Kela
Kela is responsible for organising joint testing and all associated practical measures.
Information system provider and digital service provider
The provider of the information system service (system provider or digital service provider) is responsible for the correct classification of the information system. The information system’s class determines how the key requirements set for the system are verified. More detailed information on the classification of information systems is available in Finnish in THL’s Regulation 4/2024 and its appendices (thl.fi).
The system provider is also responsible for ensuring that the information system it produces meets the key requirements concerning interoperability, data security, data protection and functionality. The compatibility of an information system or wellbeing application with Kanta is ensured through joint testing.
The system provider must notify Valvira of an information system that meets the requirements of the Client Data Act for registration in the information system register. The deployment of the information system requires that its data can be found in the social and health care information system database maintained by Valvira.
- Classification of information systems (valvira.fi)
- Information system database for social welfare and health care (Valvira.fi)
The information system, wellbeing application, digital online service, or technical Kanta intermediary service connected to the Kanta Services must have a certificate of an approved data security assessment. The system provider is responsible for organising the information security assessment together with the inspection body.
If the system service provider or the provider of the wellbeing application or the digital online service is someone other than the original system provider, the parties must mutually agree on who is responsible for system certification.
With regard to the certification of a system entity, subsystem suppliers may agree among themselves who is responsible for the certification of the system entity.
Finnish Institute for Health and Welfare (THL)
THL is responsible for the operational guidance of information management in social welfare and health care services, and publishes and maintains regulations and guidelines related to essential requirements and self-monitoring. From the viewpoint of testing and certification, THL is responsible for, e.g.:
- the operating models for health care and social welfare service providers and the related guidance
- the determination of information system classes
- procedures to be complied with in order to prove the key requirements
- regulations issued to social welfare and health care operators.
Information security inspection body
The information security inspection body assesses whether the information system meets the data security requirements outlined in the Client Data Act and issues an information security certificate for a maximum of three years at a time.
Information security inspection bodies accredited by Traficom may carry out the data security assessment required by the Client Data Act. When an information system meets the key requirements set for it and Kela has issued a joint testing statement for the system, the information security inspection body will issue a certificate of the data security assessment of the system.
The Finnish Transport and Communications Agency Traficom
Traficom approves the information security inspection body that can carry out the data security assessment required by the Client Data Act. Furthermore, Traficom directs and supervises information security inspection bodies.
Valvira
The National Supervisory Authority for Welfare and Health Valvira is tasked with supervising and promoting the compliance of information systems and their use in accordance with their intended purpose.
Valvira maintains a public information system database of social welfare and health care information systems and wellbeing applications. Valvira also has the right to carry out inspections required by its supervisory duties.
Organisations providing or organising social welfare and health care services
Organisations providing or organising social welfare and health care services are responsible for creating an information security plan and for in-house control regarding data security and data protection. The service provider is responsible for the use of compliant information systems in accordance with their intended purpose and the manufacturer's instructions.