Operating environments under the Act on the Secondary Use of Health and Social Data
The Finnish Supervisory Agency supervises and promotes the compliance of the operating environments for social and health data referred to in the Act on the Secondary Use of Health and Social Data with data protection and information security requirements. These requirements for operating environments are derived from the Act on the Secondary Use of Health and Social Data and from regulation 1/2022 issued by the Finnish Social and Health Data Permit Authority Findata. The Finnish Supervisory Agency maintains the public Astori register, which contains data on registered operating environments that comply with the regulations.
Secondary use of the health and social data of private individuals for scientific research or compiling statistics, for preparing teaching materials and for planning and investigative activities by the authorities requires a data permit as per the Act on the Secondary Use of Health and Social Data. Data from datasets specified in the data permit must be processed in a secure operating environment as described in Findata regulation 1/2022.
Compliant environments must be registered in the Astori public register maintained by the Finnish Supervisory Agency prior to implementation. An operating environment must have been granted an information security certificate as per Findata regulation 1/2022 in order to be eligible for registration. Information security certificates are issued by an inspection body approved by the Finnish Transport and Communications Agency Traficom. Read more about registration on the Operating environment registration page.
Operating environment service providers must be able to produce a valid certificate from an information security inspection body, up-to-date documentation and, if necessary, technical specifications as proof of their operating environment’s conformity with the requirements. Data protection and information security requirements must be met throughout the production use of the operating environment. The operating environment’s service provider must monitor changes in the requirements set for the operating environment and the experiences accumulated during production use.
The Finnish Supervisory Agency supervises operating environments under the Act on the Secondary Use of Health and Social Data by means of, for example, assessment and guidance visits, investigations and inspections.
Contact information
Customer service for health and social services
Ask our customer service by using the service form
By e-mail: [email protected]
By calling: +358 295 256 930 (Monday–Friday 9:00–15:00)