- Kela’s role and responsibilities
- Information system supplier’s role and responsibilities
- Client organisation’s role and responsibilities
- Other operators’ role and responsibilities
Kela is responsible for organising the joint testing and all related practical measures. These include
- maintenance of Kela’s test environments
- administration and distribution of test IDs used in Kela’s test environments
- producing the test material (further information on Kela’s test material services on the Test material page)
- planning of joint tests
- drawing up and maintaining test cases
- maintaining joint testing workspaces
- coordination of joint testing
- verification and approval of test cases
- drawing up the joint testing statement and report.
Kela will approve the system supplier for joint testing when the supplier has
- delivered to Kela all information required for the planning and implementation of joint testing
- proved with preliminary test cases returned together with the registration form that the system is ready for joint testing.
Kela will select from certified information systems a cross-testing party for the information system to be tested in order to enable joint testing with an uncertified system. Kela will agree the cross-testing timetable with the parties.
Kela is under an obligation of secrecy with respect to any confidential data it has learned concerning the information system during joint testing. This kind of data includes business secrets, which are also subject to a ban on exploiting the data. During joint testing, Kela processes the data in the information systems with care and on a confidential basis.
The information system supplier is responsible for ensuring that the information system it has manufactured meets the key requirements concerning interoperability, information security, information protection and functionality. The supplier is also responsible for the technical functioning of the system, including the information system’s
- ability to produce valid documents and create CDA R2 messages in accordance with the definitions.
Kela provides a Validation service to assist the information system suppliers in their product development to verify whether the information structures of the document are correctly produced.
Please ensure these are fulfilled before registering for joint testing
Before registering for joint testing, it is the system supplier’s responsibility to make sure that it has
- become acquainted with the national certification process and the joint testing material on the kanta.fi website
- joined the Kanta client test service
- committed to complying with the Kanta client test service etiquette, in addition to which the system supplier must for their own part ensure that its client organisation also knows the client test service etiquette
- acquired IDs for logging in to the Partners website
- acquired from the Digital and Population Data Services Agency the test professional cards required in the testing, as well as the system signature certificates
- completed the functionality development work for joint testing. The interoperability of a system suitable for production is verified in joint testing, and the tested functionality will no longer be developed during joint testing
- tested its own implementation to a sufficient degree in its own test environment and in the client test environment in the Kanta Services before registering for joint testing With sufficient system testing, the system supplier ensures that the information system is ready for joint testing
- ensured that the information system to undergo joint testing is equivalent to a production-like entity. If several different components or systems take part in the formation of information to be saved in the Kanta Services, individual parts are not joint-tested, but the entire system entity that produces the information to be saved in the Kanta Services will be tested. The preliminary test cases on the registration form must also be carried out with production-like information system entity. This procedure ensures that joint testing is correctly allocated
- committed to the time schedule of joint testing.
If some test phases of the functionality that is tested for interoperability are carried out by a client organisation of the information system supplier, the supplier must find an organisation from among its clients to take part in joint testing. During joint testing, the information system supplier will support the testing of its client organisation, where necessary, e.g. in completing the test reports. The following aspects must be taken into account in the selection of the client organisation:
- The client organisation has a test environment where the contents and functionality to undergo joint testing can be tested as extensively as possible.
- The client organisation is willing to take part in joint testing and it is able to resource personnel for the preparation of testing, performing of test cases and the verification meetings for joint testing.
The information system supplier must correct any errors detected in joint testing, and the corrected system version must also be updated in the client organisation’s test environment, when necessary. The test cases of joint testing will be re-tested until there are no longer any preventive and significant errors. Information about the categorisation of test observations is available in the Terms and definitions website.
If the information system supplier notices an error in its system, the supplier must without delay notify the Kanta Services and all client organisations, which are impacted by the error, of the error and the time schedule of its correction.
If changes that have an impact on the Kanta Services are made in the information system, the information system supplier is obliged to report them to Kela. Further information is available in the Finnish Institute for Health and Welfare document “Ohje luokkaan A kuuluvien sosiaali- ja terveydenhuollon tietojärjestelmien muutosten ilmoittamisesta”(pdf, thl.fi, in Finnish only) (Instructions for notifying changes in social welfare and healthcare information systems pertaining to class A).
The client organisation of an information system supplier taking part in joint testing is responsible for having
- become acquainted with the joint testing material on the kanta.fi website
- joined the Kanta client test service
- committed to complying with the Kanta client test service etiquette
- acquired IDs for logging in to the Partners website
- acquired from the Digital and Population Data Services Agency the test professional cards required in the testing, as well as the test server and system signature certificates
- ensured that the information system it is using and which is to be connected to the Kanta Services, including any separate systems, meets the technical and functional requirements for joining. Here the client organisation can use the support of the information system supplier
- committed to the time schedule of joint testing and resourced personnel for the preparation of testing, carrying out test cases and feedback meetings for joint testing
- ensured that any approval testing of the information system or other testing carried out by the client organisation is scheduled so that it will not disturb the progress of joint testing and the planned schedule. Joint testing is not acceptance testing of the information system
- committed to drawing up a joint testing report of the joint testing it has carried out
Furthermore, the client organisation is obliged to take part in joint testing as a cross-testing party also after the system it is using has been certified.
Other operators are also linked to the joint testing carried out in the Kanta client test service, resulting in independent testing and certification. A brief description of the role of each operator from the viewpoint of the testing process is presented in the following.
The Finnish Transport and Communications Agency Traficom
Traficom approves the information security inspection body that can carry out the information security assessment required by the Client Data Act. Furthermore, Traficom directs and supervises the information security inspection bodies. Further information is available on the Traficom website:
- Ohje tietoturvallisuuden arviointilaitoksille 210/2016(Instructions for information security inspection bodies) (pdf, kyberturvallisuuskeskus.fi, in Finnish and Swedish only)
- Approved information security inspection bodies (kyberturvallisuuskeskus.fi, in Finnish and Swedish only)
Finnish Digital and Population Data Services Agency
The Digital and Population Data Services Agency (prev. Population Register Centre) produces test cards and test professional cards for information system suppliers and healthcare services. The cards are used, for example, when the system is tested in the test environments of the Kanta Services. The Digital and Population Data Services Agency also produces server certificates and system signature certificates required in the use of the Kanta Services. The Digital and Population Data Services Agency is also responsible for Suomi.fi e-Authorizations, which are used for logging in, e.g. to the Partners workspace.
Further information is available on the Digital and Population Data Services Agency website Certificates (dvv.fi)
The National Supervisory Authority for Welfare and Health Valvira is tasked with supervising and promoting the conformity of information systems, and it also has a right to carry out inspections required by the supervision. Moreover, Valvira is responsible for the register of information systems in classes A and B in the social welfare and healthcare services. It is possible to check from the register, for example, which information systems have a right to join the Kanta Services directly and what the last day of validity of each conformity certificate of each information system is.
Further information is available on the Valvira website:
- Information systems (valvira.fi, in Finnish only)
Information security inspection bodies
Information security inspection bodies approved by Traficom may carry out an information security inspection required by the Client Data Act. When an information system meets the key functional requirements set for it and Kela has issued a joint testing statement for the system, the information security inspection body will issue a conformity certificate for the system. After that, the information system may join the Kanta Services.
- Approved information security inspection bodies (kyberturvallisuuskeskus.fi, in Finnish only)
Finnish Institute for Health and Welfare (THL)
THL is responsible for the operational guidance of information management in social welfare and healthcare services. From the viewpoint of testing and certification, THL is responsible for, e.g.:
- the functional requirements of information systems in the social welfare and healthcare services
- determination of information system classes
- procedures to be complied with in order to prove the key requirements
- regulations issued to social welfare and healthcare operators.
Further information is available on the THL website: