Astori register under the Client Data Act and the Secondary Use Act
The Astori register, set up under the Client Data Act and the Secondary Use Act, contains data on information systems used in social welfare and health care services, on wellbeing applications linked to the MyKanta database in Kanta Services and on operating environments that are in compliance with information security and privacy protection requirements.
The Astori register is an official register maintained by Valvira under the Act on Electronic Processing of Client Data in Healthcare and Social Welfare (Client Data Act) and the Act on the Secondary Use of Health and Social Data (Secondary Data Act). It contains data on
- social welfare and health care information systems under the Client Data Act that service providers are authorised to deploy,
- client data transfer systems through which a client or patient information system can be linked to the Kanta Services,
- wellbeing applications linked to the MyKanta database in Kanta Services, and
- secondary-use operating environments that are in compliance with information security and privacy protection requirements
The data in the Astori register are governed by provisions in the Client Data Act, by regulations issued by THL and by provisions in the Secondary Use Act.
Information systems and operating environments may not be deployed unless they are entered in the Astori register
A service provider may not deploy an information system under the Client Data Act if that system is not entered in the Astori register. A service provider may also not deploy a system in a scenario where the information security certificate of the system has expired or, in the case of a category A system, it has not undergone interoperability testing required for its purpose. In such a scenario, the system will have a ‘Significant deviation’ entry in the register.
An operating environment under the Secondary Use Act may not be deployed if its details are not entered in the Astori register.
Go to the Astori register (in Finnish).
Astori register data are updated once a day.
Under the Client Data Act, Valvira maintains the Astori register to keep track of social welfare and health care information systems and wellbeing applications of which it has been notified and which fulfill the appropriate requirements. In the registration process, Valvira verifies that the system or application in question complies with the essential requirements appropriate for its purpose.
The provider of an information system service, or the producer of a wellbeing application, is responsible for ensuring that the details on the system or application in the register are up to date. If necessary, a new register notification must be submitted to Valvira, so that the compliance of the system or application with current requirements will be verified.
The authorities use the data in the Astori register e.g. for
- supervision of information system service providers and wellbeing application producers,
- supervision of social welfare and health care service providers,
- processing of registration notifications under the Act on the Supervision of Social Welfare and Health Care Services,
- deployments of Kanta Services,
- supervision of service providers under the Secondary Use Act, and
- granting data permits under the Secondary Use Act.
Service providers use the Astori register to check before deploying a system or an application that the system or application in question is registered and does not have a ‘Significant deviation’ entry that would prevent its deployment.
The data in the Astori register are also intended to help service providers in system procurement and secure operation. Under the THL Regulation on the essential requirements of social welfare and health care information systems, service providers should use the Astori register whenever entering into procurement and maintenance agreements with information system service providers and wellbeing application producers. Using the data in the register, service providers can verify that the system or application selected complies with the essential requirements appropriate for its purpose.
Service providers can also gain information about things to note when using the system or application in question. Such things typically include observations made in joint testing or information security assessments that may have a bearing on the deployment or secure use of a system or an application.
If a system or an application has an entry noting that its information security certificate includes remarks, or if an information security requirement has been approved with compensation, then the service provider may contact the system provider or application producer directly. The same procedure must be followed if the interoperability requirement has been approved with compensation.
On the front page, select whether you wish to explore data on information systems, wellbeing applications or operating environments. After this selections, a list of all information systems or wellbeing applications or operating environments in Astori is displayed on the front page.
You can use filtering to narrow the selection. Astori will apply your filters immediately; there is no separate Search button. Details on any individual system, application or operating environment can be accessed by clicking on its name in the list.
The search criteria for systems, applications and operating environments are different. When you search by name for a system or application, Astori also searches for any alternate names under which the same system or application is marketed. This helps service providers to verify that the system they are searching for is registered.
The data displayed in Astori varies by system and application, depending on their purpose and category. Category A3 patient information systems have the most comprehensive details.