Patient register privacy statement
Date of drafting: 23 February 2009, updated on 9th June 2021
1. Data controller and contact information
Docrates Cancer Center
Saukonpaadenranta 2, 00160 Helsinki, Finland
tel. +358 (0)10 773 2000
fax: +358 (0)10 773 2099
When contacting about matters of processing personal data, we ask that you primarily contact the tietosuoja(a)docrates.com.
If your contact involves health information or other sensitive personal information, please use Docrates Oy’s security e-mail.
Health services produced by an independent external clinical expert operating in Docrates Cancer Center (or a company on whose behalf the external clinical expert works for): The independent external clinical expert treating the patient is the Data controller (or a company on whose behalf the external clinical expert works for). The external clinical expert has assigned the technical maintenance of the register to Docrates Cancer Center.
2. Data Protection Officer
If you wish, you can contact Docrates Oy’s data protection officer directly at docrates.tietosuojavastaava(a)fondia.com
3. Name of the register
Docrates Cancer Center patient register
4. Purpose and grounds for the processing of personal data
The processing of patient data is based on the legislation and regulations concerning the patient care and examinations, as well as patient consent.
The data in the patient register is used for
- Planning the patient’s treatment, execution (e.g. surgeries, pharmacotherapies, radiation treatment, prescriptions (including narcotics)) and follow-up
- Making referrals to treatment or examination at Docrates Cancer Center and other examination and care units and saving the printed results of the examinations (e.g. imaging, laboratory and pathology examinations).
- Invoicing the treatment and examinations and for debt collection purposes
- Monitoring the actions of the health care professionals and clarifying possible claims for compensation
- Monitoring Docrates Cancer Center’s operations and for statistical purposes.
- Scientific studies
5. The data content of the register and the categories of the data subjects
The register includes the following personal data of patients that is necessary for the patient:
Basic information of the patient
- First name and surname
- Contact information (postal address, email address and phone number)
- Identification information (date of birth or social security number)
- Name and contact information of the guardian or legal representative of a minor patient
- Name of the next of kin of the patient
- Other basic information (such as gender, native language)
- Information on given consents and imposed bans or limitations
Medical information required for examinations and treatments:
- Preliminary information form (for example, initial information concerning the profession, health or diseases)
- Continuous medical record: information on treatments’ and examinations’ referrals and results such as laboratory and imaging examinations, prescriptions
- Information on patient’s consent concerning data recording, collection and disclosure
- Patient/customer history, for example, information related to appointments, invoicing and debt collection
- Fingerprint identification for radiotherapy to ensure patient safety
- Communication between the patient and care team through the Kaiku system.
6. Data sources
Basic information of the patient, including address, is collected from the patient and from the guardian or legal representative of a minor. Data can be updated from public sources, for example, from the population register.
Data concerning patient treatment and examinations is collected from Docrates Cancer Center’s data files related to examinations and treatment and, with a consent from the patient, from other care units and the National Archive of Health Information (Kanta).
7. Data disclosure and transferring data
Data is confidential. All data processors are bound by confidentiality and professional secrecy. Data can be disclosed with patient’s written consent or in accordance with the legislation. Patients can at any time withdraw or restrict their consents to disclose data.
Data is disclosed to national registers, for example, to the Finnish Cancer Registry and the National Archive of Health Information (Kanta). Data is disclosed to the Finnish Medicines Agency Fimea for research, planning, statistical and monitoring purposes as well as for reports on adverse reaction and special permission for compassionate use applications for medicine that requires a special permit. Disclosures will be conducted according to the Act on National Personal Records Kept under the Health Care System.
In principal, data concerning patients can only be disclosed on the basis of the patient’s consent. If it is not possible to get the patient’s consent, for example, due to their disease or condition, patient information can only be disclosed to the next of kin, unless there is a reason to suspect that the patient would prohibit it. Patient information may also be disclosed to patient’s guardian or legal representative. However, if a minor patient is able to decide on the treatment in accordance with the age and maturity, the patient has the right to prohibit the disclosing of his/her health and treatment data to his/her guardian or other legal representative.
Patient’s documented data is confidential also after the death of the patient. Then, the data may only be disclosed to the extent that is necessary to clarify or exercise the significant interests and rights of the requesting person. A disclosure request must always be justified.
Docrates Cencer Center uses the following external service providers in processing of personal data:
- Vitec Software Oy, management of the patient information system
- Kaiku Health Oy, management of the communication data
- Don & Branco Oy, management of the contact form, e-payments and booking to Stockholm Information on the Docrates website
Docrates Cancer Center uses the following information systems in processing of personal data:
- PACS system to save diagnostic images
- Radiotherapy planning and monitoring system to manage external radiotherapy
- HDR treatment planning system
- Imaging device workstations (CT, MRI, PET, SPET, Ultrasound)
- Radiotherapy fingerprint identification management
- Software for analyzing pseudonymised patients’ data.
- Vincit Oy, MyDocrates internet booking service
Personal data shall not be transferred outside the EU or European Economic Area.
8. Principles of protecting personal data and the retention periods
A. Manual material
The data saved in the register are confidential and they are stored in locked and monitored facilities. Manual materials are digitalised to the patient information system and destroyed according to the data protection requirements.
B. Electronically saved data
The data saved in the register is confidential. Only designated persons have access to the data in the register and a login and password are required. Users can be identified afterwards, if necessary, from log files. The register is protected with firewalls. Devices and the server are located in protected and monitored facilities.
Docrates Cancer Center ensures the data protection compliance of its subcontractors with data processing agreements.
Patient data is retained as long as it is necessary or according to the retention periods described in the legislation and regulations, for example, in the Act on the Status and Rights of Patients and the Decree of the Ministry of Social Affairs and Health on Patient Documents.
9. Rights of the data subjects
The data subject has the right to access the data saved in the register concerning them and the right to request rectification and erasure of data. The requests must be submitted personally or in writing (provided with a handwritten signature or with otherwise verified documents).
The data subject has the right at any time to withdraw or restrict their consent.
Data subjects have the right to object at any time to processing of personal data concerning them, request for restricting the processing or transferring of their data and to lodge a complaint concerning the processing of patient information to the Data Protection Ombudsman.