data of the patient consists of identification and contact information, such as the following: personal identity code, name, preferred first name, gender, address and whether the address is subject to non-disclosure for personal safety reasons, telephone numbers, municipality of residence, mother tongue, service language, marital status, email address and other necessary contact information Data related to provision of care include, for instance, the following: data on appointment booking, queues, and treatment reservations; visits and care period data of the operational units of the wellbeing services county and in other care facilities based on contracts; as well as the names and professional details of the note-makers. Information on health and illnesses consist of data on medical risks, data regarding health counselling, disease diagnosis, treatment planning, progress monitoring, and assessments related to appointments and care periods, laboratory and radiology requests and results, functional capacity information, statements and certifications given, consultation requests and responses (including those obtained from outside the Wellbeing Services County, such as responses received from HUS), referrals and epicrisis documents, and final medical statements. In addition, the processed information includes information that the patient produces or provides about themselves, as well as information on prohibitions, restrictions, consent, and other preference data.

In addition, insurance information that may pertain to the client relationship is processed.

The patient register also includes care and radiology statement information recorded by healthcare professionals and purchased on behalf of the Wellbeing Services County, as well as information arising from payment commitments and service voucher services.

6. Disclosure of personal data in accordance with legislation

Personal data is disclosed, based on legislation or a detailed information request, to authorised authorities in accordance with the legislation.

Under the Secondary Use Act, information concerning patients is provided to Findata for the purpose of scientific research, statistics, development and innovation activities, teaching, social and healthcare authority guidance and supervision as well as for planning and reporting duties of authorities. In addition, under the Secondary Use Act, the Wellbeing Services County discloses patient information for applicants for the purpose of scientific research, statistics, teaching, social and healthcare authority guidance and supervision as well as for planning and reporting duties of authorities, when the application pertains only to the data maintained by the Wellbeing Services County.

In addition, the Wellbeing Services County discloses patient information to service providers (e.g., in the case of outsourced services) if necessary for the provision of the patient’s health care. On legislative grounds, the Wellbeing Services County will also disclose patient information to supervisory authorities (e.g., AVI, EOA, Valvira).

As a rule, data is not transferred from the register to countries outside the EU or the EEA. However, personal data may be transferred to countries outside the EU/EEA area where the European Commission has determined that the level of data protection is adequate. In addition, personal data may be transferred to countries outside the EU/EEA when the protection measures required by the General Data Protection Regulation have been implemented, for example, by incorporating standard data protection clauses into contracts and by employing additional measures recommended by the European Data Protection Board as necessary.

7. Data storage periods

Storage periods for patient documents are defined in the appendix concerning storage times for client documents of the Act on the Processing of Client Data in Healthcare and Social Welfare (703/2023) as well as in decisions on storage times for client documents and decisions by the National Archives of Finland.

As a general rule, patient documents are kept for 12 years after the patient’s death. If the date of death is unknown, documents are kept for 120 after the patient’s birth. These documents include the patient’s basic information, key treatment and care details, living will, summaries, care planning, implementation, follow-up or assessment records, referrals, epicrisis documents, consultation documents, medical statements, and treatment decisions.

Permanently stored documents include public healthcare patient records and documents for people born on the 18th and 28th of each month, as well as documents from hereditary medicine units.

All patient records archived to the Kela electronic archive will be permanently stored electronically. 

8. Sources of personal data

The Digital and Population Data Services Agency primarily provides patients’ identification and contact information, such as name and address.

Information in the patient register related to organising care is obtained and maintained based on information received from the patient or their representative as well as on information produced within health care units.

In addition, data on imaging and laboratory results are obtained from service providers. Data on services purchased with service vouchers is also obtained from service providers.

If the patient has not prohibited the disclosure of their information within the Uusimaa region, the authority organising and implementing health services of the wellbeing services county, the City of Helsinki, and the HUS Group, and those operating on its behalf, have the right, regardless of confidentiality regulations, to obtain and use another patient's information from an authorised health service provider of another wellbeing services county in the Uusimaa region, the City of Helsinki, or the HUS Group. This right extends to the extent that is necessary for providing the patient's treatment. The patient must be informed of their right to prohibit disclosure of information.