
Secure operating environments under the Act on the Secondary Use of Health and Social Data
Promotion and supervision of information security and data protection in secondary-use environments
The National Supervisory Authority for Welfare and Health (Valvira) is responsible for ensuring that environments for the secondary use of health and social data satisfy the applicable information security and data protection requirements. The requirements are based on a regulation of the Health and Social Data Permit Authority (Findata). Valvira has oversight of both the secure operating environment provided by Findata and other service providers’ secure operating environments. Valvira also keeps a public database of the secure operating environments that service providers have registered and that comply with the regulatory requirements.
As of 1 May 2022, the secondary use of health and social data by private individuals for scientific research, the compilation of statistics and the preparation of teaching materials as well as planning and investigation tasks of the authorities requires not just a data permit but also a secure operating environment that satisfies the requirements set out in Findata’s regulation. As a rule, data sets are disclosed in Findata’s operating environment. However, the Act on the Secondary Use of Health and Social Data also allows for the disclosure of data sets in other operating environments where necessary and provided that the operating environments have been issued a certificate of conformity by an information security inspection body and entered into Valvira’s database of secondary-use environments.
Information security audits on operating environments can only be performed by information security inspection bodies accredited by the Finnish Transport and Communications Agency (Traficom). Traficom has also established a set of criteria that accredited inspection bodies must satisfy in order to perform information security audits on operating environments under the Act on the Secondary Use of Health and Social Data and issue certificates of conformity with the requirements. A list of inspection bodies that satisfy the competence criteria can be found on the website of the National Cyber Security Centre.
Under the Act, data may be disclosed to a permit holder for processing purposes before 1 May 2022, even if the data permit application does not specify a secure operating environment for the processing of data as referred to in the Act. In this case, the disclosure of data requires a fixed-term data permit that is valid no longer than until 30 April 2022.
The requirements for secondary-use environments are based on
- the Act on the Secondary Use of Health and Social Data (552/2019) and
- a regulation of the Health and Social Data Permit Authority (Findata).
All secondary-use environments must be entered into Valvira’s database. Only operating environments that satisfy the applicable information security and data protection requirements can be registered and deployed. Demonstrating conformity with the requirements is the service provider’s responsibility. Operating environments must also continue to satisfy the applicable information security and data protection requirements after they are deployed and for as long as they are live and included in Valvira’s database. Information security and data protection must be factored into, for example, risk management procedures, any changes introduced to operating environments and service providers’ information security management models. Service providers also have a responsibility to systematically monitor and analyse users’ experiences of their operating environments.
Service providers must be able to produce a valid certificate from an information security inspection body, up-to-date documentation and, if necessary, technical specifications as proof of their operating environment’s conformity with the requirements.
Valvira supervises operating environments under the Act on the Secondary Use of Health and Social Data by means of, for example, assessment and guidance visits, investigations and inspections.