Certification parties and responsibilities

In addition to the information system provider and Kela, the certification process for a health care and social welfare information system also involves other authorities which have their own responsibilities in the certification process.

Kela

Kela is responsible for organising joint testing and all associated practical measures.

Information system and wellbeing application supplier

The information system service provider (hereinafter the system provider) is responsible for ensuring that the information system is classified correctly. The information system’s class determines how the key requirements set for the system are verified. More detailed information on the classification of information systems is available in Finnish in THL’s Regulation 4/2024 and its appendices (thl.fi).

The system provider is also responsible for ensuring that the information system it produces meets the key requirements concerning interoperability, data security, data protection and functionality. The compatibility of an information system or wellbeing application with Kanta is ensured through joint testing.

The system provider must notify Valvira of an information system that meets the requirements of the Client Data Act for registration in the information system register. The deployment of the information system requires that its data can be found in the social and health care information system database maintained by Valvira.

An information system, wellbeing application or technical Kanta intermediary service linking to the Kanta Services must have a certificate of an approved data security assessment. The system provider is responsible for organising the information security assessment together with the inspection body.

If the system provider or the manufacturer of the wellbeing application differs from the original manufacturer of the system, the parties must mutually agree on who is responsible for certifying the system.

With regard to the certification of a system entity, subsystem suppliers may agree among themselves who is responsible for the certification of the system entity.

Finnish Institute for Health and Welfare (THL)

THL is responsible for the operational guidance of information management in social welfare and health care services, and publishes and maintains regulations and guidelines related to essential requirements and self-monitoring. From the viewpoint of testing and certification, THL is responsible for, among other things:

  • the operating models for health care and social welfare service providers and the related guidance
  • the determination of information system classes
  • procedures to be complied with in order to prove the key requirements
  • regulations issued to social welfare and health care operators.

Further information is available on the THL website: information management in social welfare and health care (thl.fi).

Information security inspection body

The information security inspection body assesses that the information system meets the data security requirements outlined in the Client Data Act and issues an information security certificate for a maximum of three years at a time.

Information security inspection bodies accredited by Traficom may carry out the data security assessment required by the Client Data Act. When an information system meets the key requirements set for it and Kela has issued a joint testing statement for the system, the information security inspection body issues a certificate of the data security assessment of the system.

The Finnish Transport and Communications Agency Traficom

Traficom approves the information security inspection body that can carry out the data security assessment required by the Client Data Act. Furthermore, Traficom directs and supervises information security inspection bodies.

Valvira

Valvira, the National Supervisory Authority for Welfare and Health, is tasked with supervising and promoting information system compliance and the use of information systems in accordance with their intended purpose.

Valvira maintains a public information system database of social welfare and health care information systems and wellbeing applications. Valvira also has the right to carry out inspections required by its supervisory duties.

Organisations providing or organising social welfare and health care services

Organisations providing or organising social welfare and health care services are responsible for creating an information security plan and for in-house control regarding data security and data protection. The service provider is responsible for the use of compliant information systems in accordance with their intended purpose and the manufacturer's instructions.

Last updated 1.10.2024