Information systems intended for processing client and patient data in social services and health care are classified into categories A and B, with category A further divided into subcategories A1, A2 and A3. The information system supplier is responsible for information system classification. Information system classification is to be undertaken according to the criteria given in THL Regulation 4/2021 and its appendix Examples of system classification.
In unclear cases, it is THL that will decide whether a system should belong to category A or B. Any questions concerning information system classification should be directed to THL at: email@example.com
The category of an information system determines how compliance with the essential requirements is to be verified before a social welfare or health care service provider is allowed to deploy the system. The category is also relevant for the registration process; for instance, it determines which documents have to be submitted before Valvira can register the system.
Category A includes information systems for processing client and patient data in social welfare and health care which are linked to the Kanta Services, either directly or through a client data transfer service, or which generate data structures or documents to be stored in the Kanta Services. Category A further includes information systems that process such extensive volumes of client and patient data that ensuring their privacy protection requires a data security audit performed by a data security inspection body.
Category A is further divided into subcategories:
A1: The system must be subjected to a data security audit, for which a data security certificate will be issued. Category A1 information systems are not subjected to joint testing. Client data transfer services, for instance, are in category A1.
A2: The system must acceptably pass joint testing, for which a joint testing report will be issued. The system must also be subjected to a data security audit, for which a data security certificate will be issued. Systems storing administrative data in the Kanta Services and separate specialist systems, for instance, are in category A2.
A3: The system must acceptably pass joint testing, for which a joint testing report will be issued. However, the joint testing requirement does not apply to the Kanta Services. The system must also be subjected to a data security audit, for which a data security certificate will be issued. Patient record systems linked to the Kanta Services used in health care, and client data systems used in social services, are in category A3. The Kela Kanta Services are also in category A3.
Category B includes information systems which are used for processing client and patient data in social welfare and health care but which:
are not directly connected to the Kanta Services
do not generate documents to be stored in the Kanta Services
are not subject to the requirement for a data security audit on the basis of a risk assessment as in category A1
Social welfare and health care services may also use information systems, software packages or applications that are not information systems within the definition given in the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare, even though they may be used for processing the name and address details of health care patients or social welfare clients.
Section 3(6) of the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare specifies which systems are subject to the obligations given in the Act:
An information system is defined as an entity consisting of information processing equipment, software and other information processing elements which, according to the functionalities designed by the manufacturer, is intended for the electronic processing of client data, for the storing and upkeep of client documents or for linking to national information system services.
For the purpose of the above definition, ‘client data’ subsumes both the client data entered in social welfare documents and the patient data entered in health care documents.
The following are examples of information systems that are unclassified software packages or applications:
Generic word processing or office software
Administrative support systems used by social welfare or health care service providers, such as meal order systems, materials management systems or user authorisation administration systems
Invoicing systems used by social welfare or health care service providers
Generic communications systems or applications, e.g. chat software
Valvira neither registers nor oversees information systems that do not belong to category A or B as per the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare.
In all processing of client and patient data, the general data security and privacy protection requirements, and all other legislation and regulations concerning the creation, processing and storage of client and patient data, must be complied with. These regulations are binding upon service providers regardless of how they actually create and store the client and patient data entries.