The Act on the Secondary Use of Health and Social Data (552/2019, English translation is not up-to-date) affects research work
The purpose of the Act on the Secondary Use of Social and Health Data (Secondary Use Act) is to enable the efficient and secure use of personal data generated in social and health care for purposes other than their original purpose (primary use).
Primary use refers to the purpose for which the data was originally recorded in a client and/or patient registry. The primary purpose may be, for example, the planning, provision, and monitoring of a patient’s care, as well as rehabilitation; or, similarly, the services received by a social welfare client or the processing of benefits by Social Insurance Institution of Finland (also known as KELA).
Secondary use of social and health data refers to the use of client and registry data generated during social and health care activities for a purpose other than the primary purpose for which it was originally recorded.
Finnish registries are exceptionally comprehensive and of high quality. They contain information on the entire population, span decades, and enable individual-level follow-up studies without the need for separate research interviews or patient recruitment. Combining data from different registries provides a comprehensive picture of an individual’s health, social situation, use of services, and living conditions. Secondary use improves social and health services, enables evidence-based decision-making, and produces internationally significant research.
Secondary use is strictly regulated. It does not mean unrestricted access to registries, but rather a process based on data protection that is authorised and monitored.
The secondary purposes of use specified in the Act on the Processing of Personal Data are: scientific research, statistics, development and innovation activities, regulatory guidance and supervision, planning and investigative tasks carried out by public authorities, education, and knowledge management. For example, for development and innovation activities, only aggregated statistical data from which individuals cannot be identified may be provided.
The disclosure of individual-level social and health data takes place only to audited, secure environments where the data can also be analysed. If data is already being processed under an existing authorisation, this processing may continue in the same environment to which it was originally disclosed. For requests for changes, a case-by-case review is conducted, which may result in changes to the operational environment requirements. This applies to all purposes of use under the Secondary Use Act that require a data permit (including scientific research, statistics, and education). In the Astori registry, maintained in accordance with the Customer Data Act and the Secondary Use Act, you can find information on usage environments that meet data security and data protection requirements.
Statistical data is requested through a data request, and individual-level data is requested through a data access application.
The Act on the Secondary Use of Health and Social Data aims at easier and more secure access to social and health materials and at improving the data protection of citizens. Permission and request for information from social and health materials will become more centralized. There are changes in the payment and collection of social and health data. The processing and analysis of social and health data take place in an audited operating environment.
- As a result of the 2026 legislative amendment, the Secondary Use Act does not apply to the processing of registry data in clinical research. If a clinical study uses data regulated by the Secondary Use Act—such as patient registry data or cause-of-death data—no data permit under the Secondary Use Act is required for such data, nor will the processing of the data be subject to the conditions set forth in the Secondary Use Act.
- Going forward, requests for data disclosure and disclosure authorizations required for the use of social and health data will be issued by Findata, an agency under the National Institute for Health and Welfare (THL), if a study uses social and health data from more than one public social and health service provider or from one or more private social and health service providers. Following a legislative amendment that took effect in 2026, data requesters can decide for themselves whether to submit a centralized data authorization application or data request covering data from more than one organization to Findata, or to submit a separate application to each organization.
- With the 2026 legislative amendment, in addition to Findata, other organizations operating under the Secondary Use Act will also be able to compile and combine datasets. The processing of anonymized datasets will also become easier, and in the future, a data access permit may be granted for a specific reason even to environments other than audited, secure data environments, which may also facilitate international research collaboration.
- As a general rule, data sets are transferred for processing to an audited, secure operating environment. Data sets may be transferred to another secure operating environment with Findata’s authorization if the necessary conditions are met and the following three criteria are satisfied: 1) the risks to national security and to the data set being transferred under the authorization are minimal, 2) one of the project participants is an entity conducting research at a Finnish research organization, and 3) the level of data protection and data security in the processing of the data sets is adequate. Anonymized data sets may also be disclosed to other secure operating environments, and the decision regarding such disclosure is made by the competent organization.
- Research projects are advised to take into account the lead time required for data transfer requests and actual transfers (the process from requesting the data to its availability can take 5–12 months) when planning their projects (schedules, funding). In addition, it is important to note that the use of secure computing environments incurs costs, which research projects must budget for. If a project relies on Findata’s services, Findata’s pricing information can be found on its website. Please note that the CSC SD Desktop service is free of charge at Finnish higher education institutions.
- National services are being developed in stages, and research projects should identify any specific needs and requirements that will arise in research activities related to the processing of data under the Secondary Use Act - for example, a potential need for high-performance computing
- The Secondary Use Act does not apply to clinical research when such research is based on informed consent and is conducted under the following laws:
The Act on Clinical Trials of Medicinal Products
The Act on Medical Research
The Act on Medical Devices
A data permit is required when using individual-level, identifiable, or pseudonymized data sets.
A data permit is requested from
A. Findata, when the data set concerns
- data stored in the Kanta services
- data from private social or health care providers
- organizations that have transferred their authorization authority to Findata
- the Digital and Population Data Services Agency (DVV)
- the Finnish Centre for Pensions (ETK)
- the Eastern Uusimaa Welfare Region
- the Finnish Medicines Agency (Fimea)
- National Institute for Health and Welfare (THL), subject to certain restrictions
- Findata’s ready-to-use datasets
- the transfer of anonymized data outside a secure data environment
- data is processed in an environment other than one compliant with the Secondary Use Act
B. Directly from the data controller, when the requested data set concerns only the registers of a single public data controller. For example:
- Public social and health care service providers, such as a welfare region
- Ministry of Social Affairs and Health (STM)
- National Institute for Health and Welfare (THL)
- Social Insurance Institution of Finland (KELA)
- Finnish Institute of Occupational Health (TTL)
A data request is used when no individual-level data is needed, the data can be disclosed in anonymized form, and the data consists of statistical information or a similar aggregate.
A data request is submitted
A. Findata, when the data concerns
- multiple registrars
- Kanta data
- private service providers
- Findata’s ready-made datasets
B. to an individual registrar if the data concerns only that registrars’s own data
Formulating a Research Idea
Define your research question with sufficient precision: what do you want to investigate, in which population, and over what time period? Ensure that the research question is scientifically sound and aligns with the acceptable uses specified in the Secondary Use Act.
Drafting a research plan
Write a sufficiently detailed research plan that clearly outlines: the research question, methods, data requirements, and justifications from a data protection perspective. The plan must be attached to the permit application.
Defining Data Requirements
List the required registers, variables, time periods, and target population as precisely as possible. Remember the principle of data minimization: collect only the data you need.
For research data that contains direct personal identifiers or pseudonymised information, you must prepare a privacy statement, a preliminary data protection assessment, and, if necessary, a data protection impact assessment (DPIA), and publish the research details if you are unable to inform the research participants.
Identifying Registrars
Determine who owns the data you need. Some applications are submitted to Findata, while others go directly to the registrars, depending on your data needs.
Assessing Permission Requirements
Do you need a data permit, or is a data request sufficient? Is a prior ethical review required? Are you reviewing registry data, or do you need clinical patient data?
Ethical review (if necessary)
If the applicable legislation and/or research design requires an ethical review, ensure that you have the ethics committee’s statement at your disposal during the application phase.
Preparing the Application
a. Gather all attachments: research protocol, list of variables, privacy statement, and organizational commitment. Requirements for additional attachments vary depending on the research protocol (e.g., ethics committee statement, collaboration agreement, funding plan).
b. Verify the competent authority responsible for granting access to the data you need; if necessary, use FinData’s application assistant or contact FinData’s advisory service: [email protected]
c. Contact the registrars if you need additional information about the datasets or variables. Contact information for the most frequently requested registrars can be found on Findata’s “Data” page
d. Specify your data needs and dataset extractions for each registry as precisely as possible. Use the data extraction description form provided by Findata; be sure to describe any different extraction sequences if necessary, especially if the extraction involves multiple steps. Make use of the Data Catalog. If you have agreed directly with the registrar on a specific method for carrying out the extraction, include in your application the name of the person with whom the agreement was made.
e. Fill out the application carefully. Pay special attention to basic information such as the license applicant, the registrar for the data to be transferred, billing information, and any other data that may be linked to it.
Permit Processing
Findata typically processes data permit applications within 2–4 months and data requests within 3–6 months. More specific information on processing times for individual registrars is not available. Be prepared to provide additional information to complete the application
Data Delivery
Findata typically compiles the data from registrars within 3–6 months after the authorisation decision and delivers it in pseudonymised form to a secure operating environment (e.g., SD Desktop). No more specific information is available regarding the processing times of individual registrars.
Analysis in a Secure Operating Environment
All data processing takes place in a closed, secure environment. Analysis tools are available in a remote desktop environment. .
Please note that processing personal data from abroad is generally considered a transfer of personal data, even if the data is located in a remote access environment; therefore, verify your right to transfer personal data, particularly outside the EU or EEA, if necessary.
Review and Export of Results
Research results (aggregated data, tables, images) are exported from the environment in accordance with data license terms and data protection requirements. Personal data may not be exported from the operating environments.
Publication and Data Retention
Publications must describe the data used, the license numbers, and the data protection practices. The data will be destroyed or archived in accordance with the license terms. An extension of the license’s validity period may be requested.
Estimated Timeline
Permit phase (application + decision): 3–6 months; compiling and submitting data: an additional 3–6 months. In other words, allow at least 6–12 months before you can begin the analysis. Start the permit process well in advance.
Cost Estimate
Different registrars have different pricing structures; links and average cost estimates have been compiled on the Findata website.
The total cost consists of several components: The decision fee (data permit, amendment permit, or data request), the registrars’ costs for extracting and delivering the data, and any hourly fee charged by Findata for combining, preprocessing, pseudonymising, and/or anonymising the data. A processing fee is also typically charged for negative and lapsed decisions.
More detailed information on Findata’s costs can be found in their price list.
More information:
Helsinki University Hospital (HUS)
- South Savo Wellbeing Services County (Eloisa)
- Wellbeing Services County of Central Finland (hyvaks)
- Wellbeing Services County of Pirkanmaa (Pirha, TaYS)
- Wellbeing Services County of North Karelia (Siun sote)
- Wellbeing Services County of North Savo (PSHVA, KYS)
- Wellbeing Services County of Southwest Finland (Varha, TYKS)
- Wellbeing Services County of North Ostrobothnia (Pohde, OYS)
- Public and private service providers of social welfare and health care
- Data saved in Kanta services (digital services for the social welfare and health care sector in Finland)
- Social Insurance Institution of Finland (KELA) [benefits and prescriptions]
- Finnish Centre for Pensions (ETK) [work and earnings data, benefits and the bases for them]
- national registers and survey data
- Finnish Institute for Health and Welfare (THL)
- Social Insurance Institution of Finland (KELA)
- Finnish Centre for Pensions (ETK)
- Statistics Finland's register data of the causes of death
- social welfare and health care datasets of the National Supervisory Authority for Welfare and Health Valvira, the Finnish Medicines Agency Fimea and the Finnish Institute of Occupational Health and Regional State Administrative Agencies (AVI)
- Basic information on the people and buildings of the Digital and Population Data Service Agency (DVV) for legal purposes
- The research plan must be attached to the application when the purpose of the data on the data permit application is scientific research. Checklist of information included in the research plan:
- Does the research plan describe the registrars, registers and data to be extracted from the registers which the data is requested? The required information should be described at the variable level and the description of the variable level can also be added as an appendix to the research plan.
- How is the target group of the research study formed and delimited, what information is needed about the target population?
- Will other data be combined with the data authorised by Findata’s data permit? Describe this data too.
- Is the purpose of the data described in such a way that the data specified in the data permit is necessary from the point of view of the implementation of the research study?
- Do you want the data to be processed in a non-Findata environment? If yes, describe the processing environment and explain why the use of another operating environment Is necessary for the implementation of the research study?
- Does the research plan describe how the results are to be published?
- Does the research plan describe the registrars, registers and data to be extracted from the registers which the data is requested? The required information should be described at the variable level and the description of the variable level can also be added as an appendix to the research plan.
- The data permit application must specify the required material in detail, variable by variable. Additional information on the registrars' data descriptions can be found on the registrars' web pages.
- Findata or another organization operating under the Secondary Use Act collects the data from the data controllers in accordance with the granted data access permit or a positive decision on a data request, combines and preprocesses (e.g., pseudonymises) it, and transfers it for processing to a secondary use environment in accordance with the Secondary Use Act.
- Remote access environments are specific to each data access authorisation. A researcher cannot combine datasets compiled under different data access authorisations from different remote access environments.
- All data transfers take place through Findata.
- Each provider bills for data extraction, processing, and storage according to its own pricing structure. For example, the cost of Findata’s service consists of a one-time fee for the decision, an hourly fee based on the time spent combining and processing the data, and fees charged by the data controllers for extracting and delivering the requested data, in accordance with their own regulations. See Findata’s price list. (Data permit/data request for a project: 800–3,000 €; or data permit/data request for a thesis: 250 € + processing fees of 115 €/h + remote access environment of at least 141 €/month; contingency fee of at least 5,000 € per case).
- Findata’s service does not support high-performance computing, nor is it possible to combine data with, for example, imaging, biosignal, or genomic research datasets.
- Findata’s remote access environment provides standardised software; the installation of other tools is subject to additional charges, and the customer is responsible for obtaining the necessary licenses.
- Pay special attention to the time required for the permit process and the delivery of data in your research plan.
- The Astori register has been created for secondary computing environments, and services provided by CSC, among others, are free of charge for Finnish higher education institutions. The University of Eastern Finland recommends using CSC’s services.
Advisory service
- Findata serves by e-mail at [email protected] and by phone at 029 524 6500 (open on weekdays from 9:00 to 11:00 and from 12:00 to 16:00).
- Findata answers questions such as data requests, data permits and how to apply for them. For the time being, it is advisable to look for information on the information contents of the registers on the registrars' own websites, where you can find more information on the Data page.
Licensing service
- Findata grants data permits for individual-level material.
- Findata makes decisions on data requests, ie. to obtain statistical-level material.
Data service
- Findata compiles registry data from registrars.
- Findata pre-processes the data (aggregation and pseudonymization, anonymization or production of statistical information).
- Findata converts and combines the licensee's own data.
Secure remote access environment
- Findata provides the secure environment for processing pseudonymized individual-level data, where the most important software required for data analysis is available.
CSC - The Finnish Center for Scientific Computing Ltd is a limited liability company owned by the Finnish government and Finnish higher education institutions that provides and develops information technology services for Finnish research, education, and innovation.
These services are free of charge for Finnish higher education institutions. Students should note that a supervisor must be involved in the application process.
CSC offers a variety of research services that can also be used when handling material subject to the Secondary Use Act.
A browser-based remote desktop for sensitive data. Enables secure analysis without the data leaving the protected environment.
A tool for securely transferring and sharing sensitive data in encrypted form. Used to transfer data to the SD Desktop environment.
SD Submit
Controlled publication of sensitive data (pilot phase)
Licensing of sensitive data and applying for reuse (pilot phase)
A service for storing and publishing human genetic and phenotypic data.
Q: Does Findata's pre-processing remove data that may affect the research study or its reliability? How does Findata communicate about the pre-processing performed during the data transfer?
A: In pre-processing, the main operation is the removal of direct identifiers and, as a general rule, no other information is deleted from the files. Should such a situation arise, the applicant will, in principle, be contacted. On its website, Findata announces that it will delete data from all data it processes that exercise its right to object to the EU's general data protection regulation.
Q: How does Findata view the reproducibility of research and do these become additional costs after the end of the research project that the organization should be prepared for when project funding is no longer available?
A: The data permit is valid until the deadline specified therein. Until now, the data is available to the licensee. If, on the other hand, an extension of time is required to process the data, an application for a change permit must be submitted to Findata before the expiry of the previous permit or permits. In addition, the data permit decision may specify that the data may be kept for, for example, five years after the expiry of the data permit in order to ensure the reliability of the research results. During this time, however, the data is no longer available to processing.