
Key terminology and further information
Key terminology
Secure operating environment
A ‘secure operating environment’ refers to any technical, organisational and physical data processing environment the information security of which has been ensured by means of appropriate administrative and technical safeguards. For safeguards to be considered ‘appropriate’, they must comply with the Act on the Secondary Use of Health and Social Data and satisfy the requirements set out in Findata’s regulation.
Service provider
A ‘service provider’ in this context refers to any operator who provides services relating to a secure operating environment to its customers. Where an operating environment consists of components supplied by multiple service providers, a single service provider needs to be chosen to represent all the service providers involved in Valvira’s database of secondary-use environments. The service providers involved can agree on their contractual relationships and the division of responsibilities between themselves. Valvira coordinates any visits and correspondence relating to guidance and supervision with the service provider entered into the database.
FAQ – Frequently Asked Questions
Registration
1A. Question
Why should secure operating environments be registered in the Valvira register?
1A. Answer
The registration of secure operating environments for secondary use is required by the Act on the Secondary Use of Health and Social Data. Registration is part of demonstrating that the operating environment complies with the requirements. The service provider of the operating environment is responsible for the legal obligations imposed on it and for the requirements for a secure operating environment, which must be met at the time of registration and thereafter. Valvira’s task is to supervise and promote compliance with the data protection and data security requirements of secure operating environments. If necessary, Valvira can perform inspections of registered operating environments.
Registration is also relevant to the disclosure of data referred to in the Secondary Act. Data that requires a data permit may only be released to compliant and registered operating environments.
2A. Question
Where a hospital district’s secondary-use environment for scientific research is established by an IT service provider, which of the two – the hospital district or the IT service provider – is responsible for registering the environment with Valvira?
2A. Answer
The hospital district and the IT service provider need to decide between themselves which of the organisations assumes ultimate responsibility for the service provider’s obligations and the environment’s regulatory compliance. In particular, they must ensure that the certificate of conformity issued by the competent information security inspection body identifies the correct organisation as the service provider responsible for the operating environment and that the same organisation is entered into Valvira’s database. The organisation designated as the service provider must have either a business ID or a VAT number. The designated service provider can agree to delegate certain practical responsibilities to its partner. The organisations can agree on their contractual relationships and the division of responsibilities between themselves. Valvira coordinates any visits and correspondence relating to guidance and supervision with the service provider entered into the database. The service provider is asked to name a contact person as part of the registration process.
Contact us
Registration requests can be submitted and changes to entries in the database reported via the secure form submission portal or by emailing a PDF form to
kirjaamo(at)valvira.fi
Enquiries related to supervision can be sent by email to
kirjaamo(at)valvira.fi
Enquiries related to advice and guidance can be sent by email to
toisiokaytonvalvonta(at)valvira.fi
Useful links
Accredited information security inspection bodies (kyberturvallisuuskeskus.fi)
Act on the Secondary Use of Health and Social Data (552/2019) (finlex.fi, in Finnish)
Registration in the Toini register and changes in the information content of register (valvira.fi)
Health and Social Data Permit Authority’s remote access environment (findata.fi)
Frequently asked questions about the Act on the Secondary Use of Health and Social Data (stm.fi)
Valvira’s fees and charges (valvira.fi, in Finnish)