Processing personal data – City of Espoo Occupational health services

Date of publication of the Privacy Statement: 16 September 2020

  1. Data controller

City of Espoo
Occupational health services
Kamreerintie 2 A, 2nd floor
02070 Espoo

  2. Person responsible for the data file

Head of Occupational Health, Chief Physician
Marianne Alho
marianne.alho(at)espoo.fi

  3. Data file contact person

Data protection contact person, occupational health services, Expert
Maarit Salmi
maarit.salmi(at)espoo.fi
Tel.: 040 663 1724

  4. Data protection officer

City of Espoo Data Protection Officer
Address: P.O. Box 12, 02070 City of Espoo
Tel. 09 849 21 (exchange)
E-mail: tietosuoja(at)espoo.fi

  5. For what purpose is personal data processed?

The purpose of processing personal data within Occupational Health Care’s patient data file is to provide occupational health services for the personnel of the City of Espoo in accordance with the Occupational Health Care Act.

According to Section 4 of the Occupational Health Care Act, the employer shall arrange occupational health care at the employer’s own expense in order to prevent and control health risks and problems related to work and working conditions and to protect and promote the safety, working capacity and health of the employees.

  6. On what grounds is personal data processed?

The purpose of processing personal data within Occupational Health Care’s patient data file is to provide occupational health services for the personnel of the City of Espoo in accordance with the Occupational Health Care Act.

  • Article 6(1)(a) of the EU General Data Protection Regulation: The data subject has given consent to the processing of his or her personal data for one or more specific purposes

Occupational health care e-services and online appointment booking.

Measurement of customer experience.

The data can be used for knowledge management in accordance with the Act on the Secondary Use of Health and Social Data.

  • Article 6(1)(c) of the EU General Data Protection Regulation: processing is necessary for compliance with a legal obligation to which the controller is subject
  • Article 6(1)(e) of the EU General Data Protection Regulation: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller

Essential legislation:

  • EU General Data Protection Regulation (2016/679)
  • Data Protection Act (HE 9/2018 vp)
  • Act on the Openness of Government Activities (621/1999)
  • Occupational Health Care Act (1383/2001)
  • Health Care Act (1326/2010)
  • Act on the Protection of Privacy in Working Life (759/2004)
  • Act on the Status and Rights of Patients (785/1992)
  • Act on Health Care Professionals (559/1994)
  • Other acts and decrees regulating occupational health care activities
  • Act on the Secondary Use of Health and Social Data (552/2019)

  7. What data is processed?

Occupational health care’s patient data file contains the patients’ following personal and basic data: HIJAT ID, first name, last name, personal identity code, job title, home address, postal code, city, municipality of residence and e-mail address.

In addition, patient information generated in the course of the patient’s reception work is stored in the patient data file, including information about the patient’s counselling, treatment, health assessment, monitoring, examinations and other information in accordance with the content of occupational health care as specified in Section 12 of the Occupational Health Care Act.

Data concerning health is considered special categories data, which can only be processed in situations specified in legislation. In occupational health care, the processing of data concerning health is permitted under Section 9.1 (h) of the GDPR, as the processing of health data is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of legislation or pursuant to contract with a health professional.

For the purposes listed above, personal data concerning health is always processed by a professional subject to the obligation of professional secrecy (GDPR, Section 9.3).

The electronic service channel contains the first name, last name, personal identity code, home address, postal code, city and e-mail address of those patients who have used it. The data is transferred from the patient information system during login. The electronic service channel also contains the messages, images and documents sent by the user in the service. A summary of the essential data in the electronic service channel is transferred to the patient information system.

Measurement of customer experience. Customer experience measurement helps increase customer satisfaction and develop occupational health care activities. The customer can choose to be contacted personally by leaving their contact information (name, telephone number and/or e-mail address) in the system. The contact request will not be recorded in the patient information system.

Public access to information and confidentiality:

Personal data in the patient data file is confidential.

Grounds for confidentiality:

On the basis of Section 24.1 (25) of the Act on the Openness of Government Activities, documents containing information on the state of health of a person or medical care or treatment given to them are considered confidential official documents.

According to Section 13 of the Act on the Status and Rights of Patients, the information contained in patient documents is confidential and health care professionals or other persons working in a health care unit or carrying out its tasks shall not give information contained in patient documents to outsiders without an express written consent by the patient with the exceptions provided for separately in legislation. The obligation of professional secrecy remains valid after the conclusion of the employment relationship or job task.

  8. Where is the data obtained from?

Patient information is generated during occupational health care reception work in cooperation with the patient.

The patients’ personal and basic data is obtained daily from the City of Espoo personnel data file.

The patients’ other personal data is mainly collected from the patients themselves, especially in connection with the pre-employment health examination and reception work. The information is updated during reception work and more detailed information is collected, for example, when additional information is needed for the assessment of the patient’s work and functional capacity.

Pursuant to Section 5 of the Act on the Protection of Privacy in Working Life, a medical certificate or statement concerning an employee’s work capacity issued by the employee to the employer may be handed over to an occupational health care provider for the purpose of carrying out occupational health care tasks provided for in the Occupational Health Care Act, unless the employee has specifically forbidden the handover. In any case, the employer may inform the occupational health care provider of the time and duration of the employee’s sick leave.

The City of Espoo occupational health care purchases some of its examinations and specialist medical consultations as outsourced services. The provider of such outsourced services provides the City of Espoo occupational health care with feedback on outsourced examinations and consultations.

  9. Is data disclosed or transferred outside the city?

As a rule, personal data is not disclosed.

The disclosure and conveyance of patient information to third parties requires, as a rule, a specified written consent of the patient (Act on the Status and Rights of Patients, Section 13).

The person requesting the disclosure of data shall explain their grounds and right of access to the data in question and specify which patient documents are included in the disclosure request.

In addition to the situations specified in the Act, with the patient’s consent, occupational health care may disclose to another health care unit or health care professional information contained in patient documents that is necessary to organise the patient’s examination and treatment (Act on the Status and Rights of Patients, Section 13).

Disclosure of occupational health care information to the employer

According to Section 17 (2) of the Occupational Health Care Act (1383/01), the employer, the workplace occupational safety committee and the occupational safety delegate are entitled to obtain from persons engaged in occupational health care information that these persons obtain on account of their position that is important for the health of employees and the development of healthier workplace conditions. However, information designated confidential by law may not be disclosed without the consent of the party for whose benefit the confidentiality obligation is prescribed, as separately provided. According to Section 13 of the Act on the Status and Rights of Patients (785/92), patient documents are confidential.

Occupational health care may only provide the employer with information on whether the employee is suitable for the job or whether there are any limitations to their suitability.

The employer has the right to send an employee to occupational health care for an assessment of the employee’s work capacity, if the employer has reasonable grounds to assume that the employee’s ability to work is impaired by a health issue.

Disclosure of data to other parties

Patient information related to appointments arising from work-related accidents can be disclosed to insurance companies upon request. The insurance company’s right to receive information in the event of an occupational accident is based on Section 252 of the Workers’ Compensation Act (459/2015).

Notwithstanding the confidentiality provisions and other restrictions on access to information, the Social Insurance Institution has the right to obtain the necessary information to settle a pension or benefit decision from a state or municipal authority or another body governed by public law (National Pensions Act, Section 86).

Data may be disclosed to authorities maintaining national data files for research, planning and statistical purposes (Act on National Personal Data Files in Health Care (556/1989), Section 3, Communicable Diseases Act, Section 24).

Data can be disclosed upon request to authorities that have a legal right to access the information contained in the data files. The person requesting data disclosure must refer to the section of law on the basis of which the data is requested.

  10. Is data transferred outside the EU/EEA?

Data is not transferred outside the EU or EEA.

  11. How long is data stored?

As a rule, patient documents will be kept for 12 years after the patient’s death, or 120 years after the patient’s birth if there is no information of the patient’s death. Furthermore, public health care patient documents of persons born on the 18th and 28th day of any given month have been ordered to be permanently stored (Ministry of Social Affairs and Health decree 298/2009 on patient documents).

Act on the Status and Rights of Patients, Section 12: Patient documents and other material related to care and treatment

Health care units shall keep patient documents for a period necessary for arranging and providing care and treatment for a patient, for investigating possible claims for compensation related to care, and for scientific research.

Patient documents shall be disposed of immediately after there are no grounds as referred to above for keeping them.

Further provisions on the drawing up of patient documents and on keeping them are issued by a Decree of the Ministry of Social Affairs and Health.

Permanent storage of documents is regulated by the Archives Act (831/1994).

All texts and documents in the electronic service channel will be destroyed one year after the employment relationship has ended.

  12. How is data protected?

Data maintenance systems and protection principles

Electronic material

The patient information system used in occupational health services is Acute, which stores almost all patient data file information. This is a certified system. On Espoo workstations, Acute is used online with SSL/TLS encryption and specified user IDs.

Access rights to the patient information system are granted individually and to occupational health care personnel only. They have personal certificate cards issued by the Population Register Centre, without which they cannot access the patient information system. The treatment relationship is verified based on the personnel data file information and verification of the personal identity code. Usage logs are reviewed to monitor and control the use of the patient information system. A patient information disclosure report is always made in connection with usage data disclosure.

The SoftMedic and Webstar systems previously used as patient information systems still contain some patient information. The protection principles listed above also apply to the patient information contained in these systems. The systems can only be accessed with specified user IDs.

The electronic service channel is a web-based information system, a cloud service operated by Movendos Oy. The information system meets the requirements related to the processing of personal data and the system’s data security is subject to regular auditing.

Users of the electronic service channel authenticate themselves with online banking credentials. All connections between the user’s computer and the server are SSL encrypted.

Manual material:

The paper patient document archive is located in a separate, locked space, which can only be accessed by occupational health personnel. It contains, for example, old ECG tapes that have not been converted to digital format.

  13. The data subject’s rights

Read more detailed instructions on how to submit data requests in accordance with the GDPR.

13.1. How can I access my data?

You have the right to obtain from the data controller a copy of the personal data undergoing processing. The controller must provide the data without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

The request for reviewing patient data file information is to be presented to the occupational health care customer service office (Kamreerintie 2A, 2nd floor, CITY OF ESPOO, tel. 09 816 24400, tyoterveys@espoo.fi). The patient is given a review request form, which is completed and signed by the patient.

If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and no later than within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Requests by the data subject and the related measures are free of charge. However, where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or refuse to take the action requested.

13.2. When can I request rectification of my data?

You have the right to have incorrect, inaccurate, incomplete, outdated or unnecessary personal data that we retain, corrected or supplemented by us.

The demand for rectification of the patient data file information is to be presented to the occupational health care customer service office (Kamreerintie 2A, 2nd floor, CITY OF ESPOO, tel. 09 816 24400, tyoterveys@espoo.fi). The patient is given a rectification request form, which is completed and signed by the patient.

13.3. When can I request erasure of my data?

You have the right to have personal data concerning you erased by the data controller without undue delay under certain preconditions. You have no right to have the data erased if compliance with a statutory obligation requires processing of the data or if the processing is done for the purpose of performing a task concerning public interest or exercising official authority vested in the controller. In these cases, the personal data will only be destroyed after the statutory deadline.

13.4. When can I request restriction of processing of my data?

If the data collected about you is inaccurate, you may require that the processing of your customer data be restricted until the accuracy of the data has been verified.

13.5. Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority if you consider the processing of personal data to be in breach of data protection legislation. You can lodge a complaint with the office of the Data Protection Ombudsman.

13.6. Possible other rights

The requests shall be addressed to the data file contact person/Occupational health services.

Right to transfer data from one system to another (Data Protection Regulation, Article 20)

The data subject shall have the right to the transfer only if the processing is based on consent or agreement and if the processing is performed automatically. The right of the data subject to transfer the data from one system to another shall not be applied to processing that is necessary for performing a task concerning public interest or exercising official authority vested in the controller.

If the data processing is based on consent, the data subject shall have the right to cancel his or her consent at any time.