Privacy notice for maintaining customer records and educational records at the psychology training and research clinic PSYKE
PSYKE is a psychology training and research clinic at Tampere University. The clinic develops professional practices in psychology, serves customers, provides teaching and training to psychology students, and conducts research. This privacy notice describes how PSYKE collects and processes data in connection with the delivery of outsourced customer services and the provision of training to healthcare professionals. The data controller is Tampere University Foundation sr, psychology training and research centre PSYKE (address Kalevantie 5, FI-33014 Tampere University, Finland). The contact person is the head of PSYKE.
Why we are allowed to process personal data
We use the personal data stored in our customer records for the purposes of planning and providing treatment, therapy sessions and rehabilitation services to our customers as well as for invoicing and other customer relationship management purposes. We also process personal data to organise training/methodology training and manage related payments and invoices.
With an individual’s explicit consent, we can add them to a network (such as a mailing list or a discussion forum) that has been created to facilitate communication between persons who have completed a specific training programme.
Lawful basis for processing personal data
We process personal data primarily based on customers’ consent and the data controller’s legal obligation to maintain customer records. Applicable legislation:
- Data subjects have provided their consent for processing their personal data (GDPR 2016/679; article 6, paragraph 1a).
- Processing is necessary to comply with the data controller’s legal obligation (GDPR 2016/689; article 6, paragraph 1c).
- Processing is necessary in order to perform a specific task in the public interest for scientific research purposes (GDPR 2016/679; article 6, paragraph 13).
- Data Protection Act (1050/2018, section 4)
- Act on the Status and Rights of Patients, section 13 (785/1992)
- Health Care Act (1326/2010)
- Act on the Electronic Processing of Client Data in Healthcare and Social Welfare (159/2007)
- Act on Health Care Professionals (559/1994)
- Decree on Patients Records issued by the Ministry of Social Affairs and Health (30.3.2009/289)
- Act on the Openness of Government Activities (621/1999)
The types of personal data we process
We process the following types of personal data while serving customers:
Customer’s name, date of birth, personal identity number, hometown, contact information, name and contact information of parents/guardian, first language and preferred language, consent regarding the disclosure of data and other basic information that is essential from the perspective of treatment, such as family structure, a child’s school, teacher and support measures provided by the school, the doctor or psychologist overseeing the treatment, a child’s diagnosis and medication. With a customer’s consent, video or audio recordings may be made. The data stored in our records includes information about a payment commitment/service voucher concerning evaluation or rehabilitation services and the number of customer sessions and, in the necessary extent, key information about treatment, the final statement or feedback, and other treatment-related information and documents received from external parties. The records are confidential.
We process the following types of personal data in connection with the provision of education and training: customer's name, contact information, invoicing address, job title, employer, dietary restrictions and other additional information provided by the customer. In addition, we may process patient records collected by a training participant which has been collected and disclosed to PSYKE with the patient’s consent and is used for the purpose of completing training provided by PSYKE.
How long we retain personal data
The retention period for customer records is defined in the decree issued by the Ministry of Social Affairs and Health (298/2009). Depending on the type of document, documents are generally stored for 12 years after they are prepared or after treatment has ended, or 12 years after the customer has passed away/120 years after the customer was born. Patient documents are securely disposed of by using secure shredding services intended for sensitive materials.
Data collected for the purpose of providing training will be retained in accordance with Tampere University’s data management plan. Personal data that is collected by a training participant for the purpose of completing training provided by PSYKE will be retained for as long as is necessary to complete the training. After this, the data will be returned to the participant or securely disposed of by using secure shredding services intended for sensitive materials.
How we collect personal data
We collect customer information from customers or their parents/guardian or, with the consent of a customer or his or her parent/guardian, from the unit that refers the customer to PSYKE, other units that provide treatment to the customer, or a customer’s school. Data can also be generated in connection with treatment. The customer’s consent (or his or her parent’s/guardian’s consent) is always required for communicating with another unit that provides treatment to our customer or with his or her school.
Personal data that we process for the purpose of providing training is collected from the participants themselves or other organisations that purchase training services from PSYKE. Patient records that a training participant works with while attending our training are provided by that training participant.
Transfer of personal data
Data stored in our customer records will only be disclosed with the customer’s consent (or his or her parent’s/guardian’s consent) or to fulfil the data controller’s legal obligations (Data Protection Act, patient records privacy laws). In case it is necessary to disclose data, the recipient is generally another healthcare unit or a healthcare professional that has referred the customer to PSYKE or that needs the data to organise an evaluation or provide treatment. Persons who process the records have a strict duty to maintain confidentiality.
When customers who have received a payment commitment or a service voucher use our services, the data controller of their customer records is the organisation that issued the payment commitment/service voucher, and PSYKE acts as the data processor as defined in the GDPR. The employee responsible for the treatment will provide information about the number of sessions that have taken place and feedback management to the organisation that issued the payment commitment/service voucher and the party that referred to customer to PSYKE. Other important documents that are drawn up during treatment will be stored by PSYKE on behalf of the data controller. The retention period for these documents will be specified in the agreement signed by PSYKE and the data controller, after which the documents will be handed over to the data controller.
We do not disclose to third parties any personal data that we collect for the purpose of providing training. Patient records that a training participant has collected to complete our training is returned to that participant.
Transfer of data outside of the EU or the EEA
Customer data is not transferred outside of the EU or the EEA.
How we process your personal data
Customer records are confidential and are not disclosed to any third parties. Access to customer records is restricted to persons who provide treatment to the customer or are involved in the delivery of treatment. Documents are stored in locked facilities that cannot be accessed by unauthorised persons. All equipment used while processing personal data is centrally maintained, and the mass storage of mobile devices is encrypted. User access management is based on user roles, and the lifecycle of user accounts is automatically managed and linked to the length of a user’s contract. In addition, access to information about customer visits, which is temporarily stored in an electronic format, and to other documents is protected with a separate employee-specific password. The names of documents do not identify our customers. Only designated persons responsible know the decryption key for decoding pseudonymised data and matching customer identity and document names.
Patient information that is collected to complete training provided by PSYKE is securely stored in strict compliance with data protection requirements.
How we protect personal data
We process all personal data securely and in compliance with legal requirements. We have carefully assessed the potential risks associated with our processing activities and taken the necessary measures to control the risks. The data controller requires that all its partners take appropriate measures to protect personal data. The data controller has taken appropriate technical and organisational measures to ensure data privacy. Among other things, the following measures are taken to protect data:
- equipment and file access control
- physical access control
- user identification
- user rights
- processing instructions and monitoring.
Rights of data subjects
Right of access (GDPR, Article 15)
You have the right to know what personal data we process and hold about you.
Right to rectification (Article 16)
You have the right to have any incorrect, inaccurate or incomplete personal details that we hold about you revised or supplemented without undue delay. You are also entitled to have any unnecessary personal data erased from our records.
Right to be forgotten (Article 17)
In certain circumstances, you have the right to have your personal data erased from our records.
The right to erasure does not apply, if the processing is necessary for us to comply with our legal obligations or perform tasks carried out in the exercise of official authority.
Right to restrict processing (Article 18)
In certain circumstances, you have the right to request us to restrict processing your personal data until the accuracy of your data, or the lawful basis for processing your data, has been appropriately reviewed and potentially revised or supplemented.
Right to data portability (Article 20)
You have the right to obtain a copy of the personal data that you have submitted to the University in a commonly used, machine-readable format and transfer the data to another data controller. This right applies to situations where data is processed automatically on the basis of consent or contract.
This means that the right to data portability does not apply to data processing that is necessary for the performance of a task carried out in the public interest or to fulfil legal obligations imposed on the data controller. Consequently, this right does not generally apply to the higher education institution’s personal data registers.
Right to object (Article 21)
You may at any time object to the processing of your personal data for special personal reasons, if the basis for processing is a task carried out in the public interest, the exercise of official authority, or the higher education institution’s legitimate interests. After receiving such a request, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for processing your data.
Right to lodge a complaint with a supervisory authority (Article 77)
You have the right to lodge a complaint with a supervisory authority, if you consider that the processing of your personal data violates the provisions of the GDPR (2016/679). In addition, you may follow other administrative procedures to appeal against a decision made by a supervisory authority or seek a judicial remedy.
Street address: Lintulahdenkuja 4
Postal address: PO Box 800, FI-00531 Helsinki, Finland
Email: tietosuoja [at] om.fi
Switchboard: +358 2956 66700
Questions about data protection
You can request to have any inaccurate personal data rectified in connection with the process where the data is generated. Please address your written request primarily to a contact person at PSYKE. Please deliver all subject access requests to the data protection officer of Tampere Universities (by email at dpo [at] tuni.fi () or by post to the following address: Data Protection Officer, Tampere University, FI-33014, Tampere, Finland).
This privacy notice was updated on 22 September 2021.