SIST EN 14484:2004

2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.YDUQRVWLMedizinische Informatik - Internationaler Austausch von unter die EU-Datenschutzrichtlinie fallenden persönlichen Gesundheitsdaten - Generelle Sicherheits-StatementsInformatique de santé - Transfert international des données personelles de santé couvertes par la directive européenne sur la protection des données personelles - Politique de sécurité de haut niveauHealth informatics - International transfer of personal health data covered by the EU data protection directive - High level security policy35.240.80Uporabniške rešitve IT v zdravstveni tehnikiIT applications in health care technologyICS:Ta slovenski standard je istoveten z:EN 14484:2003SIST EN 14484:2004en01-maj-2004SIST EN 14484:2004SLOVENSKI
STANDARD



SIST EN 14484:2004



EUROPEAN STANDARDNORME EUROPÉENNEEUROPÄISCHE NORMEN 14484December 2003ICS 35.240.80English versionHealth informatics - International transfer of personal health datacovered by the EU data protection directive - High level securitypolicyInformatique de santé - Transfert international des donnéespersonelles de santé couvertes par la directive européennesur la protection des données personelles - Politique desécurité de haut niveauMedizinische Informatik - Internationaler Austausch vonunter die EU-Datenschutzrichtlinie fallenden persönlichenGesundheitsdaten - Generelle Sicherheits-StatementsThis European Standard was approved by CEN on 13 November 2003.CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this EuropeanStandard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such nationalstandards may be obtained on application to the Management Centre or to any CEN member.This European Standard exists in three official versions (English, French, German). A version in any other language made by translationunder the responsibility of a CEN member into its own language and notified to the Management Centre has the same status as the officialversions.CEN members are the national standards bodies of Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Greece,Hungary, Iceland, Ireland, Italy, Luxembourg, Malta, Netherlands, Norway, Portugal, Slovakia, Spain, Sweden, Switzerland and UnitedKingdom.EUROPEAN COMMITTEE FOR STANDARDIZATIONCOMITÉ EUROPÉEN DE NORMALISATIONEUROPÄISCHES KOMITEE FÜR NORMUNGManagement Centre: rue de Stassart, 36
B-1050 Brussels© 2003 CENAll rights of exploitation in any form and by any means reservedworldwide for CEN national Members.Ref. No. EN 14484:2003 ESIST EN 14484:2004



EN 14484:2003 (E)2ContentspageForeword.4Introduction.51Scope.92Normative references.93Terms and definitions.94Abbreviated terms.105The European Data Protection Directive (see annex A).115.1General.115.2General aims: (Article 1).115.3Scope: electronic and non-electronic (Article 3).115.4Principles relating to data quality (Article 6).115.5Criteria for legitimacy (Article 7).115.6Special categories of processing, including personal health data (Article 8).125.7Information to be given to the data subject (Article 10).125.8Right of access to data (Article 12).125.9Right to object (Article 14).125.10Security of processing (Article 17).125.11Judicial remedies, liability and sanctions (Articles 22, 23 and 24).135.12Supervisory Authorities (Articles 28 and 18).135.13Working party on the protection of Individuals with regard to the Processing of Personal Data.135.14Transfer of personal data to Third Countries.136Requirements for the transfer of personal data to third Countries.136.1General.136.2Principles (Article 25).136.3Ensuring transfers are permissible.146.4Grounds by which transfers to third countries are permissible.147A Security Policy for third countries.167.1The requirement.167.2The purpose of the security policy.167.3The ‘level’ of the security policy.168High Level Security Policy: general aspects.178.1Levels of abstraction in ensuring security.17Generic principles.178.3Non-generic Principles.178.4Guidelines.188.5Measures.188.6Elements of a High Level Security Policy.189High Level Security Policy: the content.189.1Principle One: overriding generic principle.189.2Principle Two: chief executive support.199.3Principle Three: documentation of Measures and review.199.4Principle Four: Data Protection Security Officer.209.5Principle Five: permission to process.209.6Principle Six: information about processing.219.7Principle Seven: information for the data subject.239.8Principle Eight: prohibition of onward data transfer without consent.239.9Principle Nine: remedies and compensation.249.10Principle Ten: security of processing.25SIST EN 14484:2004



EN 14484:2003 (E)39.11Principle Eleven: responsibilities of staff and other contractors.269.12Principle Twelve: adequacy of third country data protection.269.13Principle Thirteen: additional EU Member State particular requirements.2710Rationale and Observations on Measures to support Principle Ten concerning security ofprocessing.2710.1General.2710.2Encryption and digital signatures for transmission to the third country.2710.3Access controls and user authentication.2710.4Audit Trails.2810.5Physical and environmental security.2810.6Application management and network management.2810.7Viruses.2810.8Breaches of security.2810.9Business Continuity Plan.2810.10Handling particularly sensitive data.2810.11Standards.2911Personal health data in non-electronic form.29Annex A (normative)
EU Data Protection Directive.30Annex B (informative)
Useful sources of advice.50B.1EU Security projects.50B.2CEN/ISSS.50B.3Non-CEN Standards.50B.4Selected web sites.51Annex C (informative)
Model declaration.52Bibliography.54SIST EN 14484:2004



EN 14484:2003 (E)4ForewordThis document (EN 14484:2003) has been prepared by Technical Committee CEN/TC 251 "EuropeanStandardization of Health Informatics", the secretariat of which is held by SIS.This European Standard shall be given the status of a national standard, either by publication of an identical text orby endorsement, at the latest by June 2004, and conflicting national standards shall be withdrawn at the latest byJune 2004.Annex A is normative. The annexes B and C are informative.According to the CEN/CENELEC Internal Regulations, the national standards organizations of the followingcountries are bound to implement this European Standard: Austria, Belgium, Czech Republic, Denmark, Finland,France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Luxembourg, Malta, Netherlands, Norway, Portugal,Slovakia, Spain, Sweden, Switzerland and the United Kingdom.SIST EN 14484:2004



EN 14484:2003 (E)5IntroductionIn the health context, information about individuals needs to be collected, stored and processed for many purposes,the main being:· direct delivery of care e.g. patient records;· administrative processes e.g. booking appointments;· clinical research;· statistics.The data required depends on the purpose. In the context of identification of individuals, data may be needed:· to allow an individual to be readily and uniquely identified e.g. a combination of name, address, age, sex,identification number;· to confirm that two data sets belong to the same individual without any need to identify the individualhimself e.g. for record linkage and/or longitudinal statistics;· for statistical purposes but with the end desire positively to prevent identification of any individual.In all of these circumstances data about individuals are now, and will increasingly in the future, be transmittedacross national borders or be deliberately made accessible to countries other than where they are collected orstored.
Data may be collected in one country and stored in another, be processed in a third, and be accessiblefrom many countries or even globally. The key requirement is that all this processing should be carried out in afashion that is consistent with the:· the purposes and consents of the original data collection and, in particular;· all disclosures of personal health data should be to appropriate individuals or organisations withinthese purposes and consents.International health-related applications require health-related data to be transmitted from one nation to anotheracross national borders.
That is very evident in telemedicine or when data are electronically dispatched forexample in an email or as a data file to be added to an international database.
It also occurs, but less obviously,when a database in one country is viewed from an other for example over the Internet.
That application mayappear passive but the very act of viewing involves disclosure of that data and is deemed ‘processing’. Moreover itrequires a download that may be automatically placed in a cache and held there until 'emptied' - this also isprocessing and involves a particular security hazard.There is a wide range in the types of third country organisation that might be involved in receipt of personal healthdata from an EU Member State for example:· healthcare establishments such as hospitals;· pharmaceutical companies involved in research;· contractors remotely maintaining health care systems in EU hospitals;· companies holding educational data bases containing for example radiological images with diagnosesand case notes;· companies holding banks of medical records for patients from different countries.In all applications involving personal health data there can be a potential threat to the privacy of an individual. Thatthreat and its extent will depend on:· the level to which data is protected from unauthorised access in storage or transmission;· the number of persons who have authorised access;· the nature of the personal health data stored;· the level of difficulty in identifying an individual if access to the data is obtained;SIST EN 14484:2004



EN 14484:2003 (E)6· the difficulty in obtaining unauthorised access.Wherever health data are collected, stored, processed or published (including electronically on the Internet) thepotential threat to privacy needs to be assessed and appropriate protective measures taken.
Some form of riskanalysis should be undertaken to ascertain the required level of security measures.In addition to the standards bodies CEN, CENELEC, ISO and IEC there are three major trans-national bodies thathave produced internationally authoritative documents relating to security and data protection:· the European Union (EU);· the Organisation for Economic Co-operation and Development (OECD);· the Council of Europe;· the United Nations (UN).The primary documents from these bodies are:· EU Data Protection Directive "on the protection of individuals with regard to the processing of personaldata and free movement of that data" [1];· OECD "Guidelines on the Protection of Privacy and Trans-border flows of Personal Data" [2];· OECD "Guidelines for the Security of Information Systems" [3];· Council of Europe "Convention for the Protection of individuals with regard to Automatic Processing ofPersonal Data" No. 108 [4];· "Council of Europe Recommendation R(97)5 on the Protection of Medical Data" [5];· UN General Assembly "Guidelines for the Regulation of Computerised Personal Data Files" [6].The means and extent of the protection afforded to personal health data varies from nation to nation [7].
In somecountries there is nation-wide privacy legislation, in others legislative provisions may be at a state level orequivalent. In a number of countries no legislation may exist although various codes of practice or equivalent willprobably be in place and/or ‘medical’ laws which lay down a duty on medical practitioners to safeguardconfidentiality.Although privacy legislation in different parts of the world may mention personal health data, frequently there is nolegislation specific to health except perhaps in relation to government agencies and/or medical research.The EU Directive on Data Protection (see text in annex A) aims to create uniform legislative data protectionprovisions throughout the EU. The Directive also applies to non-community countries of the European EconomicArea by virtue of the EEA Treaty Decision 83/1999 of 25 June 1999. The majority of countries of Central andEastern Europe and Cyprus which are applicants to become members of the EU, are also looking to introducelegislation in conformance with the Directive.The Directive makes it permissible for personal data to be passed across EU borders.
However, the transfer ofpersonal data from an EU country to a non-EU country is controlled by Articles 25 and 26.In essence, subject to specific 'derogations', Article 25 allows transfer of personal data to a third country only if thatthird country ensures an 'adequate level of protection'.The 'adequacy of protection' is to be assessed (Article 25.2) in the light of all the circumstances with 'particularconsideration' to be given to particular factors including:· the nature of the data;· the purpose and duration of the proposed processing operation(s);· the rules of law applying;· the professional rules and security measures which are
complied with;· the country concerned.In the health context personal health data can be extremely sensitive in nature and is recognised as such by theDirective. There is extensive guidance available both nationally and internationally on 'security measures' for theprotection of personal health data (see annex B).As noted above there is in many countries a mix of general and specific legal or quasi-legal requirements coveringpersonal health data protection plus professional codes covering ethical aspects including safeguardingSIST EN 14484:2004



EN 14484:2003 (E)7confidentiality. These two aspects may not necessarily be consistent and may in some aspects be in conflict. ThisEuropean Standard, although referring to both, deals primarily with the legal context deriving from implementationof the Data Protection Directive. Ethical codes generally contain material that goes beyond formal legalrequirements. The guidance in this standard should not diminish compliance with such more extensive documents.Indeed ensuring conformance with legal rules is only one aspect of ensuring confidentiality is protected. In thatcontext it should be noted that the European Group on Ethics in Science and New Technologies [8], is of theopinion that “personal data should be considered in the framework of the rights of personality, even if in somecases they may be subject transactions” and, “since personal data continue to reflect the data subject’s identity,they cannot be treated as entirely separate from him/her”. The Group observed that consequently “some countriesregard sensitive personal health data as inalienable to protect the dignity of the individual”.
The InternationalMedical Informatics Association is in the process of developing and accepting a code of ethics for healthinformation professionals [18].Article 26 of the Directive details the 'derogations' under which an EU Member State may permit transfer ofpersonal data to a third country without an adequate level of data protection.
The full list is in annex A.
Thederogations include where:· the data subject has given his unambiguous consent;· it is necessary to protect the data subject’s vital interests;· the “controller adduces adequate safeguards with respect to the privacy and fundamental rights andfreedoms of individuals”; “such safeguards may in particular result from appropriate contract clauses”.Under Article 29 of the EU Directive an EU Working Party, on the Protection of Individuals with regard toProcessing of Personal Data, was created.
Its findings provide important interpretations and views on theDirective.EN 14485,
Health informatics - Guidance for handling personal health data in international applications in thecontext of the EU data protection directive [9] provides guidance on the general measures that should be taken torender permissible transfer of personal health data form an
EU Member State or another country.These general measures comprise guidance for ensuring that such transfers are permissible under the Directive.Whilst it indicates the actions that a non-EU organisation should take to render such transfers permissible, thestandard does not make explicit the essential elements that such an organisation should include in its securitypolicy covering these types of international applications.This standard addresses these aspects and provides guidance on the policy which an organisation in a non-EUcountry should adopt to demonstrate compliance with the measures necessary to make permissible the transfer ofpersonal health data to it from an EU country in the context of the EU Directive.This standard is based on the premise that all organisations processing personal health data in internationalapplications should reflect all of their obligations under the EU Data Protection Directive in their security policies.
Itwould be of considerable benefit to data subjects, which for health data includes patients, if all such organisationshad a high level security policy addressing these matters which:· made clear the organisation's expectations of all its staff involved in the processing of personal healthdata in an international application (often expressed in contracts of employment);· was available to any data subject on request;· was part of the documentation which would assist in reassuring an EU Supervisory Authority of anorganisation's compliance with the Directive;· would help reassure other bodies with which the organisation was associated in the context of healthdata.Whereas the Directive renders it permissible for personal health data to be transferred to other EU Member States(strictly also EEA Member States), data controllers nevertheless have the obligation to ensure EU/EEAorganisations have implemented necessary requirements for processing.
A high level security organisation policystandard will assist EU controllers in:· specifying and assessing the adequacy of the data protection provisions of others with whom they aredealing;· demonstrating to others the adequacy of their own provisions.SIST EN 14484:2004



EN 14484:2003 (E)8Article 25 of the Directive prohibits the transfer of personal data to non-EEA countries unless they have adequatedata protection provisions in the context of the Directive.
Article 26 details allowable derogations in the context ofthat prohibition.Those EU organisations seeking to engage with organisations in non-EEA countries in international applicationsinvolving personal health data, will at least need to assure themselves that the non-EU party:· is in compliance with any measures which will ensure adequacy of their data protection in the contextof the EU Directive (these go beyond solely technical security aspects); or· will ensure compliance with the terms of any derogations available.The High Level Security Policy which this standard addresses will assist:· EU organisations in laying down conditions on non-EEA parties to render permissible the transfer ofpersonal health data;· non-EU organisations in complying with the requirements of the Directive in the context of the transferof personal health data to them from an EEA body.SIST EN 14484:2004



EN 14484:2003 (E)91 ScopeThis European Standard provides guidance on a High Level Security Policy for third country organisations and isrestricted to aspects relevant to personal health data transferred from a compliant country to a third country (seedefinitions).This European Standard provides guidance on the High Level Security Policy which should be adopted by thirdcountry organisations involved in international informatics applications which entail transmission of person healthdata from an EU Member State to a non-EU Member State whose data protection is inadequate in the context ofthe EU Data Protection Directive [1].
Its purpose is to assist in the application of the EU Directive.The European Standard does not provide definitive legal advice but comprises guidance.
When applying theguidance to a particular application legal advice appropriate to that application should be sought.Whereas this guidance will be useful in the formulation of a high level policy for EU organisations, its scope isrestricted to organisations in third countries (see definitions).2 Normative referencesNot applicable.3 Terms and definitionsFor the purposes of this European Standard, the following terms and definitions apply. Where a term is defined inthe EU Data Protection Directive (Article 2) that definition is used for the purposes of this European Standard.
Incountries in which the EU Directive has not been implemented, other definitions for these terms may be in use andmay have a legal status and therefore care should be taken in utilising this standard in those circumstances.3.1identifiable personperson who can be identified, directly or indirectly, in particular by reference to an identification number or one ormore factors specific to his physical, physiological, mental, economic, cultural or social identity3.2compliant countrycountry whose legislation complies with the EU Data Protection Directive and is recognised as such by theEuropean Commission3.3controllernatural or legal person, public authority, agency or any other body which alone or jointly with others determines thepurposes and means of the processing of personal data; where the purposes and means of processing aredetermined by national or Community laws or regulations, the controller or the specific criteria for his nominationmay be designated by national or Community law3.4data subjectidentified or identifiable natural person, which is the subject of personal data3.5personal dataany information relating to an identified or identifiable natural personSIST EN 14484:2004



EN 14484:2003 (E)103.6personal data filing systemany structured set of personal data which are accessible according to specific criteria, whether centralised,decentralised or dispersed on a functional or geographical basis allowing easy access to the personal data3.7personal health dataany information relevant to the health or sex life of an identified or identifiable natural person3.8processing of personal dataprocessing any operation or set of operations which is performed upon personal data, whether or not by automaticmeans, such as collection, recording, organisation storage, adaptation or alteration, retrieval, consultation, use,disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking,erasure or destruction3.9processornatural or legal person, public authority, agency or any other body which pr
...