Significant nonconformity in complying with essential requirements
The term ‘significant nonconformity’ refers to a circumstance where an information system is no longer compliant with the essential requirements imposed on it as per the Act on the Electronic Processing of Client Data in Healthcare and Social Welfare. A nonconformity may involve a defect in the functionality, interoperability, data security or privacy protection of the system.
Significant nonconformities include, but are not limited to:
- flaws or errors in the information system that may compromise client or patient safety,
- flaws or errors in the information system that may compromise data security or privacy protection
- flaws or errors in the information system or its operating environment that may compromise the operation of social welfare and health care services,
- a malfunction of or outage in the Kanta Services that may compromise client or patient safety or the operations of social welfare and health care services,
- errors in the technical correctness and integrity of client and patient data stored in the Kanta Services, such that may cause extensive disruption e.g. for interoperability,
- expiry of the data security certificate of the information system,
- absence of a statutory function in the system.
If a system is obviously malfunctioning, Valvira has the authority to rule that the system is exhibiting a significant nonconformity in compliance with essential requirements, regardless of whether the malfunction in question is explicitly defined as a significant nonconformity in THL Regulations, functional requirements or any other specifications.
Further information on significant nonconformities is given in THL Regulation 5/2021 chapter 10.4 Compliance nonconformities. This document can be found at the bottom of this page.
Directive on security of network and information systems (NIS Directive)
Valvira is responsible for the enforcement of the EU directive on security of network and information systems (NIS Directive) in health care in Finland. The NIS Directive requires organisations providing a service which is essential for the maintenance of critical societal and/or economic activities and key digital service providers to notify and report any data security breaches to the supervisory authority and, on a voluntary basis, to the National Cyber Security Centre.
Report significant nonconformities
Information system suppliers must submit a nonconformity notification to Valvira if they observe any significant nonconformities in their information systems in respect of compliance with essential requirements. A significant nonconformity must be reported by the information system supplier not only to Valvira but also to all service providers using that information system. For a category A system, the information system supplier must also report any significant nonconformities to the Kela Kanta Services in accordance with the Action in case of disruption guideline.
Any service provider noticing a significant nonconformity in an information system it is using with regard to compliance with essential requirements must report this to the information system supplier. If a significant nonconformity noticed by a service provider is such that it can put client safety, patient safety or data security at risk, the service provider must submit a nonconformity notification to Valvira.
In case of a significant nonconformity putting client safety, patient safety or data security at risk, the nonconformity may also be reported by a pharmacy, by the Social Insurance Institution (Kela) or by the National Institute for Health and Welfare (THL), for instance. The Data Protection Ombudsman must be notified of any privacy protection nonconformities in compliance with the essential requirements of the information system.
You may also write a freeform nonconformity notification and send it to the Valvira registry by e-mail at [email protected]. If you send confidential information by e-mail, please use the encrypted e-mail connection available at https://turvaviesti.valvira.fi. You may also send your nonconformity notification by mail to Valvira/Registry, PO Box 43, FI-00521 Helsinki.
Based on the nonconformity notification, Valvira may initiate supervisory measures in respect of the information system supplier or of the social welfare or health care service provider using the information system.
Report a data security nonconformity (NIS notification)
We recommend that any data security threats and breaches be reported to the National Cyber Security Centre at the Finnish Transport and Communications Agency Traficom. The National Cyber Security Centre will forward the notification to Valvira.
You may also write a freeform NIS notification and send it to the Valvira registry by e-mail at [email protected].