Reuse of personal data for a new purpose
The exclusivity of purpose is the main rule of the PDA. Personal data must not be used or otherwise processed in a manner incompatible with the stated purposes. However, later processing for purposes of historical, scientific or statistical research is not deemed incompatible with the original purposes (cf. Section 7). So, if sensitive data is of scientific value or is historically unique, a request for permission to archive data can be submitted to the National Archives (The National Advisory Board on research ethics’ proposals).
Secondary users of data should be requested to sign an agreement on the conditions set for secondary research and if needed also a pledge of confidentiality (TENK: Ethical principles of research in the humanities and social and behavioural sciences and proposals for ethical review).
One of the general conditions of processing personal data is that the data controller must ensure that the data subject can have information on the data controller, on the purpose of the processing of the personal data, on the regular destinations of disclosed data, as well as on how to proceed in order to make use of the rights of the data subject in respect to the processing operation in question. The PDA, however, states that there is no right of access for data subjects to the data on him/her in a personal data file, if the data in the file are used solely for historical or scientific research or statistical purposes (cf. Section 27.1.3).
Third country transfer
According to the PDA, the data controller shall notify the Data Protection Ombudsman of the transfer of personal data to outside the European Union or the European Economic Area (cf. Article 36.2). The notification shall include a description of the file, the types of data and how the transfer is carried out (cf. Article 37.1). The Ombudsman makes an assessment of the adequacy of data protection in the country in question, and evaluates each case separately (Lehtonen 2004).
Personal data may be transferred to outside the European Union or the European Economic
Area only if the country in question guarantees an adequate level of data protection. The adequacy of the level of data protection shall be evaluated in the light of the nature of the data, the purpose and duration of the intended processing, the country of origin and the country of final destination, as well as the general and sectorial legal provisions, codes of conduct and security measures applied in that country (cf. Section 22).
Section 22 does not prevent the transfer of data if it is e.g. based on the data subject’s unambiguously given consent (cf. Section 23.1).
Lehtonen. L.2004. The Implementation of EU Directive 95/46/EC and the Protection of Sensitive Health Data in Medical Research in Finland. In: D. Beyleveld, D. Townend, S. Rouille-Mirza and J. Wright, ed. 2004. Implementation of the Data Protection Directive in Relation to Medical Research in Europe. Ashgate. pp. 87-95.
National Advisory Board on Research Ethics, 2009. Ethical principles of research in the humanities and social and behavioural sciences and proposals for ethical review [pdf]. Available at: <http://www.tenk.fi/sites/tenk.fi/files/ethicalprinciples.pdf> [Accessed 9 September 2014].
The Personal Data Act, 1999 [pdf] Available at: <http://www.finlex.fi/fi/laki/kaannokset/1999/en19990523.pdf> [Accessed 10 September 2014].