Regulation on secure operating environments

Findata has issued a regulation on the requirements set for other service providers’ secure operating environments. The regulation concerns the secondary use of social and health data.

According to the Act on Secondary Use, the analysis of data at individual level is only permitted in environments that meet the requirements of the regulation as of 1 May 2022. The requirements require the same level of information security as is required for Findata’s own operating environment.

This regulation applies to all purposes laid down in the Act on Secondary Use for which a data permit is required under the Act on Secondary Use. These purposes include scientific research, statistics, education and the planning and reporting duty of an authority. With regard to teaching, the regulation pertains to the preparation of teaching materials, not actual teaching.

The entry into force of the requirements does not affect existing, valid permits. If data are processed on the basis of a valid permit previously granted, the processing of that data may continue in the same environment after 1 May 2022.

See the regulation

The regulation was updated in January 2022. The new regulation replaces the previous regulation of 5 October 2020 (THL / 2492 / 4.00.00 / 2020). The updated regulation contains its own copy of the criteria for issuing the certificate, in addition to which the requirements are described in more detail.

Trusted authentication sources

The trusted authentication sources mentioned in the regulation for secure operating environments of other service providers are currently:

  • Haka
  • Virtu

In addition, if necessary, we will arrange a user ID for foreign customers with a separate order, which will enable the use of the services.

Network Connections to a Secure Processing Environment

In certain situations, it may be necessary to establish network connections to a secure processing environment. Such situations include, for example, automatic software updates, connections to centralized repositories/libraries, or performing federated analyses.

If the service provider needs to establish connections out of the processing environment or from an individual user environment, the following points must be considered:

  • The need for the connection is justified, and in the case of an individual user environment, the purpose of the connection does not conflict with the conditions of the data permit.
  • The party at the destination address of the connection is identified and assessed as reliable.
  • The establishment, management, and monitoring of the connection are carried out by the service provider.
  • The connection is protected by a firewall, and only the network traffic necessary for the use case is allowed.
  • No personal data is allowed to be transferred through the connection.
  • Any significant changes to the operating environment must be reported to the accredited information security inspection body.