
Secure operating environments under the Act on the Secondary Use of Health and Social Data
Promotion and supervision of information security and data protection in secondary-use environments
The National Supervisory Authority for Welfare and Health (Valvira) is responsible for ensuring that environments for the secondary use of health and social data satisfy the applicable information security and data protection requirements. The requirements are based on a regulation of the Health and Social Data Permit Authority (Findata). Valvira has oversight of both the secure operating environment provided by Findata and other service providers’ secure operating environments. Valvira also keeps a public database of regulatorily compliant secure operating environments registered by service providers.
As of 1 May 2022, the secondary use of health and social data by private individuals for scientific research, the compilation of statistics and the preparation of teaching materials as well as planning and investigation tasks of the authorities requires not just a data permit but also a secure operating environment that satisfies the requirements set out in Findata’s regulation. As a rule, data sets are disclosed in Findata’s operating environment. However, the Act on the Secondary Use of Health and Social Data also allows for the disclosure of data sets in other operating environments where necessary and provided that the operating environments have been issued a certificate of conformity by an information security inspection body and entered into Valvira’s database of secondary-use environments.
Information security audits on operating environments can only be performed by information security inspection bodies accredited by the Finnish Transport and Communications Agency (Traficom). Traficom has also established a set of criteria that accredited inspection bodies must satisfy in order to perform information security audits on operating environments under the Act on the Secondary Use of Health and Social Data and issue certificates of conformity with the requirements. A list of inspection bodies that satisfy the competence criteria can be found on the website of the National Cyber Security Centre.
Under the Act, data may be disclosed to a permit holder for processing purposes before 1 May 2022, even if the data permit application does not specify a secure operating environment for the processing of data as referred to in the Act. In this case, the disclosure of data requires a fixed-term data permit that is valid no longer than until 30 April 2022.
The requirements for secondary-use environments are based on
- the Act on the Secondary Use of Health and Social Data (552/2019) and
- a regulation of the Health and Social Data Permit Authority (Findata).
All secondary-use environments must be entered into Valvira’s database. Only operating environments that satisfy the applicable information security and data protection requirements can be registered and deployed. Demonstrating conformity with the requirements is the service provider’s responsibility. Operating environments must also continue to satisfy the applicable information security and data protection requirements after they are deployed and for as long as they are live and included in Valvira’s database. Information security and data protection must be factored into, for example, risk management procedures, any changes introduced to operating environments and service providers’ information security management models. Service providers also have a responsibility to systematically monitor and analyse users’ experiences of their operating environments.
Service providers must be able to produce a valid certificate from an information security inspection body, up-to-date documentation and, if necessary, technical specifications as proof of their operating environment’s conformity with the requirements.
Valvira supervises operating environments under the Act on the Secondary Use of Health and Social Data by means of, for example, assessment and guidance visits, investigations and inspections.
Obligations of the information system supplier
The Act on the Electronic Processing of Client Data in Healthcare and Social Welfare (784/2021) sets forth obligations for information system suppliers concerning the compliance of client and patient data systems, their maintenance and the demonstration of compliance. An information system supplier offers or deploys an information system for processing client or patient data to a service provider.
The information system supplier is responsible for compliance with the essential requirements specified for the information system, either as the manufacturer of the information system or on behalf of the manufacturer, or on behalf of one or more manufacturers. Typically, the information system supplier is also the manufacturer.
The obligations of the information system supplier include but are not limited to:
- demonstrating compliance with requirements, which for category A systems means certification and for category B systems means a report explaining that the information system complies with the essential requirements relevant for its purpose
- monitoring and implementing the changes required to the information system in keeping with the time periods specified in legislation. Such changes may include adding a new functionality to the information system.
- renewing the certification of any category A information systems so that the data security certificate is never out of date
- notifying Valvira about any substantial changes made to the information system and about termination of the use of the information system. The notification to Valvira may be made using the register notification on the Register an information system page.
- notifying all service providers using the system of any significant nonconformities
- notifying Valvira of any significant nonconformities. A nonconformity notification to Valvira can be submitted on the Report a nonconformity page.
Essential requirements under the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare
Functional requirements apply to functions and data contents in the information system. The functional requirements are rooted in the substantive legislation governing social welfare and health care services, such as the Medicines Act and the Act on the Status and Rights of Patients. The functionalities and data contents required of information systems are described in detail in the THL document Classification of essential requirements (excel, thl.fi, in Finnish only). The purpose for which the information system is used determines which functionalities and data contents must be implemented in it.
The information system supplier must use the system form to describe the functionalities and data contents implemented in the system as appropriate for its purpose. If the system is in category A, the information system supplier must submit the system form:
- to Kela when signing up for the joint testing
- to the data security inspection body when signing up for data security assessment
- to Valvira when entering the information system in the Valvira information system database
If the system is in category B, the information system supplier must submit the system form to Valvira when entering the information system in the Valvira information system database. The minimum functional requirements for a category B information system are described in the profile Minimum functional requirements for systems intended for processing client or patient data issued by the National Institute for Health and Welfare (thl.fi, in Finnish only).
The details given on the system form must be up-to-date, correct and accurate as to the functionalities and data contents implemented in the system.
Interoperability means that information systems to be linked to the Kanta Services must store patient or client data in the Kanta Services in such a way that those data can be retrieved by and displayed in another information system. Transferring client and patient data between various service providers in social welfare and health care through the Kanta Services will only be possible if the information systems transferring data are interoperable. Interoperability requires that the information systems to be linked to the Kanta Services must be implemented according to nationally defined specifications.
Interoperability is one of the essential requirements to be verified in the joint testing arranged by Kela that information systems in categories A2 and A3 must undergo. Kanta Services in category A3 are an exception, as they will not be separately joint tested. Further information on information system categories and classification can be found on the page Information system classification.
After an acceptably completed joint testing, Kela will issue a joint testing statement and report to the information system supplier. Kela joint testing is a service provided free of charge.
Any questions concerning joint testing must be addressed to Kela Joint Testing at yhteistestaus@kanta.fi.
Data security means that information systems used for processing client data in social welfare and patient data in health care comply with the national data security requirements relevant for their purpose in order to ensure the confidentiality, integrity and availability of client and patient data. The data security requirements for information systems are described in detail in the document Classification of essential requirements issued by the National Institute for Health and Welfare.
Confidentiality means that client and patient data can be accessed only by persons authorised to access them. In practice, confidentiality is ensured in a patient information system for instance by having the system verify that a care relationship exists before a user is allowed to access patient data.
Integrity means that client and patient data can only be amended by persons authorised to do so, which is verified for instance by the signature of the professional in question. Integrity also requires client and patient data to be up to date and unambiguous, meaning that there must be no discrepancies between the records in a patient information system and the corresponding records in the Kanta Services, for instance.
Availability means that client and patient data must be available to social welfare and health care personnel whenever they are needed. For instance, patient data stored in the Kanta Services must be retrievable by social welfare and health care service providers at all times.
A data security audit must be performed on category A information systems to verify compliance with data security requirements. This audit is performed by a Traficom-approved data security inspection body, which will issue a data security certificate and report on an acceptably completed data security audit to the information system supplier. The data security certificate is valid for a maximum of three years, and its validity can be extended by a maximum of three years at a time.
The information system supplier may choose which Traficom-approved inspection body it will invite to perform the data security audit. A data security audit performed by a data security inspection body is a service for which a fee is charged.
A data security audit performed by a data security inspection body is not required for category B information systems. Instead, the information system supplier is responsible for ensuring that the information system complies with the essential requirements relevant for its purpose. The information system supplier may choose to commission a data security audit by an inspection body for a category B information system. When registering a category B information system, the information system supplier must affirm that the information system is compliant with the essential requirements relevant for its purpose as per legislation and regulations on data security and privacy protection. The data security requirements for a category B information system are described in the profile Minimum functional requirements for systems intended for processing client or patient data issued by THL (excel, thl.fi, in Finnish only).
Obligations of social welfare and health care service providers
The Act on the Electronic Processing of Client Data in Healthcare and Social Welfare sets forth the obligations of social welfare and health care service providers in respect of the deployment and use of client and patient data systems and their linking to the Kanta Services. A service provider may be an arranger or a producer of social welfare and/or health care services.
The obligations of social welfare and health care service providers include but are not limited to:
- using an information system which complies with the essential requirements, whose purpose is consistent with the service provider’s operations and which is registered in the Valvira information systems register
- being obliged to become a user of the Kanta Services within the time periods given in legislation, if the service provider is using an information system intended for processing client and patient data
- being responsible for the correctness of the data entered in the Kanta Services
- deploying the new functionalities required by legislation within the time periods given
- compiling log data, separately for each register, on all use and transfer of client and patient data, for the purpose of monitoring and oversight
- notifying the information system supplier and Valvira of any significant nonconformities in compliance with the essential requirements. A nonconformity notification to Valvira can be submitted on the Report a nonconformity page.
Contact persons
Senior Officer Jenni Björkman, tel. 0295 209 227 (specifically Kanta Services, patient information systems, separate imaging systems, prescription and pharmacy systems, and client data transfer services)
Senior Officer Marko Elo, tel. 0295 209 393 (specifically patient information systems, separate laboratory systems, prescription and pharmacy systems, and client data transfer services)
Senior Officer Essi Haglund, tel. 0295 209 372 (specifically client and patient information systems, separate imaging and laboratory systems, and client data transfer services)
Senior Engineer Antti Härkönen, tel. 0295 209 530 (specifically Kanta Services and patient information systems)
Senior Engineer Antti Vikström, tel. 0295 209 437 (specifically client information systems)