Database of secondary-use environments
Valvira keeps a public database of operating environments registered by service providers which fulfil the set information security and data protection requirements. The authorities use the database, for example, to manage secondary-use data permits and for supervision purposes. Organisations that analyse datasets under the Act on the Secondary Use of Health and Social Data can also use the database to check whether their service provider’s operating environment has valid information security certification as required by law. Information security certification is required of all operating environments that are used to analyse datasets for the purposes specified in the Act on the Secondary Use of Health and Social Data that are subject to a data permit. These include scientific research, the compilation of statistics, planning and investigation tasks of the authorities as well as the preparation of teaching materials.
Entering a registration in the database
Secondary-use environments must be entered in the database maintained by Valvira before they are taken into use. The service provider of an operating environment must enter the environment in the database once the environment has been issued a certificate of conformity by an information security inspection body. Service providers must take certain steps to prepare for an information security audit. The auditors need to be able to establish a comprehensive picture of each service provider’s information security, which is why it is important to allow enough time for the process.
Here, ‘service provider’ means an operator offering customers services in an information-secure user environment. If an operating environment consists of components supplied by multiple service providers, a single service provider identifiable by a single business ID or VAT number needs to be chosen to represent, in Valvira’s database, all the service providers involved. The service providers involved can agree on their contractual relationships and the division of responsibilities between themselves. Valvira coordinates any visits and correspondence relating to guidance and supervision with the service provider entered into the database. The service provider is asked to name a contact person as part of the registration process.