Finland is moving toward one of the most consequential data-governance reforms in its modern healthcare system—one that could fundamentally redefine the boundary between patient confidentiality and state security.
A draft law currently before Parliament would significantly expand the circumstances under which police and other authorities may access patient-related information held by healthcare providers. While the government frames the proposal as a practical response to crime prevention and national security concerns, critics warn it risks undermining one of the pillars of Nordic welfare states: trust in public healthcare.
What the Law Proposes
Under the draft legislation submitted in December, social and healthcare professionals would be legally obliged to confirm whether an individual is present in a healthcare facility when requested by the police, customs authorities, or the Border Guard.
The disclosure requirement would apply not only to serious crimes punishable by at least two years’ imprisonment, but also to lesser offences, including traffic endangerment. In addition, authorities could request information on broadly defined national security grounds—without the law specifying what level or type of threat would justify access.
In parallel, the Ministry of the Interior is advancing related reforms to the Police Act and data-sharing legislation. These proposals would:
- Expand access rights for police, customs, and border authorities
- Allow data sharing across agencies despite confidentiality rules if deemed in the “public interest”
- Permit limited data transfers to private actors in cases involving threats to life, health, or critical infrastructure
- Grant the Finnish Immigration Service (Migri) wider authority to access and share presence data on wanted individuals without a formal request
Government Rationale: Operational Efficiency
The government argues that current confidentiality rules have, in practice, hindered basic law-enforcement work. Officials cite cases where suspects could not be identified after committing violent acts inside hospitals because staff were legally barred from confirming their presence.
From the state’s perspective, the reform is less about mass surveillance and more about removing administrative blind spots between public authorities in an increasingly complex security environment.
Medical and Legal Pushback
Professional bodies see the matter very differently.
The Finnish Medical Association (Lääkäriliitto), joined by nine other organisations including Tehy and Talentia, has issued a rare joint warning that the proposal cuts directly against medical ethics and patient rights. In their view, the law would compel healthcare professionals to act as extensions of law enforcement—an obligation they argue is incompatible with their duty of care.
“Trust is the basis of all care. If a patient cannot be sure that their presence in a clinic or hospital will remain confidential, they may not seek help at all,” the Medical Association stated.
Crucially, critics emphasise that the law would not only affect criminal suspects. It would apply to the entire population, giving authorities access to information currently classified as highly sensitive under Finnish and EU data-protection frameworks.
Adjustments, but Core Concerns Remain
Following public consultation, the Ministry of Social Affairs and Health narrowed the scope of the proposal. An early draft would have required disclosures even for offences such as shoplifting committed outside healthcare premises. The revised version limits mandatory reporting to incidents occurring within healthcare facilities.
While this change reduced the most extreme scenarios, legal scholars note that the central issue remains unresolved: once confidentiality is weakened in principle, future expansions become easier to justify.
Why This Matters Beyond Healthcare
For business leaders and policymakers, the debate reaches far beyond hospitals.
Finland’s economy is deeply intertwined with data-intensive sectors—health technology, AI-driven diagnostics, life sciences, and digital public services. These industries depend not only on regulatory clarity, but also on public confidence that sensitive data will not be repurposed beyond its original intent.
There is also a broader Nordic context. Compared with Sweden, Norway, and Denmark, Finland has traditionally taken a stricter approach to medical confidentiality. Any departure from this norm could influence cross-border cooperation, data portability, and alignment with forthcoming EU initiatives such as the European Health Data Space.
Privacy advocates warn that Finland may be following a wider European trend: incremental expansion of state data access, often justified by security concerns, with safeguards lagging behind.
As the Medical Association put it, “Data protection is not just a technical requirement. It is a cornerstone of individual rights.”
Where Things Stand Now
As of early 2026, parliamentary committees are reviewing the proposals, and further amendments remain possible. The government has signalled its intention to move quickly, citing the evolving security landscape and the need for interoperable public-sector data systems.
Whether lawmakers can reconcile operational efficiency with long-standing ethical and legal norms will determine not only the fate of this legislation, but also Finland’s reputation as a high-trust, rights-based digital society.
Looking Ahead
Next article direction: How Finland’s healthcare data debate compares with similar reforms in Sweden, Denmark, and Germany—and what it means for Nordic health-tech investment and cross-border data flows.
Stay connected: Share your perspective or continue the conversation with Nordic Business Journal at editorial@nordicbusinessjournal.com and follow us for in-depth coverage on regulation, technology, and trust in the Nordic economies.