
Report significant nonconformities
Information system suppliers must submit a nonconformity notification to Valvira if they observe any significant nonconformities in their information systems in respect of compliance with essential requirements. Examples of a significant nonconformity would be flaws in the functionality of an information system or faults in interoperability, data security or privacy protection. Further information on when you should submit a nonconformity notification to Valvira is given under What are significant nonconformities?
A significant nonconformity must be reported by the information system supplier not only to Valvira but also to all service providers using that information system. For a category A system, the information system supplier must also report any significant nonconformities to the Kela Kanta Services in accordance with the Action in case of disruption guideline (kanta.fi).
Any service provider noticing a significant nonconformity in an information system it is using with regard to compliance with essential requirements must report this to the information system supplier. If a significant nonconformity noticed by a service provider is such that it can put client safety, patient safety or data security at risk, the service provider must submit a nonconformity notification to Valvira.
In case of a significant nonconformity putting client safety, patient safety or data security at risk, the nonconformity may also be reported by a pharmacy, by Kela or by THL, for instance. The Data Protection Ombudsman must be notified of any privacy protection nonconformities in compliance with the essential requirements of the information system.
Please note: the "Fill in the nonconformity notification" link is not yet operational. Make a free-form nonconformity notification and deliver it to Valvira's registry office at kirjaamo@valvira.fi. If you send confidential information by e-mail, use a secure e-mail connection at the address https://turvaviesti.valvira.fi.
You can also send the nonconformity notification to Valvira/Kirjaamo, PO Box 43, 00521 Helsinki.
Based on the nonconformity notification, Valvira may initiate supervisory measures in respect of the information system supplier or of the social welfare or health care service provider using the information system.
What are significant nonconformities?
The term significant nonconformity refers to a circumstance where an information system is no longer compliant with the essential requirements imposed on it as per the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare. A nonconformity may involve a defect in functionality, interoperability, data security or privacy protection.
Significant nonconformities include, but are not limited to:
- flaws or errors in the information system that may compromise client or patient safety
- flaws or errors in the information system that may compromise data security or privacy protection
- flaws or errors in the information system or its operating environment that may compromise the operation of social welfare and health care services
- a malfunction of or outage in the Kanta Services that may compromise client or patient safety or the operations of social welfare and health care services
- errors in the technical correctness and integrity of client and patient data stored in the Kanta Services, such as may cause extensive disruption, e.g. for interoperability
- expiry of the data security certificate of the information system
- absence of a statutory function in the system
If a system is obviously malfunctioning, Valvira has the authority to rule that the system is exhibiting a significant nonconformity in compliance with essential requirements, regardless of whether the malfunction in question is explicitly defined as a significant nonconformity in THL Regulations, functional requirements or any other specifications.