Frequently asked questions about information systems
According to the Data Protection Ombudsman’s established decision-making practice, user log data is related to the access management of a data subject’s personal data and does not concern the data subject themselves. Rather, user log data can concern, for example the employees who processed the individual’s data. Article 15 of the General Data Protection Regulation provides for the data subject’s right of access to data concerning him or her. Since log data concerns access management and not the data subject on whose data it is accumulated, that individual is not entitled to log data by virtue of this right of access.
The Client Data Act, or Act on the Electronic Processing of Client Data in Healthcare and Social Welfare (784/2021), specifically provides for the right of patients and social welfare clients to log data. You can obtain information on who has used your patient records or social welfare client records, or to whom they have been disclosed.
You do not have the right to receive the data, if disclosure of the data could cause a serious danger to the health or care of the client or patient or the rights of a third party. Information on the processing of data that is older than two years can only be received for a special reason. If the service provider does not think that the log data can be disclosed to you, the provider must make a decision on the refusal in writing. If you believe that there are no grounds for the refusal, you can submit the case to the Office of the Data Protection Ombudsman for processing.
Section 11 of the Act on the Openness of Government Activities concerning parties’ right of access can also be applied to log data, also enabling access to secret information from logs kept by authorities. The Data Protection Ombudsman is not competent to evaluate the realisation of the right of access to information by virtue of the Act on the Openness of Government Activities or to order such information to be delivered by virtue of the Act.