Updated: 7 February 2017
This data protection description applies to customers of nursing and social services provided by Mehiläinen Oy and its subsidiaries for whom Mehiläinen Oy or a subsidiary acts as the controller.
Pohjoinen Hesperiankatu 17
00260 Helsinki, Finland
Business ID: 1927556-5
If a customer relationship is based on an assignment by a municipality or a joint municipal authority, or if the customer has been granted a service voucher, the controller is the municipality or joint municipal authority in question. The controller’s data protection policy and the operating models described therein are observed with regard to these customer records. Concerning the aforementioned registers, please contact social services in the municipality that makes the investment.
2 CONTACT PERSON FOR REGISTER QUERIES
The person in charge of privacy protection at Mehiläinen Group and the contact person for data subjects is Mehiläinen’s Chief Medical Officer Jarmo Karpakka, firstname.lastname@example.org, switchboard +358 10 414 0112.
3 THE PURPOSE OF USE OF THE CUSTOMER REGISTER AND THE GROUNDS FOR PROCESSING THE DATA
The processing of customer data is based on the law or the customer’s consent.
The information stored in the customer register will be utilised for the planning, implementation and assessment of the customer’s care, and for other statutory or consent-based purposes of use.
If the controller is a municipality or a joint municipal authority, these customer records will be stored separately and delivered to the controller for filing at the end of the customer relationship.
4 THE DATA STORED IN THE CUSTOMER REGISTER
The customer’s name, personal identity code, and contact information.
Next of kin designated by the customer, legal guardian for a minor, the customer’s legal representative, and any other contact persons/parties reported by the customer.
Information required in order to organise, plan, implement and monitor the customer’s care and rehabilitation, such as event and health data gathered during examinations and treatment, and preliminary information.
Information about the duration of the service, billing details for the service, and invoicing addresses.
Other information necessary for treatment, e.g., a nurse’s, nutritionist’s, or psychologist’s records concerning the patient.
Information on any disclosure of data and the grounds for disclosure.
Information on the person who provided the customer with care and rehabilitation.
In child welfare units, certificates of basic education and a plan on the arrangement of personal teaching.
The customer register information forms a coherent whole. Information recorded by health care professionals who take part in the care and rehabilitation of the customer is stored in the same register, as a partial register thereof.
In addition to the electronic register, separate paper-format registers can be maintained as partial registers that include information on, e.g., the customer’s consents and prohibitions on the disclosure of customer records, signed lease and service agreements, a list of medication, a list of outdoor activities, a list of liquids, or other similar lists that ensure the implementation of care and rehabilitation.
4.1 Regular sources of information
The customer, the customer’s guardian, the customer’s legal representative, or the customer’s next of kin.
The medical staff, and health care and social welfare professionals.
With the customer’s consent, information can also be obtained from other social welfare units or professionals, for example via the national patient data repository (Kanta).
4.2 Storage time
In the storage times of the personal data stored in the customer register, the valid regulations on the storage times of customer data will be followed.
5 SHARING OF CUSTOMER DATA
Customer records are confidential, and the staff are obliged to maintain confidentiality.
Customer data can be transferred:
· By specific, individualised consent of the customer or his/her legal representative.
· If applicable law so indicates.
When the said service is provided with the concession contract of a municipality or joint municipal authority, the principal acts as the controller. In such a case, the municipality or joint municipal authority decides on all disclosure of data, even when this is based on legislation.
5.1 Regular submission of customer data and the groups acquiring them
For research, planning, statistics and supervisory tasks to the National Institute for Health and Welfare and the Finnish Medicines Agency Fimea who maintain national health care registers, and to Fimea for the purpose of narcotics control.
The following terms are applied with respect to other possible data recipients:
· During further examinations, the customer records may be submitted to another health care operations unit or health care professional with the customer’s verbal consent registered in the customer documents.
· Information necessary for arranging and implementing the customer’s examination and treatment by another Finnish or foreign health care operations unit or health care professional can also be submitted to such a unit or person if, on account of a mental disturbance, mental disability, or a similar factor, the patient is not able to evaluate the significance of consent and he or she does not have a legal representative, or if, because the customer is unconscious or there are comparable circumstances, consent cannot be obtained.
· The national patient data repository (Kanta).
· Information may be submitted to an insurance company with the customer’s written consent or if required by law.
· The customer’s guardian, other legal representative, and the customer’s next of kin, if the customer has given consent to this. If a minor customer, because of his/her age or level of development, can decide on the treatment given to him/her, he/she has the right to prohibit the provision to his/her guardian or other legal representative of information on his/her state of health and care.
· Also, in the case of a customer whose being treated is a result of unconsciousness or a comparable factor, the customer’s personal information and information on his or her health may be submitted to the customer’s next of kin or another person close to him or her, unless there is reason to assume that the customer would prohibit this.
6 USE OF CUSTOMER DATA AND THE GENERAL PRINCIPLES OF PROTECTION
Customer records have been prescribed as confidential, and no such records are disclosed to outsiders.
Customer records are to be used only by the people treating the customer at the operations unit in question, to the extent their duties so require, or on its commission or by people participating in related tasks. The controller’s senior executives decide on organisational solutions and specify the levels of access rights granted to employees. Obtaining a user ID and a password requires the signing of a non-disclosure agreement.
Old paper-based registers and other physical files are kept in locked and supervised facilities.
The information to be processed electronically can only be accessed by authorised employees with their personal user IDs and passwords. The use of customer records is supervised via monitoring of log information.
7 RIGHTS OF THE DATA SUBJECT
7.1 The data subject’s right of access to the data (inspection right)
The customer has the right to access his or her personal data. Such an inspection request must be made in accordance with Section 8 of this data protection description. The right to inspection may be declined on statutory grounds. The information is provided by a person in charge at the operating unit or other health care professional, determined by the person in charge, who registers the exercise of the right of access in the customer records. Customers can check their customer records free of charge once a year.
When the service is based on an assignment from a municipality or joint municipal authority, or a service voucher granted by them, the right to inspection is granted by an official at the municipality or joint municipal authority, on the basis of a written request.
7.2 The data subject’s right to demand rectification or erasing of data or a restriction on processing data
The controller is obliged to perform correction, erasing, or supplementing of information in the customer records without unnecessary delay, on his or her own initiative or upon the customer’s request, to address information that is erroneous, unnecessary, incomplete or obsolete for the purpose of use of the customer records.
The data subject also has the right to demand the controller to restrict the processing of his or her personal data, for example, in a situation where the data subject is waiting for Mehiläinen’s response to his or her request to rectify or erase data.
Implementation and organisation of the data’s rectification and restriction of processing
· A rectification request and a request for restricting the processing of data must be made in writing and be addressed to the controller in accordance with Section 8 of this data protection description, and it must always be delivered personally to the operative unit as well. The customer’s identity will be authenticated using a reliable method.
· If the customer’s request is considered legitimate, the correction and possible procedures to restrict processing will be made by a person who has the right to correct the customer records.
· Any incorrect entries are struck out or are transferred to a background file such that both the incorrect and correct entry can be seen. The name and position of the person making the correction, the correction date, and the grounds for the correction must be entered in the documents.
7.3 The data subject’s right to make a complaint to the supervising authorities
The data subject has the right to make a complaint to the competent supervising authorities if the controller has not followed the applicable data-protection regulations in its operations.
7.4 The national patient data repository (KANTA)
Mehiläinen joined the KANTA repository for the part of health services on 21 April 2016. Customer data on nursing and social services, on the other hand, will not be exported to the KANTA repository.
In all matters related to the processing of personal data and all situations regarding the exercising of one’s own rights, the data subject should contact Mehiläinen by post at the address: Mehiläinen Oy / Asiakasrekisteri, Pohjoinen Hesperiankatu 17 C, FI-00260 Helsinki. When required, Mehiläinen can request the data subject to further specify their request in writing, and, if needed, the identity of the data subject can be authenticated before initiating any other measures.