The Sections of the Act on the Secondary Use of Health and Social Data on the requirements for a secure operating environment are applied in accordance with the transitional provisions of the Act as of 1 May 2021.
From May onwards, individual data based on a data access authorisation may only be disclosed to an operating environment that meets the requirements of the regulation on data security environments in Findata. In addition, the operating environment must be assessed by a data security assessment body that must issue a certificate on the assessment.
Primarily, the data are always disclosed to Findata’s secure operating remote environment. The use of Findata’s operating environment and the release of data to the environment will continue normally after 1 May 2021.
The requirements’ entry into force does not affect valid permits. If the data is processed on the basis of a valid permit, this may continue as it does now.
Pending applications and amendment applications
Due to high demand, many applications in Findata are currently being processed or pending.
We apply the requirements for operating environments on applications submitted on or after 1 May 2021. If a data permit application that can be processed has been submitted to Findata by 30 April 2021, the requirements will not apply even if the actual permit decision is made after 1 May 2021.
With regard to applications for changes to the data access authorisation, we use case-by-case discretion. The processing may continue in the environment in which the original authorisation is used, if this is still justified after the change. This also applies to amendment applications submitted on or after 1 May 2021.
If the assessment aiming at the certificate of the operating environment is pending at the time of granting the permit, we may grant the data permit conditionally. In this case, the data is transferred to the environment in accordance with the data permit when the assessment is completed.
