Data protection and information security

Data protection and information security policy of Pihlajalinna Group

Updated 21 April 2020

INTRODUCTION

Pihlajalinna Group (“Pihlajalinna”) values the privacy of its customers, patients, partners and employees. This data protection and information security policy explains how the companies in Pihlajalinna Group collect, use and process various types of personal data and ensure privacy protection. The data protection and information security policy specifies the principles, liabilities, obligations, operating methods, monitoring and surveillance used by the Group to implement and develop data protection and information security. This policy is supplemented by detailed regulations and instructions.

The data files of Pihlajalinna contain information related to patients, customers, employees, stakeholders, suppliers and operations, and this information is legally required to be protected. The processing of personal data is governed by the General Data Protection Regulation of the EU as well as the related local legislation. Any patient data related to healthcare services and customer data related to social services are subject to special legislation.

This data protection and information security policy, processed by the Pihlajalinna Management Team and confirmed by the CEO, covers all data processing tasks related to the Group’s operations. Each employee and information system user at Pihlajalinna must be familiar with this policy and comply with the instructions and regulations issued on the basis of the policy.

Any operators, suppliers and other parties external to Pihlajalinna must also agree to comply with legislation, this data protection and information security policy as well as instructions related to data protection and information security in order to gain access to Pihlajalinna’s information systems and their materials as required by their tasks. When Pihlajalinna acts as the controller, the suppliers are required to sign a separate agreement (or appendix) concerning the processing of personal data. Individuals processing data are required to sign the data protection commitment. When Pihlajalinna Group or a Group company acts as the processor of personal data, a separate agreement shall be concluded on the processing of personal data.

Data protection refers to the protection of privacy when processing personal data.

All operations must incorporate data protection and information security in accordance with the approved data protection and information security policy. Developing and maintaining data protection and information security is part of the general security operations, risk management and internal control of Pihlajalinna Group and the Group companies.

DATA PROTECTION AND INFORMATION SECURITY WORK

The objective of data protection and information security work is to secure the lawful processing of personal data, ensure the uninterrupted functioning of the information systems and networks of the Group or Group company, prevent personal data breaches and unauthorised access to information systems and/or their unauthorised use, prevent accidental or intentional destruction or distortion of the data, and minimise any damage. In addition, the work aims to prepare for and resolve any risk situations that interrupt operations.

As a service provider of social or healthcare services, Pihlajalinna acts in accordance with the policies of an elevated information security level.

ORGANISATION AND LIABILITIES

Data protection and information security is managed and monitored by the CEO of Pihlajalinna. The CEO decides the development goals, organisation, resources and operating authorisations of the various sections of overall safety and security. The Medical Director of Pihlajalinna acts as the supervisor of data protection and appoints the data protection officers. The supervisor of data protection reports to the CEO. The Head of ICT appoints the supervisor of information security. The supervisor of information security reports to the Head of ICT and appoints the Information Security Officer.

The data protection officer is responsible for tasks in accordance with the General Data Protection Regulation of the EU and local legislation. The information security officer is responsible for overall information security work within the framework of resources and operating authorisations granted by the Group management. They are also in charge of communicating matters related to information security.

The views of Pihlajalinna’s key operations are represented by a data protection and information security team appointed by the supervisors of data protection and information security. The data protection and information security team processes any policies and instructions before they are presented to the management for approval. The data protection and information security team includes at least the supervisors of data protection and information security, the data protection officer(s), information security officer, administrators of the Group’s patient data systems as well as representatives of the HR and property administration.

The tasks of the team members are as follows:

• The team members are responsible for preparing the matters in their area of responsibility
• The tasks of the data protection officer are specified in the General Data Protection Regulation of the EU
• The information security officer is responsible for specifying, assessing and reporting information security. They are responsible for drawing up information security development plans, monitoring the implementation, raising information security awareness and secure operating methods in the Group and in any procured services as well as reporting to the management.
• The information security officer is responsible for equipment and software security
• The representative of property administration is responsible for security related to facility and equipment technology
• The representative of HR administration is responsible for employee security in terms of information security
• The data protection and information security team shall be chaired by the supervisor of data protection or, if they are not available, the supervisor of information security

Each Pihlajalinna data file containing personal data has a designated supervisor whose responsibilities are described in the General Data Protection Regulation of the EU and in local legislation.

Each Pihlajalinna information system has an owner unit and a supervisor. The responsibilities of an information system supervisor include specifying the requirements set for the functions and security of the information system (e.g. criticality, continuity planning and backup policies) as well as granting and supervising access rights.

The unit’s manager(s) are in charge of providing security-related instructions as well as communicating and supervising information security in their units, and the chief medical officer of the unit is responsible for patient data protection.

Each Pihlajalinna employee, processor of personal data or other information, administrator of information systems or networks or user is responsible for implementing data protection and information security and following instructions. Each person is responsible for reporting any threats and anomalies related to data protection and information security to the data protection or information security officer.

IMPLEMENTATION

The implementation of data protection and information security is based on this written data protection and information security policy of Pihlajalinna that is provided to each Group employee and information system user.

The data protection and information security principles of Pihlajalinna are based on the General Data Protection Regulation of the EU as well as national legislation. The implementation and maintenance of data protection and information security is described in detail in separate instructions. Achieving the objectives of data protection and information security is a continuous process.

Users’ operations are guided by approved and readily available instructions as well as by data protection and information security training.

MONITORING AND SUPERVISION

The managers, chief medical officers and supervisors of Pihlajalinna Group companies monitor the implementation of data protection and information security in their units.

The information security officer monitors and supervises the implementation of Pihlajalinna’s information security and takes the necessary action to improve security.

DATA ACQUISITION, SOURCES AND CATEGORIES OF DATA

The methods of acquiring data, sources and categories of data subjects are described separately in the privacy statement of each data file.

DISCLOSURE OF DATA TO CUSTOMERS AND OPENNESS TOWARDS DATA SUBJECTS

The disclosure of data to customers and openness towards data subjects is described in the privacy statement of each data file.

COOPERATION WITH VARIOUS INTEREST GROUPS AND AUTHORITIES

Pihlajalinna cooperates with various interest groups and authorities according to the General Data Protection Regulation of the EU, local legislation and special legislation.

INTERNATIONALITY

As a rule, Pihlajalinna does not transfer personal data outside the EU or the EEA. Valid legislation and regulations shall be complied with in any transfers.

DATA PROTECTION AUTHORITIES

The Data Protection Ombudsman is an authority that provides guidance, advice and supervision concerning the processing of personal data in accordance with the Personal Data Act. The Data Protection Ombudsman uses their authority in matters concerning the implementation of the right of access and data rectification and provides solutions regarding the legality of controllership and the realisation of data subjects’ rights.

UPDATING THE DATA PROTECTION AND INFORMATION SECURITY PRINCIPLES

Our data protection and information security principles are in line with our current policy. We update the principles regularly and at least once a year.