Tietosuojavaltuutetun toimisto (Finland) - 3895/83/22: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Finland |DPA-BG-Color= |DPAlogo=LogoFI.png |DPA_Abbrevation=Tietosuojavaltuutetun toimisto |DPA_With_Country=Tietosuojavaltuutetun toimisto (Fi...")
 
(added hyperlinks)
 
Line 67: Line 67:
}}
}}


The Finnish DPA issued a warning to a healthcare provider whose envisaged risk profiling of patients for scanning and prevention purposes violated Articles 6, 9 and 22 GDPR.
The Finnish DPA issued a warning to a healthcare provider whose envisaged risk profiling of patients for scanning and prevention purposes violated [[Article 6 GDPR|Articles 6]], [[Article 9 GDPR|9]] and [[Article 22 GDPR|22 GDPR]].


== English Summary ==
== English Summary ==
Line 77: Line 77:


=== Holding ===
=== Holding ===
First, the Finnish DPA assessed whether the envisaged processing of personal data would lead to automated individual decisions within the meaning of [[Article 22 GDPR|Article 22 GDPR]]. It distinguished between two instances: cases where patients would be selected for further examination on the basis of a risk assessment and patients who would not be selected after the risk assessment. For the first group, the result of the profiling would be taken into account only as one element of the decision-making process. The final decision would be taken by a trained person. Therefore, there would be human intervention in accordance with [[Article 22 GDPR#3|Article 22(3) GDPR]]. However, for the second group no further assessment by a competent person would be made. Hence, the DPA evaluated whether the profiling would produce legal or similarly significant effects to the patients who were rejected. It concluded, that not being admitted to medical treatment could have significant adverse effects on the health of individuals. Accordingly, the envisaged processing would involve individual automated decisions prohibited under [[Article 22 GDPR#1|Article 22(1) GDPR]].  
First, the Finnish DPA assessed whether the envisaged processing of personal data would lead to automated individual decisions within the meaning of [[Article 22 GDPR|Article 22 GDPR]]. It distinguished between two instances: cases where patients would be selected for further examination on the basis of a risk assessment and patients who would not be selected after the risk assessment. For the first group, the result of the profiling would be taken into account only as one element of the decision-making process. The final decision would be taken by a trained person. Therefore, there would be human intervention in accordance with [[Article 22 GDPR#3|Article 22(3) GDPR]]. However, for the second group no further assessment by a competent person would be made. Hence, the DPA evaluated whether the profiling would produce legal or similarly significant effects to the patients who were rejected. It concluded that not being admitted to medical treatment could have significant adverse effects on the health of individuals. Accordingly, the envisaged processing would involve individual automated decisions prohibited under [[Article 22 GDPR#1|Article 22(1) GDPR]].  


Second, the DPA looked at the legal basis the controller put forward for the processing of health data. The DPA recalled that data concerning health was sensitive data and its processing needed to have one of the legal basis under Article 6 and 9 GDPR. Specifically, Articles 9(2)(h) and 9(3) GDPR allow for processing of sensitive data for preventive or occupational medicine purposes when respective of professional secrecy. The relevant national law, Section 12(1) of the Act on the Status and Rights of Patients and Section 13 of the Patient Act, prescribe confidentiality when maintaining patient records. Moreover, the data can only be processed when strictly related to the treatment of patients. The DPA held that a risk profling system, as the one envisaged by the controller, would not meet this strict purpose as it was not directly related to treatment. Consequently, the DPA found there was no valid legal basis to process health data.  
Second, the DPA looked at the legal basis the controller put forward for the processing of health data. The DPA recalled that data concerning health was sensitive data and its processing should rely on one of the legal basis under [[Article 6 GDPR|Article 6]] and [[Article 9 GDPR|9 GDPR]]. Specifically, [[Article 9 GDPR|Articles 9(2)(h)]] and [[Article 9 GDPR|9(3) GDPR]] allow for processing of sensitive data for preventive or occupational medicine purposes when respective of professional secrecy. The relevant national law, [https://www.finlex.fi/en/laki/kaannokset/1992/en19920785.pdf Section 12(1) of the Act on the Status and Rights of Patients and Section 13 of the Patient Act], prescribe confidentiality when maintaining patient records. Moreover, the data can only be processed when strictly related to the treatment of patients. The DPA held that a risk profling system, as the one envisaged by the controller, would not meet this strict purpose as it was not directly related to treatment. Consequently, the DPA held that there was no valid legal basis to process health data.  


In conclusion, the DPA issued a warning to the controller under [[Article 58 GDPR#2a|Article 58(2)(a) GDPR]] and stated that the envisaged processing would violate Articles 6, 9 and 22 GDPR.
In conclusion, the DPA issued a warning to the controller under [[Article 58 GDPR#2a|Article 58(2)(a) GDPR]] and stated that the envisaged processing would violate Articles 6, 9 and 22 GDPR.
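Review bot: in the second Holding paragraph the revised line still reads "risk profling system" and "one of the legal basis", and the closing paragraph leaves "Articles 6, 9 and 22 GDPR" as plain text although the lead sentence and the paragraph above now link the same articles. Suggest correcting to "risk profiling system" and "one of the legal bases" in this revision and linking the three articles in the conclusion as well.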

Latest revision as of 11:34, 28 October 2022

Tietosuojavaltuutetun toimisto - 3895/83/22
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 6(1) GDPR
Article 9 GDPR
Article 9(3) GDPR
Article 22(1) GDPR
Article 58(2)(a) GDPR
Type: Advisory Opinion
Outcome: n/a
Started:
Decided: 23.06.2022
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 3895/83/22
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Finnish
Original Source: Tietosuojavaltuutetun toimisto (in FI)
Initial Contributor: n/a

The Finnish DPA issued a warning to a healthcare provider whose envisaged risk profiling of patients for scanning and prevention purposes violated Articles 6, 9 and 22 GDPR.

English Summary

Facts

The controller is a healthcare provider who asked the Finnish DPA to assess whether its planned system of processing patient data for scanning and prevention purposes would be compatible with the GDPR. Patients at risk to their health would be identified and referred to treatment through contact with the healthcare system. The patient population and medical records would be searched by a computer in order to identify patients at risk. The objectives of the approach would be to improve the health and well-being of individuals, prevent the onset and progression of diseases and improve equity in the health system.

The Finnish DPA assessed the data processing operations involved, in particular the risk of automated decision-making and the existence of a valid legal basis for processing sensitive data.

Holding

First, the Finnish DPA assessed whether the envisaged processing of personal data would lead to automated individual decisions within the meaning of Article 22 GDPR. It distinguished between two instances: cases where patients would be selected for further examination on the basis of a risk assessment and patients who would not be selected after the risk assessment. For the first group, the result of the profiling would be taken into account only as one element of the decision-making process. The final decision would be taken by a trained person. Therefore, there would be human intervention in accordance with Article 22(3) GDPR. However, for the second group no further assessment by a competent person would be made. Hence, the DPA evaluated whether the profiling would produce legal or similarly significant effects on the patients who were rejected. It concluded that not being admitted to medical treatment could have significant adverse effects on the health of individuals. Accordingly, the envisaged processing would involve individual automated decisions prohibited under Article 22(1) GDPR.

Second, the DPA looked at the legal basis the controller put forward for the processing of health data. The DPA recalled that data concerning health was sensitive data and its processing should rely on one of the legal bases under Articles 6 and 9 GDPR. Specifically, Articles 9(2)(h) and 9(3) GDPR allow for processing of sensitive data for preventive or occupational medicine purposes when professional secrecy is respected. The relevant national law, Section 12(1) of the Act on the Status and Rights of Patients and Section 13 of the Patient Act, prescribes confidentiality when maintaining patient records. Moreover, the data can only be processed when strictly related to the treatment of patients. The DPA held that a risk profiling system, such as the one envisaged by the controller, would not meet this strict purpose as it was not directly related to treatment. Consequently, the DPA held that there was no valid legal basis to process health data.

In conclusion, the DPA issued a warning to the controller under Article 58(2)(a) GDPR and stated that the envisaged processing would violate Articles 6, 9 and 22 GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Processing of patient data for the purposes of prevention and anticipation, as well as automated individual decisions

Keywords: Proactive healthcare
Patient information

Legal basis: decision in accordance with the EU General Data Protection Regulation

Register number: 3895/83/22

The Deputy Data Protection Commissioner's decision on issuing a warning and written advice based on a prior consultation request

Matter

The controller submitted a prior consultation request to the data protection commissioner's office on May 2, 2022. The request concerns the processing of patient data for the purposes of prevention and anticipation. Patients who are at risk for their health would be identified and brought into the scope of treatment through contact from the health care system. The patient population and patient data would be reviewed with computer assistance to find patients who are at risk for their health. The goals of the operating model would be to increase individual health and well-being, prevent the onset and progression of diseases, and develop the equity of the health care system.

In addition to the processing of the prior consultation request focused on the risk assessment prepared by the controller, it is necessary to examine the legality of the processing of personal data. The assessment of legal compliance (section 3) is limited to the legal issues stated in sections 3.1.1 and 3.2.1, and the Deputy Data Protection Commissioner has not otherwise assessed whether the planned processing of personal data would meet the requirements of the General Data Protection Regulation (TSA, (EU) 2016/679) and other legislation applicable to the operation.

Section 4 examines the high risks identified by the controller and gives the written advice of the data protection commissioner's office based on the prior consultation request.

Decision of the Deputy Data Protection Commissioner

Formation of automatic individual decisions

Resolving legal issues

The Deputy Data Protection Commissioner assesses whether the planned processing of personal data would result in automated individual decisions referred to in Article 22 TSA:

a) for those patients who would be selected for a closer examination based on the risk assessment, or

b) for those patients who would not be selected for a closer examination based on the risk assessment.

In addition, the deputy data protection commissioner assesses whether it is necessary to use corrective powers in accordance with Article 58, paragraph 2 of the TSA.

Applicable legislation

The General Data Protection Regulation applies to the processing of personal data as a general regulation.

According to TSA Article 4, paragraph 4, profiling refers to any automatic processing of personal data, in which personal data is used to evaluate certain personal characteristics of a natural person, in particular to analyze or predict features related to the work performance, financial situation, health, personal preferences, interests, reliability, behavior, location or movements.

According to Article 22(1) of the TSA, the data subject has the right not to be subject to a decision based solely on automatic processing, such as profiling, which has legal effects concerning him or which similarly significantly affects him.

According to TSA Article 22(2), paragraph 1 does not apply if the decision a) is necessary for the conclusion or execution of an agreement between the data subject and the data controller; b) is based on the Union law applicable to the controller or the legislation of a Member State, which also establishes appropriate measures to protect the rights and freedoms and legitimate interests of the data subject; or c) is based on the express consent of the data subject.

According to TSA Article 22, Paragraph 4, the decisions referred to in Paragraph 2 above may not be based on the special personal data groups referred to in TSA Article 9, Paragraph 1, except if Article 9, Paragraph 2 Subparagraph a or g applies and appropriate measures to protect the data subject's rights and freedoms and legitimate interests have been implemented.

The remedial powers of the data protection authority are provided for in Article 58(2) of the TSA. According to subparagraph a), the supervisory authority may warn the controller or personal data processor that the intended processing operations are likely to be in violation of TSA regulations.

Solution

Automated individual decisions would not be made for those patients who would be selected for a closer examination based on the risk assessment.

Automated individual decisions would probably be made for those patients who would not be selected for a closer examination based on the risk assessment.

The Deputy Data Protection Commissioner issues a warning to the data controller in accordance with TSA Article 58, paragraph 2, subparagraph a. The planned processing operations are likely to be in violation of the provisions of the TSA, because the controller has not identified the likely formation of automated individual decisions, and has not taken into account what is stipulated in Article 22 of the TSA.

Reasoning

The controller's description of the planned processing

The controller has described the planned processing of personal data in the material it submitted to the data protection commissioner's office. The controller states that it is necessary to go through the patient population and patient data with computer assistance from the point of view of preventive health care. The controller considers that the prevention of diseases is part of the organization of medical care services. Prevention and anticipation require that patients who are at risk for their health can be identified and efforts can be made to bring them into the scope of treatment through proactive contact from the healthcare system. In this case, patients can be offered various early support services and instructions even when the preventive services are timely for the patient.

According to the controller's description, professionals would be given an indicator of risk based on computer-assisted analysis for those patients whose health condition should be addressed and who have given their consent to this.

The controller states in the submitted material that combining patients' risk information with the consenting individual does not lead to automatic decision-making or treatment decisions. According to the controller, services cannot be denied or removed from customers based on computer-aided analysis of risk information, but the purpose of the processing is to provide additional health benefits and always implement treatment and patient selection in accordance with national treatment practices. The controller further states that the processing of risk data requires profiling and is a service based on the patient's express consent.

The controller notes that for patients who have given consent, risk points according to risk models can be calculated for individual patients. The risk points are compared to the limit values defined in the risk model. In this way, it is possible to identify pseudonymous persons who, according to risk modeling, have an increased risk of a greater need for health services and of illness. The existence of risk is indicated by risk information, which is linked to the person's pseudonymous data and is visible to professionals, acting as an indicator of the result of the comparison of risk points and limit values.

After verifying the risk information, the patient is contacted, for example, with a well-being survey or directly by the treating professional. The health care professional assesses the patient's state of health and makes decisions about treatment in cooperation with the patient. According to the controller, the risk model, risk scores or risk information do not affect treatment decisions, but rather act as an indicator for the need to assess the health status.

The concept of automated individual decisions

TSA Article 22 provides for automated individual decisions. According to the regulation, the data subject has the right not to be subject to a decision that is based solely on automatic processing, such as profiling, and that has legal effects concerning him or that significantly affects him in a similar way. It is possible to make automated individual decisions in the situations defined in Article 22 of the TSA.

The Deputy Data Protection Commissioner states that the profiling defined in TSA Article 4, paragraph 4 does not alone cause the application of TSA Article 22 to the processing of personal data. TSA Article 22 applies in connection with profiling, when decisions are made on the basis of profiling that have legal effects on the data subject or that affect him in a similar way.

A decision based solely on automatic processing refers to a situation where no human is involved in the decision-making process. If, for example, an automated process produces a recommendation regarding the registered person, which a person takes into account together with other factors when making a final decision, it is not a decision based solely on automatic processing.

The emergence of legal effects means that the decision affects a person's legal rights, his/her legal status or contractual rights. Other effects on data subjects will also trigger the application of the regulation on automated decision-making in accordance with Article 22 of the TSA, if they are similarly significant.

Significant effects can be considered to be those that are large or significant enough to be worth considering. These can be, for example, decisions that significantly affect a person's circumstances, behavior or choices, or affect the data subject long-term or permanently. For example, a decision that affects a person's chances of receiving health care services has such significant effects for the data subject.

The formation of automated individual decisions for those patients who would be selected for a closer examination based on the risk assessment

According to the description provided by the controller, professionals are given an indicator of risk based on a computer-assisted analysis for those patients who have given their consent to profiling, and whose health condition should be addressed based on the risk assessment. Risk information is verified before possible contact with the patient. The purpose is that only patients whose risk has been verified by professionals are contacted based on risk information.

According to the controller, the patients' risk information is verified by a trained and limited group of medical professionals who, based on the patient's consent, are entitled to access the patient's medical information. Based on this information, professionals verify the increase in the need to use services and the risk of illness predicted by the profiling. If there is no real risk, there is no need to contact the patient.

As stated in section 22, a decision is not considered to be based solely on automatic processing if the automated process produces a recommendation regarding the data subject, which a person takes into account together with other factors when making a final decision. According to the description provided by the controller, for those patients who are selected for a closer examination based on the risk assessment, the result of the profiling is taken into account as one factor along with the patient data. The final decision on the necessity of contact is made by a person trained in the matter.

Based on the reasons presented above, the deputy data protection commissioner agrees with the controller's assessment that the automated individual decisions referred to in Article 22 of the TSA would not arise in the case of patients selected for a closer examination. This is provided that the professional has the genuine opportunity, ability and authority to deviate from the recommendation indicated by the risk information if necessary.

The formation of automated individual decisions for those patients who would not be selected for a closer examination based on the risk assessment

The applicability of Article 22 of the TSA requires, first of all, that decisions are made solely on the basis of automatic processing of personal data. According to the information provided by the controller, the result of the profiling would no longer be evaluated by a human for those patients who have given their consent to the profiling, but who would not be selected for a closer examination based on the risk assessment. According to the controller, human participation would not be possible in practice. In this regard, the controller states the following: "In order to effectively identify patients at risk, it is necessary to be able to go through the patient mass and patient data with computer assistance. An individual professional cannot do the analysis due to the individual's limited computing capacity." Thus, the result of the profiling would remain final. The deputy data protection commissioner considers that this would be a decision based solely on the automatic processing of personal data.

The application of Article 22 of the TSA requires, secondly, that the automated individual decisions have legal effects concerning the data subject or that they similarly significantly affect him.

The existence of actual legal effects would require that a decision based solely on automatic processing would affect a person's legal rights, their legal status or contractual rights. Such could be, for example, decisions regarding the denial of a certain statutory benefit or right. The controller has stated that services cannot be denied or removed from customers based on computer-assisted analysis of risk information. According to the Deputy Data Protection Commissioner's opinion, the profiling planned by the controller would probably not have actual legal effects on the data subjects.

TSA Article 22 also becomes applicable if the decision has significant effects on the data subject in a manner similar to the legal effects. The Deputy Data Protection Commissioner uses the criteria defined by the European Data Protection Board in assessing the significance of the effects. According to these criteria, the effects on the data subject must be sufficiently large or significant to be noteworthy. The decision must potentially either have a significant impact on the circumstances, behavior or choices of the persons in question, affect the data subject long-term or permanently, or in extreme cases lead to the marginalization or discrimination of persons. In evaluating the significance of the effects, it is also necessary to take into account case-specific features, such as the degree of interference with privacy in the profiling process and the expectations and wishes of the data subjects.

The prior consultation request and the data protection impact assessment based on it have been prepared for the processing of personal data related to the proactive approach in its entirety. The request does not specifically specify, for example, what kind of health risks personal data would be processed for. Since the prior consultation request has concerned the proactive approach as a whole, the deputy data protection commissioner also evaluates the possible effects accordingly. It is possible that in all situations included in proactive healthcare, the effects are not the same. The effects and their significance are likely to be different depending, for example, on what kind of health risks are sought to be detected and what kind of measures are to be taken after profiling. A more accurate assessment would require a more detailed description of the details of the procedure.

The significance of the effects is influenced by how the adoption of a proactive approach is reflected in the implementation of health care services. The effects are likely to be different in the short and long term. For example, if the algorithm effectively helps to detect persons at health risk, it is possible that the result of the profiling will start to have a significant impact on access to treatment. A similar effect can arise, for example, if the resources available in health care force an emphasis on health services for patients selected on the basis of clear profiling.

As stated above in point 24, significant effects are considered to be, for example, that the decision affects the person's opportunities to receive health care services. The controller has stated that services cannot be denied or removed on the basis of computer-aided analysis of risk information, but the purpose of the processing is to provide an additional health benefit and always implement treatment and patient selection in accordance with national treatment practices. The Deputy Data Protection Commissioner considers that, in terms of significant effects, it is not necessary for the patient to be actively denied access to the treatment. It is sufficient that the profiling actually affects the patient's chances of receiving healthcare services. Based on the description of the controller, the patient would be excluded from special preventive health care measures in accordance with the risk classification created based on the profiling. Thus, the deputy data protection commissioner considers that the effects of profiling on data subjects would probably be significant at least in some situations of proactive healthcare.

Even if, according to the current methods of operation, profiling would not in any situation lead to significant effects on the data subject, it is possible that this would be the case later with the change of services and the development of algorithms. Therefore, the controller should constantly monitor the different ways in which profiling actually affects the data subjects.

When evaluating the significance, it is also necessary to take into account the degree of interference with privacy. The patient data to be processed describe the state of health of the data subject. In addition, profiling could utilize well-being data collected with the help of applications. Profiling would thus be done on the basis of very intimate and detailed information describing health and behavior. This emphasizes the significance. The possibility of obtaining a more accurate risk assessment could also encourage data subjects to continuously provide the controller with a wider range of well-being information, which would have an impact on the protection of the data subject's privacy.

The Deputy Data Protection Commissioner considers that the decisions arising from profiling would very likely have a significant impact on the data subject's behavior and circumstances, because proactive healthcare measures that are actively offered to the data subject would be selected based on them. It would probably also be important for the data subject's behavior, circumstances and choices if the data subject becomes aware that a risk has not been identified based on the information about him. The effects on the data subject's health can probably be long-term or permanent, at least in some situations.

Based on the above grounds, the deputy data protection commissioner considers that the automated individual decisions referred to in Article 22 of the TSA can probably be formed for those patients whose patient data is processed to identify risk, but for whom, based on profiling, there is no need for a more detailed review by a healthcare professional.

On the application of Article 22 TSA

The Deputy Data Protection Commissioner emphasizes that making automated individual decisions is not impossible, but TSA Article 22, Sections 2 and 4 stipulate the conditions under which automated individual decisions can be made. The Deputy Data Protection Commissioner recognizes the beneficial potential of profiling and solutions based on it in healthcare operations. However, it is essential to ensure that the procedures are built by also taking into account aspects arising from data protection regulations and the protection of patients' privacy in a balanced way.

Warning from the Deputy Data Protection Commissioner

The controller has considered that the planned processing of personal data does not lead to the formation of automated individual decisions. On the grounds described above, the Deputy Data Protection Commissioner has considered that automated individual decisions can probably be made for patients who are not selected based on profiling for a closer examination by a healthcare professional.

The Deputy Data Protection Commissioner issues a warning to the data controller in accordance with TSA Article 58, paragraph 2, subparagraph a. The planned processing actions would probably be in violation of TSA regulations, because the controller has not identified the likely formation of automated individual decisions, and thus has not taken into account the TSA Article 22.

It is necessary for the controller to ensure, before taking possible processing actions, that the basis for making automated individual decisions according to TSA Article 22, Sections 2 and 4 exists whenever the decisions determined on the basis of profiling have significant effects on the data subjects corresponding to legal effects. In such situations, the controller can, for example, update the consent requested from the data subject before step 2 of the process so that it covers the data subject's explicit consent to make automated individual decisions.

Processing of patient data for building and developing a risk model

Legal issues to be assessed

The deputy data protection commissioner assesses whether there are grounds according to TSA articles 6 and 9 for the processing of patient data for the construction and development of a risk model as planned by the data controller (step 1 of the process).

In addition, the deputy data protection commissioner assesses whether it is necessary to use corrective powers in accordance with Article 58, paragraph 2 of the TSA.

Applicable legislation

According to TSA Article 5, paragraph 1, subparagraph a, personal data must be processed in accordance with the law, appropriately and transparently from the point of view of the data subject.

TSA Article 6 provides for the legality of personal data processing and defines the situations in which the processing is legal. The processing is lawful, for example, according to Article 2, subparagraph a, when the data subject has given his consent to the processing of personal data for one or more special purposes, or according to subparagraph c, when the processing is necessary to comply with the legal obligation of the controller.

According to Article 9(1) of the TSA, the processing of health-related data is prohibited. Paragraph 2 of the article defines the situations in which it is possible to deviate from the prohibition. For example, according to paragraph 2, subparagraph a, processing is possible when the data subject has given his express consent to the processing of the personal data in question for one or more specific purposes, except if Union law or the legislation of a member state stipulates that the prohibition referred to in paragraph 1 cannot be revoked with the consent of the data subject; according to paragraph 2, subparagraph g, when the processing is necessary for a reason of important public interest under Union law or the legislation of a Member State, provided that it is proportionate to the objective, it respects the right to the protection of personal data in key aspects and it provides for appropriate and special measures to protect the basic rights and interests of the data subject; according to subparagraph h, when the processing is necessary for preventive or occupational health care purposes, to assess the employee's work capacity, for medical diagnoses, to carry out health or social care treatment or processing, or for the administration of health or social care services and systems on the basis of Union law or the legislation of a Member State, or pursuant to an agreement made with a health care professional, and in compliance with the conditions and protective measures presented in paragraph 3.

According to Article 9, paragraph 3 of the TSA, personal data referred to in paragraph 1 can be processed for the purposes stated in paragraph 2, letter h, when the information in question is processed by or under the responsibility of a professional who has a statutory duty of confidentiality based on Union law or the legislation of a Member State or on the basis of rules established by national competent bodies, or by another person who is also bound by statutory confidentiality obligations based on Union law or Member State legislation or rules established by national competent bodies.

According to section 12 subsection 1 of the Act on the Status and Rights of the Patient (Patient Act; 785/1992 vp.), the healthcare professional must enter in the patient records the information necessary to secure the organization, planning, implementation and monitoring of the patient's treatment.

According to Section 13 of the Patient Act, information contained in patient documents must be kept confidential. A health care professional or another person working in a health care operation unit or performing its duties may not give information contained in patient documents to a third party without the patient's written consent. If the patient does not have the conditions to evaluate the meaning of the consent to be given, information may be given with the written consent of his legal representative. A third party in this law means persons other than those involved in the patient's treatment or related tasks in the relevant operating unit or on its behalf. It is possible to hand over patient data in the situations defined in section 3.

According to § 4 of the regulation on patient documents issued by the Ministry of Social Affairs and Health (STM's patient document regulation, 94/2022), those involved in the patient's treatment or related tasks may process patient documents only to the extent that their duties and responsibilities require it.

The remedial powers of the data protection authority are provided for in Article 58(2) of the TSA. According to subparagraph a), the supervisory authority may warn the controller or personal data processor that the intended processing operations are likely to be in violation of TSA regulations.

Solution

The processing of patient data for the construction and development of a risk model (step 1 of the process) would not seem to be justified in accordance with Articles 6 and 9 of the TSA.

The Deputy Data Protection Commissioner issues a warning to the data controller in accordance with TSA Article 58, paragraph 2, subparagraph a, because the planned personal data processing operations are likely to be in violation of TSA regulations.

Reasoning

The controller's description of the data to be processed

According to the description provided by the controller, the processing of patients' risk data can be divided into five upper-level process parts, the first of which is building a risk model. In this phase, pseudonymized patient data from the patient information system from around 2006 – the time of the model's creation – and random existing records from 1966–2005 are used. For those who have given their consent, the well-being and health information from the application will also be used.

According to the controller, the risk model examines structured information and, if possible, textual information (patient document entries). This limitation of the data set ensures that the risk model develops as accurately as possible and, based on computer-aided analysis, produces the most accurate risk information for the persons who have given consent.

Planned purpose of use of personal data

According to the controller, the purpose of using personal data would be a) to predict the growth of the need to use health services and morbidity at the individual level and b) to predict the development of the need to use health services and morbidity at the population level.

The controller states that risk modeling refers to the development of risk models at the population level, which can be used to monitor and predict the development of the use of health services and morbidity at the population or individual level. According to the controller, the risk model is a constantly developing mathematical model / algorithm, the purpose of which is to produce higher quality and more valid forecasts as it develops.

Pseudonymization

The controller has pointed out that the processed personal data is pseudonymized in the first stage of the process. The Deputy Data Protection Commissioner states, for the sake of clarity, that pseudonymization is a justified protective measure, for example from the point of view of data minimization. However, pseudonymized information is still personal information, i.e. information related to an identifiable natural person. The regulation regarding the processing of personal data and patient data also applies when pseudonymized patient data is processed.

Primary use of patient data

The purpose of use of patient data is to secure the organization, planning, implementation and monitoring of the patient's treatment, derived from section 12 subsection 1 of the Patient Act. Patient (health and sick) treatment means, according to section 2, paragraph 2 of the Patient Act, measures taken to determine the patient's state of health or to restore or maintain his health, which are performed by healthcare professionals or performed in a healthcare operation unit.

In addition to the limitation of the purpose of use, the field of use of patient data is further limited by § 13 of the Patient Act and § 4 of the Patient Document Regulation. Based on these legal provisions, patient documents can only be processed in the above operating unit or by persons participating in the patient's treatment or related tasks on its behalf to the extent that their tasks and responsibilities require it.

Patient data can be given to other persons or for other purposes when the patient's consent is required for the transfer or there is another basis provided for in the law.

According to the Deputy Data Protection Commissioner's understanding of the processing of patient data, the so-called primary purpose of use is when patient data is processed for needs arising from the patient's own treatment or related tasks. Consequently, it is not possible to process patient data for the purposes planned by the controller without a different basis when the processing is not related to the treatment of the patient himself.

In other words, a separate legal basis must be found for the processing of patient data for the purpose of predicting the need for the use of health services at the individual level of other patients, as well as for the purpose of predicting the need for the use of health services at the population level. Such a basis can be the patient's consent or another basis provided for in the law.

The basis for processing personal data identified by the controller

In the material delivered to the data protection commissioner's office, the data controller states that the basis for processing personal data is the patient document legislation, articles 6 and 9 of the data protection regulation, the patient act, the health care act (1326/2010), the STM's patient document decree, the customer payment act (734/1992), the law on medical research (488/1999) and the Act on Publicity of the Authority's Activities (621/1999). As the exception in accordance with Article 9 of the TSA, the controller indicates the corresponding regulations.

The Deputy Data Protection Commissioner states that the basis for processing does not seem to have been identified with sufficient accuracy based on the submitted material. Naming the regulations in this context does not give a sufficient picture of which regulation would serve as a legal basis for processing patient data in the planned manner.

The Deputy Data Protection Commissioner's assessment that the processing of patient data for the intended purpose is not possible based on § 12–13 of the Patient Act is described above. The controller has not provided such information on the basis of which it would be possible to evaluate the medical research in question, even though the law on medical research is mentioned in the material. The controller has also not shown that the processing of personal data is based, for example, on the grounds laid down in the Act on the Processing of Social and Health Information (secondary law) or on any other grounds expressly laid down in the law.

In the material provided by the controller, it is pointed out that the processing is planned to be based on the consent given by the data subject. Therefore, according to the Deputy Data Protection Commissioner's opinion, the purpose is that the processing would be based on the data subject's consent.

The controller's description of requesting consent

The controller states that the risk model built in the first stage of the process (stage 1: creating a risk model) is not applied to the individual level. Before risk modeling applied to an individual, consent is collected from individuals a) to use the information stored in the data controller's patient register for profiling purposes to improve the quality and effectiveness of treatment and to be contacted if health risks or deviations are noticed, and b) to hand over selected well-being data and patient data to the data controller in order to improve treatment. Individual risk modeling is started if both consents are given.

Based on the material provided by the data controller, consent would be sought before the second stage of the process (stage 2: risk identification). The Deputy Data Protection Commissioner's understanding is that consent would not have been planned to be requested before the first stage of the process (stage 1: creating a risk model).

Since the data controller has not brought forward any other legal basis for processing patient data in step 1 of the process (making a risk model), there is no legal basis for the planned processing of patient data in step 1 of the process, according to the opinion of the Deputy Data Protection Commissioner.

Warning from the Deputy Data Protection Commissioner

The processing of health data is only possible when there is a basis for processing the data according to both Article 6 and Article 9 of the TSA. Since there would seem to be no legal basis for the planned processing of patient data during the construction and development phase of the risk model (step 1 of the process), the Deputy Data Protection Commissioner issues a warning to the data controller in accordance with Article 58, paragraph 2, subparagraph a of the TSA. If there is no basis for processing, the planned processing operations are likely to be in violation of the General Data Protection Regulation.

Before taking any processing steps, the controller must ensure that it has grounds to process the patient data as planned also in step 1 of the process. The controller can, for example, collect explicit consent from the patients to process their patient data before starting step 1. Alternatively, the controller can assess whether the regulation regarding the processing of patient data enables the planned processing activities. The controller can assess, for example, the applicability of Section 37 of the Act on the Secondary Processing of Social Security and Health Information for this purpose.

Appeal

According to Section 25 of the Data Protection Act (1050/2018), this decision can be appealed to the Administrative Court in accordance with the provisions of the Act on Trial in Administrative Matters (808/2019). The appeal is made to the administrative court.

Service

The decision is notified in accordance with § 60 of the Administrative Act (434/2003) by mail against receipt.

The decision is legally binding.