A ‘secure operating environment’ refers to any technical, organisational and physical data processing environment the information security of which has been ensured by means of appropriate administrative and technical safeguards. For safeguards to be considered ‘appropriate’, they must comply with the Act on the Secondary Use of Health and Social Data and satisfy the requirements set out in Findata’s regulation.
A ‘service provider’ in this context refers to any operator who provides services relating to a secure operating environment to its customers. Where an operating environment consists of components supplied by multiple service providers, a single service provider needs to be chosen to represent all the service providers involved in Valvira’s database of secondary-use environments. The service providers involved can agree on their contractual relationships and the division of responsibilities between themselves. Valvira coordinates any visits and correspondence relating to guidance and supervision with the service provider entered into the database.
FAQ – Frequently Asked Questions
Where a hospital district’s secondary-use environment for scientific research is established by an IT service provider, which of the two – the hospital district or the IT service provider – is responsible for registering the environment with Valvira?
The hospital district and the IT service provider need to decide between themselves which of the organisations assumes ultimate responsibility for the service provider’s obligations and the environment’s regulatory compliance. In particular, they must ensure that the certificate of conformity issued by the competent information security inspection body identifies the correct organisation as the service provider responsible for the operating environment and that the same organisation is entered into Valvira’s database. The organisation designated as the service provider must have either a business ID or a VAT number. The designated service provider can agree to delegate certain practical responsibilities to its partner. The organisations can agree on their contractual relationships and the division of responsibilities between themselves. Valvira coordinates any visits and correspondence relating to guidance and supervision with the service provider entered into the database. The service provider is asked to name a contact person as part of the registration process.
Registration requests can be submitted and changes to entries in the database reported via the secure form submission portal or by emailing a PDF form to
Enquiries related to supervision can be sent by email to
Enquiries related to advice and guidance can be sent by email to
Elina Niemelä Senior Officer Tel. +358 295 209 255