On September 1, 2021, the transition period related to secure operating environments audited in accordance with the Act on the Secondary Use of Health and Social Data will be extended until April 30, 2022.
For justified reasons, the data can be disclosed for processing to unaudited but secure operating environments until 30.4.2022. According to the new amendment to the law, this requires a temporary permit that can only be valid until 30 April 2022.
This restriction does not apply to data disclosed to audited operating environments.
Primarily, the data are always disclosed to Findata’s secure operating remote environment. The use of Findata’s operating environment and the release of data to the environment will continue normally.
Existing permits
The amendment does not affect valid permits. If the data is processed on the basis of a valid permit, this may continue as it does now.
If it is desired to add new data to the data processed in an unaudited environment with a new data permit, the permit for the new data may be granted – in accordance with the amendment – only until 30 April 2022.
Ongoing audit processes
A data permit can be granted even if the assessment aiming at the certificate of the operating environment is pending at the time of granting the permit. In this case, the data is transferred to the environment in accordance with the data permit when the assessment is completed and there is a certificate.
Requirements will enter into force on 1 May 2022
From May 2022 onwards, individual level data may only be disclosed to an operating environment that meets the requirements of the regulation on secure operating environments. In addition, the operating environment must be assessed by a data security assessment body that must issue a certificate on the assessment.
The National Supervisory Authority for Welfare and Health (Valvira) maintains a public register of the operating environments notified to it that meet the requirements.
See also:
- Regulation by the Health and Social Data Permit Authority Findata: Requirements for other service providers’ secure operating environments (PDF 252 Kb, opens in a new window)
- National Supervisory Authority for Welfare and Health (Valvira): Database of secondary-use environments (opens in a new window)
- National Cyber Security Center: Accredited information security inspection bodies (opens in a new window)
- Article: Findata has issued a regulation on the requirements of secure operating environments
