The operating environment requirements will apply in accordance with the transitional provisions of the Act on the Secondary Use of Health and Social Data from 1 May 2022. The requirements apply to data permits and amendment permits issued by both Findata and public data controllers.
As of May 1, 2022, personal data based on a data permit may only be disclosed to audited environments that meet the requirements of the Act and Findata’s regulation on secure operating environments.
The entry into force of the requirements does not affect valid permits. If the project has been granted a permit to process data in an unaudited environment, the processing may continue in that environment until the permit expires.
Apply for an amendment permit in a timely manner
A change was made to the transitional provision of the Act on September 1, 2021, which has made it possible to transfer data to unaudited operating environments. This has required a temporary data permit valid until 30 April 2022 at the latest.
If you have been granted a data permit until April 30, 2022 and want to continue processing the data after that, you must apply for an amendment of your permit and transfer the data to Findata’s Kapseli or another audited environment. If you submit an amendment application no later than April 30, 2022, we may process it as an amendment permit instead of a new data permit. This is a cheaper and faster option for the applicant. You can see an estimate of the queuing situation on the front page and the permit fees on the Pricing page.
Data permit requires an audited environment
From May onwards, data covered by a data permit can only be transferred to operating environments that meet the requirements of the Act and Findata’s regulation, have passed an audit, and hold a valid certificate.
The primary analysis environment for the data is always Findata’s Kapseli. The use of the Kapseli and the delivery of the data there will continue normally after 1 May 2022.
The applicant may, for a justified reason, request the transfer of the data to another audited environment when applying for the permit. Valvira maintains a Toini database of secondary-use environments that meet data security and data protection requirements and to which data can be transferred.
New data cannot be transferred abroad if the environment has not been audited. However, it is possible to add foreign users to the Kapseli. The Ministry of Social Affairs and Health is preparing a government proposal related to the Act and international data transfers.
Amendment permits are subject to requirements, with the exception of changes to processors of personal data
Amendment permits are subject to the same requirements as new data permits with one exception: changes to processors of personal data do not require compliance with the operating environment requirements.
If an amendment permit is granted for a valid data permit, for example with regard to the period of validity of the permit, monitoring years or variables, the data must be transferred to an audited operating environment that meets the requirements of the law.
Data requests are not affected
Requirements for secure environments do not affect data requests for statistics. The statistical data requested is provided to the client, and its analysis is not subject to the same data security requirements as the individual-level material.
By law, we respond to all data requests, regardless of whether the request concerns the data of one or more data controllers.
Ongoing audit processes
We may grant a data permit even though an audit of the operating environment is pending at the time the permit is granted.
In this case, the data will be transferred to the environment in accordance with the data permit when the audit is completed and there is a certificate in Valvira’s Toini database.
Read more
- Act on the Secondary Use of Health and Social Data (PDF 5.4 Mb)
- Toini, database of secondary-use environments (valvira.fi)
- Regulation on secure operating environments
- Regulation by the Finnish Social and Health Data Permit Authority Findata: Requirements for other service providers’ secure operating environments (PDF 67 Kb)
- Annex 1: Requirements for a Secure Operating Environment (PDF 235 Kb)
- See also: Accredited information security inspection bodies (Finnish Transport and Communications Agency Traficom, National Cyber Security Centre)