Big data architecture in health and social care: Requirements for personal data processing arising from the general legislation on information management
Keywords: information management, big data, legislation, enterprise architecture, personal data
Expectations are high for the utilisation of data masses in health and social care. Processing data is intended to create new understanding for service development through research, innovation activities and knowledge management. Processing personal data requires taking into account citizens' rights and the norms governing personal data processing. This is emphasised when the processing concerns sensitive data, such as health and social care data.
When designing and implementing big data architectures, the general law of information management (General Data Protection Regulation, Information Management Act, Act on the Openness of Government Activities, Data Protection Act and Archives Act) must be considered in addition to social and healthcare legislation. There has been no earlier research on the overall effect of this legislation on big data implementations.
This article aims to identify the requirements that the general law of information management places on big data architectures, especially from the point of view of personal data processing. The main research results are five categories of requirements originating from the legislation: 1) Administrative requirements, 2) Personal data protection, 3) Information management and security, 4) Data subject's rights and transparency and 5) Data transfers. In addition, the legislative requirements are connected to big data architecture roles.
Integrating typical big data architectures with legislative requirements is not problem-free. There is tension especially around purpose limitation, data minimisation, data accuracy, storage limitation and data processing transparency. Caution is needed when applying these requirements.
The GDPR and the Information Management Act emphasise management's ultimate responsibility for protecting data subjects' rights and for meeting good governance requirements in authorities' information management. Data protection impact assessments and information management change assessments are essential tools for risk management and for data protection by design and by default. Information management entities' instructions, education and internal auditing are also important. Because the applicable legislation is complex as a whole, official guidelines or a mass data reference architecture could be helpful to authorities. More empirical and legal dogmatic research related to mass data use in health and social care is needed.
Copyright (c) 2023 Finnish Journal of eHealth and eWelfare
This work is licensed under a Creative Commons Attribution 4.0 International License.