According to the Biobank Act, a biobank has the right to maintain personal registers for the purposes of biobank research. Such registers include the Consent Register, the Code Register and the Sample and Data Register.
BASIS FOR PROCESSING
The legal basis for processing personal data in the biobank is the public interest related to public health, in accordance with the Biobank Act and the EU’s General Data Protection Regulation (2016/679), Article 6(1)(e), and Article 9(2)(i).
CONTROLLER
The controller is the Wellbeing services county of Southwest Finland. The contact details of its Data Protection Officer are: tietosuoja@tyks.fi .
The person in charge of register matters at the biobank is director Lila Kallio, see contact details .
Information on the contents of each of Auria Biobank’s registers can be found through the links below.
Consent Register
The purpose of the Consent Register is to administer the criteria for the use of the samples and data and to ensure the realization of self-determination (consent/refusal). Data subjects are all those who have given biobank consent, submitted biobank refusal or a withdrawal thereof either on their own or their underage child’s or mentally incompetent person’s behalf. More information on submitting consent, refusal or withdrawal can be found on the the biobank consent and refusal page
The data saved in the register are:
- the person’s identification data (full name, personal identity code, address),
- information about the date of the consent/refusal/withdrawal (and document versions),
- answers to the questions on the consent form concerning contacts and
- information about whether samples or data concerning the person have been transferred to the biobank as so-called old samples based on the procedure in accordance with section 13 of the Biobank Act. In this case, the contents of the notification concerning the transfer and information about the transferring party are entered in the register.
The information saved in the Consent Register is obtained from the consent and refusal forms that are filled in by citizens. Information concerning old samples is obtained from the transferring health care unit or research group.
In accordance with Government decree 643/2013, the data contained in the Consent Register are saved permanently.
Code Register
The purpose of the Code Register is to secure the protection of privacy in biobank operations. Personal identity codes are replaced with a code issued by the biobank and stored in the Code Register. Data subjects are all those who have given biobank consent or whose samples have been transferred to the biobank as so-called old samples . The data saved in the Code Register include the person’s identification data (full name, personal identity) and the code issued by Auria Biobank. The identification data are obtained from the biobank’s Consent Register described above.
The information in the Code Register is stored either during the use of the sample and related information or for at least 25 years after the end of the biobank research to which the samples and/or data were assigned.
Sample and Data Register
A Sample and Data Register is maintained for biobank operations. Its purpose is to enable the up-to-date maintenance of samples and related information, and the use thereof in biobank research, as well as the monitoring and assessment of the biobank operations.
The data subjects are the donors, i.e. the persons who have given biobank consent and who have a sample in the biobank, and the persons whose sample has been transferred to the biobank as a so-called old sample .
The information saved in the Sample and Data Register includes:
- information about the type of consent
- donor identification data (code, gender, date of birth, date of death for deceased persons, cause of death)
- information related to the sample or its technical records (type of sample, date of sample collection, processing history, diagnostic information, statement text)
- health information concerning the donor (e.g. diagnoses, medical procedures, treatment, hospital visits)
- results and records of laboratory analyses, imaging and other examinations performed on the donor
- research results obtained from biobank research
The information saved in the register is obtained from:
- the patient registers of the Wellbeing services county of Southwest Finland, Satakunta hyvinvointialue and Pohjanmaan hyvinvointialue
- the donor him/herself
- the researchers participating in biobank research
- the research teams that have transferred so-called old research samples to the biobank
- the health care units that have transferred so-called old research samples to the biobank
The data contained are stored either during the use of the sample and related data or for at least 25 years after the end of the biobank research to which the samples and/or data were assigned.
DISCLOSURE OF DATA
The biobank forwards information on patients’ consent, refusal or withdrawal decisions to the wellbeing services county’s electronic health record system (EHRS). This allows the medical staff to see whether a patient has already made a decision on whether to give biobank samples, and the patient does not have to be repeatedly asked about the matter. No other information contained in the Consent Register is disclosed by the biobank.
The biobank does not disclose information in the Code Register to outsiders. Codes are not disclosed when the biobank assigns samples or data for research; instead, the biobank re-codes the samples and data for each research case.
The biobank assigns samples as well as the information in the Sample and Data Register to Finnish and foreign researchers or research teams for biobank research. Data security is ensured by encoding samples and data and by drawing up detailed contracts regarding how they are handled. More information about the disclosure terms and practices can be found on the page General principles governing access to samples and data .
The samples as well as the information in the Sample and Data Register can be disclosed outside the EU and EEA. Such disclosures are possible if the European Commission has decided that the data protection level in the country in question is sufficient or that other necessary security measures have been implemented. Such security measures are, for example, complying with the standard contractual clauses approved by the EC or if, for example, you have given your consent to the transfer of the samples or data in question.
The biobank does not, as a rule, disclose personal identity codes to third parties. Identifiable samples and data can only be assigned if the receiver has a permit granted by an authority or a legal basis for processing personal data, and if there is a justified need for it. The need may be, for example, to combine previous data collected by a researcher or data obtained from national social and health care registers with the biobank’s samples or data.
PROTECTION OF DATA
The starting point for biobank activities is protecting the donor’s information. See Data protection and rights of the donor .
The biobank maintains its registers in the information system environment of the Wellbeing services county of Southwest Finland. Employees log into the system using their personal credentials. The right of access is limited to those Auria Biobank employees who need to access the data contained in the register to perform their tasks. The director of the biobank grants access rights based on the employee’s job profile.
In accordance with wellbeing services county’s information security practices, the computers are located in rooms with electronic access control or in lockable rooms, access to which is monitored by a surveillance camera. In protecting documents, information security requirements according to state administration protection level III are applied. Manual material is stored separately in lockable metallic filing cabinets in spaces with restricted access.
RIGHTS OF DATA SUBJECTS
If you have any questions about data protection, please contact the biobank or the controller’s Data Protection Officer (tietosuoja@tyks.fi).
You have the right to contact or lodge a complaint with the Office of the Data Protection Ombudsman, which is the authority for the supervision of data protection in Finland: Tietosuojavaltuutetun toimisto, Ratapihantie 9, 6th floor, FI-00520 Helsinki: tietosuoja@om.fi.
More information on the rights of data subjects is available via the link The donor has a right to know