Classification of information systems for social welfare and healthcare
The system certification and registration process begins with a classification by the information system supplier. The category of a system has a key impact on how the essential requirements of the system are to be verified.
Information systems intended for processing client and patient data are classified into categories A and B, with category A further divided into subcategories A1, A2 and A3. The information system supplier is responsible for information system classification. Information system classification is to be undertaken according to the criteria given in THL Regulation 4/2024 and its appendix Examples of system classification. The aforementioned documents can be found at the bottom of this page.
In unclear cases, it is THL that will decide whether a system should belong to category A or B.Any questions concerning information system classification should be directed to THL at: [email protected].
The category of an information system determines how compliance with the essential requirements is to be verified before a social welfare or health care service provider is allowed to deploy the system. The category is also relevant for the registration process; for instance, it determines which documents have to be submitted before Valvira can register the system.
Category A includes information systems which are used for processing client and patient data in social welfare and health care and which
- are linked to the Kanta Services either directly or through a client data transfer service,
- generate data structures or documents to be stored in the Kanta Services,
- are used for processing extensive volumes of client and patient data such that ensuring their privacy protection requires a data security audit performed by a data security inspection body.
Category A is further divided into subcategories:
- A1: The system must be subjected to a data security audit, for which a data security certificate will be issued. Category A1 information systems are not subjected to joint testing. Client data transfer services, for instance, are in category A1.
- A2: The system must acceptably pass joint testing, for which a joint testing report will be issued. The system must also be subjected to a data security audit, for which a data security certificate will be issued. Systems storing administrative data in the Kanta Services and separate specialist systems, for instance, are in category A2.
- A3: The system must acceptably pass joint testing, for which a joint testing report will be issued. However, the joint testing requirement does not apply to the Kanta Services. The system must also be subjected to a data security audit, for which a data security certificate will be issued. Patient record systems linked to the Kanta Services used in health care, and client data systems used in social services, are in category A3. The Kela Kanta Services are also in category A3.
Category B includes information systems which are used for processing client and patient data in social welfare and health care but which
- are not directly connected to the Kanta Services,
- do not generate documents to be stored in the Kanta Services,
- are not subject to the requirement for a data security audit on the basis of a risk assessment as in category A1.
Although joint testing is not performed on category B systems and no data security audit performed by a data security inspection body is required, information systems in category B must nevertheless fulfil and comply with the essential requirements relevant for their purpose. These requirements are described in the THL profile Minimum requirements for systems intended for processing client and patient data. This profile can be found at the bottom of this page.
Examples of information systems in category B can be found in the THL document Examples of information system classification. This document can be found at the bottom of this page.
Social welfare and health care services may also use information systems, software packages or applications that are not information systems within the definition given in the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare, even though they may be used for processing the name and address details of health care patients or social welfare clients. The Act on the Electronic Processing of Client Data in Healthcare and Social Welfare specifies which systems are subject to the obligations given in the Act. An information system as referred to in that Act is an integrated entity consisting of IT devices, software and other IT equipment, designed to be used:
- for electronic processing of client data in social welfare or of patient data in health care,
- for the storage and maintenance of client or patient documents,
- for national information system services, i.e. interfacing with the Kanta Services.
The following are examples of information systems that are unclassified software packages or applications:
- generic word processing or office software,
- administrative support systems used by social welfare or health care service providers, such as meal order systems, materials management systems or user authorisation administration systems,
- invoicing systems used by social welfare or health care service providers,
- generic communications systems or applications, e.g. chat software.
Detailed information on what kinds of software package are considered not to fall within the scope of the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare is given in the THL document Examples of system classification. This document can be found at the bottom of this page.
Valvira neither registers nor oversees information systems that do not belong to category A or B as per the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare.
In any and all processing of client and patient data, general data security and privacy protection requirements and other legislation and regulations concerning the creating, processing and storage of client and patient data must be complied with in all circumstances. These regulations are binding upon service providers regardless of how they actually create and store the client and patient data entries.
Conducting a risk assessment
Information system service suppliers must conduct a risk assessment of their respective systems when classifying them. This risk assessment must consider the scope of use of the information system and the sensitivity of the data to be processed in it. Instructions on conducting the risk assessment can be found in the aforementioned document Examples of system classification. THL has released a risk assessment tool that can be used as an aid. The aforementioned document and risk assessment tool can be found at the bottom of this page.