Information security
THL’s information security policy defines the principles followed within the institute to ensure the secure use, processing, storage, and disposal of data.
The organisation’s information security is managed by identifying the data and materials that require protection, assessing risks, planning and implementing control measures to an acceptable level, and through internal reviews and continuous improvement.
Our information security and data protection practices ensure that:
- Only individuals who have been granted a specific access permission for clearly defined purposes can access the relevant data and information systems. Others are not able to view, process, modify, or delete the data.
- Data, systems, and services are reliable and up to date. They are not altered or destroyed as a result of unauthorised activity, malware, hardware or software failures, or any other incidents.
- All datasets and registers containing sensitive personal data (identified or pseudonymised) are subject to written handling instructions.
Organisation and responsibilities
Information security is the foundation of all operations, and the Director General holds the highest responsibility for THL’s information security. Unit heads specified in the rules of procedure are responsible for the information security within their respective units. Every employee, official, or person acting in the name of THL, on its premises, or using its resources is responsible for the information security related to their duties and is required to comply with the given regulations and instructions.
The Chief Information Security Officer is responsible for maintaining and developing the information security management system, and for coordinating and improving the institute’s information security arrangements.
The Data Protection Officer leads the development of the data protection management system and is responsible for the development and legality of THL’s data protection activities. The Data Protection Officer monitors compliance with legislation, data protection regulations, and the operational procedures applied by the controller or processor relating to the protection of personal data.
Protection of personal data
As a public authority, THL is obliged to report aggregated nationwide data related to health and welfare.
THL’s statutory duties—such as infectious disease surveillance and official reporting—require the processing of information containing personal data. Personal data is needed in order to combine information from multiple healthcare operators, for example for epidemic management and case counting.
Act on the National Institute for Health and Welfare (Finlex)
THL maintains a level of information security that ensures the confidentiality of data related to partners, customers, and other stakeholders. For example, datasets are provided to researchers only with personal data removed, or personal data in research materials is replaced by pseudonymised identifiers (e.g., coded identifiers).
The purpose of information security arrangements is to ensure that data, information systems, and services receive appropriate protection so that confidentiality, integrity, and availability-related risks remain controlled. Technical measures support data confidentiality and integrity, ensuring that external parties cannot read or modify the data.
Processing of personal data at THL
In the processing of personal data, THL complies with applicable legislation and processes personal data in accordance with data protection laws.
Over time, private individuals have been able to participate in THL’s and its predecessors’ studies, in which personal data has been collected through surveys and measurements. Participation has required consent in accordance with the legislation effective at the time, and the research has been conducted as a statutory task of THL and as research carried out in the public interest.
Where previously collected consents no longer meet the requirements of the new EU General Data Protection Regulation and obtaining new consents is not possible, the legal basis for processing the datasets may be considered THL’s statutory task and scientific research, statistics, and archiving carried out in the public interest.
A private individual may exercise the rights granted under the General Data Protection Regulation, such as inspecting their own data and withdrawing consent. More information is available on the Data Protection page.
Data protection