Frequently asked questions about information systems
According to the Data Protection Ombudsman’s established decision-making practice, user log data is related to the access management of a data subject’s personal data and does not concern the data subject themselves. Rather, user log data can concern, for example the employees who processed the individual’s data. Article 15 of the General Data Protection Regulation provides for the data subject’s right of access to data concerning him or her. Since log data concerns access management and not the data subject on whose data it is accumulated, that individual is not entitled to log data by virtue of this right of access.
The Client Data Act, or Act on the Electronic Processing of Client Data in Healthcare and Social Welfare (159/2007), specifically provides for the right of patients and social welfare clients to log data. You can obtain information on who has used your patient records or social welfare client records, or to whom they have been disclosed. The Data Protection Ombudsman is not competent to evaluate the realisation of this right or to order such information to be delivered to patients or clients. More information on the disclosure of log register data is available in the Frequently asked questions about health care section under ”I suspect that my patient records have been processed without basis”.
Section 11 of the Act on the Openness of Government Activities concerning parties’ right of access can also be applied to log data, also enabling access to secret information from logs kept by authorities. The Data Protection Ombudsman is not competent to evaluate the realisation of the right of access to information by virtue of the Act on the Openness of Government Activities or to order such information to be delivered by virtue of the Act.