Significant nonconformity in complying with essential requirements

A significant nonconformity in an information system may endanger client or patient safety or information security. A nonconformity may affect the system’s functional requirements, interoperability, or information security.

A significant nonconformity is, for example:

  • a deficiency or error in a system that may pose a risk to client or patient safety 
  • a deficiency or error in a system that may pose a risk to information security or data protection 
  • a deficiency or error in a system or operating environment that may pose a risk to the operation of health and social services 
  • an error or interruption in Kanta services, which may pose a risk to client or patient safety or the operation of health and social services 
  • an error in the technical accuracy or integrity of the data stored in Kanta services, which may cause issues such as large-scale interoperability disruptions
  • expiration of an information system’s information security certificate 
  • the absence of a provision-based function in the information system. 

For more information on significant nonconformities, see Chapter 10.4 Compliance nonconformities in THL regulation 5/2024. See the end of this page for the document.

Report a significant nonconformity

Information system service supplier

The information system service supplier must notify the Finnish Supervisory Agency if there is a nonconformity in the system it produces that poses a significant risk to client or patient safety or information security.  

The supplier must also inform all users of the system of any significant nonconformity. If the system is a Category A system, the supplier must also notify Kela's Kanta services of any significant nonconformity in accordance with the instructions on how to act in fault situations.

Wellbeing app creators

A wellbeing app creator must notify the Finnish Supervisory Agency if there is a nonconformity in the application it manufactures that poses a significant risk to client or patient safety or information security. The creator must also inform all the application's users of the significant nonconformity.

Service provider and pharmacy

The service provider and the pharmacy must notify the information system service supplier if they find that there is a significant nonconformity in the fulfilment of essential requirements in the system they use.  

If a significant nonconformity observed by the service provider may pose a risk to client or patient safety or information security, the service provider must submit a nonconformity notification to the Finnish Supervisory Agency. If a nonconformity in a pharmacy system may pose a significant risk to the operation of the pharmacy, the pharmacy must notify the Finnish Medicines Agency Fimea of the nonconformity. 

Other reporters

If a significant nonconformity in a system or application endangers client or patient safety or information security, Kela and the Finnish Institute for Health and Welfare must also report the nonconformity to the Finnish Supervisory Agency.

If a data protection nonconformity is detected in a system, the Data Protection Ombudsman must be informed.

Submit a nonconformity notification (in Finnish)

You can also submit a free-form nonconformity notification to the Finnish Supervisory Agency’s registry at kirjaamo(at)lvv.fi. If you send confidential information, use the secure email connection. You can also send a nonconformity notification by post to Finnish Supervisory Agency, P.O.Box 20, FI-13035 LVV.

The Finnish Supervisory Agency may undertake supervision on the basis of a nonconformity notification. Supervision may focus on the information system service supplier or the service provider using the information system.

Contact information

Customer service for health and social services

Ask our customer service by using the service form
By e-mail: [email protected]
By calling: +358 295 256 930 (Monday–Friday 9:00–15:00)