All Faculty students are required to sign a non-disclosure and information security pledge. The pledge is based on the Act on the Openness of Government Activities (621/1999, section 23 on non-disclosure obligation and prohibition of use) and the Act on the Status and Rights of Patients (785/1992, sections 13 and 14 on confidentiality and secrecy). Requests for investigation of suspected breaches of the secrecy obligation are submitted to the police, and such matters can also be assessed in disciplinary proceedings in accordance with section 45 of the Universities Act (558/2009).
The Faculty’s goal is to implement the signing of the confidentiality and information security pledge through the Sisu system in the early stages of studies.
Teaching situations
The general principle is that students are under a secrecy obligation whenever patient data are used in teaching. Patients must always be referred to in a respectful manner. No attempt may be made to identify the patients in the teaching material.
Teaching material must not be distributed, stored or recorded in any way if it contains material related to patients, unless the patient has given separate consent for this (rules for remote teaching published by the MediPeda team, in Finnish only). Students always log in to remote teaching sessions under their own name. If the teaching material for remote teaching includes material related to patients, students accessing such material must ensure that the physical space in which they do so is one where confidential information cannot be passed on to outsiders. In the case of group work, too, students must ensure that outsiders cannot observe the group work or other related discussions.
Content produced by students utilising patient data
All processing of patient data (e.g., video recording or other documentation) is carried out in accordance with valid legislation and the guidelines of the relevant care unit. The basic rule is that students do not record direct personal identifiers in their documents (e.g., patient records, case reports and research material drawn up by students). The IT equipment of the care organisation (e.g., HUS computers) is used to record personal data, unless another procedure has been agreed with the separate consent of the patient (Appendix 2 Producing teaching material at HUS). Under no circumstances must electronic material be stored on personal computers or cloud services. Students must consider whether the recording of personal data is necessary (the necessity of indicating, for example, place of treatment, exact age, gender, professional group or specific profession).
Students are responsible for ensuring that they process patient data appropriately and that the material does not fall into the hands of external parties. Students must destroy or return any teaching material containing personal data in a secure manner so that the patient data remain secret for the duration of the transfer (in accordance with the guidelines of the care organisation) and erase the data. In situations where a separate permit for a video or similar recording related to the teaching situation has been requested from the patient, the data environment in which the patient data can be processed must be determined separately (Appendix 1 University of Helsinki information security rules). Students must ensure that the material is appropriately disposed of when it is no longer needed. Printed material must be shredded into a confidential waste bin. Electronic material must be securely erased.
Social media and free time
Students are responsible for ensuring that they do not disseminate patient data or other confidential matters on social media or otherwise in their free time. When taking photos, students must ensure that no secret documents are visible in the background. Patient cases must not be discussed with outsiders or in public. For example, hospital corridors, lobbies and break rooms are considered public spaces.
Suggested reading: