Health informatics - Guidance for handling personal health data in international applications in the context of the EU data protection directive

This European Standard provides guidance on data protection for those involved in international informatics applications which entail transmission of personal health data from an EU Member State to a non-EU Member State. Its purpose is to assist in the application of the EU Directive on Data Protection [1].

Medizinische Informatik - Anleitung zur Verwendung von persönlichen Gesundheitsdaten in internationalen Anwendungen vor dem Hintergrund der EU-Datenschutzrichtlinie

Informatique de santé - Guide pour manipuler des données personnelles de santé dans des applications internationales dans le contexte de la directive européenne sur la protection des données personelles

Zdravstvena informatika – Navodilo za ravnanje z osebnimi zdravstvenimi podatki v mednarodni uporabi in v skladu z določili Direktive EU o varstvu podatkov

General Information

Status: Published
Publication Date: 30-Apr-2004
Technical Committee: (not stated)
Current Stage: 6060 - National Implementation/Publication (Adopted Project)
Start Date: 01-May-2004
Due Date: 01-May-2004
Completion Date: 01-May-2004

Buy Standard

Standard: SIST EN 14485:2004
English language, 76 pages

Standards Content (sample)

SLOVENSKI STANDARD
SIST EN 14485:2004
01-May-2004
Zdravstvena informatika – Navodilo za ravnanje z osebnimi zdravstvenimi podatki v mednarodni uporabi in v skladu z določili Direktive EU o varstvu podatkov
Health informatics - Guidance for handling personal health data in international
applications in the context of the EU data protection directive

Medizinische Informatik - Anleitung zur Verwendung von persönlichen Gesundheitsdaten

in internationalen Anwendungen vor dem Hintergrund der EU-Datenschutzrichtlinie

Informatique de santé - Guide pour manipuler des données personnelles de santé dans

des applications internationales dans le contexte de la directive européenne sur la

protection des données personelles
This Slovenian standard is identical to: EN 14485:2003
ICS: 35.240.80 IT applications in health care technology
SIST EN 14485:2004 en

© 2003-01. Slovenski inštitut za standardizacijo. Reproduction of the whole or of parts of this standard is not permitted.

EUROPEAN STANDARD
EN 14485
NORME EUROPÉENNE
EUROPÄISCHE NORM
December 2003
ICS 35.240.80
English version
Health informatics - Guidance for handling personal health data
in international applications in the context of the EU data
protection directive

Informatique de santé - Guide pour manipuler des données personnelles de santé dans des applications internationales dans le contexte de la directive européenne sur la protection des données personelles

Medizinische Informatik - Anleitung zur Verwendung von persönlichen Gesundheitsdaten in internationalen Anwendungen vor dem Hintergrund der EU-Datenschutzrichtlinie
This European Standard was approved by CEN on 13 November 2003.

CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national standards may be obtained on application to the Management Centre or to any CEN member.

This European Standard exists in three official versions (English, French, German). A version in any other language made by translation under the responsibility of a CEN member into its own language and notified to the Management Centre has the same status as the official versions.

CEN members are the national standards bodies of Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Luxembourg, Malta, Netherlands, Norway, Portugal, Slovakia, Spain, Sweden, Switzerland and United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
Management Centre: rue de Stassart, 36 B-1050 Brussels

© 2003 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No. EN 14485:2003 E
EN 14485:2003 (E)
Contents
page

Foreword......................................................................................................................................................................5

Introduction .................................................................................................................................................................6

1 Scope ..............................................................................................................................................................9

2 Normative references ....................................................................................................................................9

3 Terms and definitions....................................................................................................................................9

4 Abbreviated terms .......................................................................................................................................10

5 General solutions to exchanging personal health data between compliant and non-compliant countries .......11

5.1 General approach .............................................................................................................................11

6 Judging the adequacy of data protection .................................................................................................11

6.1 General.............................................................................................................................................11

6.2 Content Principles.............................................................................................................................12

6.3 Procedural/Enforcement Mechanisms..............................................................................................14

6.4 Third Countries that have ratified the Council of Europe Convention 108 .......................................14

6.5 Industry self-regulation......................................................................................................................15

7 Making adequate provisions.......................................................................................................................16

7.1 Introduction .......................................................................................................................................16

7.2 Meeting the "Content Principles" ......................................................................................................16

7.3 Providing for the "Procedural/Enforcement Mechanisms"................................................................16

7.4 Overriding law ...................................................................................................................................18

8 Permissible derogations, Articles 26.1 and 26.2 ......................................................................................19

8.1 Article 26.1 ........................................................................................................................................19

8.1.2 Consent.............................................................................................................................................19

8.2 Article 26.2 ........................................................................................................................................20

9 Anonymisation .............................................................................................................................................20

9.1 Definition of personal data ................................................................................................................20

9.2 Rendering personal data anonymous...............................................................................................20

10 Notification to Supervisory Authorities.....................................................................................................21

10.1 Introduction .......................................................................................................................................21

10.2 Implementation of Articles 18 to 20 ..................................................................................................21

11 Steps in establishing an international application with adequate data protection safeguards from the view point of an EU data controller ............................................................................................21

11.1 Introduction .......................................................................................................................................21

11.2 Step One: Can the data be non-personal?.......................................................................................22

11.3 Step Two: Is the recipient third country an EEA country? ................................................................23

11.4 Step Three: Is the recipient country recognised by the Commission as having adequate data protection provisions?.......................................................................................................................23

11.5 Step Four: Is the recipient organisation in compliance with arrangements formally recognised by the Commission as providing adequate data protection provisions? ..........................................23

11.6 Step Five: If the recipient third country is not EEA, has it signed the Council of Europe Convention 108?...............................................................................................................................23

11.7 Step Six: Is the recipient country applying to become a member of the EU? ..................................23

11.8 Step Seven: Can adequacy of data protection be established?.......................................................24

11.9 Step Eight: If adequacy of data protection cannot be established can the derogations in Article 26.1 provide a solution?.........................................................................................................24

11.10 Step Nine: If adequacy of data protection cannot be established can the derogation in Article 26.2 regarding contractual clauses provide a solution? ...................................................................26


11.11 Step Ten: If transfer of personal health data to the recipient third country is permissible, has the recipient implemented adequate security measures and can the application proceed?.....26

12 Steps in establishing an international application with adequate data protection safeguards from the viewpoint of a non-EU data controller .......................................................................................26

12.1 Establishing data protection adequacy in the EU.............................................................................26

13 Model contract clauses ...............................................................................................................................26

Published models...........................................................................................................................................26

14 Security measures.......................................................................................................................................27

14.1 Introduction .......................................................................................................................................27

14.2 General security................................................................................................................................27

14.3 Security contracts with processors and with controllers in non-compliant countries........................28

14.4 Security policy...................................................................................................................................28

14.5 Risk analysis.....................................................................................................................................28

14.6 Security organisation and allocation of duties ..................................................................................29

14.7 Reporting of security incidents or breaches .....................................................................................29

14.8 Staff and contractor contracts...........................................................................................................29

14.9 Training and awareness ...................................................................................................................29

14.10 Transmission of data ........................................................................................................................29

14.11 Limitations of purpose and access ...................................................................................................29

14.12 Onward transfers ..............................................................................................................................30

14.13 Audit trails .........................................................................................................................................30

14.14 Loss, damage and destruction..........................................................................................................30

14.15 Business Continuity Plans ................................................................................................................30

14.16 Network Security...............................................................................................................................30

14.17 Patients Rights..................................................................................................................................31

14.18 Compliance.......................................................................................................................................31

14.19 Standards..........................................................................................................................................31

15 Declaration of grounds on which transfers are to take place.................................................................31

15.1 Statement of grounds .......................................................................................................................31

Annex A (informative) Key primary international documents on data protection............................................32

A.1 EU Data Protection Directive ............................................................................................................32

A.1.3 Rules for lawfulness of processing ...................................................................................................32

A.1.4 Special categories of processing......................................................................................................32

A.1.5 Data subject's rights..........................................................................................................................33

A.1.6 Security of processing ......................................................................................................................34

A.1.7 Supervisory Authorities.....................................................................................................................34

A.1.8 Remedies and sanctions ..................................................................................................................34

A.1.9 Transfer of personal data to third countries......................................................................................34

A.2 Organisation for Economic Co-operation and Development (OECD) ..............................................35

A.3 Council of Europe .............................................................................................................................35

A.4 United Nations General Assembly....................................................................................................36

A.4.1 General .............................................................................................................................................36

A.4.2 Principles concerning minimum guarantees that should be provided in any national legislation.....36

A.4.3 Application of the Guidelines to personal data files kept by governmental international organisations.....................................................................................................................................37

Annex B (informative) Text of Articles 25 and 26 of the EU Data Protection Directive..................................38

B.1 Article 25: Principles .........................................................................................................................38

B.2 Article 26: Derogations .....................................................................................................................38

Annex C (informative) Text of Article 28 of the EU Data Protection Directive ................................................40

Annex D (informative) Questionnaire for Assessing Data Protection Adequacy ...........................................42

Annex E (informative) Safe harbour privacy principles.....................................................................................48

Annex F (informative) Standards and sources of advice ..................................................................................51

F.1 EU Security projects .........................................................................................................................51

F.2 CEN/ISSS .........................................................................................................................................51

F.3 Non-CEN Standards .........................................................................................................................51

F.4 Selected web sites............................................................................................................................52


Annex G (informative) Model Declaration of Grounds upon which Transfer of Personal Health Data is Regarded as in Compliance with the EU Data Protection Directive.......................................................53

Annex H (informative) Model contractual clauses for controller to controller transfers to a country with inadequate data protection provisions .............................................................................................55

H.1 Introduction .......................................................................................................................................55

H.2 Model standard contractual clauses .................................................................................................55

Annex I (informative) Model contractual clauses for controller to processor transfers to a country with inadequate data protection provisions .............................................................................................66

I.1 Introduction .......................................................................................................................................66

I.2 Model standard contractual clauses .................................................................................................66

Bibliography ..............................................................................................................................................................75

Foreword

This document (EN 14485:2003) has been prepared by Technical Committee CEN/TC 251 "European Standardization of Health Informatics", the secretariat of which is held by SIS.

This European Standard shall be given the status of a national standard, either by publication of an identical text or by endorsement, at the latest by June 2004, and conflicting national standards shall be withdrawn at the latest by June 2004.

The annexes A, B, C, D, E, F, G, H and I are informative.

According to the CEN/CENELEC Internal Regulations, the national standards organizations of the following countries are bound to implement this European Standard: Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Luxembourg, Malta, Netherlands, Norway, Portugal, Slovakia, Spain, Sweden, Switzerland and the United Kingdom.
Introduction

In the health context, information about individuals needs to be collected, stored and processed for many purposes, the main ones being:
• administrative processes e.g. booking appointments;
• direct delivery of care e.g. patient records;
• clinical research;
• statistics.

The data required will depend on the purpose. In the context of identification of individuals, data may be needed:
• to allow an individual to be readily and uniquely identified e.g. a combination of name, address, age, sex, identification number;
• to confirm that two data sets belong to the same individual without any need to identify the individual himself e.g. for record linkage and/or longitudinal statistics;
• for statistical purposes with the desire positively to prevent identification of any individual.

In all of these circumstances data about individuals are now, and will increasingly in the future, be transmitted across national borders or be deliberately made accessible to countries other than where they are collected or stored. Data may be collected in one country and stored in another, be processed in a third, and be accessible from many countries or even globally.

International health-related applications will require health-related data to be transmitted from one nation to another.

That is very evident in telemedicine or when data are electronically dispatched, for example in an email or as a data file to be added to an international database. It also occurs, but less obviously, when a database in one country is viewed from the other, for example over the Internet. That application may appear passive but the very act of viewing involves disclosure of that data and is deemed 'processing'. Moreover it requires a download that may be automatically placed in a cache and held there until 'emptied' - this also is processing.

In all applications involving personal health data there can be a potential threat to the privacy of an individual. That threat and its extent will depend on:
• the level to which data is protected from unauthorised access in storage or transmission;
• the number of persons who have authorised access;
• the nature of the personal data stored;
• the level of difficulty in identifying an individual if access to the data is obtained.

Wherever health data are collected, stored, processed or published (including electronically on the Internet) the potential threat to privacy needs to be assessed and appropriate protective measures taken. Some form of risk analysis should be undertaken to ascertain the required level of security measures.

In addition to the standards bodies CEN, CENELEC, ISO and IEC there are three major trans-national bodies that have produced internationally authoritative documents relating to security and data protection:
• the European Union (EU);
• the Organisation for Economic Co-operation and Development (OECD);
• the Council of Europe;
• the United Nations (UN).
The primary documents from these bodies are:
• EU Data Protection Directive "on the protection of individuals with regard to the processing of personal data and free movement of that data" [1];
• OECD "Guidelines on the Protection of Privacy and Trans-border flows of Personal Data" [2];
• OECD "Guidelines for the Security of Information Systems" [3];
• Council of Europe "Convention for the Protection of individuals with regard to Automatic Processing of Personal Data" No. 108 [4];
• "Council of Europe Recommendation R(97)5 on the Protection of Medical Data" [5];
• UN General Assembly "Guidelines for the Regulation of Computerised Personal Data Files" [6].

Annex A provides a synopsis of the key documents published by these bodies.

The means and extent of the protection afforded to personal health data varies from nation to nation [7]. In some countries there is nation-wide privacy legislation, in others legislative provisions may be at a state level or equivalent, and in a number no legislation may exist although various codes of practice or equivalent will probably be in place.

Although privacy legislation in different parts of the world may mention personal health data, frequently there is no legislation specific to health except perhaps in relation to government agencies and/or medical research.

The EU Directive on Data Protection aims to create uniform legislative data protection provisions throughout the EU. The Directive also applies to non-community countries of the European Economic Area by virtue of the EEA Treaty Decision 83/1999 of 25 June 1999.

The passing of personal data from any one of these conforming nations to another ('third') country is controlled by Articles 25 and 26 of the Directive, the full text of which is in annex B. In essence, subject to specific 'derogations', Article 25 allows transfer of personal data to a third country only if that third country ensures an 'adequate level of protection'. The 'adequacy of protection' is to be assessed (Article 25.2) in the light of all the circumstances with 'particular consideration' to be given to particular factors including:
• the nature of the data;
• the purpose and duration of the proposed processing operation(s);
• the rules of law applying;
• the professional rules and security measures which are complied with.

In the health context personal health data can be extremely sensitive in nature and is so recognised by the Directive. However rules of law specific to health are not common, with the exception perhaps of medical research. Nevertheless 'professional rules' applying to the medical and other healthcare professions concerning the protection of patient confidentiality are present in most countries with significant 'penalties' associated with non-compliance. There is in addition extensive guidance available both nationally and internationally on 'security measures' for the protection of personal health data (see annex F and clause 2).

In many countries therefore there is a mix of general and specific legal or quasi-legal requirements covering data protection plus professional codes covering ethical aspects including safeguarding confidentiality. These two aspects may not necessarily be consistent and may in some aspects be in conflict. This European Standard, although referring to both, deals primarily with the context deriving from implementation of the Data Protection Directive. Ethical codes often contain material that goes beyond formal legal requirements. The guidance in this standard should not diminish compliance with such more extensive documents. Indeed ensuring conformance with legal rules is only one aspect of ensuring confidentiality is protected. In that context it should be noted that the European Group on Ethics in Science and New Technologies to the Commission [8] is of the opinion that "personal data should be considered in the framework of the rights of personality, even if in some cases they may be subject transactions" and, "since personal data continue to reflect the data subject's identity, they cannot be treated as entirely separate from him/her". The Group observed that consequently "some countries regard sensitive personal health data as inalienable to protect the dignity of the individual".

Article 26 of the Directive details the 'derogations' under which an EU Member State may permit transfer of personal data to a third country without an adequate level of data protection. The full list is in annex B. They include where:
• the data subject has given his unambiguous consent;
• it is necessary to protect the data subject's vital interests;
• the "controller adduces adequate safeguards with respect to the privacy and fundamental rights and freedom of individuals and as regards the exercise of the corresponding rights; such safeguards may in particular result from appropriate contract clauses".

Under Article 29 of the EU Directive an EU Working Party on the Protection of Individuals with regard to Processing of Personal Data was created. Its findings provide important interpretations and views on the Directive and these are frequently referred to in this standard.

This standard provides guidance on measures that should be taken to protect personal data in applications which involve transfer of personal health data across national boundaries and in particular between EU and other countries which conform to the EU Directive, and those which may not. In that context it considers the use of contract clauses to achieve adequate safeguards.
1 Scope

This European Standard provides guidance on data protection for those involved in international informatics applications which entail transmission of personal health data from an EU Member State to a non-EU Member State. Its purpose is to assist in the application of the EU Directive on Data Protection [1].

The European Standard does not provide definitive legal advice but comprises guidance. When applying the guidance to a particular application, legal advice appropriate to that application should be sought.

2 Normative references
Not applicable.
3 Terms and definitions

For the purposes of this European Standard, the following terms and definitions apply. Where a term is defined in the EU Data Protection Directive [1] that definition is used for the purposes of this European Standard. In countries in which the EU Directive has not been implemented, other definitions for these terms may be in use and may have a legal st
...
