Action to be taken in fault situation and suspected data breaches

Action to be taken in fault situation and suspected data breaches

All service providers, including the authorities and private companies, are responsible for the functioning of the service they provide, as well as for communications. Service providers must agree on local/regional procedures in case of exceptional situations. Service providers must have their own instructions for fault situations, as well as data protection guidelines for suspected data breaches.

In the event of a fault in a Kanta service, it must be checked whether there is a fault notification on the kanta.fi website. If there isn't, the helpdesk of the organisation in question or the information system supplier must be contacted. The helpdesk will assess the nature of the problem and decide on any further measures.

In suspected personal data breaches, the matter is reported to a party, which is designated by the organisation in question, who will then launch the necessary measures. Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. The provisions in the EU General Data Protection Regulation shall be complied with in personal data breaches.

Reporting a fault to Kela

The helpdesk or information system supplier of a service provider using Kanta services must report any faults they detect to the technical support of Kela whenever one or more of the following criteria are met:

  • The fault is not related to a pharmacy, client or patient data system used by the service provider, but it is localised to the Kela service entity.
  • The fault gives reason for suspecting that patient safety or the service received by a social welfare service client may be jeopardised. The fault is directly or indirectly linked to Kanta services.
  • The fault gives reason to suspect that there is a problem with an information system that may jeopardise the data protection of a patient or client. The fault is directly or indirectly linked to Kanta services.
  • The fault prevents or significantly slows down the use of the service.
  • The extent of the fault cannot be ascertained, and it may have an impact on other operators in addition to the service provider.

A fault is reported to Kela’s technical support using the fault report form. The form is sent as an email attachment to tekninentuki@kanta.fi.

In addition to sending a fault report form, faults that are critical or have an extensive impact must also be reported by telephone to the technical support, tel. 020 634 7787.

An actual or suspected personal data breach of the data in the Prescription Centre or the patient data management service shall also be reported to Kela’s technical support.

Kela’s technical support and fault notification

Kela’s technical support provides a 24-hour service to the support organisations of service providers and system suppliers, to citizens using My Kanta Pages and encountering technical problems, and the users of the Kelain service. The technical support is also responsible for fault notifications with respect to services provided by Kela. An RSS feed of the fault notifications is available on request.

Technical support in extensive fault situations

  • publishes fault notifications on the kanta.fi website
  • sends fault notifications to the service providers and stakeholders by email and/or text message
  • notifies of faults at the start and end of the fault and when the situation changes.

The recipients of the fault notifications are informed of any planned changes and maintenance work carried out on the service

  • two weeks in advance by email and with the maintenance notices online on kanta.fi
  • the day before the change or maintenance work takes place by text message.

The service provider shall give the contact details of the recipients of fault notifications when taking the system into use and maintain the contact details in Kanta Extranet.

Action to be taken by social welfare and healthcare services

Fault that prevents the use of the Prescription Centre in the healthcare services

Prescriptions are issued as online, paper or telephone prescriptions, and they are recorded in the patient data system. During a fault, prescription data is not automatically recorded in the Prescription Centre, and it is not recorded manually after the disruption. The procedure for social welfare and healthcare services in fault situations is only available in Finnish and in Swedish.

Fault that prevents the use of the Patient Data Repository or the client data archive for social welfare services

The patient and client data system automatically saves all entries made in it during a fault once the archive is back in use. The procedure for social welfare and healthcare services in fault situations is only available in Finnish and in Swedish.

Action to be taken by pharmacies

Essential medication of patients is safeguarded in any fault situations in Kanta services. The procedure for pharmacies in fault situations is only available in Finnish and in Swedish.

Action to be taken by citizens in fault situations

Find out about instructions for citizens in fault situations.  

Incident report to Valvira

In a situation where patient safety has or is suspected of having been compromised, both the system supplier and the service provider are obliged to send an incident report to Valvira.

Reporting an actual or suspected personal data breach 

An actual or suspected personal data breach shall be reported to the controller as soon as possible. If the service provider is the controller themselves, it must investigate the situation and, if necessary, report the matter to the Office of the Data Protection Ombudsman within 72 hours. If necessary, the data subjects must be notified of the matter. Various parties must assist the controller in the investigation of personal data breaches and the limitation of their impacts. The procedure of the personal data breach instructions of pharmacies and social welfare and healthcare services is only available in Finnish and in Swedish.

Action to be taken by the authorities in serious incidents or exceptional situations

The authorities (THL, Kela, Valvira, VRK, STM, Fimea) will assess the severity of the incident. In the event of a serious incident or exceptional situation, the authorities will provide instructions on what to do during the situation and how to resume normal operations. The instructions drawn up on the basis of the assessment will be sent to the contact persons notified by the service providers, and these persons will distribute the instructions within their own organisation.

Find out more

Last updated 15.04.2019