Classification of information systems for healthcare and social welfare
The system certification and registration process begins with a classification by the information system supplier. The category of a system is of key importance in determining how the essential requirements of the system are verified.
Social welfare and health care client information systems are divided into categories A and B. Category A is further divided into subcategories A1, A2, and A3.
The information system service supplier is responsible for the classification of its system. The supplier classifies its system according to the criteria in the Finnish Institute for Health and Welfare’s (THL) regulation 4/2024 and its attachment Examples of the classification of systems and wellbeing applications. See the end of this page for the documents.
In unclear situations, THL will decide which category the system is in. Please send any questions you have on system classification to sotetiedonhallinta(at)thl.fi.
The category of an information system will affect
- how essential requirements are verified before the system is commissioned; and
- which documents are submitted to the Finnish Supervisory Agency as attachments to a registration notification.
Risk assessment as part of a system’s classification
When an information system service supplier classifies its system, it must also carry out a risk assessment of the system. The assessment will take the following into account:
- the extent to which the system is used and
- how sensitive the information processed is.
For instructions on carrying out a risk assessment, see THL’s document Examples of classification of systems and wellbeing applications. You can also use THL’s risk assessment tool when carrying out a risk assessment. See the end of this page for the documents.
Category A includes social welfare and healthcare client information systems that
- are linked to Kanta services directly or through a client data transfer service
- create data structures or documents to be stored in Kanta services
- are used for processing client data on a large scale, and in which ensuring data protection requires an information security assessment carried out by an information security inspection body.
Category A is further divided into subcategories:
- A1: An information security assessment must be carried out for the system, on the basis of which it is issued an information security certificate. No joint testing is carried out on Category A1 systems. Category A1 includes, for example, client data transfer services.
- A2: Joint testing must be carried out for the system, on the basis of which it is issued a joint testing statement. An information security assessment must also be carried out for the system, on the basis of which it is issued an information security certificate. Category A2 includes, for example, systems storing administrative data in Kanta services and separate systems in a specialised field.
- A3: Joint testing must be carried out for the system, on the basis of which it is issued a joint testing statement. An information security assessment must also be carried out for the system, on the basis of which it is issued an information security certificate. Category A3 includes healthcare patient record systems linked to Kanta services and social welfare client information systems. Kela's Kanta services are also in Category A3.
Category B includes an information system in which social welfare and healthcare client data is processed,
- which is not directly related to Kanta services
- which does not produce documents stored in Kanta services
- which is not subject to the Category A1 requirement for assessing information security based on a risk assessment.
Although a Category B system is not subject to joint testing and is not required to undergo an information security assessment by an information security inspection body, a Category B system must still be implemented so that it meets the essential requirements for its intended purpose.
You can find examples of Category B systems in THL’s document Examples of the classification of systems and wellbeing applications. See the end of this page for the documents.
Social welfare and healthcare services may also use systems, software, or applications that are not information systems as referred to in the Act on the Processing of Client Data in Healthcare and Social Welfare, even though they contain information such as the name and address of healthcare patients or social welfare clients.
An information system as referred to in the Act on the Processing of Client Data in Healthcare and Social Welfare means software, a system or a subsystem that is designed to be used
- in the electronic processing of client documents
- when storing client documents in Kanta services
- for connecting to national information system services, i.e. Kanta services, or for the processing of wellbeing data in social welfare or healthcare.
Examples of unclassified software and applications:
- general word processing or office software
- administrative support systems used by a social welfare or healthcare service provider, such as meal order systems, material management systems, or user authorisation management systems
- invoicing systems used by social welfare and healthcare service providers
- general systems or applications used for communication, such as various chat software.
THL’s document Examples of the classification of systems and wellbeing applications describes in more detail what kind of software is not an information system as referred to in the Act on the Processing of Client Data in Healthcare and Social Welfare. See the end of this page for the document.
The Finnish Supervisory Agency does not register or supervise systems that are not Category A or B systems under the Act on the Processing of Client Data in Healthcare and Social Welfare.
General information security and data protection requirements and other provisions related to the preparation, processing, and storage of client data must be taken into account in the processing of client data in all situations. The provisions apply to the service provider regardless of how client data is recorded and stored.
Contact information
Customer service for health and social services
Contact our customer service using the service form
By e-mail: [email protected]
By calling: +358 295 256 930 (Monday–Friday 9:00–15:00)