Findata has issued a regulation specifying the information security requirements for secure processing environments used for secondary use of social and health data.
These requirements apply to all purposes covered by the Act on the Secondary Use of Health and Social Data, including:
- Scientific research
- Statistics
- Teaching (only for preparing teaching materials, not actual teaching)
- Planning and investigation tasks of public authorities
Since 1 May 2022, compliance with these requirements has been mandatory for any data processed outside Findata’s Kapseli environment. In addition, the processing environment must be assessed by a data security assessment body that must issue a certificate on the assessment.
The regulation allows for different technical solutions. Secure environments may range from:
- A physically and technically secure space with an isolated analysis device
- Cloud-based solutions, provided they meet the required security standards
Foreign researchers’ processing environments must also comply with these requirements. Compliance can be demonstrated through internationally recognised security certifications, verified by an approved Finnish assessment body.
Read more on the Regulation on processing environments page.