Operating environments under the Act on the Secondary Use of Health and Social Data
The National Supervisory Authority for Welfare and Health (Valvira) is responsible for ensuring that environments for the secondary use of health and social data satisfy the applicable information security and data protection requirements. These requirements for operating environments are derived from the Act on the Secondary Use of Health and Social Data and from regulation 1/2022 issued by the Finnish Social and Health Data Permit Authority Findata. Valvira maintains the public Astori register that contains data on registered regulatorily compliant operating environments.
Secondary use of the health and social data of private individuals for scientific research or compiling statistics, for preparing teaching materials and for planning and investigative activities by the authorities requires a data permit as per the Act on the Secondary Use of Health and Social Data. Data from datasets specified in the data permit must be processed in a secure operating environment as described in Findata regulation 1/2022. Datasets to which access is granted with a data permit pursuant to the Act on the Secondary Use of Health and Social Data are principally delivered to an operating environment maintained by Findata. For a justifiable reason, it is also possible to deliver datasets to another operating environment compliant with the same requirements.
Compliant environments must be registered in the Astori public register maintained by Valvira prior to implementation. An operating environment must have been granted an information security certificate as per Findata regulation 1/2022 in order to be eligible for registration. Information security certificates are issued by an inspection body approved by the Finnish Transport and Communications Agency Traficom. Read more about registration on the ‘Operating environment registration’ page. Operating environment service providers must be able to produce a valid certificate from an information security inspection body, up-to-date documentation and, if necessary, technical specifications as proof of their operating environment’s conformity with the requirements.
The requirements for information security and data protection must be met throughout the entire time that the operating environment is in production use, and the operating environment must remain registered in the Astori register. Information security and data protection must be factored into e.g. risk management procedures, any changes introduced to operating environments and service providers’ information security management models. Service providers also have a responsibility to systematically monitor and analyse users’ experiences of their operating environments.
Valvira supervises operating environments under the Act on the Secondary Use of Health and Social Data by means of, for example, assessment and guidance visits, investigations and inspections.
Frequently Asked Questions about operating environments
A ‘secure operating environment’ refers to any technical, organisational and physical data processing environment the information security of which has been ensured by means of appropriate administrative and technical safeguards. ‘Appropriate safeguards’ refers to measures consistent with the requirements given in the Act on the Secondary Use of Health and Social Data and in regulation 1/2022 issued by the Finnish Social and Health Data Permit Authority Findata.