For oral health services provided by Hammas Hohde Oy (including employed dentists and dental hygienists), where Hammas Hohde Oy is the controller:
Hammas Hohde Oy, Business ID 23395589-3, Koljonniemenkatu 2, 70100 Kuopio
For oral health services provided by an independent professional (or a company in whose account the professional is acting):
The professional treating the patient (or a company in whose account the professional is acting) is the controller.
The professionals have outsourced the technical maintenance of the data file to Hammas Hohde Oy.
2 CONTACT PERSON IN MATTERS CONCERNING THE PERSONAL DATA FILE
Data Protection Officer Ville Pesonen, firstname.lastname@example.org, 010 5050 830
3 PURPOSE OF USE OF THE PATIENT REGISTER AND LEGAL BASIS OF PROCESSING OF PATIENT INFORMATION
The processing of patient information is based on legislation (inter alia Patient act 785/1992, Decree on patient documents 298/2009, Act on the secondary use of social and medical information 552/2019), or the consent of the data subject. The personal data is processed in accordance with the EU General Data Protection Regulation (GDPR).
The information contained in the patient register is used for the treatment of the patient and for other purposes in accordance with applicable law and consents.
4 DATA INCLUDED IN THE PERSONAL DATA FILE
Patient’s name, social security number, contact information.
Next of kin nominated by the patient, the guardian of an underage patient, and the legal representative of the patient.
Information necessary to perform, plan, execute and monitor the treatment of the patient, such as health data from examinations and treatment as well as preliminary information.
Other information necessary for treatment, for example information input by a dental hygienist while performing their work duties.
Possible information concerning disclosures and the grounds for disclosures.
The employer of the patient when related to occupational dental health services.
Information whether the patient allows other dentists treating the patient at Hammas Hohde Oy to see patient information input by another private dentist when this is necessary for the patient’s treatment.
Information whether the patient allows other private dentists treating the patient at Hammas Hohde Oy to see patient information contained in the occupational health service data file of Hammas Hohde Oy when this is necessary for the patient’s treatment.
The information concerning personnel treating the patient as well as the patient’s scheduling information are stored as a partial register of the patient register.
Likewise, the laboratory and x-ray examinations’ results obtained during the examination and treatment of the patient are stored as a partial register of the patient register.
In addition to an electronic data file, separate partial registers on patient information and basic information are maintained on paper, which data files may contain information on the consents and bans given by the patient concerning the transfer of patient information.
4.1 Regular sources of data
The patient, their guardian, their legal representative or next of kin.
With the patient’s consent, information can also be obtained from other health care units or professionals, for example through the national health archive (KANTA).
4.2 Retention of data
The data contained in the patient register is retained in accordance with regulation concerning the retention times of patient information as in force from time to time.
Information related to the treatment of the patient is stored, in accordance with the decree of the Ministry of Social Affairs and Health, for 12 years from the patient’s death or, if such date is not known, for 120 years from the patient’s birth.
Log information concerning patient data is stored in accordance with applicable laws, for at least 12 years from the formation of the log.
5 DISCLOSURES OF PATIENT INFORMATION
Patient information is confidential, and members of personnel have a confidentiality obligation.
Patient information may be disclosed:
- With the consent of the patient or the patient’s legal representative
- Under an express statute
5.1 Regular disclosure of patient information and recipients
Patient information may only be disclosed based on the consent of the data subject or based on applicable legislation.
Regular recipients of data are inter alia the following:
- The healthcare professionals and experts of Hammas Hohde Oy that process data based on a consent for a joint personal data file.
- Healthcare officials, courts and other officials that have a legal reason to obtain healthcare data to perform their official duty.
- Data necessary to perform treatment may be disclosed to other healthcare units, treatment locations or healthcare professionals based on an oral or written consent of the patient or a consent otherwise apparent from the context, which will be noted on a medical document.
- The national center for prescriptions (Kanta-archive)
- With the written consent of the patient or based on an express statute, the information may be disclosed to an insurance company.
- The patient’s guardian, other legal representative and next of kin, if the patient has given their consent to this. However, if a minor patient is able, taking into account their age and level of development, to decide on their treatment, the patient has the right to forbid the disclosure of their information to their guardian or legal representative.
- If the patient is being treated due to unconsciousness or a comparable reason, information about the patient’s identity and health may be disclosed to the patient’s next of kin or another close person, unless there is reason to assume that the patient would have forbidden this.
6 LOCATION OF PATIENT INFORMATION AND DATA TRANSFERS
We process all patient information and other personal data primarily within the European Union or the European Economic Area.
Personal data may be transferred outside the European Union or the European Economic Area in accordance with data protection legislation and within the limits imposed by such legislation, if this is necessary, for example, for the procurement of a certain service (for example Invisalign treatment). In such cases the transfer is executed using the model contractual clauses of the European Commission or another mechanism allowed by applicable data protection legislation.
7 USE OF PATIENT INFORMATION AND GENERAL PRINCIPLES OF PROTECTION
Patient information is confidential under law. Patient information may not be disclosed to third parties.
Patient information may be used only by persons treating the patient or taking part in the treatment of the patient within the healthcare unit or on an assignment from the unit. The top management of the controller decides on the organizational solutions and grants employees user credentials for patient register data to the extent required by their work duties.
Old paper records, as well as any records created in addition to the patient information system, are stored in locked and supervised spaces.
Electronic data can only be accessed with the personal user credentials and password of an employee who has the right to access such data. The use of patient information is supervised by monitoring log information. Viewing, changing or removing such data results in a log entry, which you have the right to request for inspection.
8 DATA SUBJECT’S RIGHTS
8.1 Data subject’s right of access (right of inspection)
8.2 Data subject’s right to request the rectification of data, the erasure of data and to restrict the processing of data
The controller must, without undue delay and unprompted or upon the patient’s request, rectify, remove or complete personal data in the patient register that is contrary to the purpose of the processing (the purpose of the patient register), incorrect, unnecessary, deficient or out of date.
The data subject also has the right to request the controller to restrict the processing of their personal data, for example in a situation where the data subject waits for the reply of Hammas Hohde Oy to their request to rectify or erase their information.
Execution and organizing of the rectification of data or restriction of processing:
- If the patient’s demand is justified, the rectification and possible actions to restrict processing are performed by a person having a special right to amend data in the patient register.
- Any incorrect information is struck through and moved to a background file so that both the incorrect and the correct entries are viewable at a later date. The name and position of the person making the amendment, as well as the date and basis of the amendment, are recorded in the patient information documents.
8.3 Data subject’s right to file a complaint to a supervisory authority
The data subject has the right to file a complaint to a supervisory authority, if the controller has not complied with applicable data protection legislation in its activities. The supervisory authority in Finland is the Data Protection Ombudsman, www.tietosuoja.fi.
8.4 KANTA archive
Hammas Hohde Oy joined the KANTA archive on 19.1.2018. All patient information created after that date is transferred to the KANTA archive, and the patient may manage such data through the OMAKANTA system.