Certification, key requirements and in-house control


Certification is a process through which conformity to the key requirements applicable to a data system is verified. Certification concerns all data systems joining the Kanta Services and Kanta intermediary services.

Suppliers of all data systems intended for processing client and patient records are obliged to notify Valvira of all data systems deployed for production use. All such systems are also subject to the key requirements of social and healthcare data systems. The requirements concern functionality, interoperability and data security. In the systems joining the Kanta Services, some of the requirements are verified through certification.

Part of the certification process consists of joint testing with the Kela Kanta Services and a data security audit by an inspection body authorised by the Finnish Communications Regulatory Authority. As a result of an authorised certification, the system or intermediary service is awarded a certificate of conformity as prescribed by the act on the processing of client data in social and healthcare services, which is mandatory for all systems linking to the Kanta Services. The certification is renewed after a set period, before the previous authorisation or certificate of conformity expires. The certification must also be renewed if significant changes are made to the system or the requirements are substantially changed.

All organisations providing social and health services and handling client and patient data electronically, as well as those acting as Kanta intermediary services, draw up an in-house control procedure, which is also linked to the key requirements of data systems deployed.

Oversight and responsibilities

The suppliers of the data system or providers of the data system service are responsible for the classification, conformity, notification to Valvira and, when necessary, certification of their own system.

Organisations providing or organising social and healthcare services are responsible for the in-house control of data security and data protection, as well as ensuring that the systems are used in compliance with the regulations. The systems must be used in accordance with their intended use and the supplier’s instructions.

The National Institute for Health and Welfare of Finland (THL) publishes and maintains regulations and guidelines on key requirements and in-house control based on legislation, decrees and national specifications. Kela carries out the joint testing of all systems joining the Kanta Services. Valvira oversees and furthers the use of data systems in accordance with their intended use and their conformity, as well as compiling a public register of social and healthcare data systems.

In-house control

The obligation to draw up an in-house control procedure applies to all social and healthcare service providers, pharmacies and Kanta intermediary service providers.

Operational requirements

At the time of submitting its notification to Valvira or when seeking certification, the supplier of a social and healthcare data system must provide a description of its intended use and of conformity to the operational requirements concerning the system. The notification is submitted on a system form based on uniform classification. The minimum requirements of systems produced for different intended uses are specified through national profiles. 

Joint testing

As a part of certification, all systems joining the Kanta Services must pass a joint testing procedure before the system is deployed for production use.

Data security auditing

As a part of certification, all systems joining the Kanta Services and Kanta intermediary services must pass an audit by a data security assessment body. As a result of an approved certification, the system or intermediary service is awarded a certificate of conformity as prescribed by the act on the processing of client data in social and healthcare services, which is mandatory for all systems linked to the Kanta Services. The certificate of conformity is valid until the end of the specified set period. The costs of data security auditing are met by each system supplier or intermediary service provider itself.

Further information

  • Queries related to joint testing to kantakehitys@kanta.fi
  • Queries related to certification or in-house control procedures to kantapalvelut@thl.fi


Last updated 20.07.2018