Tietosuojavaltuutetun toimisto (Finland) - 8979/162/21

From GDPRhub
Tietosuojavaltuutetun toimisto - 8979/162/21
LogoFI.png
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 6(1) GDPR
Article 6(1)(c) GDPR
Article 6(1)(e) GDPR
Article 6(3) GDPR
Article 10 GDPR
Act on Investigating the Criminal Background of Persons Working with Children 504/2002
Article 23 Data Protection Act in Criminal Matters 1054/2018
Type: Other
Outcome: n/a
Started:
Decided:
Published: 18.03.2022
Fine: n/a
Parties: Oulun kaupunki, sosiaali- ja terveyspalvelut
National Case Number/Name: 8979/162/21
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: Anna Naumchuk

The Finnish DPA issued a reprimand to the social and health services for requesting police data from persons applying to become family caregivers. The persons had to use their right of inspection to obtain information required by the authority.

English Summary[edit | edit source]

Facts[edit | edit source]

Social and health services of the city of Oulu (the controller) is an authority that checks whether a person who applies for foster or support family activities is suitable for the role of a family caregiver. The police received numerous requests regarding the data subjects’ right of inspection in accordance with Article 23 Data Protection Act in Criminal Matters 1054/2018 (Lakihenkilötietojen käsittelystä rikosasioissa ja kansallisen turvallisuuden ylläpitämisen yhteydessä), where the data subjects used their right of inspection at the request of the controller.

Social and health services required persons applying to become family caregivers to use the persons’ right of inspection regarding the processing of personal data by the police and submit the answer they received for the controller. In the controller’s view, requesting such information was necessary to assess the person’s suitability and safeguard the child’s interests. Moreover, information could not be handed over to the authority solely based on the person’s consent since, according to the principles of the GDPR, collection of personal data by authorities should primarily be based on law. For this reason, it became a practice to request police information for consideration directly from the data subjects.

Holding[edit | edit source]

The Finnish Office of the Data Protection Commissioner (DPA) issued a reprimand to the controller and held that the controller violated provisions of Articles 6(1) and 10 GDPR, as it did not have a legal basis for the processing of the personal data in question. Article 6(3) GDPR requires that the basis for the processing of personal data in the cases stipulated in Articles 6(1)(c) or 6(1)(e) GDPR shall be laid down in the Union or Member State law applicable to the controller. As the DPA rightly observed, the Finnish national legislation has the law that Article 10 GDPR refers to, – Act on Investigating the Criminal Background of Persons Working with Children 504/2002 (Laki lasten kanssa työskentelevien rikostaustan selvittämisestä). Thus, there is an appropriate procedure for checking the criminal background of family caregivers.

The DPA stressed that the goal of the right of inspection established in Article 23 Data Protection Act in Criminal Matters 1054/2018 (Lakihenkilötietojen käsittelystä rikosasioissa ja kansallisen turvallisuuden ylläpitämisen yhteydessä) is that a person has the opportunity to use this right so that they can themselves stay informed about the legality of the processing and check it. Also, the DPA noted the authority cannot require the person to provide information obtained based on the use of the person’s inspection right, and thus cannot use the inspection right as a tool for the authority’s information acquisition. Even if, according to the controller’s opinion, the acquisition of more extensive data and the processing of personal data would be justified, the controller cannot introduce additional illegal procedures in addition to the procedure stipulated in the law.

Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

Exercising the registered right of inspection at the request of the controller regarding the processing of police personal data

Keywords: right of inspection
social services
support and foster family activities

Legal basis: decision in accordance with the EU General Data Protection Regulation

Diary number: 8979/162/21

Decision of the Deputy Data Protection Commissioner

Thing

Exercising the registered right of inspection at the request of the controller regarding the processing of police personal data

Initiator

Own initiative of the Office of the Data Protection Commissioner

Registrar

City of Oulu, social and health services

The processing of personal data in question

According to the information received from the police by the Office of the Data Protection Commissioner, the police have received numerous requests regarding the data subject's right of inspection in accordance with Section 23 of the law on the processing of personal data in criminal matters and in connection with the maintenance of national security (1054/2018, hereinafter the Data Protection Act in Criminal Matters), where the data subject has used the right of inspection at the request of the controller. According to the information received from the police, apparently the social and health services of the data controller have required persons applying for support family or foster family activities to use the registered person's right of inspection regarding the processing of personal data by the police and submit the answer they received for the data controller to see

Statement received from the registrar

Pursuant to Article 58(1) of the Data Protection Regulation (EU) 2016/679 and Section 18 of the Data Protection Act (1050/2018), the Office of the Data Protection Commissioner has requested an explanation from the data controller with the following questions. The report on the welfare services of the city of Oulu has been received on 13 December 2021. The report was given by the social director. In response to the questions asked in the clarification request, the controller stated the following:

1. Has the social services of the city of Oulu required, for example, persons applying for foster or support family activities to submit to the social services of the city of Oulu based on exercising the right of inspection?

Yes. The issue is related to the approval process for family caregivers. According to Section 6 of the Family Care Act, a person who, based on their education, experience or personal characteristics, is suitable to provide family care can be accepted as a family carer. Before entering into an assignment contract, a person who intends to become a family caregiver must complete the preliminary training required for the task. The Family Nursing Act or elsewhere does not provide for record keeping or the authorities' right to receive information regarding persons who apply and are accepted as family caregivers. Basically, child protection, like other social care authorities, has a very wide right to access information in customer matters from other authorities, such as the police, pursuant to Section 20 of the Social Care Customer Act when it is necessary to organize social care. Since the family caregiver is not a client of social care and no client has been placed with her during the application phase, the applicability of the Social Care Client Act and its provision entitling to access to information is unclear, and the City of Oulu is aware that some municipalities have deemed it also applicable to those applying to become family caregivers.

Unlike the Family Care Act, the Adoption Act has a separate provision on the applicability of the Social Care Customer Act to the recipient of adoption counseling (Adoption Act § 96). According to the child welfare authorities, it would be necessary to add a similar reference, which explicitly states that the Customer Act is applicable to a person applying to become a family caregiver or who is undergoing preliminary training, also in the Family Care Act.

Children placed by child welfare services are children in a particularly vulnerable position and in need of support, often traumatized, whose care and upbringing by family caregivers is a public administrative task. When weighing the effects of different measures on the rights of individuals, the child welfare authorities must primarily consider the best interest of the child. For the reasons mentioned above, the child protection authorities must ensure that the conditions at the family caregiver's place are safe and stable and that the children placed in foster care receive better care than at home.

The child welfare authorities have considered it necessary to make sure that a person is suitable as a family caregiver even before children are placed with him. From the point of view of the child welfare authorities, the information that appears from the criminal records of those who work with children alone has not been sufficient to ensure suitability for the role of a family caregiver. For example, home alarms due to intoxication or domestic violence or other disruptive behavior that appear in the police's data are necessary information, because they can be an obstacle to working as a family caregiver.

As stated, the applicability of Section 20 of the Customer Act when a person applies to become a family caregiver and has not yet been placed with children is unclear nationwide. In Oulu, it has been interpreted so that the Social Care Client Act does not apply to a person applying to be a family caregiver during the training/acceptance phase, when there is no client placed with him. Consequently, the only option left is to request information with the consent of the person applying to be a family caregiver, or to request information from the person applying to be a family caregiver.

According to the information received from the police, information or a statement cannot be handed over to the authority solely based on the person's consent. For this reason, it has become a practice to request police information to be seen directly from the applicants themselves.

The city of Oulu's own family caregivers are only people approved as family caregivers, for whom the procedure is described above. Other support family and support person activities There is a shopping service in Oulu. Regarding the shopping service, the city has not made an assessment of the person's suitability as a support family or support person, but the suitability assessment has been made by a private service provider.

2. If the social services of the city of Oulu have operated as described in the 1st question, then who or which institution has decided on the introduction of the procedure and by whom and how has the procedure been instructed?

Checking police records for those applying to become family caregivers has been a practice for a long time, and it is not known that it was actually decided or discussed in the municipal institution.

3. If the social services of the city of Oulu have operated as described in question 1, how has the received data been processed (who has been able to process the data, has it been stored on a platform and how long is the data stored)?

Police information, as well as other information requested from those applying to become family caregivers, have been processed in the city of Oulu only by certain designated officials and employees in the foster care support unit, whose tasks include the approval of family caregivers. The police data has not been received, collected or stored in the information systems of the child protection authorities, but the system only contains an indication of the data inspection date and the inspector.

4. If the social services of the city of Oulu have operated as described in the 1st question, does it still intend to continue the operation in question?

After the request for information from the Data Protection Commissioner, the City of Oulu has become aware of the decision of the Data Protection Commissioner regarding the procedure of the City of Helsinki on January 15, 2021 (6689/186/20), against which the City of Helsinki has appealed. Since the status of the case is unclear, the child protection authorities of the city of Oulu have no longer requested police information from those applying to become family caregivers.

However, from the point of view of the child welfare authorities of the city of Oulu, it is risky that the police information could not be checked under any circumstances for those who apply to become family caregivers or support families. From the point of view of the child protection authorities of the city of Oulu, the legislation should add articles regarding the registration of data of those intending to become family caregivers and family caregivers, and regarding the checking of information, a reference to the applicability of Section 20 of the Social Care Customer Act to the assessment of the suitability of those who intend to become family caregivers. This would make it possible to request information already at the stage when a person applies to become a family caregiver or support family and the authority considers that requesting certain information is necessary to assess the person's suitability and safeguard the child's interests.

Those who apply and are accepted as family caregivers must be registered in the authority's personal register. This data registration, as well as the right to receive information about a person applying to be a family caregiver, currently has to be based on consent in the absence of a law, which is not appropriate from the point of view of the child protection authorities, taking into account the principles of the EU data protection regulation, according to which the collection of personal data by the authorities should primarily be based on the law. It would be desirable for the legislation to be clarified in this regard as soon as possible.

Applicable regulations and evaluation of the matter

The registrar has implemented a procedure in which persons who wish to become family caregivers must use the registered person's right of inspection provided for in Section 23 of the Criminal Data Protection Act regarding the processing of personal data by the police and present the personal data obtained based on the right of inspection to a representative of the registrar. Family care refers to family care according to Section 3 of the Family Care Act (263/2015).

The processing of personal data is defined in Chapter 1, Article 4, Section 2 of the Data Protection Regulation, the processing of personal data is also the fact that the controller requires the registrant to present documents containing personal data and check them.

According to Article 10 of the Data Protection Regulation, the processing of personal data related to criminal convictions and crimes or related security measures based on Article 6 paragraph 1 is only carried out under the supervision of an authority or when it is permitted by Union law or the legislation of a Member State, which provides for appropriate safeguards to protect the rights and freedoms of the data subject. A comprehensive criminal record is only kept under the supervision of a public authority.

The Data Protection Regulation is directly applicable legislation in the member states. However, Article 6(2) of the Data Protection Regulation enables more detailed regulations to be issued to adapt the provisions of the Regulation when the processing of personal data is necessary to comply with the controller's statutory obligation (Article 6(1)(c)) or to perform a task in the public interest or to exercise public authority vested in the controller (Article 6(1) point e). Article 6, paragraph 3 of the Data Protection Regulation requires that the basis for the processing of personal data is regulated in these situations in Union law or in the legislation of the Member State applicable to the data controller. Such legislation may contain provisions on, among other things, the type of data to be processed, the persons registered, the parties to whom and the purposes for which personal data may be disclosed.

In Finnish national legislation, there is a regulation referred to in Article 10 of the Data Protection Regulation, which concerns the processing of personal data related to criminal convictions and crimes in the case of family caregivers. The law on checking the criminal background of people working with children (504/2002) applies to checking the criminal background of family caregivers, in accordance with section 2, subsection 1, point 3 of this law. The legislation has thus created a proportionate and appropriate procedure for checking the criminal background of those working with children.

The goal of the registered right of inspection is that the registered person has the opportunity to use this right so that he can himself stay informed about the legality of the processing and check it. The authority cannot require the registered person to provide information obtained based on the use of the registered person's inspection right, and thus cannot use the registered person's inspection right as a tool for the authority's information acquisition. Even if, according to the controller's opinion, the acquisition of more extensive data and the processing of personal data would be justified, the controller cannot introduce additional illegal procedures in addition to the procedure stipulated in the law.

Regarding the conditions for the processing of personal data in official duties, Article 6, Clause 1, subsections c and e of the Data Protection Regulation and the national regulations issued based on them are followed. With regard to criminal convictions and crimes or security measures related to them, the regulations regarding the authority's activities must meet the requirements set out in Article 10 of the Data Protection Regulation. By requiring that aspiring family caregivers must use the right of inspection in accordance with Section 23 of the Criminal Data Protection Act, and when processing personal data obtained on the basis of the right of inspection, the controller has acted contrary to the provisions of Article 6(1) and Article 10 of the Data Protection Regulation, as it has not had a legal basis for the processing of the personal data in question.

Note from the Deputy Data Protection Commissioner

I give the data controller a notice in accordance with Article 58, paragraph 2, subparagraph b of the Data Protection Regulation, because the personal data processing operations of the data controller, as described above, have been in violation of Article 6, Paragraph 1 and Article 10 of the Data Protection Regulation. The registrar has announced that it will not continue the activity in question.

Supervision of the deputy data protection officer

According to the registrar's report, there is no provision in the Family Care Act or elsewhere for the keeping of records or the authorities' right to receive information regarding persons who apply and are accepted as family caregivers. As a guide, I state that the criminal background check of family caregivers is subject to the Act on investigating the criminal background of those working with children (504/2002), in accordance with section 2, subsection 1, point 3 of this law (section 5 above).

Appeal

According to Section 25 of the Data Protection Act (1050/2018), this decision can be appealed by appealing to the Administrative Court in accordance with the provisions of the Act on Trial in Administrative Matters (808/2019). The appeal is made to the administrative court.

Service

The decision is notified in accordance with § 60 of the Administrative Act (434/2003) by mail against receipt.