Privacy Policy for Prescription Centre

This is a valid Privacy Policy for Prescription Centre. The policy was updated on 1 January 2024.

Joint controller

The Social Insurance Institution of Finland

Nordenskiöldinkatu 12, 00250 Helsinki
Postal address PO Box 450 Kela
Postal code 00056
Phone number 020 634 11

Person responsible for register-related issues or contact person

Customer inquiries about the registers of the Prescription Centre can be addressed to Kanta Services customer support at asiakaspalvelu@kanta.fi.

In matters related to the rights of a data subject, the data subject may send inquiries by email to the Data Protection Officer of Kanta Services at tietosuoja@kanta.fi.

Name of register

The Prescription Centre

Purpose of processing of personal data and grounds for processing

The Prescription Centre is a database that consists of electronic prescriptions entered by the prescribers of the medicine, prescriptions entered by pharmacies, data concerning medicines handed to patients by healthcare and social welfare service providers, dispensing data attached to prescriptions, and entries related to the implementation and evaluation of pharmacotherapy.

The purpose of the register is to enable recording and storage of electronic prescriptions issued in accordance with the Act on Electronic Prescriptions, as well as the related dispensing data and renewal requests in a nationally centralised Prescription Centre. Electronic prescriptions entered in the Prescription Centre can be dispensed by any pharmacy that has deployed the electronic prescription and by pharmacies in European countries referred to in section 23a of the Act on Electronic Prescriptions. A hospital pharmacy prescription can only be dispensed from a hospital pharmacy.

In addition, electronic prescriptions entered in the Prescription Centre and their dispensing data can also be utilised under the conditions provided by the Act on Electronic Prescriptions, e.g. when establishing the patient's overall medication regime, in regulatory supervision of healthcare and social welfare services and pharmacies, in decisions concerning benefits by virtue of the Sickness Insurance Act, and in scientific research, reporting and compiling of statistics.

Prescription data is stored in the Prescription Centre database for 12 years after a person’s death or 120 years after the person’s birth if the date of death is not known, or if the patient is a child who was under the age of 18 at the time of death, after which the data is destroyed. The dispensing notes of prescriptions are stored for 12 years after the expiry of the prescription. In the pharmacy, the data is available for 42 months from the date of issuing the prescription. The client can view all their prescription information in the Prescription Centre’s data repository in MyKanta.

According to section 18 of the Act on Electronic Prescriptions (61/2007), the Social Insurance Institution of Finland (hereinafter Kela) is a joint controller of the privacy policy of the Prescription Centre together with service providers issuing electronic prescriptions and independent prescribers.

Kela is responsible for the availability and integrity of the data in the Prescription Centre, the integrity of the data contents and the retention of data, as well as the destruction of data at the end of the retention period.

Service providers and independent prescribers issuing electronic prescriptions are responsible for the accuracy of the data in a prescription to be entered in the Prescription Centre. The pharmacy that has dispensed the medicine is responsible for the accuracy of the dispensing data to be entered in the Prescription Centre.

Kela acts as the contact point for data subjects in accordance with section 1, Article 26 of the General Data Protection Regulation. As a contact point, Kela is responsible for fulfilling and implementing the controller’s obligation to provide information, as laid down in the information security legislation, in terms of personal data collected in the Prescription Centre. In addition, Kela acts as the primary contact point in requests concerning the exercising of the rights of data subjects and, if necessary, communicates the request to the right place.

Legislation on joint controllership and the procedures to be complied with in joint controllership are addressed in the following document relating to it: Description of joint controllership of services related to the Kanta Services (pdf, in Finnish).

Kela carries out the processing of personal data in accordance with the EU’s General Data Protection Regulation and other legislation regulating the processing of personal data, and by virtue of the Act on Electronic Prescriptions.

Data content of the register

Electronic prescriptions, the related dispensing data and renewal requests in accordance with the Act on Electronic Prescriptions are recorded in the Prescription Centre. The following basic patient information is stored in all prescription documents: Name, personal identity code (if any), date of birth and gender. The data included in the register and the data segments have been compiled in Appendix 1 at the end of this policy.

Regular data sources

An electronic prescription can be issued by a doctor, dentist, students of medicine and dentistry entitled to prescribe medicines or a nurse whose right to prescribe medicines has been verified.

The pharmacy is obliged to enter a prescription received in paper form or by telephone and the related dispensing data in the Prescription Centre if the prescription has been issued in writing or by telephone, for example, due to a technical fault or for another reason. The dispensing notes of the prescription are made and entered in the pharmacy by the staff pharmacist or pharmaceutical assistant. The storage obligation does not apply to hospital pharmacies.

Regular disclosure of data and transfer of data outside the EU or the European Economic Area

Confidentiality provisions and other provisions on the use of data notwithstanding, Kela may, as the joint controller of the Prescription Centre, disclose prescription and dispensing information to an authority or for scientific research upon request.

Situations of sharing the prescription and dispensing data, the reasons for sharing the data and the method of sharing by virtue of the Act on Electronic Prescriptions and other legislation have been compiled in Appendix 2 at the end of this policy.

The data is not transferred outside the EU or the European Economic Area.

Principles of protecting the register

The data recorded in the Prescription Centre is confidential data concerning the person’s medical status.

Organisational protection principles

Kela, healthcare and social welfare service providers and pharmacies must have an information security plan to ensure data protection and information security. Kela, healthcare and social welfare service providers and pharmacies must appoint a data protection officer.

Service providers’ managers in charge, pharmacists and Kela shall provide written instructions on the processing of client data and the procedures to be followed, and ensure that personnel have sufficient expertise and capabilities to process client data.

The controller, operating units and pharmacies must take the necessary measures on their own initiative if someone has unlawfully viewed, used or disclosed information stored by the Prescription Centre.

In order to implement monitoring and supervision, healthcare and social welfare service providers and pharmacies using the Prescription Centre have the right to obtain log data from Kela with regard to the viewing and processing of data in the Prescription Centre by the operating unit in question or pharmacy staff.

A pharmacy operating in the territory of another European country shall contact the Prescription Centre via the national contact points of the country in question and Finland. A contact point of another country, Kela will investigate errors based on prescription log data to the extent that is required for settling problem situations and for regulatory determinations.

Principles of technical protection

In order to browse, record, and process data in other ways in the Prescription Centre, the healthcare and social welfare service provider, pharmacy and Kela need to use strong authentication that identifies the processor, as well as access rights management related to the system.

The Digital and Population Data Services Agency is responsible for the identification and certification services of electronic prescriptions. The European Commission is responsible for the certification services for the national contact points.

The healthcare and social welfare service provider, pharmacy and Kela are responsible for the management of access rights for their own part.

Log data on viewing and processing and disclosing of data in social welfare and healthcare services and pharmacies is stored in the Prescription Centre.

Principles of physical protection

The data recorded in the Prescription Centre is technically protected to prevent editing and deleting.

Kela’s IT areas and the physical location of data are in Finland. Kela’s technical administrators have limited access to the IT areas when the management of their duties requires such access.

The right of access to personal data

In accordance with Article 15 of the EU's General Data Protection Regulation (2016/679), the data subject has the right to access the data stored in the Prescription Centre.

A person may act using a power of attorney or as a legal representative on behalf of an adult and request the right to access their data stored in the Prescription Centre. A request for information made by a representative requires that the representative has the right to represent their client in the case in question. Kela will verify the person's right to receive the data. The disclosure of data may be refused on legal grounds.

A guardian may request the right to access a minor's data stored in the Prescription Centre. Kela will verify the validity of the custody upon a guardian’s request to access a minor's data. The disclosure of data may be refused on legal grounds.

The data request can be made using the data request form, which is available from social welfare and health care service providers, pharmacies and Kela customer service points that have joined the Kanta Service. A request for data should be directed to Kela (Registry, P.O. Box 450, 00056 Kela).

A request for data may also be made by contacting Kela's Registry by phone or email (kirjaamo@kela.fi).

The reply to the request will arrive within one month of the request's receipt for processing at Kela. If, for justified reasons, it is not possible to provide information within this period, the processing of the request may be extended for a maximum period of two months.

Right to demand rectification of incorrect data

According to Article 16 of the EU's General Data Protection Regulation (2016/679), the data subject has the right to obtain the rectification of inaccurate personal data concerning him/her from the controller.

A person may act using a power of attorney or as a legal representative on behalf of an adult and request the rectification of inaccurate personal data. A guardian may request the rectification of inaccurate personal data on behalf of a minor.

Inaccurate prescription or dispensing data is rectified in the unit of the healthcare or social services provider or the pharmacy where the inaccurate records were created. Service providers and pharmacies are always responsible for the content and accuracy of the data they record. It is recommended that the requests for rectification of inaccurate information be addressed to the data protection officer of the healthcare and social services provider or pharmacy.

In its role as the joint controller of the Prescription Centre, Kela acts as the contact point for data subjects. Kela accepts requests for the rectification of inaccurate prescription data and forwards them to the healthcare service provider who recorded the inaccurate data for rectification. The request for rectification can be delivered in writing to Kela (Registry, P.O. Box 450, 00056 Kela).

When the required rectification concerns the dispensing data entered in a pharmacy in another European country, the request for rectification shall be submitted in writing to Kela.

If the request for rectification cannot be accepted, Kela will provide the client with a certificate of refusal. The reasons why the request by the client or their legal representative was not accepted shall be stated in the certificate of refusal. After receiving the certificate of refusal, the client may still refer the matter to be dealt with by the competent regulatory authority.

Right to lodge a complaint with a supervisory authority

If the client deems that the processing of their personal data breaches the applicable data protection regulations, the client is entitled to lodge a complaint with a competent regulatory authority in accordance with Article 77 of the General Data Protection Regulation and section 21 of the Data Protection Act. In Finland, the regulatory authority is the Data Protection Ombudsman.

Other rights related to the processing of personal data

In MyKanta, the client can browse the data entered in the Prescription Centre and see which healthcare and social welfare service providers and pharmacies the data has been shared with.

The client has the right to learn who has processed and viewed their data entered in the Prescription Centre by submitting a log data request to Kela. The client has the right to request log data concerning how Finnish pharmacies have processed their prescription data retrieved from abroad.

A person may act using a power of attorney or as a legal representative on behalf of an adult and request information on who has processed and viewed the data stored in or disclosed to the Prescription Centre by submitting a log data request to Kela. Kela will verify the person's right to receive the data. The disclosure of data may be refused on legal grounds.

A guardian can request information on behalf of a minor on who has processed and viewed the data stored in or disclosed to the Prescription Centre by submitting a log data request to Kela. Kela will verify the validity of the custody upon a guardian’s request to access a minor's data. The disclosure of data may be refused on legal grounds.

The log data request can be made using the log data request form, which is available from social welfare and health care service providers, pharmacies and Kela customer service points that have joined the Kanta service. The log data request shall be sent to Kela (Registry, P.O. Box 450, 00056 Kela). The request can also be made informally by telephone or email to Kela’s Registry (kirjaamo@kela.fi).

There is no right to obtain log data that is older than two years unless there is a special reason for it. The client must not use or share the log data they have received for any other purpose.

If a client considers on the basis of the log data that their data has been processed without a valid reason, they can ask the pharmacy or healthcare and social welfare service provider in question for an explanation on the matter. If the customer requires an explanation of the grounds for processing their data in the case of a pharmacy in another European country, the request for clarification can be addressed to Kela (kirjaamo@kela.fi).

The client is entitled to receive the same data again if there is a valid reason for it in order to fulfil the client’s interests and rights. Kela may charge a fee corresponding to the costs of providing the information with regard to data that is provided a second time.

Kela’s operations and the maintenance of Kanta Services are based on the national legislation. For these reasons, the data subject's right to erasure of data by virtue of Article 17 of the EU's General Data Protection Regulation and the data subject’s right to transmit the data from one system to another by virtue of Article 20 shall not be applied to data entered in the Prescription Centre. National legislation provides for a retention period for data stored in the Prescription Centre, after which the data is destroyed.

Appendices to the privacy policy

Last updated 13.2.2024