Privacy notice: Processing of personal data, client register for Finnish and Swedish pre-primary education and instruction preparing for basic education (pre-primary education)

Date of publication: 19 January 2023

Data controller

City of Espoo

Person responsible for the register

- Growth and Learning Sector / Finnish Early Childhood Education Director of Early Childhood Education

- Growth and Learning Sector / Swedish Education and Cultural Services Director of Swedish Education and Cultural Services

Contact person of the register

System specialists, evakatuki@espoo.fi 

Data Protection Officer

Data Protection Officer of the City of Espoo

Address: P.O. Box 12, 02070 City of Espoo

Tel. +358 9 81621 (switchboard)

Email: tietosuoja@espoo.fi

For what purpose is personal data processed?

The personal data stored in the register is processed for the purposes of organising pre-primary education and taking care of tasks that arise from the pre-primary education unit’s relationship with the pupil (Basic Education Act, sections 4 and 26a; Act on Early Childhood Education and Care, section 1).

Statutory information regarding the number of children is reported on the basis of this register (Act on the Financing of Educational and Cultural Provision, Act on Central Government Transfers to Local Government for Basic Public Services), and the register is used for compiling statistics for the City of Espoo. When statistics are compiled, the data is processed anonymously.

On what grounds is personal data processed?

Article 6(1)(c) of the General Data Protection Regulation of the European Union: processing is necessary for compliance with a legal obligation to which the controller is subject.

Special categories of personal data: According to section 6 of the Data Protection Act, Article 9(1) of the Data Protection Regulation does not apply to any processing of data that is provided by law or that derives directly from a statutory duty set out for the controller by law.

What data is processed?

- The child’s name, personal identity code, contact information and mother tongue

- Guardians’ names, personal identity codes, contact information and custody information

- Names and telephone numbers of other persons authorised to pick up the child

- Application for pre-primary education

- Information on the child’s need for instruction preparing for basic education

- Decision on pre-primary education and the pre-primary education unit / decision on instruction preparing for basic education and the place of instruction during the pre-primary education year

- Information on accepting/rejecting and termination of a place in pre-primary education / instruction preparing for basic education and connected early childhood education

- Information on early childhood education connected to pre-primary education / instruction preparing for basic education and the hours of early childhood education

- The child’s pre-primary education plan (LEOPS)

- Support measures for the child

- The child’s picture

- Pedagogical documentation

- Pedagogical documents related to the child’s pre-primary education / support for instruction preparing for basic education

- Transport-related information

- Information concerning the child’s attendance and absences

- The person filling in the application can also choose to provide information on the child’s sibling (if using the sibling principle), need for support, allergies and special dietary needs.

PUBLIC ACCESS TO AND CONFIDENTIALITY OF DATA: The personal data in the register is processed for the purposes of taking care of tasks related to pre-primary education / instruction preparing for basic education. The data is partly confidential (e.g. information on the child’s health or need for support).

GROUNDS FOR CONFIDENTIALITY: Basic Education Act, section 40; Act on the Openness of Government Activities, section 24, subsection 1.

What are the sources of data?

- The child’s guardians

- Pre-primary education staff

- Other employees in the multi-professional cooperation network

- When filling in the application, the applicant’s and their children’s names, personal identity codes and addresses are retrieved from the Population Information System. The information retrieved from the Population Information System is updated once a day.

- Early childhood education services, a previous provider of pre-primary education or a previous pre-primary education unit in the same municipality may disclose public information that is needed for the organisation of the child’s pre-primary education (Act on the Openness of Government Activities, section 16, subsection 3).

- The provider of early childhood education may disclose confidential information that is necessary for the organisation of pre-primary education (Basic Education Act, section 41, subsection 4; Act on Early Childhood Education and Care, section 41, subsection 3).

- A previous provider of pre-primary education or a previous pre-primary education unit in the same municipality may disclose confidential information that is necessary for the organisation of pre-primary education (Basic Education Act, section 40, subsections 2 and 4).

- In addition, health care and social welfare authorities, other providers of early childhood education, health care and social welfare services, and health care and social welfare professionals may, notwithstanding provisions on confidentiality, disclose information that is needed for the organisation of the child’s education (Basic Education Act, section 41, subsection 4).

- Under section 41 of the Basic Education Act, early childhood education services may disclose to the pre-primary education unit such information concerning the child that is necessary for the organisation of the child’s education.

Will data be disclosed or transferred outside the city?

Access may be granted to a personal data register controlled by an authority, on the grounds of section 16, subsection 3 of the Act on the Openness of Government Activities, if the person requesting access has the right to record and use such data. Personal data can only be disclosed based on a detailed information request (Act on the Openness of Government Activities, section 13, subsection 2).

Confidential information may only be disclosed with the written consent of the guardian or on the basis of a provision that authorises its disclosure (Act on Early Childhood Education and Care, section 41; Basic Education Act, section 40, subsection 4 and section 41, subsection 4; Act on the Status and Rights of Social Welfare Clients, section 20; Act on the Openness of Government Activities, section 11).

The national centralised integration service for study rights and study records (KOSKI) collects information on each learner’s education from completed study units to degrees and qualifications (Act on the National Registers of Education Records, Qualifications and Degrees, 884/2017).

The City of Espoo may use operational or technical service providers to organise the service. The service providers process personal data on behalf of the City of Espoo and according to its instructions, to the extent that is necessary to enable service provision.

The service providers (processors) that process data through eVaka (early childhood education information system) on behalf of the City of Espoo: There is a contractual relationship between the City of Espoo and Digia (framework agreement on the development and maintenance of the City of Espoo’s digital services), which means that agreements have been concluded on the matter. Amazon is Digia’s sub-processor. The agreements take account of the General Data Protection Regulation of the EU and the related descriptions of processing activities.

Will data be transferred outside the EU/EEA?

Data will not be transferred outside the EU or the EEA.

How long will data be stored?

Data is stored and destroyed in line with the records management plan of Espoo’s Finnish and Swedish Early Childhood Education units and the up-to-date versions of provisions and orders issued by the National Archives of Finland. Data is stored in the system for the duration of the archiving period. After the archiving period, the data is deleted either automatically or by the administrator (storage period is 10–12 years). Permanently stored documents will be transferred to the electronic archiving system Särmä.

How is data protected?

Data processing is regulated by the General Data Protection Regulation (e.g. the principles of purpose limitation, necessity and accuracy). Personal data is processed in a manner that ensures appropriate security of the personal data, including protection (Article 5(1)(f) of the General Data Protection Regulation). Personal data is protected against unauthorised access and unlawful processing, such as loss, alteration or disclosure. Each employee can only process the data they need to conduct their work. Each employee who processes data is under an obligation of secrecy and confidentiality, which remains in force even after the employee’s employment relationship has ended.

The protection of confidential and sensitive data is given particular consideration when, for example, describing work processes and granting access rights. Provisions on the confidentiality of data are laid down in section 40 of the Basic Education Act and section 24 of the Act on the Openness of Government Activities.

Electronic maintenance systems:

The client information system used is eVaka. The system can be used through an internal network only accessible to City of Espoo employees. Each user has personal, separately granted access rights. IT equipment is located in protected and supervised premises. Each user must accept the user agreement and non-disclosure agreement concerning the data and the information systems.

The eVaka application has been integrated into the Finnish Population Information System using the national service channel architecture. Encrypted communication between eVaka and the service channel is implemented using an encrypted protocol. Messages between services are encrypted and signed with certificates. Information on the personnel’s access rights is obtained from the City of Espoo’s user directory (Active Directory).

Manual maintenance systems:

Manual materials are stored in locked premises and destroyed by shredding or by using confidential waste bins.

Rights of the data subject

Further instructions on submitting information requests referred to in the General Data Protection Regulation: Data protection / Clients’ right of access to personal data

How can I access my data?

You have the right to obtain from the data controller a copy of the personal data that is subject to processing. The data controller must provide the data without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

If the data controller does not take action on the request of the data subject, the data controller must inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and of the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Requests from the data subject and any resulting actions are free of charge. However, where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the data controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.

When can I request rectification of my data?

You have the right to have inaccurate, incomplete, outdated or unnecessary personal data that we store either rectified or completed by us.

When can I request erasure of my data?

You have the right to have the data controller erase your personal data without undue delay under certain conditions. The data subject does not have the right to erasure if the processing of data is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. In these cases, the data will only be erased after the statutory time limit.

When can I request restriction of processing of my data?

If the data concerning you is inaccurate, you have the right to request that its processing be restricted until its accuracy has been verified.

Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority if you feel that the processing of your personal data is in infringement of data protection legislation. You can lodge a complaint with the Office of the Data Protection Ombudsman: www.tietosuoja.fi(external link)