Privacy notice Processing of personal data, outreach youth work

Date of publication: 18 September 2020 (Updated: 7 August 2024)

City of Espoo

Anna Vilen, Manager of Local Youth Services

Ida Stolt-Haglund, Development Manager, Swedish Education and Cultural Services

Email: firstname.lastname@espoo.fi

Tel. 09 816 21 (switchboard)

Tatu Törmänen, Youth Work Service Supervisor

Email: firstname.lastname@espoo.fi

Tel. +358 9 81621 (switchboard)

Helena Niemi, Data Protection Officer of the City of Espoo

Address: P.O. Box 12, 02070 City of Espoo

Tel. +358 9 81621 (switchboard)

Email: tietosuoja@espoo.fi

According to section 10, subsection 1 of the Youth Act, the mission of outreach youth work is to reach young people in need of assistance and provide access to services and other support designed to promote their growth, independence, social inclusion and life management skills as well as to improve access to education and facilitate entry into the labour market. Outreach youth work is based on voluntary participation by and cooperation with the young person involved.

The personal data register for outreach youth work is used to reach and identify young people in need of support and to offer support to young people. In addition, the register is used to facilitate the provision of support for young people in cooperation between authorities and other operators. In outreach youth work, the register is used to manage and develop client relationships as well as for analytical and statistical purposes. Data is collected while a young person is a client of outreach youth work.

Personal data is processed in the national PARent customer management and statistical system. The Excel-based PAR system is part of the Microsoft M365 solution. PAR was also designed to facilitate the tracking of state aid. Anonymised, numerical and statistical client data is transferred to the national PARent system database.

In outreach youth work, the users of the system are responsible for the processing of data related to their tasks.

Article 6(1)(c) of the General Data Protection Regulation of the European Union: processing is necessary for compliance with a legal obligation to which the controller is subject. Provisions on outreach youth work and the related collection of data are laid down in sections 10–12 of the Youth Act.

The situation of young people in need of support varies, which affects the amount of data collected and processed in connection with outreach youth work. As the data controller, the City of Espoo ensures that the personal data is necessary and correct considering the tasks of outreach youth work.

Basic information, i.e. a person’s first and last name, date of birth and municipality of residence, is first collected in the register. Other information that is necessary for the management of the client relationship may also be collected. This includes background information as well as information on the person’s situation, client relationship and logs. The young person’s personal identity code is collected if it is necessary for service counselling purposes.

In the national PARent customer management and statistical system:

• Basic information: first name, last name, date of birth, email address, telephone number, street address, postal code and city/town
• Background information: education, work experience, goals, family and other background information
• Situation-related information: main activities, financial situation and form of housing
• Client information: how they became a client, start and end date of client relationship, measures during client relationship
• Log information: other client-approved matters affecting the client relationship

Outreach youth work is usually carried out based on the information provided by the young person and their own assessment of their need for support. If outreach youth workers need information on the young person from other sources, it can be obtained with the young person’s consent. In the case of minors, the situation is first discussed with their guardian, unless this is clearly contrary to the young person’s interests.

Basic information is obtained when a young person is registered as a client of outreach youth work under the Youth Act.

Young people can also seek help from outreach youth work themselves. According to section 11 of the Youth Act, education providers (basic education, vocational education, general upper secondary education or preparatory education for programmes leading to an upper secondary qualification), the Finnish Defence Forces and the Centre for Non-Military Service have an obligation to refer a young person to outreach youth work and can do so without the young person’s consent. Additionally, an authority other than those mentioned above and the Social Insurance Institution of Finland (Kela) may, regardless of non-disclosure provisions, disclose the young person’s identifying and contact information to their municipality of residence for the purposes of outreach youth work. With the express consent of the young person or the guardian of a minor, anyone can refer them to outreach youth work (young person’s identifying and contact information).

Other information (background, situation, client relations and logs) is obtained from the young person or, with the young person’s consent, from the party that referred them to outreach youth work.

Data and documents are disclosed to the person requesting them in accordance with the Act on the Openness of Government Activities. Information and documents are public unless specifically defined as confidential under law. Information about a person being subject to outreach youth work can be considered information on their personal circumstances and therefore confidential under section 24, subsection 1, paragraph 32 of the Act on the Openness of Government Activities.

In connection with outreach youth work, such information concerning the young person may be generated that may need to be disclosed to the service provider to which the young person is referred. Such information concerning the young person may only be disclosed to another authority with the express consent of the young person or their guardian if the young person is a minor. However, a minor may make decisions regarding the disclosure of their personal information according to their level of maturity.

For under 18-year-olds, when the conditions of the Child Welfare Act are met, outreach youth workers have to submit a child welfare notification or an anticipatory child welfare notification to child welfare authorities in accordance with sections 25 and 25c of the Child Welfare Act. Provisions on contacting social services for the purpose of assessing the need for support are set out in section 35 of the Social Welfare Act. In addition, social welfare authorities and the police have a legal right to obtain, on request, information on a young person from outreach youth work under section 64 of the Act on the Processing of Client Data in Healthcare and Social Welfare and chapter 4, section 2 of the Police Act. According to section 28 of the Youth Act, any non-disclosure obligation notwithstanding, any party performing duties pursuant to the Youth Act is entitled to disclose to the police information necessary for the purpose of assessing any threat to life and limb and preventing any acts of threat if they become aware of circumstances suggesting that a person may be at risk of being exposed to violence.

The City of Espoo may use operational or technical service providers to organise the service. The service providers process personal data on behalf of the City of Espoo and according to its instructions, to the extent that is necessary to enable service provision. The PAR system is used for tracking the spending of state aid granted by Regional State Administrative Agencies, harmonising data production and statistics across the country, evaluating performance and compiling reports for different funding agencies. Standardised PARkki statistics can be used to study the distribution of assistance granted towards youth work and to facilitate decision-making. PAR is managed by the Regional State Administrative Agency for Western and Inland Finland and financed by the Ministry of Education and Culture. The system is offered to users free of charge.

The Excel-based PAR system is part of the Microsoft M365 solution.

Statistical material collected (no identifying data) is sent to the national database (nuorisotilastot.fi).

The email messages handled by the email service provided by Microsoft are stored within the EU. Microsoft operates and develops Office 365 services from locations outside Europe, and data is considered to be transferred outside the EU if, for example, an administrator establishes a remote connection from the United States to a data centre in Europe, for example to solve a technical problem. In these situations, safeguards are established to maintain the high level of data protection required by European legislation even after the personal data has been transferred. These safeguards include an adequacy decision by the European Commission and a commitment to the required safeguards, such as the EU-US Data Privacy Framework, by the recipient of personal data. Required safeguards may also include the use of standard contractual clauses adopted by the European Commission as part of agreements concluded with personal data processors, in addition to which the processors are required to observe appropriate technical and administrative safeguards.

Data is stored and destroyed in line with the City of Espoo’s records management plan and the applicable provisions and regulations issued by the National Archives of Finland.

Client data is stored for as long as it is deemed necessary for the purpose of managing the client relationship. Data may be stored for the duration of the calendar year in which the client relationship ended and for the following calendar year or for about 3 months after the client relationship ended.

Data is deleted at the request of the young person or their guardian who gave their consent or due to the ending of the client relationship.

Data protection legislation guarantees various rights for the data subject in relation to the processing of personal data. Requests concerning the data subject’s rights can be submitted to the city’s Data Protection Officer or the contact person of the register using the above-mentioned contact details.

If necessary, the controller may ask the data subject to provide additional information to fulfil the request.

The controller must respond to a request concerning the data subject’s rights without undue delay and no later than one month after receiving the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

If the data controller does not take action on the request of the data subject, the data controller must inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Requests from the data subject and any resulting actions are, as a rule, free of charge. However, where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.

The data subject shall have the right to obtain from the controller confirmation as to whether personal data concerning him or her is being processed as well as the right to access the data and to obtain a copy of the data. However, the provision of data shall not adversely affect the rights or freedoms of others.

The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. In addition, taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed.

Under certain conditions, the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her. For example, if the processing of personal data is based on consent and the data subject withdraws his or her consent and there is no other legal ground for the processing, the data subject shall have the right to have his or her data erased. However, the data subject shall not have the right to erasure if the processing of data is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The data subject shall have the right to request the restriction of processing in certain situations. For example, if the accuracy of the personal data is contested by the data subject, processing is restricted for a period enabling the controller to verify the accuracy of the personal data. The right also applies if the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her, which is processed for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In such a situation, the controller may only continue processing the personal data if the controller demonstrates compelling legitimate grounds for the processing. Processing may also continue if it is necessary for the establishment, exercise or defence of legal claims.

The data subject shall have the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes data protection legislation. The data subject can lodge a complaint with the Office of the Data Protection Ombudsman: www.tietosuoja.fi(external link, opens in a new window)

Change history: -