Deprecated: Creation of dynamic property App\Blocks\Factbox::$className is deprecated in /data/wordpress/vendor/generoi/sage-nativeblock/src/NativeBlock.php on line 70
publications

A Finnish Model For The Secure And Effective Use Of Data

Innovating and promoting the secondary use of social and health data

Writer

Heli Parikka

Published

Foreword

In the future, access to data and skills and technologies that enable integration and exploitation of data will be the keys to successfully creating flourishing ecosystems and efficient knowledge-management practices. People will have increasingly more ways to improve their well-being by benefiting from new technologies, data-driven applications and better use of genomic information and biomarker data.

Since 2011, in Finland, a national consensus has been reached through multiple strategies and programmes about the importance of knowledge-based decision-making and linking information and knowledge management to digitisation, experimentation, openness and integration of services. Knowledge management has become a central approach by which Finnish society and public administration at all levels seek more efficient and effective ways of providing public services. In fact, knowledge management is now seen as enhancing national-level competitiveness in Finland. It has been estimated that, in 2030, a platform economy based on the exploitation of data and integrating artificial intelligence into processes and service provisions might account for 30% of Finland’s GDP (Tekes, currently Business Finland [1], 2017).

This paper highlights some key lessons from Sitra’s Isaacus – Digital Heath HUB project that ran officially from 2015 to 2018. Our project built a model for encouraging innovation from public-private partnerships where there is:

  • a mixed ownership of parallel and partly competing projects;
  • competing institutional logic and principles;
  • a multiplicity of funding arrangements.

The Isaacus project was led by Sitra and it prepared a new operating model for a one-stop shop focusing on the better use of Finnish health and well-being data. All work was aligned with preparations for a new permit authority and new legislation for the secondary use of data. The objective of the Isaacus project was to enable the data-secure use of well-being data for various purposes. This document recounts how the new model for a one-stop shop for the better use of well-being data was built in Finland. In this document we refer to it as the “Digital Health HUB”, which in other contexts is also referred to as the “service operator”.

The Isaacus project played an essential role in building an innovation ecosystem and new legislation for the secondary use of well-being data drawn up by the Ministry of Social Affairs and Health. The Isaacus project helped to fulfil the national-level objectives, redefine the organisational processes and responsibilities, and forge a commitment from all parties involved. The project’s main accomplishments were the creation of a prototype for the one-stop-shop service model, the building of new technical infrastructures and greater expertise in the use of new technologies and multi-stakeholder collaboration.

JAANA SINIPURO
Project Director, Sitra

 

Abstract

Finland has succeeded in creating a new ecosystem built around the use of health and well-being data through a national development project culminating in groundbreaking new legislation. The result of several years of co-operation across numerous sectors, the one-stop shop, Findata, will begin its work to allow the secure and easy use of social and health data for the purposes laid down by the new Act on the Secondary Use of Health and Social Data.

This paper describes Sitra’s work on preparing an operating model that is based on new legislation, balances the needs of multiple stakeholders and ensures that the high level of trust people have in the authorities handling their data is maintained.

The development work to promote the secondary use of well-being data in Finland involved extensive co-operation between the public and private sectors. The Ministry of Social Affairs and Health began its preparations for drawing up the Act on the Secondary Use of Health and Social Data in 2015 that finally entered into force on 1 May 2019. The new act facilitates the establishment of a new central data permit authority in Finland, and it is expected to make the work and knowledge-based management smoother for researchers and businesses in particular.

Finland has a long history of collecting extensive data in registers but making use of the data has been difficult and inefficient. With the new enabling legislation, Finland has become the first country in the world to successfully enact a law on the secondary use of well-being data that meets the requirements of the European General Data Protection Regulation (GDPR). The legislation aims to make the secondary use of social welfare and healthcare data easier and make the data more available, as well as to promote its secure use for more extensive purposes.

The drafting of the new legislation was based on the national health-sector growth strategy, which aims to make Finland an internationally renowned pioneer in health business and in well-being. In fact, the health sector in Finland has grown and become more international at a much quicker rate than many other industries in recent years.

Sitra also found it important to support the shared national objective, which led to the launch of Isaacus – the Digital Health HUB project in 2015. The objective of the project was to prepare the operating principles and plan for a new one-stop shop and to support the ministry’s legislative work. The vision was that a new operator would be able to compile and co-ordinate all the data kept in Finnish social welfare and healthcare registries.

Sitra’s project outlined how the new operator should be founded, its service model and potential customer base and customer needs. A plan for the operations and development of the new operator was produced, detailing the resources, competence needs and functions it would require. In addition, preproduction projects prepared technological solutions that could be used in creating the new service.

The aim was also to allocate development work to the operations of the partner organisations. From the start of the project, attention was paid to developing the co-operation between registry authorities. The processes of change were supported in several ways. The project emphasised the need to put the concerns of potential customers of the forthcoming service first. In practice, this meant that the needs of businesses and the third sector were taken into consideration in the development work.

Determined efforts were carried out to strengthen networks. One of the greatest successes of the project was the increase in co-operation at grassroots-level and multidisciplinary competence building. Investments were also made in building international co-operation and networks.

The project led to the discovery that the increasingly efficient use of social and health data is not just a legal or technical matter. Considering all the different parties within the ecosystem and facilitating co-operation between them all are equally important and require investment if visible results are to be achieved.

The project has shown that the following factors need to be taken into account when launching and developing the service: operations need to be developed in a customer-oriented way, the fulfilment of the service promise needs to be monitored using indicators, and diverse expertise has to be ensured.

Sitra’s involvement in the project has come to an end and the Ministry of Social Affairs and Health will now be responsible for developing the new service in co-operation with the National Institute for Health and Welfare (NIHW).

This report describes the new operating model for the better use of health and social care data in Finland. It includes recommendations for implementing and developing the upcoming service and shares the lessons learned during the journey undertaken with all the project’s partners, including those outside Finland.

 

Tiivistelmä

Suomessa on luotu uudenlaisen ekosysteemi hyvinvointitiedon ympärille kansallisen lainsäädäntötyön ja kehittämishankkeen avulla. Useamman vuoden työn ja lukemattomien eri toimijoiden yhteistyön tuloksena Suomeen avaan uusi yhden luukun palvelu, Findata. Uusi palvelu takaa sosiaali- ja terveystietojen tietoturvallisen ja helpon hyödyntämisen uuden lain pohjalta.

Tässä selvityksessä kuvataan Sitran työtä uuden toimintamallin valmistelussa. Työssä otettiin huomioon uuden lainsäädännön vaatimukset ja erilaisten sidosryhmien tarpeet. Samalla huolehdittiin siitä, että kansalaisten kokema korkea luottamus viranomaistoimintaan ja henkilökohtaisten tietojen käsittelyyn säilyy.

Kehittämistyötä hyvinvointidatan toissijaisen käytön (toisiokäytön) edistämiseksi on tehty Suomessa laajassa yhteistyössä julkisen ja yksityisen sektorin kesken. Sosiaali- ja terveysministeriön vuodesta 2015 valmistelema laki sosiaali- ja terveystietojen toissijaisesta käytöstä (ns. toisiolaki) astui voimaan 1.5.2019. Laki mahdollistaa uuden keskitetyn tietolupaviranomaisen perustamisen Suomeen ja sen odotetaan sujuvoittavan erityisesti tutkijoiden ja yritysten työtä sekä tiedolla johtamista.

Suomessa on pitkä historia laajan rekisteritiedon keräämisessä, mutta tietojen hyödyntäminen on ollut hankalaa ja tehotonta. Uuden mahdollistavan lainsäädännön myötä Suomesta tuli maailman ensimmäinen maa, jossa onnistuttiin saattamaan voimaan eurooppalaisen tietosuoja-asetuksen (GDPR) vaatimuksiin vastaava laki hyvinvointidatan toisiokäytöstä. Lainsäädäntöä uudistamalla haluttiin helpottaa sote-rekisteritietojen toisiokäyttöä ja helpottaa datan saatavuutta sekä edistää sen tietoturvallista käyttöä nykyistä laajempiin tarkoituksiin.

Uuden lainsäädännön laatiminen pohjautui kansalliseen terveysalan kasvustrategiaan, jonka tavoitteena oli, että Suomesta tulee kansainvälisesti tunnettu terveysalan liiketoiminnan sekä hyvinvoinnin, terveyden ja uudistuvien palveluiden kärkimaa. Terveysala onkin viime vuosina kasvanut ja kansainvälistynyt Suomessa monia muita toimialoja nopeammin.

Yhteisen kansallisen tavoitteen tukeminen nähtiin tärkeäksi myös Sitrassa, joka käynnisti vuonna 2015 Isaacus – Hyvinvoinnin palveluoperaattori -projektin. Hankkeen tavoitteena oli valmistella toimintaperiaatteet ja -suunnitelma uudelle yhden luukun toimijalle sekä tukea ministeriön lainsäädäntötyötä. Visio oli, että uusi toimija kykenee tulevaisuudessa kokoamaan ja koordinoimaan suomalaisissa sosiaali- ja terveydenhuollon rekistereissä olevaa dataa.

Sitran projektissa selvitettiin, miten uusi toimija tulisi organisoida, millaista toiminnan tulisi olla, keitä sen potentiaaliset asiakkaat ovat ja millaisia asiakastarpeita on olemassa. Selvitysten pohjalta tuotettiin uudelle toimijalle toiminta- ja käynnistyssuunnitelma, jossa kuvattiin sen tarvitsemia resursseja, osaamistarpeita ja toimintoja. Lisäksi esituotantohankkeissa valmisteltiin teknologisia ratkaisuja, joita uusi toimija kykenisi hyödyntämään. Nämä tekniset tuotokset liittyvät järjestelmiin.

Kehittämistä haluttiin kohdentaa myös yhteistyöorganisaatioiden toimintaan. Hankkeen alusta lähtien kiinnitettiin huomiota rekisteriviranomaisten yhteistyön kehittämiseen ja tuettiin muutosprosessia monin tavoin. Hankkeessa korostettiin tulevan keskitetyn toimijan potentiaalisten asiakkaiden näkökulmaa. Käytännössä tämä tarkoitti, että yritysten ja kolmannen sektorin tarpeet huomioitiin kehittämistyössä ja tehtiin määrätietoisesti työtä verkostojen vahvistamiseksi. Jälkikäteen on arvioitu, että projektin yhdeksi parhaimmaksi anniksi koettiin ruohonjuuritason yhteistyön lisääntyminen ja monialaisen osaamisen kehittäminen. Myös kansainvälisen yhteistyön ja verkostojen rakentamiseen panostettiin.

Projektin aikana havaittiin, että sosiaali- ja terveysdatan aiempaa tehokkaampi hyödyntäminen ei ole pelkästään lainsäädännöllinen tai tekninen kysymys. Sen ympärille muodostuvan ekosysteemin eri toimijoiden huomioinen ja yhteistyön fasilitointi ovat yhtä tärkeitä ja niihin tulee panostaa, jos halutaan saada aikaan näkyviä tuloksia.

Taustatyö on tehty ja nyt on toimeenpanon aika. Projekti on osoittanut, että palvelun käynnistämisessä ja kehittämisessä tulee huomioida seuraavat seikat: toimintaa tulee kehittää asiakaslähtöisesti, palvelulupauksen toteutumista tulee seurata mittarein ja monipuolinen osaaminen tulee varmistaa.

Sitran projekti päättyi ja uuden toimijan kehittämisestä vastaa sosiaali- ja terveysministeriö yhteistyössä Terveyden ja hyvinvoinnin laitoksen (THL) kanssa. Tämä selvitys valottaa matkaa, jonka Sitra on kulkenut yhdessä lukuisten kumppaneidensa kanssa hankkeen aikana. Selvitys sisältää suositukset tulevan palvelun toteuttamiseen ja kehittämiseen sekä jakaa matkan varrelta saatuja oppeja yhteistyötahoille myös Suomen rajojen ulkopuolella.

 

Sammanfattning

I Finland har man påskyndat uppkomsten av nya ekosystem som utgår från utnyttjande av uppgifter om hälsa och välbefinnande genom lagstiftningsarbete och ett nationellt utvecklingsprojekt som genomförts parallellt. Som resultat av arbetet öppnas i Finland en tjänst som erbjuder allt över en enda disk, Findata, för utnyttjande av personuppgifter inom social- och hälsovården i syften som föreskrivs i den nya lagen.

Utvecklingsarbete för att främja sekundär användning av välfärdsdata har gjorts i Finland i brett samarbete mellan den offentliga och privata sektorn. Lagen om sekundär användning av personuppgifter inom social- och hälsovården (den s.k. lagen om sekundär användning) som beretts av social- och hälsoministeriet sedan 2015 trädde i kraft 1.5.2019. Lagen möjliggör inrättande av en ny centraliserad tillståndsmyndighet i Finland och förväntas göra särskilt forskares och företagens arbete samt informationsledning smidigare.

Finland har en lång historia av insamling av omfattande registeruppgifter, men utnyttjandet av uppgifter har varit besvärligt och ineffektivt. Tack vare den nya, möjliggörande lagstiftningen blev Finland det första landet i världen där man lyckats stifta en lag om sekundär användning av välfärdsdata som svarar mot kraven i den europeiska dataskyddsförordningen (GDPR). Genom att förnya lagstiftningen ville man underlätta den sekundära användningen av social- och hälsovårdens registeruppgifter och underlätta tillgången till data samt främja en datasäker användning av dem i större omfattning än i nuläget.

Stiftandet av den nya lagstiftningen utgick från den nationella tillväxtstrategin inom hälsobranschen, vars mål var att Finland ska bli ett internationellt känt spetsland i affärsverksamhet inom hälsobranschen samt inom välbefinnande, hälsa och tjänster som förnyas. Hälsobranschen har också vuxit och internationaliserats snabbare än andra branscher i Finland.

Även Sitra ansåg att det är viktigt att stödja ett gemensamt nationellt mål och inledde 2015 projektet Isaacus – Digitalt hälsonav. Projektets mål var att bereda verksamhetsprinciper och en -plan för en ny aktör enligt principen för alla tjänster över en disk samt att stödja ministeriets lagstiftningsarbete. Visionen var att den nya aktören i framtiden ska kunna samla in och koordinera data i finländska social- och hälsovårdens register.

I Sitras projekt utreddes hur den nya aktören borde organiseras, hur dess verksamhet borde läggas upp, vilka dess kunder är och vilka kundbehov det finns. Utifrån utredningarna togs för den nya aktören fram en verksamhetsplan och en plan för verksamhetsstart som beskriver de resurser, kompetensbehov och funktioner som den nya aktören behöver. Dessutom togs fram i projekt som förbereder produktionen teknologiska lösningar som den nya aktören skulle kunna utnyttja. Dessa tekniska resultat anknyter till system.

Man ville även rikta utveckling till samarbetsorganisationernas verksamhet. Ända sedan början av projektet fästes vikt vid utvecklingen av registermyndigheternas samarbete, och förändringsprocessen stöddes på många sätt. I projektet betonades den nya, centraliserade aktörens potentiella kunders perspektiv. I praktiken betydde detta att företagens och den tredje sektorns behov beaktades i utvecklingsarbetet och att man arbetade målmedvetet för att stärka nätverk. I efterhand har man bedömt att som ett av projektets bästa utbyte upplevdes ökat samarbete på gräsrotsnivå och utvecklingen av sektorsövergripande kompetens. Man satsade även på att skapa internationellt samarbete och nätverk.

Under projektet observerades att ett allt effektivare utnyttjande av social- och hälsodata inte enbart är en lagstiftningsmässig eller teknisk fråga. Lika viktigt är att ta hänsyn till olika aktörer i det ekosystem som växer upp kring det och facilitering av samarbete, och om man vill få synliga resultat ska man satsa på dem.

Bakgrundsarbetet är färdigt och nu är det dags för verkställande. Projektet har visat att då man inleder och utvecklar tjänsten ska man beakta följande: verksamheten ska utvecklas kundorienterat, uppfyllandet av servicelöftet ska följas upp med indikatorer och en mångsidig kompetens ska säkras.

Sitras projekt tog slut och social- och hälsovårdsministeriet svarar för utvecklingen av den nya aktören i samarbete med Institutet för hälsa och välfärd (THL). Denna utredning belyser Sitras resa tillsammans med sina otaliga partner under projektet. Utredningen innehåller rekommendationer för genomförande och utveckling av den kommande tjänsten samt delar med sig av lärdomar som fåtts under resan åt samarbetsinstanser även utanför Finlands gränser.

1. Background

The vision of Sitra with its partners was to establish a flourishing ecosystem around the secondary use of social and health data. This would happen by bringing all interested parties together, streamlining the processes for the issuing of research permits and data collection, and ensuring that data is being used in secure environments, thereby maintaining the trust that the general public have in authorities and the public sector.

The Act on the Secondary Use of Health and Social Data entered into force in Finland on 1 May 2019. The goal of the act is to make the use of health and social data smooth and more secure. It also adjusted provisions in this legislative area in a manner that ensures they meet with the requirements of the EU’s General Data Protection Regulation (GDPR). The new act will cover multiple areas, including:

  • scientific research
  • statistics
  • development and innovation activities
  • steering and supervision of authorities
  • planning and reporting duties by authorities
  • teaching
  • knowledge management.

The idea is that by making the practices of registration authorities more streamlined, there will be greater opportunities for research of clinical and register data. Also, international co-operation in Finland will benefit from easier access to data reserves.

The reforms will not only benefit researchers, but many diverse health technology and life-science companies will also start to see opportunities in Finland and expand their R&D activities to Finland. Overall, knowledge-management opportunities in social welfare and healthcare will improve with easier access to comprehensive data sources and new services around high-quality registered data.

One of the key players in the operating environment will be the new permit-granting authority (Findata), a new organisation within the National Institute for Health and Welfare that will implement the new act.

The new services to be established along with the act are targeted at Finnish and international companies, national authorities that maintain registers, research institutes and research groups, and social welfare and healthcare organisations and service providers.

Legislation is described in more detail in the article published on the Ministry of Social Affairs and Health’s website: Secondary use of health and social data.

The vision is that within the next few years, the well-being data ecosystem will serve as an environment for a versatile group of different parties, from analytics service providers to various researcher services. The ecosystem utilises extensive technological expertise and automated processes, supports the creation of expert and researcher networks, and uses, ethically and securely, the world’s best electronic registers and their content as raw material for developing analytics and artificial intelligence.

 

Building of the one-stop shop and its governance

Sitra played an essential role in drafting the operating model for the Digital Health HUB. Now that the project Isaacus has ended and the Act on the Secondary Use of Health and Social Data has been passed, other national bodies will have an important role in developing the new model further.

Responsibility for the operating and administration model of the permit authority and the future operator comes under the Ministry of Social Affairs and Health, which defines policy guidelines for the goals of the operations, the co-operation between data controllers, and the rules and co-operation structure required by the operations.

 

The process of developing the new one-stop shop body in Finland in 2016-2020.
Figure 1. The process of developing the new one-stop shop body in Finland

2. Implementation model

The reforms aim to accelerate the use of and improve access to well-being data for different purposes. Both the current permit processes and the data integration practices will benefit from the new act. The goal is that the collation of register data will become smoother and the knowledge base more comprehensive.

A data permit authority is being established for the implementation of the new act, in order to ensure the ethically sustainable use of data. The granting of data permits for health and social data will be centralised with the new authority, allowing data from numerous different data controllers to be gathered from one source. A centralised data permit system and secure user environments where data is processed will be built for the processing of permits.

With the new act there is now clear legal grounds for using register data in innovation and development activities. Companies can get collated, aggregated statistical data for these purposes more quickly and comprehensively.

The data permit authority to be established operates within the National Institute for Health and Welfare, but as a separate entity. The new act also makes it possible to establish a state-owned company in connection with the data permit authority.

The operating model for the new body and the technical and functional elements it requires were prepared as part of Sitra’s Digital Health HUB project. The task of the new operator is to collect, and co-ordinate data received from different registers.

New act enables secondary use of health data. Findata.fi will be the permit authority and new data operator.
Figure 2. The new act enables the establishment of the data permit authority, known as Findata

The act sets the requirements and defines the basis for the new data permit authority

The data permit authority’s services include: managing the request processes; obtaining the required data from different registries; combining the data with personal IDs; pseudonymisation and anonymisation; aggregation of the data and transfer of the data to a safe and secure environment. The new regulation offers several options for organising these services:

  • they can be part of the data permit authority;
  • they can be outsourced to a private provider; or
  • they can be organised under a publicly owned non-profit company.

These options will come under discussion and when the services start in 2020.

However, the aim is to build a new operating unit that has more flexibility in providing services and compensating data holders for the costs of data sharing. A publicly owned non-profit company would have also be able to better incentivise the ecosystem on data sharing.

Regardless of what the final structure and organisational model is, Sitra’s recommendation is that the new operations should be organised on a one-stop-shop principle, under a common brand.

The data permit authority and optional non-profit company are enablers for the developing data economy and ecosystems founded upon use of social and health data. It also develops interaction between stakeholders and promotes client-orientated services.

 

Key systems for the new permit authority

Three key technological systems have been prepared to support operations: a permit and information portal, a data description system (metadata) and a collection, processing and remote desktop for the data. Data pseudonymisation and anonymisation services are closely linked with the last item. The new authority will also be responsible for the anonymisation services of data for users. It should follow the technical development to ensure and guarantee the relevance of the anonymisation technology used.

The starting point is that researchers have access to a network of experts that provides them with first-class information directly from professionals working with data sources. The service provider portfolio covers all information-refining stages, from data processing to advanced analytics.

Table explaining research permit workflow when using social and health data.
Figure 3. Research permit workflow (Click picture to enlarge)

Planning of the operational model started by studying the draft version of legislation. The gathering of business requirements started with multiple workshops and detailed Enterprise Architecture planning guided by the principles governing the safe and secure use of sensitive data. This means that drafting the operational model included extensive parallel work on a legislative framework, governance models and possible implementation architectures. There were several options on how to create needed infrastructure for the new Agency.

Since increased collaboration between register holders was one of the main goals of project Isaacus, focusing on a model that would lead to tighter collaboration was the first option. The second option was to create an entirely new operator and acquire the required infrastructure for it to carry out its duties. The third option was to enhance existing research infrastructures and strengthen existing technologies with further direct investment.

As a result, the decision was made to build an entirely new kind of operating model, work on harmonising processes and focus on existing projects and technological solutions when building the integrated infrastructure. This option led to less investment in new technology and encouraged all stakeholders to collaborate and learn while planning and by doing. The key elements for the required infrastructure were developed through co-operation between various authorities and data controllers. These elements were then tested in technical pilot projects.

 

3. Key lessons learned

The main challenges in the development work were related to public-sector funding, national co-operation with funding providers, operating methods and siloed operating models. In contrast, the shared change-seeking strategic intent and the existence of high-quality data served as a driving force for everyone involved. The identification of obstacles and the successes are crucial factors now and in the future. So, after everything, what kinds of lessons and insights are there to be shared?

 

Earning public’s trust

When dealing with sensitive data, maintaining the trust of the public is a necessity. In general, people in Finland have very high levels of trust in government and this proved to be one of the critical success factors for the new legislation and supportive operating model.

A survey on attitudes commissioned by Sitra in Finland (2016) showed that people are interested in finding out what kind of data is collected about them and where it can be found. In addition, people are interested in the purposes for which data about them is used and in the related terms, conditions and authorisations. More recent research (2019[2]) from Sitra shows that there are small differences between European countries, but generally health data is considered as more sensitive than other data like shopping data or lifestyle data. Also, the survey indicates that recent data breeches have had some effect on people’s trust in digital services.

There is also increasing interest in the opportunities that exist to exercise influence over and manage one’s own data. This development trend can be seen in the activities of the MyData movement, for instance. The aim of the movement is to take personal data management and processing from the current organisation-centric model towards a human-centric model. The EU’s General Data Protection Regulation (GDPR) that entered into force in May 2018 also improves an individual’s opportunities to influence the use of data about them.

 

Towards customer-centricity

For Finland, the greatest challenge has not been the lack of interested parties that would like to conduct R&D based on social and health data in Finland. Instead, the problem is rather that there is no national body responsible for potential customers, to help them through the process, maintain active contact and ensure a smooth customer and service process. The practical implementation of customer-centric thinking has been one of the project’s key objectives. This was enhanced by listening to customers through many interviews carried out with different stakeholders and by bringing the service design thinking to the development work.

The goal has been to develop a data permit authority and the related new operator into a single one-stop shop, enabling the parties that need data to perceive the fragmented field of operators as a uniform whole and the operating processes as clear workflows. Researchers and companies considering research investments and co-operation and other parties in need of data can access and use the services they need smoothly, all through one centralised operator. Changing the mindset from production-centricity (data stores and their handling) to customer-centricity is a necessity for modern agencies to work effectively.

 

Importance of engaged stakeholders

Different stakeholders have also participated in the development of the new operator in various roles. Numerous representatives from different fields of expertise have been involved in the process.

Over the years, contributors to the project have included researchers, entrepreneurs and representatives of the business world and patient organisations, who were also heard in the drafting of the new act. A particularly important success factor has been the encounters with active parties at different events and in various forums that have provided direct input into the development work.

The inspiration for a centralised data permit authority began with national policy-level strategies whose aim was to improve people’s health and well-being through opportunities offered by research and technological development, among other means.

 

Openness in preparations

The drafting of the Act on the Secondary Use of Health and Social Data proceeded in stages as an open administrative process. At different stages, researchers, developers, directors and companies participated in thematic workshops that set goals and sought solutions to detected problems. Both the workshops and the work of the working group that drafted the act were documented in Innovillage’s[3] open workspaces, where everyone could view and comment on them. During the process, there was active co-operation between data controllers and ministries. Openness and interaction were key guiding principles.

Even in the early stages of drafting the act, co-operation was launched with Sitra’s Isaacus project. The project included pilots and tests based on the views and experiences of key stakeholders and users, which also benefited legislative development work.

The drafting of enabling legislation was also part of more extensive inter-ministry co-operation in the development of digitisation, data economy and ecosystems. Well-being and health was considered a key focus area exactly because it is very data-intensive and already has extensive national and international data repositories.

 

Resolving conflicting interests and ensuring coherent interpretations

From the perspective of developing the new operator, the national co-ordination of the implementation of these strategies, funding, practices and change management posed a set of challenges. Various parties co-operated to identify solutions to the challenges shown in the table below. Had these questions not been resolved, development work could not have proceeded as it did.

Table: Questions in developing one-stop data operator concerning origin of data, purpose of use, data-use permits and management.
Figure 4. Relevant questions in developing the new one-stop-shop data operator[4]

To tackle the challenges mentioned above, one must understand that the most difficult data-related questions were not technical in nature and solutions could be found by experimenting. Being unable to overcome obstacles before work has even begun does not boost development. Solutions can be found through practical experiments.

On the other hand, challenges that result from customisation and standardisation and that prevent the processing of data should be identified in advance. Data-related expertise and tacit knowledge are also key elements in processes and their role should not be forgotten.

When it comes to legislation, the differences between parties in the interpretation of the law should be understood. Information systems, organisations, regulations and the use of data should all also be regarded as interconnected networks that vary greatly (Aula, 2018).

 

Overcoming a technical skills shortage

Emerging technologies enabling big data innovations and integration challenges between different data sources and data types require a good mix of skills that can enable the use of the new technology and methods, analytics skills and achieve a good understanding of research practices.

The majority of pilot projects, focusing on Digital Health HUB development were highly technical. The projects tested the integration of data from existing systems with the aid of new technological solutions, developed existing systems to meet future requirements and developed entirely new systems. Technical problems were caused either by new technology, such as the support for and functionality of early-stage data-lake software versions, or by new requirements (Kaski, 2018[5]).

The rapid development of technology also makes it difficult for legislation to keep up and for legislators to understand development. Technological solutions change so fast that they should not be recorded in legislation. Instead, the law should include the requirements to be met by the technological solutions.

 

Facilitating co-operation in a sustainable manner

Sitra’s goal was to bring Finnish register authorities together to develop a national, harmonised solution for improving the availability of well-being data. The development of co-operation has been important both nationally and internationally.

With the new act in force, Finland can be viewed as an international pioneer in the development of legislation related to social and health data. According to an international study commissioned by the Ministry of Social Affairs and Health (2017[6]), none of the 10 countries included within the scope of the study had an equally comprehensive act on the management of social and health data. Instead, the comparison countries had several acts related to different data controllers.

International co-operation and the creation of networks has also been important. Long-term work extending over several years has resulted in an active network of several countries which meets regularly and in which countries that are developers and pioneers of the secondary use of well-being data share their experiences, learn from one another and co-operate. Stakeholders’ social capital and mutual trust have increased.

See the video: What’s up with well-being data – collaboration?

You need to accept marketing-cookies to watch this video

Open cookie settings

 

Furthermore, joint study visits have solidified co-operation between Finnish operators. From these trips, Finnish participants have taken home comparative information and a deeper understanding of foreign operators’ customers, architectures, business models and technical implementation models, as well as a genuine commitment to further shared national goals.

All in all, Sitra’s role has been to act as a bridge between participants and to create an overview and an overall goal for Finland from the wider perspective of the data economy.

 

4. The way forward

Customer-centricity, effectiveness and realising benefits for the whole ecosystem around the secondary use of health and social care data are a necessity for the new agency to succeed in the long term.

The new agency needs to co-operate with customers, data providers, partners and authorities.

The Act on the Secondary Use of Health and Social Data was passed in the plenary session of Parliament on 13 March 2019. The government plenary session proposed the approval of the act on 25 March 2019. The President of the Republic approved the act on 26 April 2019, and it entered into force on 1 May 2019. Some of the act’s provisions will be applied only after a transition period. The permit processing by the data permit authority will begin in stages in early 2020 and the operations will expand gradually.

Building new operations is worthless unless the new agency can operate in a more cost-efficient and customer-centric way than the traditional agencies. Added value comes from data curation services for integrated data sets, efficiency in delivery times and a great customer experience.

The data permit authority works as a part of the comprehensive ecosystem of data repositories and related added-value services. Operations should be developed applying the “customer-first” principle and indicators and systems should be developed for monitoring the fulfilment of the service promise. In addition, it should be ensured that diverse expertise is available for using the service. This puts pressure on the planning of expertise networks and incentive schemes.

The most significant added value is generated by the increase in the value of data when a high volume of data from several registers is combined. The figure below summarises other core requirements for the new agency.

Table: Recommendations of core requirements for one-stop shop: customer-centric approach, co-operation, responsibility and the quality and efficiency of service.
Figure 5. Recommendation from Sitra of the core requirements for the new operator

 

Customers, competence needs and the service promise must be taken into account during the preparations. In the first implementation stage, goals are set for the operations, required roles are defined and operating principles are agreed upon. In the second stage, agreement should be reached on shared procedures and the service production process launched. In the third and final stage, the necessary shared technical platforms and solutions need to be adopted.

Table: Operatios of new agency start in phases: commitment, launch and comprehensive operations.
Figure 6. The operations of the new agency start in phases (Ref. Sofigate 2017, modified)

 

Summary – what next?

The vision is that the new operator will be able collate data comprehensively from various public-sector registers including genomic, biological and clinical data registers. New genome laws and reforms of the biobank act are being prepared and these amendments may affect how the data from those sources can be accessed.

The volume of data collected by the public sector is constantly increasing, as is the technology needed for storing and analysing that data. Different parties are investing in data-lake technology and data repositories so that gene, monitor and sensor data and many other data sources that used to be difficult to process can be stored and utilised better.

However, data alone, no matter how high its quality, does not change the world or create better treatment or medication. There must be people who know how to interpret data. Furthermore, data must be used as the basis for building smart inference chains or self-learning systems that expand our understanding of social welfare and healthcare. This requires competent, trained professionals and financial resources.

It is important to invest in education and training and find new talented people because the well-being sector is a particularly data-intensive field. However, it is challenging to convert enormous amounts of data into high-quality information. When compared to other sectors, the social welfare and healthcare field is still developing many areas of data use.

The efficient secondary use of well-being data also requires a well-functioning ecosystem in the well-being sector. The new operator will be subject to many expectations, requirements and needs by many parties, such as social welfare and healthcare organisations, biobanks, research organisations and companies in the sector. However, the starting point must always be the individual as the producer of data and the final beneficiary.

On the other hand, it should be noted that an increasing amount of data is generated from outside the public sector, which cannot be regulated with national legislation or made use of despite the existence of a party like the permit authority and the data operator. In the future, increasing volumes of data will be generated by different internet services and by various devices and sensors. The simplest examples are smartwatches or mobile phones that collect data on physical exercise and heart rate. It is slightly more complicated to measure environmental data, such as air humidity and temperature, and collating it with data collected about a person.

This is why there will be more contemplation in the future about the factors that influence people’s health – when they fall ill, how well they recover or the effects of medication, for example. Measurable data related to health changes outside hospitals and doctor’s appointments does not accumulate in public registers, except in occasional surveys or studies. Consequently, this data is not handed over for secondary use by researchers or corporate R&D departments.

Sitra’s fair data economy project, launched in spring 2018, aims to develop a procedure for human-driven data exchange. The IHAN® project expands the horizon beyond social, health and register data and opens up opportunities to find new ways to manage one’s own data. One way to ensure future well-being is to ensure there is a simple, cost-efficient and easy-to-use way to disclose one’s own data for research purposes.

 

Glossary

Anonymisation

The processing of personal data in a manner that makes it impossible to identify individuals from that data. For example, the data can be rendered down to a general level (aggregated) or converted into statistics so that individuals can no longer be identified. The prevention of identification must be permanent and it must be impossible for the controller or a third party to convert the data back into identifiable form using the information held by them.

Findata

A new data permit authority that will be established and will operate within the National Institute for Health and Welfare, but as a separate entity. The new act also makes it possible to establish a state-owned company in connection with the data permit authority.

GDPR (the EU’s General Data Protection Regulation)

The GDPR applies to all EU member states since 25 May 2018. The GDPR provides better protection for personal data and more ways to manage the processing of personal data.

Data economy

In a data economy, data is used to develop services, products and business operations. The data economy was born when the extensive collection, storage and transfer of data became technically and financially feasible. For instance, search engine advertising and the resulting revenue are part of the data economy. Sometimes the terms “data economy” and “information economy” are used synonymously.

Data lake

A data lake is a solution intended for business data management that makes it possible to collect

and store different types of data for further processing. A data lake differs from a conventional data repository solution: its modelling allows the storage and processing of non-conventional data types (such as images, documents or data from sensors). A data lake is a new way of storing information in a format where the existing data structures do not restrict the availability and use of data.

Data permit authority

A data permit authority provides customers with usage permits and co-ordinates other directly related services, such as ethical assessment processes. The permit authority is responsible for processes related

to managing and granting usage permits. In the early stages, the duties of the permit authority are undertaken by a new separate unit working under the National Institute for Health and Welfare.

Digital Health HUB

A working title for a state-owned limited liability company that is separate from the permit authority and operates under the mandate of and is supervised by the permit authority. The tasks of the Digital Health HUB are to serve the customer, to provide guidance and data management services for the customer’s needs with the one-stop-shop principle and to collect and provide well-being data collated from various data sources and registers.

Knowledge management

The process of creating, sharing, using and managing the knowledge and information of an organisation. It refers to a multidisciplinary approach to achieving organisational objectives by making the best use of knowledge.

Metadata

Data about data, or descriptive and defining data about a data repository or a content unit. Metadata describes the context, content or structure of a data resource and guides and directs its processing and management.

Primary use of customer data

Data is used for the situation for which it was originally saved in the customer or patient register. Such situations include examinations of patients, rehabilitation, social welfare services or the processing of benefits by Kela (the Finnish Social Insurance Institution).

Pseudonymisation

Pseudonymisation refers to processing personal data so that it can no longer be associated with a certain person without additional data. This additional data must be stored carefully separated from personal data.

Secondary use of customer data

The use of the same information in contexts other than primary use. The secondary uses outlined in the Act on the Secondary Use of Health and Social Data include scientific research, compiling of statistics, development and innovation activities, teaching, knowledge management, steering and supervision by authorities, and the planning and reporting duties of authorities.

 

Partners for the Isaacus – The Digital Health HUB project

Main partners

Business Finland
Kela – The Social Insurance Institution of Finland
Ministry of Social Affairs and Health
Ministry of Economic Affairs and Employment of Finland

Pre-production project organizations

Biobanking and Biomolecular Resources Research Infrastructure (BBMRI.fi)
Hospital District of Helsinki and Uusimaa (HUS)
The National Archives of Finland
The City of Kuopio
Institute for Molecular Medicine Finland (FIMM)
The National Institute for Health and Welfare (THL)
Statistics Finland
Hospital District of Southwest Finland
Finnish Social Science Data Archive

 

References

[1] Currently known as Business Finland. Business Finland was established in January 2018 when Tekes, The Innovation funding agency in Finland, was merged with Finpro, the provider of internationalisation, investment and travel promotion services.

[2] Sitra (2019): Article: People value having the power to make decisions about the use of their data

[3] Innokylä or Innovillage is an innovation community in the health and welfare sector that is open to everyone. Innovillage brings together the development efforts in the sector, and offers a channel for sharing ideas, practices and models. The purpose of Innovillage is to support sustainable renewal in the health and welfare sector. For more information: www.innokyla.fi.

[4] Ville Aula (2018): Big Data, Big Infrastructures, Big Institution – Reconfiguring Secondary Health Data in Finland. Master’s thesis, Oxford University.

[5] Richard Darst, Mikko Hakala, and Kimmo Kaski (2017): Evaluation of the Isaacus project’s data lake solutions in research use. Aalto University.

[6] Toivonen Lotta (2017): International Review: The secure use of social, health and care data with the purpose of promoting health, welfare and other public objectives.

Publication details

Title

A Finnish model for the secure and effective use of data

Subtitle

Innovating and promoting the secondary use of social and health data

Authors

Heli Parikka (Ed.), Jaana Sinipuro, Hannu Hämäläinen, Markus Kalliola, Juhani Luoma-Kyyny, Saara Malkamäki

Place of publication

Helsinki

Year of publication

2019

Publisher

Sitra

Outlook

29 p.

ISBN (PDF)

978-952-347-115-3

ISSN (PDF)

1796-7112

Series

Sitra studies

Publication number

153

What's this about?

Your current shadow instance is ""Default shadow"". Exit