Operating environments under the Act on the Secondary Use of Health and Social Data

The National Supervisory Authority for Welfare and Health (Valvira) is responsible for ensuring that environments for the secondary use of health and social data satisfy the applicable information security and data protection requirements. These requirements for operating environments are derived from the Act on the Secondary Use of Health and Social Data and from regulation 1/2022 issued by the Finnish Social and Health Data Permit Authority Findata. Valvira keeps a public database of regulatorily compliant secure operating environments registered by service providers.

Secondary use of the health and social data of private individuals for scientific research or compiling statistics, for preparing teaching materials and for planning and investigative activities by the authorities requires a data permit as per the Act on the Secondary Use of Health and Social Data. Data from datasets specified in the data permit must be processed in a secure operating environment as described in Findata regulation 1/2022. Datasets to which access is granted with a data permit pursuant to the Act on the Secondary Use of Health and Social Data are principally delivered to an operating environment maintained by Findata. For a justifiable reason, it is also possible to deliver datasets to another operating environment compliant with the same requirements.

Compliant operating environments must be entered in the Valvira database of secondary-use environments before they are taken into use. An operating environment must have been granted an information security certificate as per Findata regulation 1/2022 in order to be eligible for registration. Information security certificates are issued by an inspection body approved by the Finnish Transport and Communications Agency Traficom. Read more about registration on our page ‘Database of secondary-use environments’. Operating environment service providers must be able to produce a valid certificate from an information security inspection body, up-to-date documentation and, if necessary, technical specifications as proof of their operating environment’s conformity with the requirements. 

The requirements for information security and data protection must be met throughout the entire time that the operating environment is in production use, and the operating environment must remain registered with Valvira. Information security and data protection must be factored into e.g. risk management procedures, any changes introduced to operating environments and service providers’ information security management models. Service providers also have a responsibility to systematically monitor and analyse users’ experiences of their operating environments.

Valvira supervises operating environments under the Act on the Secondary Use of Health and Social Data by means of, for example, assessment and guidance visits, investigations and inspections.