Data protection

Data protection refers to the protection of privacy when processing personal data.

On this page, we will tell you how Orton Oy collects, uses and processes various personal data and ensures privacy. The processing of personal data is regulated by the EU General Data Protection Regulation and related local legislation. Patient data related to health services is under special legislation, and we have listed below the practices and guidelines related to patient documents.

HYKSin Oy merged with Orton Oy on 1 July 2020.

As a result of the merger, the patient’s personal and guardian data and contact details in HYKSin Oy’s patient register became part of Orton Oy’s patient register.

Orton Oy’s personal data registers

We collect personal data in the registers listed below. You can read the privacy statements by clicking on the name of the statement.

Patient documents

Patient documents refer to all documents needed to arrange and provide care for a patient. They contain personal or health data about the patient. The obligations, rights and practices related to patient documents are based on the Decree of the Ministry of Social Affairs and Health on patient documents (298/2009).
Health care professionals record in patient documents the necessary and correct information for the planning, arrangement, provision and monitoring of patient care. Only information necessary for the purpose of use is entered into patient documents.
Patient data can only be accessed by members of personnel participating in the diagnosis, treatment and care of the patient. A treatment relationship is required for access. Patient documents are used when health care professionals make statements about the patient’s care.

Use and secrecy of patient data

Patient data are, in principle, secret under the threat of punishment under the Finnish Criminal Code (19.12.1889/39). Information on the use of medical services is also secret. Persons employed in the health care sector are not at liberty to disclose any information contained in patient documents to outsiders without written permission from the patient or the patient’s legal representative. An outsider is a person who does not participate in the care of the patient or any related tasks. However, data concerning a patient may be disclosed to outsiders without written consent from the patient or their legal representative when the party requesting the information is an authority with a statutory right to access patient documents.

Patient register logs request

Under the Finnish Act on Electronic Processing of Customer Information in Social Welfare and Health Care (9.2.2007/159), in order to determine or exercise their right regarding the use of their personal data, customers are entitled to know who has accessed their data and to whom their data has been disclosed, and the reasons for accessing or disclosing this data. The social welfare or health care service provider is obliged to provide this data upon written request. However, the customer is not entitled to receive logs if the provider of logs is aware that the provision of logs could pose a serious risk to the customer’s health or treatment or to the rights of someone else. In addition, customers are not entitled to receive logs older than two years unless there is a specific reason for this.

Under the same Act, a log must be kept of access to patient data. If you wish to receive logs of your patient data, you can submit a free-form application. A request for logs is processed as a request for information and does not require any separate reporting or clearance.

Request for investigation of the processing of patient data

If you suspect that your patient data have been processed without an appropriate purpose, you can request a written investigation. You can make a free-form request for a written investigation, containing the grounds and facts that the request is based on.
The request for investigation can also be made by the patient’s guardian or other legal representative. In this case, the response to the request for investigation will not contain logs revealing the use of medical services by the patient.

Right to rectification and erasure of data

Under Article 5 of the EU General Data Protection Regulation (2016/679), personal data must be accurate and, where appropriate, updated. The data controller must take all reasonable steps to ensure that personal data that are inaccurate and erroneous in relation to the purposes of processing are erased or rectified without delay. In addition, under Article 16 of the Regulation, the data subject has the right to require the data controller to rectify inaccurate and erroneous personal data concerning the data subject without undue delay.

If you find data in your patient documents that is erroneous or unnecessary regarding the declared purpose of use, you can submit a free-form application. Make sure that you clearly specify the data that needs to be rectified or erased.

Data that a healthcare professional considers unnecessary or erroneous for the purpose of use may be removed from the patient documents. However, there will be no total erasure of patient documents, as Article 17(3)(b) of the GDPR states that where the processing of personal data and the personal data register are based on the implementation of a task under national law, the right to be forgotten shall not apply. The drafting and use of patient records to support treatment is a task mandated by Finnish legislation. As a rule, the retention period for patient documents is 12 years from death. The retention period is laid down in the Decree of the Ministry of Social Affairs and Health on patient documents (30.3.2009/298).

A request for rectification can be sent to: Orton Oy, Tenholantie 10, FI-00280 Helsinki.

Right of access

Under Article 15 of the EU General Data Protection Regulation (2016/679), data subjects such as patients are entitled to access data concerning them. In practice, this right is quite similar to the right of inspection of the Finnish Personal Data Act: the data controller must provide a copy of the processed personal data.

If you want copies of your patient data, you should contact Orton’s customer service.

The right to access data under the EU General Data Protection Regulation can be exercised by sending a free-form application to: Orton Oy, Tenholantie 10, FI-00280 Helsinki. The GDPR does not provide a format for how a request should be made, but a personally signed request is the surest and clearest way. If the request for information is sent e.g. by email, Orton Oy is obligated to verify the identity of the sender by the means available, and this will slow down the fulfilment of the request for information.

In accordance with Article 15 of the GDPR, the right of access must be fulfilled within one month of receipt of the request or, if the request for information is extensive and laborious, the data must be submitted within two months.