Significant nonconformity in complying with essential requirements

The term ‘significant nonconformity’ refers to a circumstance where an information system is no longer compliant with the essential requirements imposed on it as per the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare. A nonconformity may involve a defect in the functionality, interoperability, data security or privacy protection of the system. 

Significant nonconformities include, but are not limited to:

  • flaws or errors in the information system that may compromise client or patient safety,
  • flaws or errors in the information system that may compromise data security or privacy protection,
  • flaws or errors in the information system or its operating environment that may compromise the operation of social welfare and health care services,
  • a malfunction of or outage in the Kanta Services that may compromise client or patient safety or the operations of social welfare and health care services,
  • errors in the technical correctness or integrity of client and patient data stored in the Kanta Services that may cause extensive disruption, e.g. to interoperability,
  • expiry of the data security certificate of the information system,
  • absence of a statutory function in the system.

Further information on significant nonconformities is given in THL Regulation 5/2021 chapter 10.4 Compliance nonconformities. This document can be found at the bottom of this page.

Directive on security of network and information systems (NIS Directive)

Valvira is responsible for the enforcement of the EU directive on security of network and information systems (NIS Directive) in health care in Finland. The NIS Directive requires organisations providing a service which is essential for the maintenance of critical societal and/or economic activities and key digital service providers to notify and report any data security breaches to the supervisory authority and, on a voluntary basis, to the National Cyber Security Centre.

Report significant nonconformities

A nonconformity notification must be submitted by the information system service provider to Valvira if they detect a nonconformity in their information system that poses a significant risk to client or patient safety or to information security. Additionally, any significant nonconformity must be reported by the information system service provider not only to Valvira but also to all service providers using that information system. For a category A system, the information system service provider must also report any significant nonconformities to the Kela Kanta Services in accordance with the guideline "Action in case of disruption".

A nonconformity notification must be submitted to Valvira by the wellbeing application manufacturer if they detect a nonconformity in their wellbeing application that poses a significant risk to client or patient safety or to information security. Additionally, any significant nonconformity must be reported by the wellbeing application manufacturer to all users of the wellbeing application.

Any service provider or pharmacy noticing a significant nonconformity with the essential requirements in an information system it is using must report this to the information system supplier. If a significant nonconformity noticed by a service provider is such that it can put client safety, patient safety or data security at risk, the service provider must submit a nonconformity notification to Valvira.

In case of a significant nonconformity in an information system or wellbeing application putting client safety, patient safety or data security at risk, the nonconformity may also be reported by a pharmacy, by the Social Insurance Institution (Kela) or by the National Institute for Health and Welfare (THL), for instance. The Data Protection Ombudsman must be notified of any nonconformity with the essential requirements of the information system that concerns privacy protection.

Submit a nonconformity notification (in Finnish)

You may also write a freeform nonconformity notification and send it to the Valvira registry by e-mail at [email protected]. If you send confidential information, please use the encrypted e-mail connection available at https://turvaviesti.valvira.fi. You may also send your nonconformity notification by mail to Valvira/Registry, PO Box 43, FI-00521 Helsinki.

Based on the nonconformity notification, Valvira may initiate supervisory measures in respect of the information system supplier or of the social welfare or health care service provider using the information system.

Report a data security nonconformity (NIS notification)

We recommend that any data security threats and breaches be reported to the National Cyber Security Centre at the Finnish Transport and Communications Agency Traficom. The National Cyber Security Centre will forward the notification to Valvira.

Submit an NIS notification on the website of the National Cyber Security Centre

You may also write a freeform NIS notification and send it to the Valvira registry by e-mail at [email protected].