Privacy Notices Processing of personal data, Finnish and Swedish Early Childhood Education units’ client register (early childhood education)

The personal data stored in this register is processed for the purposes of organising early childhood education and taking care of tasks that arise from the early childhood education provider’s relationship with the child.

Date of publication: 23 September 2020

1. Data controller

City of Espoo

2. Person responsible for the register

Director of Finnish Early Childhood Education

Director of Swedish Education and Cultural Services

3. Contact person of the register

Miia Latvala System Coordinator miia.latvala(at)espoo.fi P.O. Box 30, 02070 City of Espoo tel. 043 827 3209

4. Data Protection Officer

5. For what purpose will personal data be processed?

The personal data stored in this register is processed for the purposes of organising early childhood education and taking care of tasks that arise from the early childhood education provider’s relationship with the child (section 5 of the Act on Early Childhood Education and Care) ·

Statutory information regarding the number of children is reported on the basis of this register (Act on Central Government Transfers to Local Government for Basic Public Services)

The register is used for compiling statistics for the City of Espoo. When statistics are compiled, the data is processed anonymously.

Personal data is processed on the grounds of:

Article 6(1)(c) of the General Data Protection Regulation of the European Union (2016/679)

Act on Early Childhood Education and Care (540/2018)

Government Decree on Early Childhood Education and Care (753/2018)

Act on Client Fees in Early Childhood Education and Care (1503/2016)

6. On what grounds will personal data be processed?

Article 6(1)(c) of the General Data Protection Regulation of the European Union: processing is necessary for compliance with a legal obligation to which the controller is subject.

Special categories of personal data: According to Section 6 of the Data Protection Act Article 9(1) of the Data Protection Regulation does not apply to any processing of data that is provided by law or that derives directly from a statutory duty set out for the controller by law.

7. What data will be processed?

The information system, event calendar and forms used by Espoo’s Early Childhood Education:

· The child’s name, personal identity code, contact information, mother tongue

· Custodians’ names, personal identity codes and contact information

· The information of other persons living in a shared household with the child

· The need for services

· Application information

· Decision on early childhood education and decision on a place in early childhood education · Information on the early childhood education provider and the needs for services

· Entries mentioning acceptance of the early childhood education place and discontinued early childhood education

· Agreement on the hours of the child’s early childhood education

· The child’s early childhood education plan

· The health information needed for the organisation of early childhood education

· Decision on transport

· Information on the child’s day-to-day attendance and absences

· Early childhood education support measures

· Early childhood education employees’ observations on the child’s development as entered on an observation form

· Information on client fees

· Other information needed for the provision of early childhood education

PUBLICITY AND CONFIDENTIALITY OF DATA:

Some of the data is confidential.

GROUNDS FOR CONFIDENTIALITY:

Act on the Openness of Government Activities 24.1 §, Act on early childhood education 40 §

8. What are the sources of data?

· The child’s custodians

· Early childhood education employees

· Client information is updated from the Finnish Population Information System through the KAR (municipal resident register) application

· A former early childhood education provider may hand over public information which is necessary for the organisation of a child’s early childhood education (section 16(3) of the Act on the Openness of Government Activities).

· Notwithstanding provisions on confidentiality, a former early childhood provider must immediately hand over information which is necessary for the organisation of a child’s early childhood education (section 41(3) of the Act on Early Childhood Education and Care)

· Notwithstanding provisions on confidentiality, education officials, social and health care officials, other early childhood education, social and health care providers and social and health care professionals may hand over information which is necessary for the organisation of a child’s early childhood education (section 41(1) of the Act on Early Childhood Education and Care).

9. Will data be disclosed or transferred outside the city?

Access may be granted to a personal data register controlled by an authority, on the grounds of section 16(3) of the Act on the Openness of Government Activities, if the person requesting access has the right to record and use such data. Personal data can only be disclosed following a specified request for data (section 13(2) of the Act on the Openness of Government Activities).

Confidential information may only be disclosed with the written consent of the guardian, or on the grounds of a provision of an act that authorises its disclosure (section 41 of the Act on Early Childhood Education and Care, section 41(4) of the Basic Education Act, section 20 of the Act on the Status and Rights of Social Welfare Clients, section 11 of the Act on the Openness of Government Activities).

Some data that is stored in the early childhood education customer information system is transferred to Community, an invoicing system used to invoice early childhood education clients.

For the purpose of statistics, a set of data put together in the Effica system concerning ongoing placements, decisions on fees, the related rows, needs for special support, support measures, applications, persons, families, journal entries, unit information and employee attendance is transferred to a data warehouse server on the 15th day of each month.

In addition, a set of data put together in the Effica system concerning ongoing placements, needs for special support, support measures, persons, applications and unit information is transferred to a data warehouse server every Monday.

The city of Espoo may use service providers to organize he service. The service providers process personal data on behalf of the city of Espoo and according to the city’s instructions when it is necessary for the organization of the service.

10. Will data be transferred outside the EU/EEA?

Data is not transferred outside the EU or the EEA.

11. How long will data be stored?

Data is stored and destroyed in line with the records management plan of Espoo’s Finnish and Swedish Early Childhood Education units and the upto-date versions of provisions and orders issued by the National Archives of Finland.

12. How will data be protected?

Data processing is regulated by the General Data Protection Regulation (e.g. the principles of purpose limitation, necessity and accuracy). Personal data is processed in a manner that ensures appropriate security of the personal data, including protection (Article 5(1)(f) of the General Data Protection Regulation). Personal data is protected against unauthorised access and unlawful processing, such as loss, alteration or disclosure. Each employee can only process the data they need to conduct their work. Each employee who processes data are under an obligation of secrecy and confidentiality, which remains in force even after the employee’s employment relationship has ended.

Electronic maintenance systems:

Electronic documents are stored in the early childhood education customer information system Effica. As a protective measure, Effica’s users only have the right to access the data they need to perform their duties. The early childhood education customer information system can only be used through the “S network”, an internal network only accessible by some City of Espoo employees. Personal data can also be stored in another secure location used by the city when it is necessary for organising early childhood education. All users of this network accept an end user license agreement that for example includes a confidentiality agreement. The server is located in a protected, supervised space (in the service provider’s data centre). Communications between the server and workstations are encrypted and protected with firewalls and user credentials. The information connected to an appointment in the event calendar (name, email, telephone number) can only be accessed with the user credentials of the unit in question.

Manual materials:

Manual materials are stored in locked premises and destroyed by shredding or by being disposed of in confidential waste bins.

13. Rights of the data subject

Further instructions on submitting information requests referred to in the General Data Protection Regulation: Data_protection/Client_rights

13.1 How can I access my data?

You have the right to obtain from the controller a copy of the personal data that is subject to processing. The controller shall provide the data without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Requests from the data subject and any resulting actions are free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.

13.2 When can I request rectification of my data?

You have the right to have inaccurate, incomplete, outdated or unnecessary personal data that we store either rectified or completed by us.

13.3 When can I request erasure of my data?

You have the right to have the controller erase your personal data without undue delay under certain conditions. The data subject does not have the right to erasure if the processing of data is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. In these cases, the data will only be erased after the statutory time limit.

13.4 When can I request restriction of processing of my data?

If the data concerning you is inaccurate, you have the right to request that its processing be restricted until its accuracy has been verified.

13.5 Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority if you feel that the processing of your personal data is in infringement of data protection legislation. You can lodge a complaint with the Office of the Data Protection Ombudsman: www.tietosuoja.fi(extrernal link).