How Finland is pioneering the use of health data for secondary purposes

By Mario Romao, Health and AI Policy

Can we envisage a future where, for secondary use, the efficient and secure processing of health and social data collected during the provision of social and healthcare is made possible, at scale and under the requirements of the GDPR?

Yes, according to Finland. This Nordic nation and European Union member approved a law, the “Act on the Secondary Use of Health and Social Data”, to leverage the exceptionally comprehensive and high-quality data resources in the social welfare and healthcare sector by facilitating their better use while respecting the privacy of individuals.

It was within this pioneering policy context, that Intel participated at the High-Level Forum on the Silver Economy on July 9-10, 2019 in Helsinki. The Forum gathered global, national, and local business and government leaders. David Ryan, Intel’s GM for Health and Life Sciences moderated the session “From Pilots to Scale: Technology and Policy Driving the New Wave of Health, Ageing and Innovation”.

Quite often, the successful scaling of pilots hinge on supportive legislative frameworks. The Act on the Secondary Use of Health and Social Data is just one of those frameworks. As the availability of data increases, so does the potential to provide better services and more effective therapies and treatments. For instance, technologies such as Artificial Intelligence, require quality data to function. It can help physicians and researchers prevent disease, speed recovery and save lives, by unlocking complex and varied data sets to develop new insights.

The Act establishes a “one-stop shop” – the Data Permit Authority – to grant data permits for health and social data in a centralised manner, namely when a data enquiry requires collection from several data repositories managed by different organisations. An operating environment with robust cyber security controls will be created in which the data disclosed can be processed in accordance to the permit, although processing in other environments is also foreseen.

The secondary uses referred to in the Act include scientific research, statistics, development and innovation activities, steering and supervision of authorities, planning and reporting duties by authorities, teaching and knowledge management.
In accordance with the principle of data minimisation, the data will be made accessible in the following order of priority and according to the specific request:

  • Aggregate data
  • Anonymised personal data
  • Personal data that does not contain identifiers that would directly identify a person
  • Pseudonymised personal data
  • Exceptionally, data containing personal identifiers in well-justified situations.

It is worth mentioning that when the data to be disclosed was collected on the basis of the data subject’s consent, a data permit to access those data will only be granted if it conforms to the terms and conditions of the consent. Moreover, in Finland, “public interest” (art. 6.1.e and art. 9.2.(j) of the GDPR) are used as the legal basis for processing personal data for scientific research.

Intel has long promoted the innovative and ethical data use for the transformative positive impact it can make on the lives of individuals. Finland’s Act on the Secondary Use of Health and Social Data is a giant step in the right direction. One that should serve as inspiration to other EU Member States and countries around the world to follow next.