Suppliers of all data systems intended for processing client and patient records are obliged to notify Valvira of all data systems deployed for production use. All such systems are also subject to the key requirements of social and healthcare data systems. The requirements concern functionality, interoperability and data security. In the systems joining the Kanta Services, some of the requirements are verified through certification.
Part of the certification process consists of joint testing and a data security audit between the Kela Kanta Services and an inspection body authorised by the Finnish Communications Regulatory Authority. As a result of an authorised certification, the system or intermediary service is awarded a certificate of conformity as prescribed by the act on the processing of client data in social and healthcare services, which is mandatory for all systems linking to the Kanta Services. The certification is renewed after a set period, before the previous authorisation or certificate of conformity expires. The certification must also be renewed if significant changes are made to the system or the requirements are substantially changed.
All organisations providing social and health services and handling client and patient data electronically, as well as those acting as Kanta intermediary services, draw up an in-house control procedure, which is also linked to the key requirements of data systems deployed.
Oversight and responsibilities
The suppliers of the data system or providers of the data system service are responsible for the classification, conformity, notification to Valvira and, when necessary, certification of their own system.
Organisations providing or organising social and healthcare services are responsible for the in-house control of data security and data protection, as well as ensuring that the systems are used in compliance with the regulations. The systems must be used in accordance with their intended use and the supplier’s instructions.
The Finnish Institute for Health and Welfare of Finland (THL) publishes and maintains regulations and guidelines on key requirements and in-house control based on legislation, decrees and national specifications. Kela carries out the joint testing of all systems joining the Kanta Services. Valvira oversees and furthers the use of data systems in accordance with their intended use and their conformity, as well as compiling a public register of social and healthcare data systems.
- Määräykset ja ohjeet THL:n sivulla [Regulations and instructions on THL website, in Finnish only]
- Järjestelmien ja välityspalveluiden tuottajien ilmoittaminen Valviralle [Notifications to Valvira by system and intermediary service providers]
- Kanta-sertifiointi ja omavalvonta - yleiskuva ja prosessit [Kanta certification and in-house control procedure – overview and processes]
- Sote-tietojärjestelmien luokittelu, sertifiointi ja omavalvonta: usein kysytyt kysymykset [Classification, certification and in-house control of social and healthcare data systems: frequently asked questions]
The obligation to draw up an in-house control procedure applies to all social and healthcare service providers, pharmacies and Kanta intermediary service providers.
- Määräys omavalvontasuunnitelmasta (pdf, in Finnish only, 2/2015) [Regulation on in-house control procedures (2/2015)]
- Appendix: Sample in-house control procedure (doc, in Finnish only)
At the time of submitting its notification to Valvira or when seeking certification, the supplier of a social and healthcare data system must provide a description of its intended use and of conformity to the operational requirements concerning the system. The notification is submitted on a system form based on uniform classification. The minimum requirements of systems produced for different intended uses are specified through national profiles.
- Määräys 2/2016: Määräys sosiaali- ja terveydenhuollon tietojärjestelmien olennaisista toiminnallisista vaatimuksista (pdf 506 kt) [Regulation 2/2016: Regulation on the key operational requirements of social and healthcare data systems (pdf 506 kb)]
- Liite 1, Määräyksen perustelut ja soveltaminen (pdf 345 kt) [Appendix 1, Reasons and application of the regulation (pdf 345 kb)]
- Liite 2, Olennaisten toiminnallisten vaatimusten luokitus (xls 349 kt) [Appendix 2, Classification of key operational requirements (xls 349 kb)]
- Liite 3a, Profiilit: Sähköisen reseptin profiilit (xls 304 kt) [Appendix 3a, Profiles: Electronic prescription profiles (xls 304 kb)]
- Patient records system for processing prescriptions, Pharmacy system
- Liite 3b, Profiilit: Kanta-arkistoon liittyvien järjestelmien vähimmäisvaatimusprofiilit (xls 334 kt) [Appendix 3b, Profiles: Minimum requirement profiles of systems linking to the Kanta repository (xls 334 kb)]
- Application or service searching for data in the Kanta repository, application utilising data retrieved from the Kanta repository, application or service delivering data into the Kanta repository, application producing data for delivery into the Kanta repository
- Liite 3c, Profiilit: Potilastiedon arkiston profiilit (xls 375 kt) [Appendix 3c, Profiles: Patient Data Repository profiles (xls 375 kb)]
- Medical records system (basic requirements), Oral healthcare system
- Liite 3d, Profiilit: Sosiaalihuollon asiakastiedon arkiston profiilit (xls 579 kt) [Appendix 3d, Profiles: Social services client records archive profiles (xls 579 kb)]
- System related to stage 1 of the client data archive for the social services sector
- System storing data in the client data archive for the social services sector in stage 1
- System for viewing data in the client data archive for the social services sector in stage 1
- Application or service storing the service provider’s own data in the client data archive for the social services sector in stage 1
- Liite 3e, Profiilit: Kuvantamisen profiilit (xls 327 kt) [Appendix 3e, Profiles: Imaging profiles (xls 327 kb)]
- System entity linked to the national Kvarkki imaging archive, system entity maintaining regional imaging archive, system utilising imaging materials from the Kvarkki archive
- Liite 3f, Profiilit: Todistusten profiilit [Appendix 3f, Profiles: Certificate profiles]
- Service that asks for certificates or statements from the Kanta archive
- Service that receives certificates or statements from the Kanta archive
- Service that produces certificates or statements for the Kanta archive
- Liite 4, Järjestelmälomake (xls 221 kt) [Appendix 4, System form (xls 221 kb)]
As a part of certification, all systems joining the Kanta Services must pass a joint testing procedure before the system is deployed for production use.
Data security auditing
As a part of certification, all systems joining the Kanta Services and Kanta intermediary services must pass an audit by a data security assessment body. As a result of an approved certification, the system or intermediary service is awarded a certificate of conformity as prescribed by the act on the processing of client data in social and healthcare services, which is mandatory for all systems linked to the Kanta Services. The certificate of conformity is valid until the end of the specified set period. The costs of data security auditing are met by each system supplier or intermediary service provider itself.
- Määräys A-luokkaan kuuluvien sosiaali- ja terveydenhuollon tietojärjestelmien olennaisista tietoturvavaatimuksista (pdf, in Finnish only, 1/2015) [Regulation on the key data security requirements of Class A social and healthcare data systems (in Finnish only, 1/2015)]
- liite: Tietoturvavaatimukset A-luokkaan kuuluville järjestelmille ja järjestelmien käyttöympäristöille (doc, in Finnish only) [Appendix: Data security requirements of Class A systems and system operating environments]
- Assessment bodies approved by the Finnish Communications Regulatory Authority (kyberturvallisuuskeskus.fi, in Finnish and Swedish only)