Ethical business

The Code of Conduct translates Terveystalo’s values into concrete principles that constitute the foundation for Terveystalo’s day-to-day operations and decision-making. Ethical, responsible and compliant conduct of business is essential in Terveystalo’s operations, also due to the industry the company operates in. Terveystalo’s business is guided by the legislation governing the industry and private healthcare services, as well as the regulations and requirements established by the authorities. The work of healthcare professionals is also guided by the ethical standards of their specific professional groups.

The Code of Conduct supports the company culture and provides a framework that helps ensure compliance with Terveystalo’s values and internal guidelines as well as applicable legislation. The Code of Conduct also reflects Terveystalo’s commitments to its key stakeholders. Terveystalo is committed to promoting ethical business practices and requires that all of the company’s operations are conducted in compliance with the applicable laws and regulations. In addition to compliance with legislation and Terveystalo’s Code of Conduct, Terveystalo aims to observe generally recognised ethical standards, such as the UN Global Compact principles. Terveystalo also continuously develops its compliance program and the related processes and controls to ensure that they correspond to the changes in the operating environment.

The Code of Conduct serves as a shared compass for everyone at Terveystalo. The Code of Conduct comprises Terveystalo’s key principles regarding anti-bribery and anti-corruption, compliance with fair competition and environmental requirements, ensuring privacy and patient safety, employee equality, non-discrimination and the freedom of association, as well as the reporting of misconduct, among other things. The Code of Conduct is linked to all of the material sustainability topics related to ethical business practices as defined by Terveystalo: responsible supply chain, anti-corruption and anti-bribery, the creation and distribution of economic value added, respecting human rights, company culture, as well as patient data protection and information security.

Terveystalo does not tolerate any form of discrimination, harassment, bullying, racism or inappropriate treatment, nor does Terveystalo condone the use of child labour, any form of forced labour or other human rights violations in its own operations or its value chain or supply chain. Terveystalo respects the human rights set out in the UN Declaration of Human Rights as well as the workers’ rights defined by the International Labour Organisation (ILO) and related international conventions. The company is committed to the UN Global Compact initiative and its principles pertaining to human rights and labour rights. Terveystalo’s service providers, suppliers and other partners are also expected to observe the same principles and respect internationally recognised human rights. Principles related to human rights are included in Terveystalo’s Code of Conduct and Supplier Code of Conduct.

Everyone at Terveystalo is required to observe the Code of Conduct, regardless of their business unit or role in the company. Terveystalo also expects its partners and subcontractors to observe the same ethical principles. Terveystalo’s Board of Directors approves the Code of Conduct. Terveystalo’s executives and management are responsible for the communication and implementation of and monitoring compliance with the Code of Conduct. Terveystalo’s Legal & Compliance department supports the organisation with issues related to the Code of Conduct and provides related training to the personnel. Terveystalo’s Code of Conduct is published and available to everyone on the company’s website.

Terveystalo Group also expects its suppliers to observe high standards of sustainable business with regard to ethical, social and environmental perspectives, as well as occupational health and safety. Each year, Terveystalo purchases services, materials and supplies for its clinics from approximately 5,000 suppliers. Of these, the 190 largest suppliers account for about 80 percent of total purchasing expenditure. The largest procurement categories are subcontracted services, such as cleaning, consulting and laboratory services, as well as the renting of business premises, pharmaceutical products, ICT procurement, and healthcare supplies and equipment.

Terveystalo Group’s Supplier Code of Conduct sets out the minimum requirements that all suppliers and partners need to satisfy in order to engage in business with Terveystalo and its subsidiaries. All of Terveystalo’s contract suppliers and suppliers participating in tendering processes are required to accept Terveystalo’s Supplier Code of Conduct. The topics covered by the Supplier Code of Conduct include, for example, health and safety, environmental protection, human rights, labour rights, ethics and integrity in business, and systems for managing the responsibility of operations. Sustainable operating practices are developed in cooperation with Terveystalo’s contractual partners.

The Supplier Code of Conduct includes a commitment to compliance with, among other things, internationally recognized human rights, as defined in the UN’s Universal Declaration of Human Rights, international fundamental rights at work as defined in the conventions of the International Labour Organisation (ILO), the UN Guiding Principles on Business and Human Rights, international standards pertaining to environmental protection, and all laws and regulations issued by the authorities in all of the operating countries of contract suppliers and suppliers participating in tendering processes. Terveystalo’s Supplier Code of Conduct was last updated in late 2023. The Supplier Code of Conduct is published and available to everyone on the Terveystalo website. Other policies and documents that support Terveystalo’s responsible procurement and supplier cooperation include Terveystalo’s procurement policy, the related procurement guidelines, the supplier management handbook, and audit plans.

To ensure compliance with the Supplier Code of Conduct and other contractual terms, Terveystalo conducts supplier self-assessments and regular audits. The audits are carried out on a targeted basis, approximately 2–3 times per year on average. The suppliers to be audited are selected on the basis of sources of risk associated with the supplier, or due to the supplier having a significant impact on profit performance. Supplier audits are carried out by the company’s own procurement personnel and include a preliminary information form completed by the supplier, an interview with the supplier, a site visit and feedback sessions. The objective of supplier audits is to develop supplier cooperation and ensure that the audited supplier’s operations satisfy the contractual requirements pertaining to the content of the service, responsibility, quality and information security. The outcomes of audits can include identified strengths, observations on development areas, slight or significant deviations, or potential breaches of agreement. Terveystalo provides the audited supplier with a written summary of the audit results and potential deviations. For any identified deviations, an action plan is required to rectify the deviations and ensure compliance with the contractual requirements. Three supplier audits were carried out in 2023. The subjects included two cleaning service providers and a workwear partner, including workwear laundry services and workwear manufacturing. The audits did not reveal any significant deviations.

One important aspect of Terveystalo’s culture of doing the right thing is that everyone who acts on behalf of or with Terveystalo, and every customer, partner and supplier, feels that they can freely report any suspicions of misconduct and trust that Terveystalo will take appropriate measures to investigate any actions that are or are suspected of being in violation of the Code of Conduct. Terveystalo has online training on the Code of Conduct aimed at everyone in Terveystalo. The training includes instructions on highlighting and reporting misconduct. Terveystalo’s Code of Conduct emphasises that actual or suspected violations of the Code of Conduct must be reported to the supervisor, the supervisor’s supervisor or Terveystalo’s Legal & Compliance department. Suspected misconduct can also be reported via Terveystalo’s reporting channel (WhistleB), which is open to everyone. The reporting channel can be used, for example, if the suspicion concerns serious misconduct or if, due to the sensitivity of the matter, it is necessary to report it anonymously. The reporting channel enables anonymous reporting of observed or suspected misconduct at http://www.report.whistleb.com/en/terveystalo. The reporting channel has been in use since 2017, and it has established itself as one of the possible channels for reporting suspected misconduct or violations.

The principles and practices according to which all parties operating within Terveystalo’s organisation or as Terveystalo’s partners can report suspected crimes, violations, misconduct or other deviations confidentially are set out in the processing instructions for Terveystalo’s reporting channel. The processing instructions for the reporting channel include the principles and practices related to, among other things, the submission of reports, the processing and investigation of reports, sensitive data and data storage, processing time limits, disqualification of the processor, protection of the person who submitted the report, and the functions and persons that process reports. The processing instructions do not supersede the rules or obligations arising from national legislation or EU law.

Terveystalo encourages all of its employees and private practitioners to report any potential misconduct without delay. The reporting channel can be used to submit reports concerning actual or suspected misconduct related to, for example, the following topics: consumer protection, the prevention of money laundering and terrorist financing, violations of financial market rules and regulations, violations of procurement legislation or unfair competition, environmental protection, violations of data protection legislation and regulations governing the security of network and information systems, taxation, product safety and compliance, violations of the Code of Conduct, as well as actual or suspected violations of the applicable industry-specific regulations, including the Radiation Act and the Medicines Act. The processing instructions for the reporting channel are therefore linked to all of the material sustainability topics related to ethical business practices as defined by Terveystalo: responsible supply chain, anti-corruption and anti-bribery, the creation and distribution of economic value added, respecting human rights, company culture as well as patient data protection and information security.

In 2023, Terveystalo received a total of 13 (19) reports through the reporting channel. Of the reports received in 2023 whose investigation has been completed, a violation of the Code of Conduct was observed in two instances, which led to a disciplinary process. For certain reports received late in the year, the investigations are yet to be completed. The findings arising from the reports and completed investigations have been taken into consideration in the development of Terveystalo’s processes.

Investigation of suspected misconduct

All reports and suspicions of misconduct are investigated without delay, independently and impartially regardless of the channel used to report the observed or suspected misconduct, or whether the suspicion of misconduct arises in connection with normal operating activities. In accordance with the law, Terveystalo maintains confidentiality with regard to the identity of the reporter and the subject of the report, as well as other aspects of the report. Terveystalo protects persons who submit reports in accordance with the Act on the Protection of Persons Reporting Infringements of European Union and National Law (1171/2022, as amended). Even though a reported suspected violation proves to be unwarranted, there are no negative consequences to the reporter provided that the reporter has acted in good faith. Terveystalo does not allow any kind of retaliation, such as threats, punishments or discrimination against persons who submit reports or persons participating in investigations of reports. Actions to prevent reporting, or to influence the content of a report, are also prohibited.

Reports are only processed by persons designated to process reports in the HR or Legal & Compliance function and, where necessary, specialists and Terveystalo’s external advisors appointed on an investigation-specific basis. The designated persons are updated as necessary. The persons who process reports are clearly indicated on the website of the reporting channel. If any of the persons who process reports are potentially disqualified from processing a report, the reporter is encouraged to point this out when submitting their report so that the persons who process reports can take the necessary measures to ensure the impartial processing of the report. Disqualified persons will not participate in the processing of the report. Terveystalo’s Senior Vice President, People and Careers processes reports concerning HR matters, the Chief Medical Officer processes reports concerning medical matters, and the Data Protection Officer processes reports concerning data protection. Reports concerning other matters are processed by Terveystalo’s Legal & Compliance function. During the course of an investigation, other specialists can also be appointed to the investigation team if necessary. Where necessary, in investigations of reports concerning an employment relationship, the supervisor of the reporter’s supervisor is also engaged in the investigation at an early stage, unless the supervisor’s supervisor is the subject of the report or if engaging them in the investigation is otherwise not appropriate. The subject of the report is heard during the investigation if possible. Where necessary, assistance can be sought from external advisors who are specialists in the subject matter of the report. Any significant cases of misconduct are reported to Terveystalo’s management and the Audit Committee of the Board of Directors.

The steps involved in the processing of reports are described in more detail in the processing instructions for Terveystalo’s reporting channel, which are available to everyone on the company’s website in Finnish. The processing instructions for the reporting channel apply to Terveystalo Group’s employees, private practitioners, shareholders, management, trainees and other persons who have observed violations in the course of their work, and who have submitted a report through Terveystalo’s reporting channel or to a Terveystalo representative (supervisor, management), unless otherwise stated in the processing instructions. However, in Sweden, Feelgood Svenska AB and its subsidiaries have their own internal reporting channel. Terveystalo’s executives and management are responsible for the communication and implementation of and monitoring compliance with the Code of Conduct. Violations of the processing instructions for the reporting channel must be reported to Terveystalo’s Legal & Compliance function. The processing instructions and the related processes were revised in early 2023 following the entry into force of the Act on the Protection of Persons Reporting Infringements of European Union and National Law (1171/2022, as amended). The processing instructions are updated as necessary.

Privacy protection is a core value for Terveystalo, and the realisation of data protection is on the responsibility of everyone who works at Terveystalo, or for Terveystalo. Terveystalo respects the privacy of all groups of people. Special attention is paid to the appropriate and legally compliant processing of personal data at Terveystalo. Terveystalo provides its personnel with training and instructions on the processing of personal data and emphasises the particular confidentiality and protection of patient data. A revised online data protection course aimed for everyone at Terveystalo was introduced in the fall of 2023. In connection with this, the course content was revised and moved to a new online platform to improve the user experience.

The digitalisation of healthcare presents significant opportunities for improving access to care, the effectiveness of care and the early identification of risks. Terveystalo has made significant investments in the development of digital services and tools. As digital services increase in importance and reshape the industry, the requirements concerning data protection and information security increase accordingly. At Terveystalo, patient data is stored in information security certified patient information systems. Terveystalo’s patient information systems in Finland are category A systems and they have undergone information security certification in accordance with the regulations related to providing Kanta services. In addition, Terveystalo’s data protection and information security are regularly audited in accordance with the ISO 9001:2015 certification, both internally and by an external party.

Terveystalo applies the appropriate physical, technical and administrative protection measures to protect data from misuse. These measures include, among other things, control and filtering of network traffic, use of encryption techniques and secure data centres, appropriate access control, controlled granting of access rights and supervising their use, issuing instructions to personnel participating in personal data processing, and risk management related to the planning, implementation and maintenance of services. Terveystalo chooses its subcontractors carefully and uses agreements and other arrangements to ensure that they process data in compliance with the law and good data protection practices.

Data protection and information security policies provide guidance for data protection practices and the realisation of data protection on high level

The data protection policy sets out the principles, obligations, responsibilities, organisation, operating practices and monitoring practices that Terveystalo observes in the implementation and development of data protection. The data protection policy serves as the basis for data protection procedures and guidelines, and its purpose is to ensure the realisation of the rights and freedoms of Terveystalo’s customers, personnel and individual stakeholders with regard to personal data. The data protection policy sets out the principles and methods for ensuring the appropriate processing of personal data throughout its lifecycle. It also ensures compliance with legislation governing privacy, data protection and other applicable special laws. The data protection policy describes the processing principles of personal data that govern all activities at Terveystalo. The principles are lawfulness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality.

Terveystalo fosters the realisation of the legal rights of data subjects by informing the data subjects about the processing of personal data and by specifying operating models and instructions for the situations in which the data subjects wish to exercise their aforementioned rights. In accordance with the legislation, a privacy statement and other documentation required by legislation or the authorities are prepared on the processing of personal data. As a rule, data subjects are informed of the processing of personal data in connection with the collection of personal data. Data subjects can read the privacy statement on the controllers’ websites and operating locations. Other additional information on the processing of personal data is available on the company’s website or in the service in question.

Everyone working at Terveystalo, or for Terveystalo, is responsible for the realisation of data protection in Terveystalo Group. Terveystalo’s personnel must comply with the data protection policy, and everyone has a duty to process personal data appropriately and to highlight any observed deficiencies in data protection. The parties responsible for the implementation and management of data protection are Group management, the directors responsible for specific functions, and unit directors in their respective areas of responsibility. As required by law, Terveystalo Group has a Data Protection Officer who performs duties in accordance with the General Data Protection Regulation and reports directly to Group management in accordance with the law. Terveystalo has data protection working groups that discuss and monitor issues related to data protection and develop related functions and activities.

The data protection policy is confirmed by Terveystalo Group’s CEO. Terveystalo’s Legal Affairs is responsible for maintaining the policy. The data protection policy is updated as necessary.

Data protection is closely linked to information security, and the realisation of data protection is contingent on information security measures. Information security includes, among other things, contractual, organisational and technical measures that ensure the confidentiality and integrity of information, access to systems and the realisation of the rights of data subjects. The purpose of information security is to protect data and information systems. The objectives, responsibilities, and implementation methods of information security at Terveystalo are set out in the information security policy. The key objectives of the information security policy are the protection of personal data that is in Terveystalo’s possession (e.g. customer and patient data), as well as material subject to intellectual property rights and copyright, and ensuring their appropriate processing; compliance with obligations stipulated by laws, decrees, norms, official regulations and contracts; the identification of threats to Terveystalo’s operations and the appropriate management of information risks, and ensuring the reliability and cost-effectiveness of information processing.

Information security is an integral part of security and development of all of Terveystalo’s operations. Everyone working at Terveystalo, or for Terveystalo, is responsible for ensuring information security at work. In addition to complying with any received instructions, everyone is also responsible for helping others to follow working practices that ensure information security. The unit director is responsible for ensuring that each employee and private practitioner working at the unit has actual capabilities for taking information security into account at work and for ensuring that any observed deficiencies are rectified. The Chief Financial Officer is in charge of the management and development of information security. The Director responsible for information security appointed by the Chief Financial Officer is in charge of day-to-day information security management. The duties of the Director responsible for information security include the promotion of projects related to development of information security, the development of guidelines, advice and training, the specification of technical information security requirements, monitoring and reporting on the information security situation, and processing information security deviations in cooperation with the Data Protection Officer, the Group’s general administration and the business areas. The Director responsible for information security reports to the Group Executive Team members responsible for information security and digital services.

The Director responsible for information security is authorised and obligated to conduct assessments and audits related to information security. The Director responsible for information security is responsible for taking action to eliminate any identified information security threats and deviations and reporting them to the authorities if necessary. Everyone working at Terveystalo has an obligation to report any observed information security deficiencies and problems to the information security organisation. The information security policy is developed according to the observations made. The Director responsible for information security is in charge of the development efforts.

Terveystalo’s internal control and risk management policy sets out the purpose, objectives and responsibilities of internal control and risk management, as well as describes the risk classification and risk management structures and the risk assessment process. The internal control and risk management policy is approved by the Board of Directors. The internal control and risk management policy is linked to all of the material sustainability topics related to ethical business practices as defined by Terveystalo: responsible supply chain, anti-corruption and anti-bribery, the creation and distribution of economic value added, respecting human rights, company culture as well as patient data protection and information security.

The purpose of internal control is to ensure that Terveystalo’s operations are efficient and effective, the information used by the management in decision-making is reliable, the operating principles are observed, and the company operates in compliance with laws and regulations. Internal control supports the supervisory work of the Board of Directors and comprises any measures and procedures aiming to ensure the achievement of said goals. Internal control covers the organisation’s internal operating environment, goal setting, risk management, control measures, information flow, communications, and monitoring. Internal control is integrated into Terveystalo’s management and reporting system. Internal control is carried out by Terveystalo’s Board of Directors, the Audit Committee, Group management, operational management and employees, as well as the Group’s internal audit and quality assurance function. The Group has an outsourced internal audit function.

The purpose of risk management is to support the achievement of business goals by supporting decision-making. It helps to ensure the fulfilment of the customer promise, patient safety and occupational safety, high-quality services, financial performance, business continuity, a good company image, and corporate social responsibility. Risk management also involves conscious risk-taking to seize opportunities. The objectives of risk management include, among other things, ensuring Terveystalo’s clinical quality and patient safety, the fulfilment of customer promises, business continuity and the achievement of strategic and operational targets, as well as ensuring personnel competence and occupational safety, as well as information security and data protection. Terveystalo’s Board of Directors is responsible for the adequacy of risk management. The CEO is in charge of the organisation of risk management and guides and monitors risk management at the executive level. The other members of the Executive Team support the CEO in implementing risk management, monitoring operational risks, assessing risks, and implementing measures related to risks.

Terveystalo’s internal control, risk management and internal auditing are described in more detail in Terveystalo’s Corporate Governance Statement.

Terveystalo’s Code of Conduct includes a commitment to fair competition. Terveystalo competes fairly, with integrity and in compliance with the applicable legislation. All Terveystalo employees are required to comply with laws, regulations and internal guidelines pertaining to competition, including Terveystalo Group’s competition law guidelines. The Group's competition law guidelines include, among other things, instructions on compliance with competition rules in relation to competitors, suppliers, private practitioners and customers, as well as instructions pertaining to memberships in industry associations. The competition law guidelines are linked to the following material sustainability topics related to ethical business practices as defined by Terveystalo: responsible supply chain, anti-corruption and anti-bribery, the creation and distribution of economic value added and company culture.

The Group Executive Team member in charge of legal affairs is responsible for the competition law guidelines. Each member of the Executive Team is responsible for compliance with the guidelines in their respective areas of responsibility. Terveystalo’s Legal Affairs unit is responsible for maintaining the competition law guidelines. The guidelines are updated as necessary.

In the area of anti-corruption and anti-bribery, Terveystalo complies with the law and other applicable regulations and guidelines. Terveystalo is also committed to the UN Global Compact initiative and its anti-corruption principles. Terveystalo’s operations are also guided by the Code of Conduct, which includes anti-corruption and anti-bribery guidelines regarding, for example, giving and accepting gifts and hospitality as well as the avoidance of conflicts of interest.

The prevention of corruption and bribery is included in Terveystalo’s Code of Conduct, which addresses the giving and accepting of gifts and hospitality, sponsorships, accepting and making donations as well as understanding and avoiding conflicts of interest. All of Terveystalo’s contract suppliers and suppliers participating in tendering processes are required to accept Terveystalo’s Supplier Code of Conduct, which includes anti-corruption and anti-bribery guidelines and requirements, among other things. Terveystalo’s Code of Conduct and Supplier Code of Conduct are published and available to everyone on the company’s website.

Terveystalo’s Code of Conduct emphasises that gifts or other benefits that could affect business decisions or have considerable personal or financial value are not given or accepted in Terveystalo. Terveystalo has mandatory online training on the Code of Conduct for all employees. The aim of the training is to provide an improved understanding of key compliance-related themes, such as the avoidance of conflicts of interest and the prevention of bribery.

Political influence is included in Terveystalo’s Code of Conduct, according to which Terveystalo does not support political activities. Terveystalo does not make financial contributions to political parties or organisations, directly or indirectly, nor does Terveystalo fund the election campaigns of individual candidates.

In addition to customers, personnel, private practitioners and shareholders, Terveystalo’s key stakeholders include the authorities and societal decision-makers that influence the legislation governing Terveystalo’s industry and the drafting of such legislation. Terveystalo’s other key stakeholders include the supervisory authorities and the media, in addition to which Terveystalo also engages in close interaction with lobbyists within the sector. Open dialogue and effective cooperation with key stakeholders enable a more predictable operating environment for all parties.

The development and renewal of healthcare is a shared goal for Terveystalo, the authorities and decision-makers. Terveystalo engages in open dialogue on issues related to the healthcare sector with the authorities and societal decision-makers. The channels of interaction include open dialogue, meetings and staying in touch through, among other things, participation in various working groups and events. Terveystalo also has representatives in several organisations. The most significant of these are the Confederation of Finnish Industries, the Central Chamber of Commerce, the Helsinki Region Chamber of Commerce, the Finnish Association of Private Care Providers HALI, the Association of Finnish Private Healthcare Providers, the Finnish Association of Purchasing and Logistics LOGY, and FIBS ry. Terveystalo conducts open dialogue with industry organisations on topics related to the industry and engages in diverse cooperation with organisations such as, among others, the Finnish Association of Private Care Providers HALI and the Association of Finnish Private Healthcare Providers. The cooperation channels include working groups and various events.

Observed or suspected misconduct related to the Code of Conduct, can be reported anonymously at http://www.report.whistleb.com/en/terveystalo. All suspected misconduct and violations are investigated appropriately and confidentially regardless of the channel used to report the suspected misconduct, or whether the suspected misconduct is observed in connection with normal operating activities. Potential incidents related to corruption or bribery are reported to Terveystalo’s management and the Audit Committee of the Board of Directors. The processing of reports received through the reporting channel is described in more detail above in the section on the processing instructions for the reporting channel and in the processing instructions for Terveystalo’s reporting channel, which are published on the company’s website in Finnish. To ensure compliance with the Supplier Code of Conduct and other contractual terms, Terveystalo conducts supplier self-assessments and regular audits.

No cases of corruption or bribery were reported in 2023. Terveystalo continues to develop its anti-corruption and anti-bribery compliance program and related processes to reflect the changes in its operating environment. Terveystalo also focuses on ensuring compliance with legislation pertaining to economic sanctions.