Finnish authorities have begun the process of examining how national personal data storage complies with the new General Data Protection Regulation (GDPR). Finland permanently stores a comprehensive archive of health histories that may be in breach of the GDPR, as citizens may not have control over the data it contains. Current legislation in Finland allows for health records to be stored permanently in state-administered databases, but this may breach the GDPR’s article covering the right to be forgotten.
State-owned administrator Kela has created an electronic database, Kanta, which stores old medical records. Clinics can upload patient medical histories and then delete them from their own systems in an effort to centralise medical data. Sinikka Rantala from the National Institute for Health and Welfare said recently: “This means that organisations can still access older information in a treatment situation. Even if the old archiving system has fallen out of use, the patient data can still be found.”
In 2011, Finland’s national archive service ordered that electronic data on Kanta be stored under “permanent retention”. In 2015, the order was reviewed. However, permanent data retention could cause a conflict with the new GDPR and may leave Finnish authorities in breach of the Regulation.
Data management specialist Maritta Korhonen from Finland’s Social Affairs and Health Ministry said: “The ministry has launched an investigation into how the EU’s new data protection directive will affect Finland’s social and health care legislation. This is linked in part to the Archives Service’s proposal to store electronic patient information in perpetuity. The cost of storing and using the data permanently must also be taken into account.”
Even before the permanent storage order was enforced, the Finnish authorities maintained data for a very long time. Previous rules stated that medical records were to be kept 120 years after birth or 12 years after death.