Privacy policy of patient registers of Hammas Hohde Oy and independent professionals
1 CONTROLLERS
For oral health services provided by Hammas Hohde Oy (including employed dentists and dental hygienists), where Hammas Hohde Oy is the controller:
– The controller is Hammas Hohde Oy, Business ID 2339589-3, Koljonniemenkatu 2, 70100 Kuopio
For oral health services provided by an independent professional (or a company in whose account the professional is acting) operating with Hammas Hohde Oy:
– The controller is the professional treating the patient (or a company in whose account the professional is acting).
The independent professionals have outsourced the technical maintenance of the data file to Hammas Hohde Oy. For clarity, it is stated that Hammas Hohde Oy and such independent professionals are not joint controllers.
2 CONTACT PERSON IN DATA PROTECTION MATTERS
Data Protection Officer
Hammas Hohde Oy
Koljonniemenkatu 2, 70100 Kuopio
tietosuojavastaava@hammashohde.fi
tel. 010 5050 830
3 NAME OF THE PERSONAL DATA FILE
Patient register of Hammas Hohde Oy / Patient register of independent professional
4 PURPOSE AND LEGAL BASIS OF PROCESSING
The legal basis for processing is:
– Legal requirement of the controller (inter alia Patient act 785/1992, Decree on patient documents 298/2009, Act on the secondary use of social and medical information 552/2019)
– The data subject’s consent
Personal data may be processed for the following purposes:
– Treatment of the patient
– Purposes in accordance with applicable laws
– Purposes in accordance with the patient’s consent, such as the subcontracting of prosthesis work
5 DATA INCLUDED IN THE PERSONAL DATA FILE
The following information, for example, may be processed about the data subject:
– Name, social security number, customer number, sex, language, address, telephone number, email address and other necessary contact information.
– Next of kin, guardian, dependent, legal representative.
– Information necessary to perform, plan, execute and monitor the treatment of the patient, such as health data from examinations and treatment as well as preliminary information.
– Other information necessary for treatment, for example information input by a dental hygienist while performing their work duties.
– Possible information concerning disclosures and the grounds for disclosures.
– The employer of the patient when the dental health services are covered by the employer.
– Information whether the patient allows other dentists treating the patient at Hammas Hohde Oy to see patient information input by another private dentist when this is necessary for the patient’s treatment.
– Information whether the patient allows other private dentists treating the patient at Hammas Hohde Oy to see patient information contained in the occupational health service data file of Hammas Hohde Oy when this is necessary for the patient’s treatment.
– The information concerning personnel treating the patient as well as the patient’s scheduling information are stored as a partial register of the patient register.
– Likewise, the laboratory and x-ray examinations’ results obtained during the examination and treatment of the patient are stored as a partial register of the patient register.
In addition to an electronic data file, separate partial registers on patient information and basic information are maintained on paper, which data files may contain information on the consents and bans given by the patient concerning the transfer of patient information.
6 REGULAR SOURCES OF DATA
The data is collected primarily from the following sources:
– The data subject themselves, transactions related to the client relationship, use of services, communication, and business of the data subject.
– Medical personnel
– A third party offering identification, certification, address, on-call duty, credit agency or other equivalent services.
– The population information system provided by the Digital and Population Data Services Agency and other public records systems.
With the patient’s consent, information can also be obtained from other health care units or professionals, for example through the national health archive (KANTA).
7 RETENTION OF PERSONAL DATA
The data contained in the patient register is retained in accordance with applicable regulation concerning the retention times of patient information.
Information related to the treatment of the patient is stored in accordance with the decree of the Ministry of Social Affairs and Health, for 12 years from the patient’s death, or if such date is not known, for 120 years from the patient’s birth.
Log information concerning patient data is stored in accordance with applicable laws, for at least 12 years from the formation of the log.
The data will be removed within three months from the termination of the retention period.
8 REGULAR DISCLOSURES OF PERSONAL DATA
Patient information is confidential, and members of personnel processing patient information have an obligation of confidentiality.
Patient information may be disclosed:
– With the consent of the patient or the patient’s legal representative
– Under an express statute
Regular recipients of data are inter alia the following:
– The healthcare professionals and experts of Hammas Hohde Oy that process data based on a consent for a joint personal data file.
– Healthcare officials, courts and other officials that have a legal reason to obtain healthcare data to perform their official duty.
– Data necessary to perform treatment may be disclosed to other healthcare units, treatment locations or healthcare professionals based on an oral or written consent of the patient or a consent otherwise apparent from the context, which will be noted on a medical document.
– The national center for prescriptions (Kanta-archive)
– With the written consent of the patient or based on an express statute, the information may be disclosed to an insurance company.
– The patient’s guardian, other legal representative and next of kin, if the patient has given their consent to this. However, if a minor patient is able, taking into account their age and level of development, to decide on their treatment, such patient has the right to forbid the disclosure of their information to their guardian or legal representative.
– If the patient is treated due to unconsciousness or a comparable reason, information about the patient’s identity and health may be disclosed to the patient’s next of kin or other close person, unless there is reason to assume that the patient would have forbidden this.
9 TRANSFERS OF PERSONAL DATA OUTSIDE THE EUROPEAN UNION OR THE EUROPEAN ECONOMIC AREA
All patient information and other personal data is processed primarily within the European Union or the European Economic Area.
The personal data may be transferred outside the European Union or the European Economic Area in accordance with data protection legislation and within the limits imposed by such legislation, if this is necessary for example for the procurement of a certain service (for example Invisalign treatment). In such cases the transfer is executed using the model contractual clauses of the European Commission or using another mechanism allowed by applicable data protection legislation.
10 DATA SECURITY
Patient information is confidential under law. Patient information may not be disclosed to third parties.
Patient information may be used only by persons treating the patient or taking part in the treatment of the patient within the healthcare unit or on an assignment from the unit. The top management of the controller decides on the organizational solutions and grants employees user credentials to patient register data to the extent required by their work duties.
Old paper records, as well as any records created in addition to the patient information system, are stored in locked and supervised spaces.
Electronic data can only be accessed with the personal user credentials and password of an employee having the right to access such data. The use of patient information is supervised by monitoring log information, and the viewing, changing and removal of such data results in a log entry, which you have the right to request for inspection.
The use of patient information is supervised by monitoring log information, and the viewing, changing and removing of patient information is logged.
11 DATA SUBJECT’S RIGHTS
11.1 Data subject’s right to access the data (right of inspection)
The data subject has the right to inspect what information concerning themselves has been stored in the patient register of Hammas Hohde Oy or the patient register of an independent professional.
11.2 Data subject’s right to request the rectification of data, the erasure of data and to restrict the processing of data
The data subject has the right to demand that the controller rectifies any inaccurate or incorrect personal data concerning the data subject. The data subject also has the right to have any incomplete personal data completed.
The data subject has the right to have the controller erase personal data concerning themselves without undue delay.
The data subject also has the right to request the controller to restrict the processing of their personal data, for example in a situation where the data subject waits for the reply of the controller to their request to rectify or erase their information.
The controller must, without undue delay and unprompted or upon the patient’s request, rectify, remove or complete personal data in the patient register that is contrary to the purpose of the processing (the purpose of the patient register), incorrect, unnecessary, deficient or out of date.
The rectification of data or restriction of processing:
– The request to rectify and to restrict processing is made in writing and addressed to the controller as set out in Section 13 of this Privacy Policy and is additionally always delivered in person to the relevant operational unit. The patient’s identity is always confirmed in a reliable way.
– If the patient’s demand is justified, the rectification and possible actions to restrict processing are performed by a person having a special right to amend data in the patient register.
– Any incorrect information is struck through and moved to a background file so that both the incorrect and the correct entry are viewable at a later date. The name and position of the person making the amendment, as well as the date and basis of the amendment, are recorded in the patient information documents.
11.3 Data subject’s right to data portability
For the data the data subject has provided to the patient register themselves, and which data is processed based on consent, the data subject has the right to receive such information in a primarily machine-readable format and has the right to transmit such data to another controller.
11.4 Data subject’s right to file a complaint to a supervisory authority
If the data subject thinks the EU General Data Protection Regulation is not complied with in the processing of their personal data, the data subject may lodge a complaint with a competent authority. The supervisory authority in Finland is the Data Protection Ombudsman, www.tietosuoja.fi.
11.5 Other rights
If personal data is processed based on the consent of the data subject, the data subject has the right to withdraw their consent by a notification to the controller.
12 KANTA ARCHIVE
Hammas Hohde Oy joined the KANTA archive on 19.1.2018, and all patient information created after that date is transferred to the KANTA archive, and the patient may manage such data through the OMAKANTA system.
13 CONTACT
All questions and requests related to data subjects’ rights may be presented to the contact person specified in Section 2 above. The data subject may also contact a service location of Hammas Hohde Oy. The contact information of service locations is available at www.hammashohde.fi.
Hammas Hohde Oy may ask the data subject to specify their request in writing and the identity of the data subject may be verified, if necessary, prior to taking other action.