Valvira keeps a public database of regulatory-compliant secure operating environments registered by service providers. The authorities use the database, for example, to manage secondary-use data permits and for supervision purposes. Organisations that analyse data sets under the Act on the Secondary Use of Health and Social Data can also use the database to check whether their service provider’s operating environment holds the valid information security certification required by law. Information security certification is required of all operating environments used to analyse data sets, subject to a data permit, for the purposes specified in the Act on the Secondary Use of Health and Social Data. These purposes include scientific research, the compilation of statistics, planning and investigation tasks of the authorities, and the preparation of teaching materials.
Public database of secondary-use environments (TOINI)
TOINI database, version 1.0 (to be published after the first secondary-use environment is registered)
Registration and registration fees
Secondary-use environments must be entered into Valvira’s database before deployment, once an information security inspection body has issued them a certificate of conformity. Registration under the Act on the Secondary Use of Health and Social Data is subject to a fee, the amount of which is based on Valvira’s list of fees and charges. Service providers must take certain steps to prepare for an information security audit. The auditors need to be able to form a comprehensive picture of each service provider’s information security, which is why it is important to allow enough time for the process.
It is the service provider’s responsibility to register their operating environments with Valvira. Secondary-use environments cannot be added to Valvira’s database until they have been issued a certificate of conformity by an information security inspection body. It is the service provider’s responsibility to ensure that their operating environment has valid information security certification.
A ‘service provider’ in this context refers to any operator that provides services relating to a secure operating environment to its customers. Where an operating environment consists of components supplied by multiple service providers, a single service provider, identifiable by a single business ID or VAT number, must be chosen to represent all the service providers involved in Valvira’s database. The service providers involved can agree on their contractual relationships and the division of responsibilities between themselves. Valvira coordinates any visits and correspondence relating to guidance and supervision with the service provider entered into the database. The service provider is asked to name a contact person as part of the registration process.
1.A The competent information security inspection body submits a certificate of conformity based on an information security audit performed on the operating environment to Valvira’s registry at kirjaamo (at) valvira.fi.
1.B The service provider responsible for the operating environment submits a request for the registration of the operating environment to Valvira’s registry at kirjaamo (at) valvira.fi.
2. Valvira starts the registration process based on the first submission concerning the operating environment.
3A and 3B. Valvira compares the certificate of conformity against the service provider’s registration request and checks that the information supplied satisfies the registration criteria. If it does not, Valvira requests further information or corrections.
4. Once all the necessary information has been supplied, Valvira adds the operating environment to its public database and notifies the service provider.
5. The service provider responsible for the operating environment receives confirmation of registration.
6. Valvira bills the service provider for the registration fee.
7. The service provider pays the bill.
Changes to entries in the database
Service providers are responsible for keeping Valvira up to date on any material changes to their operating environments, to their own organisation and to the certificate of conformity issued by the competent information security inspection body.
Changes to entries in the database can be reported to Valvira in two ways:
2. Fill in a notification of changes (PDF form) and attach it to an email to Valvira’s registry at email@example.com with the subject line “Changes to entries in the database of secondary-use environments”.
Changes that need to be reported to Valvira include the following:
Renaming of the operating environment (each environment must have a unique name, and the name reported to Valvira must be the same as the name used to market the environment to customers)
Renaming of the service provider
Change in the service provider’s business ID or VAT number
Replacement of the service provider’s contact person and changes in contact information
Changes in the certificate issued by the competent information security inspection body
Changes affecting the validity of certification
Changes in restrictions imposed by the competent information security inspection body
Other essential changes in the certificate of conformity
A fee is payable for registering changes relating to certificates issued by information security inspection bodies, including cancellations of certification, failed certification audits, improvement notices and restrictions. Other changes can be reported free of charge.