Secure operating environments under the Act on the Secondary Use of Health and Social Data
Promotion and supervision of information security and data protection in secondary-use environments
The National Supervisory Authority for Welfare and Health (Valvira) is responsible for ensuring that environments for the secondary use of health and social data satisfy the applicable information security and data protection requirements. The requirements are based on a regulation of the Health and Social Data Permit Authority (Findata). Valvira has oversight of both the secure operating environment provided by Findata and other service providers’ secure operating environments. Valvira also keeps a public database of regulatorily compliant secure operating environments registered by service providers.
As of 1 May 2022, the secondary use of health and social data by private individuals for scientific research, the compilation of statistics and the preparation of teaching materials as well as planning and investigation tasks of the authorities requires not just a data permit but also a secure operating environment that satisfies the requirements set out in Findata’s regulation. As a rule, data sets are disclosed in Findata’s operating environment. However, the Act on the Secondary Use of Health and Social Data also allows for the disclosure of data sets in other operating environments where necessary and provided that the operating environments have been issued a certificate of conformity by an information security inspection body and entered into Valvira’s database of secondary-use environments.
Information security audits on operating environments can only be performed by information security inspection bodies accredited by the Finnish Transport and Communications Agency (Traficom). Traficom has also established a set of criteria that accredited inspection bodies must satisfy in order to perform information security audits on operating environments under the Act on the Secondary Use of Health and Social Data and issue certificates of conformity with the requirements. A list of inspection bodies that satisfy the competence criteria can be found on the website of the National Cyber Security Centre.
Under the Act, data may be disclosed to a permit holder for processing purposes before 1 May 2022, even if the data permit application does not specify a secure operating environment for the processing of data as referred to in the Act. In this case, the disclosure of data requires a fixed-term data permit that is valid no longer than until 30 April 2022.
The requirements for secondary-use environments are based on
the Act on the Secondary Use of Health and Social Data (552/2019) and
a regulation of the Health and Social Data Permit Authority (Findata).
All secondary-use environments must be entered into Valvira’s database. Only operating environments that satisfy the applicable information security and data protection requirements can be registered and deployed. Demonstrating conformity with the requirements is the service provider’s responsibility. Operating environments must also continue to satisfy the applicable information security and data protection requirements after they are deployed and for as long as they are live and included in Valvira’s database. Information security and data protection must be factored into, for example, risk management procedures, any changes introduced to operating environments and service providers’ information security management models. Service providers also have a responsibility to systematically monitor and analyse users’ experiences of their operating environments.
Service providers must be able to produce a valid certificate from an information security inspection body, up-to-date documentation and, if necessary, technical specifications as proof of their operating environment’s conformity with the requirements.
Valvira supervises operating environments under the Act on the Secondary Use of Health and Social Data by means of, for example, assessment and guidance visits, investigations and inspections.