Classification of information systems for social welfare and healthcare

The system certification and registration process begins with a classification by the information system supplier. The category of a system has a key impact on how the essential requirements of the system are to be verified. 

Information systems intended for processing client and patient data are classified into categories A and B, with category A further divided into subcategories A1, A2 and A3. The information system supplier is responsible for information system classification. Information system classification is to be undertaken according to the criteria given in THL Regulation 4/2024 and its appendix Examples of system classification. The aforementioned documents can be found at the bottom of this page.

In unclear cases, it is THL that will decide whether a system should belong to category A or B. Any questions concerning information system classification should be directed to THL at: [email protected].

The category of an information system determines how compliance with the essential requirements is to be verified before a social welfare or health care service provider is allowed to deploy the system. The category is also relevant for the registration process; for instance, it determines which documents have to be submitted before Valvira can register the system.

Conducting a risk assessment

Information system service suppliers must conduct a risk assessment of their respective systems when classifying them. This risk assessment must consider the scope of use of the information system and the sensitivity of the data to be processed in it. Instructions on conducting the risk assessment can be found in the aforementioned document Examples of system classification. THL has released a risk assessment tool that can be used as an aid. The aforementioned document and risk assessment tool can be found at the bottom of this page.