The social welfare and healthcare service providers take care of appropriate data security practices by self-monitoring their data protection and data security. Certification ensures that the information systems in use meet the data security requirements with respect to system suppliers.
All social welfare and healthcare service providers, pharmacies and Kanta transmission service providers are obliged to monitor the implementation of data protection and data security in their own operations. They must draw up a self-monitoring plan (in Finnish) describing how the organisation implements data protection and data security.
“The organisation itself must also monitor that the plan is followed and developed. Once the organisation’s own operations are in order, it will also start paying attention to data protection and data security, for example, in contracts with subcontractors,” says Development Manager Juha Mykkänen from the National Institute for Health and Welfare.
In self-monitoring, it is essential that the management is committed to data protection and data security issues. When, for example, good preconditions have been created for the work of the Data Protection Officers (in Finnish), monitoring will become a natural part of operations. A key objective is that professionals who provide services are familiar with and take into account the procedures related to data protection and data security in the processing of client and patient data.
“Self-monitoring is the most important means of ensuring that we are able to prepare for information security threats and to safeguard data protection for clients in the day-to-day operations of SOTE services. With self-monitoring, it is also possible to prove that data security and data protection issues have been managed properly. This has also been emphasised in the EU General Data Protection Regulation,” Mykkänen points out.
Self-monitoring and certification form a whole
Data security in the Kanta Services is strongly linked to the certification of information systems related to Kanta Services. Mykkänen underlines the importance of seeing certification and self-monitoring as a single whole.
“Certification and self-monitoring constitute a continuum between the information system manufacturers and the users. Self-monitoring focuses on a SOTE operator’s day-to-day activities, which must be supported in the information systems used. Certification is a procedure used in the information systems related to Kanta Services to ensure that the system is capable of joining the Kanta Services and that it meets the required data security and data protection features.”
The information system manufacturer or the information system service provider is responsible for ensuring that the system used in Kanta is certified. The certification process includes joint testing, which is carried out together with Kela’s Kanta Services, and a data security audit conducted by an information security inspection body. A system with approved certification will be issued with a conformity certificate, after which it will be available for production use in the Kanta Services.
“The certificate is valid for a certain period, after which it must be renewed. When significant changes are made to the systems, certification will also be renewed, if necessary. Certification is subject to THL’s regulations, and the authorities, such as Valvira, supervise the conformity and the implementation of self-monitoring,” Mykkänen says.
- Certification, key requirements and self-monitoring
- Blog by Juha Mykkänen: Sote-ammattilaiset ja omavalvonta tietosuojan etulinjassa (in Finnish)