Supervision of secondary-use environments
Demonstrating conformity with the requirements is the service provider’s responsibility. In practice, this means being able to produce a valid certificate from an information security inspection body, up-to-date documentation and, if necessary, technical specifications.
Valvira supervises operating environments by means of, for example, assessment and guidance visits, investigations and inspections. Valvira also has the right to use external experts to evaluate the regulatory compliance of secure operating environments. External experts can be used both to assist in inspections and to study and test service providers’ operating environments. Valvira’s supervision mostly focuses on service providers and organisations that rely on secondary-use environments but can also be extended to other organisations if necessary. Both plan-based and reactive supervision approaches are used.
Registration requests can be submitted and changes to entries in the database reported via the secure form submission portal or by emailing a PDF form to
kirjaamo(at)valvira.fi
Enquiries related to supervision can be sent by email to
kirjaamo(at)valvira.fi
Enquiries related to advice and guidance can be sent by email to
toisiokaytonvalvonta(at)valvira.fi
Accredited information security inspection bodies (kyberturvallisuuskeskus.fi)
Act on the Secondary Use of Health and Social Data (552/2019) (finlex.fi, in Finnish)
Registration in the Toini register and changes in the information content of register (valvira.fi)
Health and Social Data Permit Authority’s remote access environment (findata.fi)
Frequently asked questions about the Act on the Secondary Use of Health and Social Data (stm.fi)
Valvira’s fees and charges (valvira.fi, in Finnish)