What is personal data?
According to the Finnish Personal Data Act (PDA), personal data is any information on a private individual and any information on his/her personal characteristics or personal circumstances, where these are identifiable as concerning him/her or the members of his/her family or household (cf. Article 3.1).
As long as a person is identifiable, the information is considered personal data, even if the controller could not identify the person by him- or herself. According to the law, the processing of such semi-anonymous data should therefore still comply with the data protection principles. In Finnish practice, however, it is often considered that if actual identification of the data subject would require unreasonable effort and the data are de facto anonymous, it is not necessary to follow the data protection principles strictly (Lehtonen 2004).
What is sensitive personal data?
Under Section 11 of the PDA, sensitive personal data includes information relating to, or intended to relate to:
· race or ethnic origin;
· the social, political or religious affiliation or trade-union membership of a person;
· a criminal act, punishment or other criminal sanction;
· the state of health, illness or handicap of a person or the treatment or other comparable measures directed at the person;
· the sexual preferences or sex life of a person; or
· the social welfare needs of a person or the benefits, support or other social welfare assistance received by the person.
Conditions for processing of personal data
The general conditions on the processing of personal data are set out in Chapter 2 of the PDA. Unless one of the alternative legal grounds applies, the processing must be based on the data subject’s unambiguously given consent (see also Conditions for consent). Moreover, it is required, among other things, that:
· The data controller must ensure that personal data is processed lawfully and carefully, and in compliance with good processing practice under the PDA. Anyone operating on the behalf of the data controller is subject to the same duty of care.
· Personal data is only processed for a pre-defined purpose which must be appropriate and justified with respect to the controller’s operations.
· The personal data processed must be necessary for the declared purpose of the processing (necessity requirement).
· The data controller must ensure that no erroneous, incomplete or obsolete data are processed (accuracy requirement).
Obligation to notify the supervisory authority
The PDA establishes two separate data protection authorities: the Data Protection Ombudsman and the Data Protection Board. The Data Protection Ombudsman's duties are to:
· provide direction and guidance on the processing of personal data;
· supervise the processing of personal data in accordance with the Act; and
· make decisions concerning the right of access and rectification (cf. Article 38(1)).
The Data Protection Board's duty is to:
· deal with questions of principle relating to the processing of personal data (cf. Article 38(2)).
According to Article 36 (1) of the PDA, the data controller shall notify the Data Protection Ombudsman of automated data processing by sending a description of the file to the authority.
Scientific research, together with the majority of the general grounds for data processing, is however exempted from the notification requirement (cf. Article 36.4). The duty to notify applies, for example, where the processing of personal data is outsourced, or in certain cases where personal data are transferred outside the European Union or the European Economic Area.
It seems, however, that this exemption applies only to research that does not use sensitive data, so that e.g. registries containing sensitive information must be notified to the Data Protection Ombudsman (Lehtonen 2004).
Regardless of whether notification is required, pursuant to the Act the data controller shall draw up a description of the personal data file, including the following information:
· the name and address of the controller and, where necessary, those of the representative of the controller;
· the purpose of the processing of the personal data;
· a description of the group or groups of data subjects and the data or data groups relating to them;
· the regular destinations of disclosed data and whether data are transferred to countries outside the European Union or the European Economic Area; and
· a description of the principles in accordance with which the data file has been secured.
The data controller shall keep the description of the file available to anyone.
There are no mechanisms within the data protection authorities for the prior assessment of research projects. See, however, Requirements to acquire approval from an ethics committee and Ethical review in the human sciences.
Data Protection Officers
There is no specific requirement in the PDA for organisations to appoint a data protection officer.
Data Protection Ombudsman. Duties [online]. Available at: <http://www.tietosuoja.fi/en/index/tietosuojavaltuutetuntoimisto/duties.h... [Accessed 10 September 2014].
Data Protection Ombudsman, 2012. Prepare a data balance sheet [pdf]. Available at: <http://www.tietosuoja.fi/material/attachments/tietosuojavaltuutettu/tiet... [Accessed 10 September 2014].
DLA Piper, 2012. Data Protection Laws of the World: Finland [online]. Available at: <http://www.edrm.net/resources/data-privacy-protection/data-protection-la... [Accessed 10 September 2014].
Lehtonen, L., 2004. The Implementation of EU Directive 95/46/EC and the Protection of Sensitive Health Data in Medical Research in Finland. In: D. Beyleveld, D. Townend, S. Rouille-Mirza and J. Wright, eds. 2004. Implementation of the Data Protection Directive in Relation to Medical Research in Europe. Ashgate. pp. 87-95.
Ministry of Justice, Finland. The Finnish Data Protection Board [online]. Available at: <http://oikeusministerio.fi/en/index/theministry/neuvottelu-jalautakunnat... [Accessed 10 September 2014].
The Personal Data Act, 1999 [pdf]. Available at: <http://www.finlex.fi/fi/laki/kaannokset/1999/en19990523.pdf> [Accessed 10 September 2014].