Cookies help us to develop our website and to improve its content and availability. Some cookies are necessary to ensure that the website functions properly. You can accept all cookies or just the necessary cookies. To change settings, click Cookie Settings. You can access the settings later from the Cookie practices page of the valvira.fi website.
Select an option below to determine which cookies to allow. When you are ready, click Save and exit. The website works even if you only agree to necessary cookies. There might be some differences, however. You can also change the settings later through our pages. Read more about the cookies on this valvira.fi website.
The necessary cookies are automatically stored on your browser when you use our web service. These cookies are used to ensure that the valvira.fi web service functions as intended.
Web analytics tool (Google Analytics) helps us to understand how our customers use the valvira.fi web service and from where they access the website.
We use the Siteimprove service to monitor the availability of the website, the functioning of links and the visibility of the website on search engines.
A ‘secure operating environment’ refers to any technical, organisational and physical data processing environment the information security of which has been ensured by means of appropriate administrative and technical safeguards. For safeguards to be considered ‘appropriate’, they must comply with the Act on the Secondary Use of Health and Social Data and satisfy the requirements set out in Findata’s regulation.
A ‘service provider’ in this context refers to any operator who provides services relating to a secure operating environment to its customers. Where an operating environment consists of components supplied by multiple service providers, a single service provider needs to be chosen to represent all the service providers involved in Valvira’s database of secondary-use environments. The service providers involved can agree on their contractual relationships and the division of responsibilities between themselves. Valvira coordinates any visits and correspondence relating to guidance and supervision with the service provider entered into the database.
FAQ – Frequently Asked Questions
Why should secure operating environments be registered in the Valvira register?
The registration of secure operating environments for secondary use are required by Act on the Secondary Use of Health and Social Data. Registration is part of the demonstration of requirements compliance with the operating environment. The service provider of the operating environment is responsible for the legal oblications imposed on it and for the requirements for a secure operating environment, which must be met at the time of registration and thereafter. Valvira´s task is to supervisor and promote compliance with the data protection and data security requirements of secure operating environments. If necessary, Valvira can perform inspections of registered operating environments.
Registration is also relevant to the disclosing of data referred to in the Secondary Act. Data which requires data permit may only be released to compliant and registered operating environments.
Where a hospital district’s secondary-use environment for scientific research is established by an IT service provider, which of the two – the hospital district or the IT service provider – is responsible for registering the environment with Valvira?
The hospital district and the IT service provider need to decide between themselves which of the organisations assumes ultimate responsibility for the service provider’s obligations and the environment’s regulatory compliance. In particular, they must ensure that the certificate of conformity issued by the competent information security inspection body identifies the correct organisation as the service provider responsible for the operating environment and that the same organisation is entered into Valvira’s database. The organisation designated as the service provider must have either a business ID or a VAT number. The designated service provider can agree to delegate certain practical responsibilities to its partner. The organisations can agree on their contractual relationships and the division of responsibilities between themselves. Valvira coordinates any visits and correspondence relating to guidance and supervision with the service provider entered into the database. The service provider is asked to name a contact person as part of the registration process.
Registration requests can be submitted and changes to entries in the database reported via the secure form submission portal or by emailing a PDF form to
Enquiries related to supervision can be sent by email to
Enquiries related to advice and guidance can be sent by email to