Findata has issued a regulation on the requirements set for other service providers’ secure operating environments. The regulation concerns the secondary use of social and health data.
According to the Act on Secondary Use, the analysis of data at individual level is only permitted in environments that meet the requirements of the regulation as of 1 May 2021. The requirements require the same level of information security as is required for Findata’s own operating environment.
This regulation applies to all purposes laid down in the Act on Secondary Use for which a data permit is required under the Act on Secondary Use. These purposes include scientific research, statistics, education and the planning and reporting duty of an authority. With regard to teaching, the regulation pertains to the preparation of teaching materials, not actual teaching.
You can find out more about the regulation by clicking the link below.
Regulation by the Health and Social Data Permit Authority Findata: Requirements for other service providers’ secure operating environments (PDF 252 Kb, opens in a new window)
What is changing?
Findata grants temporary data permits for the secondary use of register data in the social and health care sector. Once the permit has been granted, Findata will submit the data gathered from different registers to a secure remote access environment for analysis.
As a rule, the materials are always disclosed to Findata’s operating environment. However, the Act on the Openness of Government Activities makes it possible to disclose information to other operating environments, if necessary.
If an individual controller within the scope of the Act on Secondary Use has made a decision on a data permit concerning data included in their own registers, they must disclose the data to a secure environment referred to in the Act on Secondary Use as well.
The now issued regulation describes the operational, administrative and technical requirements that other service providers, such as hospital districts, must implement in a secure environment.
Before the regulation entered into effect, a round for comments was organised from 22 May to 26 June 2020, during which a total of 54 comments were submitted. These comments were taken into account in the preparation of the regulation.
What effects does the regulation have?
As of 1 May 2021, the implementation of the requirements laid down in the regulation is a prerequisite for the disclosure of data to be processed by the permit holder for secondary purposes in an environment other than Findata’s secure operating environment. In addition, the operating environment must be assessed by a information security inspection body that must issue a certificate on the assessment.
The requirements take into account the solutions in existing environments and enable the utilisation of different technical solutions.
At its simplest, a secure environment can be a physically and technically secure space with a terminal device for analyzing data that is isolated from the Internet and other devices. On the other hand, technical solutions based on cloud services are also possible, as long as the service provider ensures the required level of information security.
The operating environments of foreign researchers must also meet the data protection and security requirements laid down in the regulation. Their validity can be demonstrated by means of certificates based on international audits, the compliance of which is verified by an assessment body approved in Finland.
It is possible to import other materials and researchers’ own tools into the operating environments as long as they are in accordance with the process defined by the service provider and under the supervision of the service provider.
Regulation by the Health and Social Data Permit Authority Findata: Requirements for other service providers’ secure operating environments (PDF 252 kb, opens in a new window)