- Kela’s role and responsibilities
- Information system supplier’s role and responsibilities
- Client organisation’s role and responsibilities
- Other operators’ role and responsibilities
Kela’s role and responsibilities
Kela is responsible for organising the joint testing and all related practical measures. These include
- maintenance of Kela’s test environments
- administration and distribution of test IDs used in Kela’s test environments
- producing the test material (further information on Kela’s test material services on the Test material page)
- planning of joint tests
- drawing up and maintaining test cases
- maintaining joint testing workspaces
- coordination of joint testing
- verification and approval of test cases
- drawing up the joint testing statement and report.
Kela accepts a system or application supplier for joint testing when the supplier has
- delivered to Kela all information required for the planning and implementation of joint testing
- proved with preliminary test cases returned together with the registration form that the system is ready for joint testing.
If the joint testing includes a cross-testing phase, Kela will select from certified information systems a cross-testing party for the information system to be tested. Kela will agree the cross-testing timetable with the parties.
Kela’s other responsibilities:
- maintenance of Kela’s test environments
- technical and functional requirements for the information systems in healthcare and social welfare and the wellbeing applications
- guidance and advice related to deployment.
Kela is under an obligation of secrecy with respect to any confidential data it has learned concerning the information system or wellbeing application during joint testing. This kind of data includes business secrets, which are also subject to a prohibition on exploiting the data. During joint testing, Kela processes the data in the information systems and applications with care and on a confidential basis.
Role and responsibilities of the information system and wellbeing application supplier
The information system or application supplier (hereinafter the system supplier) is responsible for ensuring that the information system it has manufactured meets the key requirements concerning interoperability, information security, information protection and functionality. The supplier is also responsible for the technical functioning of the system, including the information system’s
- availability
- performance
- ability to produce valid documents and create CDA R2 messages in accordance with the definitions.
Kela provides a Validation service to assist the information system suppliers in their product development to verify whether the information structures of the document are correctly produced.
Please ensure these are fulfilled before registering for joint testing
Before registering for joint testing, it is the system supplier’s responsibility to make sure that it has
- become acquainted with the national certification process and the joint testing material on the kanta.fi website
- joined the Kanta client test service
- committed to complying with the Kanta client test service etiquette, in addition to which the system supplier must for their own part ensure that its potential client organisation also knows the client test service etiquette
- acquired IDs for logging in to the Partners website
- acquired the test cards (dvv.fi) and the test server and test system signature certificates (dvv.fi) required in the testing from the Digital and Population Data Services Agency
- completed the functionality development work for joint testing. The interoperability of a system suitable for production is verified in joint testing, and the tested functionality will no longer be developed during joint testing
- tested its own implementation to a sufficient degree in its own test environment and in the client test environment in the Kanta Services before registering for joint testing With sufficient system testing, the system supplier ensures that the information system is ready for joint testing
- ensured that the information system to undergo joint testing is equivalent to a production-like entity. If several different components or systems take part in the formation of information to be saved in the Kanta Services, individual parts are not joint-tested, but the entire system entity that produces the information to be saved in the Kanta Services will be tested. The preliminary test cases on the registration form must also be carried out with production-like information system entity. This procedure ensures that joint testing is correctly allocated
- ensured that a sufficient amount of time has been reserved for joint testing and taken into account, e.g. time limits imposed by legislation.
If some test phases of the functionality that is tested for interoperability are carried out by a client organisation of the information system supplier, the supplier must find an organisation from among its clients to take part in joint testing. During joint testing, the information system supplier will support the testing of its client organisation, where necessary, e.g. in completing the test reports.
The following aspects must be taken into account in the selection of the client organisation:
- The client organisation has a test environment where the contents and functionality to undergo joint testing can be tested as extensively as possible.
- The client organisation is willing to take part in joint testing and it is able to resource personnel for the preparation of testing, performing of test cases and the verification meetings for joint testing.
- The information system supplier must correct any errors detected in joint testing, and the corrected system version must also be updated in the client organisation’s test environment, when necessary. The test cases of joint testing will be re-tested until no significant errors are found.
If the information system supplier notices an error in its system, the supplier must without delay notify the Kanta Services and all client organisations, which are impacted by the error, of the error and the time schedule of its correction.
If changes that have an impact on the Kanta Services are made in the information system, the information system supplier is obliged to report them to Kela.
Further information about the reporting of changes is available from the appendices of regulations 4/2021 and 6/2021 of the Finnish Institute for Health and Welfare (thl.fi, in Finnish):
- Reporting of changes in class A healthcare and social welfare information systems
- Reporting of changes in class A wellbeing applications that have joined Kanta PHR.
Client organisation’s role and responsibilities
If a client organisation takes part in joint testing, the client organisation of the information system supplier is responsible for having
- become acquainted with the joint testing material on the kanta.fi website
- joined the Kanta client test service
- committed to complying with the Kanta client test service etiquette
- acquired IDs for logging in to the Partners website
- acquired from the Digital and Population Data Services Agency the test professional cards required in the testing, as well as the test server and system signature certificates
- ensured that the information system it is using and which is to be connected to the Kanta Services, including any separate systems, meets the technical and functional requirements for joining. Here the client organisation can use the support of the information system supplier
- reserved a sufficient amount of time for joint testing and resourced personnel for the preparation of testing, carrying out test cases and inspection meetings for joint testing
- ensured that any approval testing of the information system or other testing carried out by the client organisation is scheduled so that it will not disturb the progress of joint testing and the planned schedule. Joint testing is not acceptance testing of the information system
- committed to drawing up a joint testing report of the joint testing it has carried out
Furthermore, the client organisation is obliged to take part in joint testing as a cross-testing party also after the system it is using has been certified.
Other operators’ role and responsibilities
Other operators are also linked to the joint testing carried out in the Kanta client test service, resulting in independent testing and certification. A brief description of the role of each operator from the viewpoint of the testing process is presented in the following.
The Finnish Transport and Communications Agency Traficom
Traficom approves the information security inspection body that can carry out the information security assessment required by the Client Data Act. Furthermore, Traficom directs and supervises the information security inspection bodies. Further information is available on the Traficom website:
- Instructions for information security inspection bodies 210/2016 (pdf, kyberturvallisuuskeskus.fi, in Finnish and Swedish only)
- Approved information security inspection bodies (kyberturvallisuuskeskus.fi, in Finnish and Swedish only)
Finnish Digital and Population Data Services Agency
The Digital and Population Data Services Agency (DVV) produces test cards and test professional cards for information system suppliers and healthcare services. The cards are used, for example, when the system is tested in the test environments of the Kanta Services. The Digital and Population Data Services Agency also produces server certificates and system signature certificates required in the use of the Kanta Services. The Digital and Population Data Services Agency is also responsible for Suomi.fi e-Authorizations, which are used for logging in, e.g. to the Partners workspace.
Further information is available on the Digital and Population Data Services Agency website Certificates (dvv.fi)
Valvira
The National Supervisory Authority for Welfare and Health Valvira is tasked with supervising and promoting the conformity of information systems, and it also has a right to carry out inspections required by the supervision.
Moreover, Valvira is responsible for the register of class A and B information systems in the healthcare and social welfare services and class A wellbeing applications. It is possible to check from the register, for example, which information systems have a right to join the Kanta Services directly and what the last effective day of conformity is for each information system.
An organisation producing healthcare and social welfare services can join the Kanta Services with the information system after the up-to-date data concerning the system is available in the Valvira information system register.
Further information is available on the Valvira website:
Information security inspection bodies
Information security inspection bodies approved by Traficom may carry out an information security inspection required by the Client Data Act. When an information system meets the key requirements set for it and Kela has issued a joint testing statement for the system, the information security inspection body will issue a certificate on the information security inspection for the system.
Finnish Institute for Health and Welfare (THL)
THL is responsible for the operational guidance of information management in social welfare and healthcare services. From the viewpoint of testing and certification, THL is responsible for, e.g.:
- the operating models for healthcare and social welfare service providers and the related guidance
- determination of information system classes
- procedures to be complied with in order to prove the key requirements
- regulations issued to social welfare and healthcare operators.
Further information is available on the THL website: