Database of secondary-use environments
Valvira keeps a public database of operating environments registered by service providers which fulfil the set information security and data protection requirements. The authorities use the database e.g. to manage secondary-use data permits and for supervision purposes. Organisations that analyse datasets under the Act on the Secondary Use of Health and Social Data can also use the database to check whether their service provider’s operating environment has valid information security certification as required by law. Information security certification is required of all operating environments that are used to analyse datasets for the purposes specified in the Act on the Secondary Use of Health and Social Data that are subject to a data permit. These include scientific research, the compilation of statistics, planning and investigation tasks of the authorities as well as the preparation of teaching materials.
Public database of secondary-use environments (TOINI) (Excel, updated 5.6.2023) (In Finnish)
Entering a registration in the database
Secondary-use environments must be entered in the database maintained by Valvira before they are taken into use. The service provider of an operating environment must enter the environment in the database once the environment has been issued a certificate of conformity by an information security inspection body. Service providers must take certain steps to prepare for an information security audit. The auditors need to be able to establish a comprehensive picture of each service provider’s information security, which is why it is important to allow enough time for the process.
Here, ‘service provider’ means an operator offering customers services in an information-secure user environment. If an operating environment consists of components supplied by multiple service providers, a single service provider identifiable by a single business ID or VAT number needs to be chosen to represent all the service providers involved in Valvira’s database. The service providers involved can agree on their contractual relationships and the division of responsibilities between themselves. Valvira coordinates any visits and correspondence relating to guidance and supervision with the service provider entered into the database. The service provider is asked to name a contact person as part of the registration process.
Submit a registration request via our secure message service.
1A. The information security inspection body sends a certificate of the information security audit performed on the operating environment to Valvira’s registry at [email protected].
1B. The service provider of the operating environment submits a request for the registration of the operating environment via the Valvira secure message service.
2. Valvira takes the operating environment registration under consideration once the service provider has submitted a request for registration.
3A and 3B. Valvira compares the certificate of conformity against the service provider’s registration request and checks that the information supplied satisfies the registration criteria. If it does not, Valvira requests further information or changes.
4. Valvira adds the operating environment to the public database. Once all the necessary information has been supplied, Valvira notifies the service provider that the operating environment has been added to the database.
5. The service provider responsible for the operating environment receives confirmation of registration.
6. Valvira bills the service provider for the registration fee.
7. The service provider pays the invoice for the registration fee.
Service providers are responsible for keeping Valvira up to date on any material changes made to their operating environments, their own organisation and the certificate of conformity issued by the competent information security inspection body.
Submit a change to a database entry via our secure message service.
Material changes that need to be reported to Valvira include the following:
- renaming of the operating environment (each environment must have a unique name, and the name reported to Valvira must be the same that is used to market the environment to customers)
- renaming of the service provider
- change in the service provider’s business ID or VAT number
- replacement of the service provider’s contact person and changes in contact information
- changes in the certificate issued by the competent information security inspection body
- changes affecting the validity of certification
- changes in restrictions imposed by the competent information security inspection body
- other material changes in the certificate of conformity
Please note that a fee is payable for registering changes relating to certificates issued by information security inspection bodies, cancellations of certification and failed certification audits as well as improvement notices and restrictions. All other changes can be registered free of charge.
Registration under the Act on the Secondary Use of Health and Social Data is subject to a fee. The amount of the fee is based on Valvira’s list of fees and charges.
Registration made under the Act on the Secondary Use of Health and Social Data:
- Registration of a certificate issued by an information security inspection body costs EUR 1,200.
- Registration of changes to a certificate issued by an information security inspection body costs EUR 750.
- Registration of cancellation or rejection of a certificate issued by an information security inspection body costs EUR 500.
- Registration of an improvement notice or restriction issued by an information security inspection body costs EUR 300.
Request for registration
Notification of change in registration entry
Frequently Asked Questions about the registration of secondary-use environments
Registration of secondary-use environments is required in the Act on the Secondary Use of Health and Social Data. Registration forms part of demonstrating that the operating environment conforms to the requirements. The service provider of an operating environment is responsible for observing the statutory obligations and information security requirements imposed on secure operating environments; these must be complied with at the time of registration and thereafter. In addition to maintaining the database, Valvira supervises and promotes compliance with the information security and data protection requirements for secure operating environments. For instance, Valvira may conduct inspections of registered operating environments.
Registration is also relevant for the purpose of disclosing datasets as referred to in the Act on the Secondary Use of Health and Social Data. Datasets requiring a data permit can only be delivered to secondary-use environments which conform to the requirements set and which are registered.
A ‘service provider’ in this context refers to any operator who provides services relating to a secure operating environment to its customers. If an operating environment consists of components supplied by multiple service providers, a single service provider needs to be chosen to represent all the service providers involved in Valvira’s database of secondary-use environments. The service providers involved can agree on their contractual relationships and the division of responsibilities between themselves. Valvira coordinates any visits and correspondence relating to guidance and supervision with the service provider entered into the database.