Information systems for social welfare and health care under the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare
Valvira promotes and enforces compliance with the essential requirements for information systems intended for the processing of client data in social services and patient data in healthcare services. These information systems include the following:
client data transfer services
social services client information systems
health care patient information systems
Any information system used for processing client or patient data must comply with the essential requirements set for that purpose. The information system supplier is responsible for ensuring and maintaining compliance with these essential requirements.
The essential requirements are divided into three areas: functional requirements, interoperability, and data security and privacy protection.
Essential requirements under the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare
Functional requirements apply to functions and data contents in the information system. The functional requirements are rooted in the substantive legislation governing social welfare and health care services, such as the Medicines Act and the Act on the Status and Rights of Patients. The functionalities and data contents required of information systems are described in detail in the THL document Classification of essential requirements (excel, thl.fi, in Finnish only). The purpose for which the information system is used determines which functionalities and data contents must be implemented in it.
The information system supplier must use the system form to describe the functionalities and data contents implemented in the system as appropriate for its purpose. If the system is in category A, the information system supplier must submit the system form:
to Kela when signing up for the joint testing
to the data security inspection body when signing up for data security assessment
to Valvira when entering the information system in the Valvira information system database
Interoperability means that information systems to be linked to the Kanta Services must store patient or client data in the Kanta Services in such a way that those data can be retrieved by and displayed in another information system. Transferring client and patient data between various service providers in social welfare and health care through the Kanta Services will only be possible if the information systems transferring data are interoperable. Interoperability requires that the information systems to be linked to the Kanta Services must be implemented according to nationally defined specifications.
Interoperability is one of the essential requirements to be verified in the joint testing arranged by Kela that information systems in categories A2 and A3 must undergo. Kanta Services in category A3 are an exception, as they will not be separately joint tested. Further information on information system categories and classification can be found on the page Information system classification.
After an acceptably completed joint testing, Kela will issue a joint testing statement and report to the information system supplier. Kela joint testing is a service provided free of charge.
Any questions concerning joint testing must be addressed to Kela Joint Testing at email@example.com.
Data security means that information systems used for processing client data in social welfare and patient data in health care comply with the national data security requirements relevant for their purpose in order to ensure the confidentiality, integrity and availability of client and patient data. The data security requirements for information systems are described in detail in the document Classification of essential requirements issued by the National Institute for Health and Welfare.
Confidentiality means that client and patient data can be accessed only by persons authorised to access them. In practice, confidentiality is ensured in a patient information system for instance by having the system verify that a care relationship exists before a user is allowed to access patient data.
Integrity means that client and patient data can only be amended by persons authorised to do so, which is verified for instance by the signature of the professional in question. Integrity also requires client and patient data to be up to date and unambiguous, meaning that there must be no discrepancies between the records in a patient information system and the corresponding records in the Kanta Services, for instance.
Availability means that client and patient data must be available to social welfare and health care personnel whenever they are needed. For instance, patient data stored in the Kanta Services must be retrievable by social welfare and health care service providers at all times.
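As an added illustration of the confidentiality point above (the care-relationship check) and of the per-register log-keeping obligation described later on this page, the hypothetical PatientRecordService below refuses a read unless an active care relationship exists on the access date and records every attempt, allowed or denied, together with the register it concerns. This is constructed example code, not a Valvira, THL, Kela or supplier system, and all identifiers and records in it are invented.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

@dataclass
class CareRelationship:
    professional_id: str
    patient_id: str
    valid_from: date
    valid_to: Optional[date] = None  # None means the relationship is still open

    def active_on(self, day: date) -> bool:
        return self.valid_from <= day and (self.valid_to is None or day <= self.valid_to)

class PatientRecordService:
    """Hypothetical record store: a read succeeds only if the professional has a care
    relationship with the patient that is active on the day of access; every attempt,
    allowed or denied, is logged with the register it concerns."""

    def __init__(self, relationships: List[CareRelationship],
                 records: Dict[Tuple[str, str], str]) -> None:
        self._relationships = relationships
        self._records = records          # keyed by (register, patient_id)
        self.audit_log: List[dict] = []  # in-memory stand-in for per-register log storage

    def _has_active_relationship(self, professional_id: str, patient_id: str, day: date) -> bool:
        return any(r.professional_id == professional_id and r.patient_id == patient_id
                   and r.active_on(day) for r in self._relationships)

    def read(self, professional_id: str, register: str, patient_id: str, day: date) -> str:
        allowed = self._has_active_relationship(professional_id, patient_id, day)
        # Log before deciding so that denied attempts are recorded for oversight as well.
        self.audit_log.append({"register": register, "user": professional_id, "patient": patient_id,
                               "date": day.isoformat(), "action": "read", "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{professional_id} has no active care relationship with {patient_id}")
        return self._records[(register, patient_id)]

def read_attempt(service: PatientRecordService, professional_id: str, register: str,
                 patient_id: str, iso_day: str) -> Tuple[bool, Optional[str]]:
    # Wrapper returning (allowed, record) instead of raising, for callers that only report.
    try:
        return True, service.read(professional_id, register, patient_id, date.fromisoformat(iso_day))
    except PermissionError:
        return False, None

# Constructed sample data: invented identifiers, not drawn from any real register.
SERVICE = PatientRecordService(
    [CareRelationship("dr-001", "pat-100", date(2024, 1, 10), date(2024, 3, 31)),
     CareRelationship("dr-002", "pat-200", date(2024, 2, 1))],
    {("patient-register", "pat-100"): "visit note 2024-02-14", ("patient-register", "pat-200"): "lab summary"})
```

A read by dr-001 on pat-100 after 2024-03-31 is refused and still leaves an entry with allowed set to False in the log, which is the record oversight relies on.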
A data security audit must be performed on category A information systems to verify compliance with data security requirements. This audit is performed by a Traficom-approved data security inspection body, which will issue a data security certificate and report on an acceptably completed data security audit to the information system supplier. The data security certificate is valid for a maximum of three years, and its validity can be extended by a maximum of three years at a time.
The information system supplier may choose which Traficom-approved inspection body it will invite to perform the data security audit. A data security audit performed by a data security inspection body is a service for which a fee is charged.
A data security audit performed by a data security inspection body is not required for category B information systems. Instead, the information system supplier is responsible for ensuring that the information system complies with the essential requirements relevant for its purpose. The information system supplier may choose to commission a data security audit by an inspection body for a category B information system. When registering a category B information system, the information system supplier must affirm that the information system is compliant with the essential requirements relevant for its purpose as per legislation and regulations on data security and privacy protection. The data security requirements for a category B information system are described in the profile Minimum functional requirements for systems intended for processing client or patient data issued by THL (excel, thl.fi, in Finnish only).
The Act on the Electronic Processing of Client Data in Healthcare and Social Welfare (784/2021) sets forth the obligations of information system suppliers regarding the compliance of client and patient data systems, their maintenance, and the demonstration of compliance. An information system supplier offers or deploys an information system for processing client or patient data to a service provider.
The information system supplier is responsible for compliance with the essential requirements specified for the information system, either as the manufacturer of the information system or on behalf of the manufacturer, or on behalf of one or more manufacturers. Typically, the information system supplier is also the manufacturer.
The obligations of the information system supplier include but are not limited to:
demonstrating compliance with requirements, which for category A systems means certification and for category B systems means a report explaining that the information system complies with the essential requirements relevant for its purpose
monitoring and implementing the changes required to the information system in keeping with the time periods specified in legislation. Such changes may include adding a new functionality to the information system.
renewing the certification of any category A information systems so that the data security certificate is never out of date
The Act on the Electronic Processing of Client Data in Healthcare and Social Welfare sets forth the obligations of social welfare and health care service providers in respect of the deployment and use of client and patient data systems and their linking to the Kanta Services. A service provider may be an arranger or a producer of social welfare and/or health care services.
The obligations of social welfare and health care service providers include but are not limited to:
using an information system which complies with the essential requirements, whose purpose is consistent with the service provider’s operations and which is registered in the Valvira information systems register
becoming a user of the Kanta Services within the time periods given in legislation, if the service provider uses an information system intended for processing client and patient data
being responsible for the correctness of the data entered in the Kanta Services
deploying the new functionalities required by legislation within the time periods given
compiling log data, separately for each register, on all use and transfer of client and patient data, for the purpose of monitoring and oversight
notifying the information system supplier and Valvira of any significant nonconformities in compliance with the essential requirements. A nonconformity notification to Valvira can be submitted on the Report a nonconformity page
Senior Officer Jenni Björkman, tel. 0295 209 227 (specifically Kanta Services, patient information systems, separate imaging systems, prescription and pharmacy systems, and client data transfer services)
Senior Officer Marko Elo, tel. 0295 209 393 (specifically patient information systems, separate laboratory systems, prescription and pharmacy systems, and client data transfer services)
Senior Officer Essi Haglund, tel. 0295 209 372 (specifically client and patient information systems, separate imaging and laboratory systems, and client data transfer services)
Senior Engineer Antti Härkönen, tel. 0295 209 530 (specifically Kanta Services and patient information systems)
Senior Engineer Antti Vikström, tel. 0295 209 437 (specifically client information systems)