Data protection and information security

Data protection and information security policy of Pihlajalinna Group

Updated 22 March 2023

INTRODUCTION

This document specifies the goals, organisation, liabilities and implementation of Pihlajalinna Group’s data protection and information security policy. The policy is complemented by other approved plans and guidelines.
Pihlajalinna values and protects the privacy of all its stakeholders, as patient data related to health services and client data related to social services are subject to specific legislation. As a provider of social or health services, Pihlajalinna operates according to high-level security practices, including comprehensive log monitoring, 24/7 supervision of the IT environment, and constant improvement of information security.
Pihlajalinna complies with the EU General Data Protection Regulation, the Data Protection Act and the guidelines of the data protection authorities in all processing of personal data.
Each employee and information system user at Pihlajalinna must be familiar with this policy and comply with the instructions and regulations issued based on the policy.

OBJECTIVES

The objectives of work related to data protection and information security include

  • ensuring that all data is processed securely in accordance with the legislation.
  • ensuring the continuity of the group’s or group companies’ operations under all circumstances
  • pre-emptively preventing any data protection and information security breaches
  • ensuring the security of Pihlajalinna Group’s information systems.

ORGANISATION AND LIABILITIES

Data protection and information security is managed and monitored by the CEO of Pihlajalinna. The CEO decides the development objectives, organisation, resources and operating authorisations of the various sections of overall safety and security.

The Medical Director of Pihlajalinna acts as the supervisor of data protection and appoints the data protection officers. The Head of ICT is responsible for information security and appoints the supervisor of information security and the information security officer.

The views of Pihlajalinna’s key operations are represented by a data protection and information security team appointed by the supervisors of data protection and information security. The data protection and information security team processes any policies and instructions before they are presented to the management for approval. The data protection and information security team includes at least the supervisors of data protection and information security, data protection officers, and an information security officer.

IMPLEMENTATION

Data protection and information security complying with the approved data protection and information security policy must be integrated into all operations. The development and maintenance of data protection and information security are a part of Pihlajalinna Group’s and the group company’s security-related operations, risk management and internal monitoring.

DAILY WORK, MONITORING AND SUPERVISION

  • Each Pihlajalinna employee shares a personal responsibility for the implementation of data protection and information security, and is obliged to report any threats or deviations to data protection or information security that they detect as instructed.
  • Pihlajalinna has a process and a set of instructions for processing deviations. They aim to ensure continuity of operations and constant improvement.
  • Pihlajalinna’s information systems and network traffic are monitored 24 hours a day.
  • Users are guided by approved and available guidelines, continuous information, and data protection and information security training. These guidelines are updated regularly.
  • The manager(s) within their unit are responsible for providing guidance, information and supervision on matters related to data security, and doctor(s) within their unit are responsible for the data protection of patient data.
  • The persons responsible for data protection and information security have duties that include monitoring, supervising and reporting on the implementation of Pihlajalinna’s data protection and information security, as well as taking measures to improve them whenever necessary.
  • Pihlajalinna cooperates with various stakeholders and authorities in accordance with the EU General Data Protection Regulation, local legislation and specific legislation.
  • Information security is constantly developed and tested by external partners, too. These tests are used as a basis for development and corrective measures whenever necessary.
  • A Data Protection Impact Assessment (DPIA) is always carried out when new systems and processes are implemented.