ImageVerifierCode 换一换
格式:PDF , 页数:70 ,大小:1.40MB ,
资源ID:586459      下载积分:10000 积分
快捷下载
登录下载
邮箱/手机:
温馨提示:
如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
如填写123,账号就是123,密码也是123。
特别说明:
请自助下载,系统不会自动发送文件的哦; 如果您已付费,想二次下载,请登录后访问:我的下载记录
支付方式: 支付宝扫码支付 微信扫码支付   
注意:如需开发票,请勿充值!
验证码:   换一换

加入VIP,免费下载
 

温馨提示:由于个人手机设置不同,如果发现不能下载,请复制以下地址【http://www.mydoc123.com/d-586459.html】到电脑端继续下载(重复下载不扣费)。

已注册用户请登录:
账号:
密码:
验证码:   换一换
  忘记密码?
三方登录: 微信登录  

下载须知

1: 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。
2: 试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。
3: 文件的所有权益归上传用户所有。
4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
5. 本站仅提供交流平台,并不能对任何下载内容负责。
6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

版权提示 | 免责声明

本文(BS ISO 22857-2013 Health informatics Guidelines on data protection to facilitate transborder flows of personal health data《健康信息学 个人卫生信息传输的数据保护指导方针》.pdf)为本站会员(eveningprove235)主动上传,麦多课文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文库(发送邮件至master@mydoc123.com或直接QQ联系客服),我们立即给予删除!

BS ISO 22857-2013 Health informatics Guidelines on data protection to facilitate transborder flows of personal health data《健康信息学 个人卫生信息传输的数据保护指导方针》.pdf

1、BSI Standards PublicationBS ISO 22857:2013Health informatics Guidelines on data protectionto facilitate transborder flowsof personal health dataCopyright British Standards Institution Provided by IHS under license with BSI - Uncontrolled Copy Not for ResaleNo reproduction or networking permitted wit

2、hout license from IHS-,-,-BS ISO 22857:2013 BRITISH STANDARDNational forewordThis British Standard is the UK implementation of ISO 22857:2013. Itsupersedes BS ISO 22857:2004 which is withdrawn.The UK participation in its preparation was entrusted to TechnicalCommittee IST/35, Health informatics.A li

3、st of organizations represented on this committee can beobtained on request to its secretary.This publication does not purport to include all the necessaryprovisions of a contract. Users are responsible for its correctapplication. The British Standards Institution 2014. Published by BSI StandardsLim

4、ited 2014ISBN 978 0 580 65294 3ICS 35.240.80Compliance with a British Standard cannot confer immunity fromlegal obligations.This British Standard was published under the authority of theStandards Policy and Strategy Committee on 28 February 2014.Amendments issued since publicationDate Text affectedC

5、opyright British Standards Institution Provided by IHS under license with BSI - Uncontrolled Copy Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-BS ISO 22857:2013 ISO 2013Health informatics Guidelines on data protection to facilitate trans-border flows of personal

6、 health dataInformatique de sant Lignes directrices sur la protection des donnes pour faciliter les flux dinformation sur la sant du personnel de part et dautre des frontiresINTERNATIONAL STANDARDISO22857Second edition2013-12-15Reference numberISO 22857:2013(E)Copyright British Standards Institution

7、 Provided by IHS under license with BSI - Uncontrolled Copy Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-BS ISO 22857:2013ISO 22857:2013(E)ii ISO 2013 All rights reservedCOPYRIGHT PROTECTED DOCUMENT ISO 2013All rights reserved. Unless otherwise specified, no par

8、t of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member bo

9、dy in the country of the requester.ISO copyright officeCase postale 56 CH-1211 Geneva 20Tel. + 41 22 749 01 11Fax + 41 22 749 09 47E-mail copyrightiso.orgWeb www.iso.orgPublished in SwitzerlandCopyright British Standards Institution Provided by IHS under license with BSI - Uncontrolled Copy Not for

10、ResaleNo reproduction or networking permitted without license from IHS-,-,-BS ISO 22857:2013ISO 22857:2013(E) ISO 2013 All rights reserved iiiContents PageForeword vIntroduction vi1 Scope . 12 Normative references 13 Terms and definitions . 14 Abbreviated terms 35 Structure of this International Sta

11、ndard . 36 General principles and roles 36.1 General principles 36.2 Roles . 47 Legitimising data transfer 47.1 The concept of “adequate” data protection 47.2 Conditions for legitimate transfer 58 Criteria for ensuring adequate data protection with respect to the transfer of personal health data 68.

12、1 The requirement for adequate data protection 68.2 Content principles 68.3 Procedural/enforcement mechanisms. 98.4 Contracts . 108.5 Overriding laws . 118.6 Anonymisation . 118.7 Legitimacy of consent 129 Security policy 129.1 General 129.2 The purpose of the security policy . 129.3 The “level” of

13、security policy . 139.4 High Level Security Policy: general aspects 1310 High Level Security Policy: the content 1410.1 Principle One: overriding generic principle . 1410.2 Principle Two: chief executive support . 1510.3 Principle Three: documentation of measures and review .1610.4 Principle Four: D

14、ata protection security officer .1610.5 Principle Five: permission to process 1710.6 Principle Six: information about processing 1810.7 Principle Seven: information for the data subject .2010.8 Principle Eight: prohibition of onward data transfer without consent .2010.9 Principle Nine: remedies and

15、compensation . 2110.10 Principle Ten: security of processing 2210.11 Principle Eleven: responsibilities of staff and other contractors .2311 Rationale and observations on measures to support Principle Ten concerning security of processing 2411.1 General 2411.2 Encryption and digital signatures for t

16、ransmission to the data importer 2411.3 Access controls and user authentication . 2411.4 Audit trails . 2511.5 Physical and environmental security . 2511.6 Application management and network management 2511.7 Malicious software 2511.8 Breaches of security 2511.9 Business continuity plan . 25Copyrigh

17、t British Standards Institution Provided by IHS under license with BSI - Uncontrolled Copy Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-BS ISO 22857:2013ISO 22857:2013(E)iv ISO 2013 All rights reserved11.10 Handling very sensitive data 2611.11 Standards 2612 Per

18、sonal health data in non-electronic form .26Annex A (informative) Key primary international documents on data protection 27Annex B (informative) National documented requirements and legal provisions in a range of countries .32Annex C (informative) Exemplar contract clauses: Controller to controller

19、.37Annex D (informative) Exemplar contract clauses: Controller to processor .44Annex E (informative) Handling very sensitive personal health data 53Bibliography .55Copyright British Standards Institution Provided by IHS under license with BSI - Uncontrolled Copy Not for ResaleNo reproduction or netw

20、orking permitted without license from IHS-,-,-BS ISO 22857:2013ISO 22857:2013(E)ForewordISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through I

21、SO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates

22、closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular the different approval criter

23、ia needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).Attention is drawn to the possibility that some of the elements of this document may be the subject of p

24、atent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).Any trade name us

25、ed in this document is information given for the convenience of users and does not constitute an endorsement.For an explanation on the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISOs adherence to the WTO principles in the Technical Ba

26、rriers to Trade (TBT) see the following URL: Foreword - Supplementary informationThe committee responsible for this document is ISO/TC 215, Health informatics.This second edition replaces the first edition (IO 22857:2004), which has been technically revised. ISO 2013 All rights reserved vCopyright B

27、ritish Standards Institution Provided by IHS under license with BSI - Uncontrolled Copy Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-BS ISO 22857:2013ISO 22857:2013(E)IntroductionIn the health context, information about individuals needs to be collected, stored

28、and processed for many purposes, the main being direct delivery of care e.g. patient records; insurance; clinical research; and population health.A classification of purposes for processing personal health information is given in ISO/TS 14265 15.The data required depends on the purpose. In the conte

29、xt of identification of individuals, data may be needed to allow an individual to be readily and uniquely identified (e.g. a combination of name, address, age, sex, identification number); to confirm that two data sets belong to the same individual without any need to identify the individual himself

30、 (e.g. for record linkage and/or longitudinal statistics); and for any purpose, but where identifiable data are not required, the objective should be to prevent such identification of the individual.In all of these circumstances data about individuals are now, and will increasingly in the future, be

31、 transmitted across national/jurisdictional borders or be deliberately made accessible to countries/jurisdictions other than where they are collected or stored. Data may be collected in one country/jurisdiction and stored in another, be manipulated in a third, and be accessible from many countries/j

32、urisdictions or even globally. The key requirement is that all this processing should be carried out in a fashion that is consistent with the purposes and consents of the original data collection and, in particular, all disclosures of personal health data should be to appropriate individuals or orga

33、nisations within the boundaries of these purposes and consents.International health-related applications may require personal health data to be transmitted from one nation to another across national borders. That is very evident in telemedicine or when data are electronically dispatched for example

34、in an email or as a data file to be added to an international database. It also occurs, but less obviously, when a database in one country/jurisdiction is viewed from another for example over the Internet. That application may appear passive but the very act of viewing involves disclosure of that da

35、ta and is deemed processing. Moreover it requires a download that may be automatically placed in a cache and held there until emptied - this also is processing and involves a particular security hazard. The same circumstances may arise when data are passed across jurisdictional boundaries.There is a

36、 wide range of organisations that might be involved in receipt of personal health data from another country/jurisdiction, for example: healthcare establishments such as hospitals; research databanks held in one country but both fed and accessed in others; contractors remotely maintaining health care

37、 systems in other countries; organisations holding educational databases containing, for example, radiological images with diagnoses and case notes; companies holding banks of medical records for patients from different countries/jurisdictions;vi ISO 2013 All rights reservedCopyright British Standar

38、ds Institution Provided by IHS under license with BSI - Uncontrolled Copy Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-BS ISO 22857:2013ISO 22857:2013(E) organisations involved in international or cross-jurisdictional health-related e-commerce such as e-pharmacy

39、.In all applications involving personal health data there can be a potential threat to the privacy of an individual. That threat and its extent will depend on: the level to which data are protected from unauthorised access in storage or transmission; the number of persons who have authorized access;

40、 the nature of the personal health data; the level of difficulty in identifying an individual if access to the data are obtained.Wherever health data are collected, stored, processed or published (including electronically on the Internet) the potential threat to privacy needs to be assessed and appr

41、opriate protective measures taken. Some form of risk analysis will be necessary to ascertain the required level of security measures.In addition to the standards bodies ISO, IEC, CEN and CENELEC, there are four major trans-national bodies that have produced internationally authoritative documents re

42、lating to security and data protection in the context of trans-border flows: the Organization for Economic Co-operation and Development (OECD); the Council of Europe; the United Nations (UN); the European Union (EU).The primary documents from these bodies are: OECD “Guidelines on the Protection of P

43、rivacy and Trans-border flows of Personal Data”1; OECD “Guidelines for the Security of information Systems”2; Council of Europe “Convention for the Protection of individuals with regard to Automatic Processing of Personal Data” No. 108;3 “Council of Europe Recommendation R(97)5 on the Protection of

44、Medical Data”4; UN General Assembly “Guidelines for the Regulation of Computerised Personal Data Files”5; EU Data Protection Directive on the protection of individuals with regard to the processing of personal data and free movement of that data.6Annex A provides a brief summary of the key aspects o

45、f these documents.The means and extent of the protection afforded to personal health data varies from nation to nation7and jurisdiction to jurisdiction. In some countries there is nation-wide privacy legislation, in others legislative provisions may be at a state level or equivalent. In a number of

46、countries legislation may not exist although various codes of practice or equivalent will probably be in place and/or medical laws may exist which lay down a duty on medical practitioners to safeguard confidentiality, integrity and availability.Although privacy legislation in different parts of the

47、world may mention personal health data, frequently there is no legislation specific to health except perhaps in relation to government agencies and/or medical research.Annex B comprises a brief outline of the key national standards or other documented requirements and of the legislative position con

48、cerning data protection in a range of countries. ISO 2013 All rights reserved viiCopyright British Standards Institution Provided by IHS under license with BSI - Uncontrolled Copy Not for ResaleNo reproduction or networking permitted without license from IHS-,-,-BS ISO 22857:2013ISO 22857:2013(E)Personal health data can be extremely sensitive in nature and thus there is extensive guidance and standards available both nationally and internationally on various administrative and technical security measures for the protection of personal healt

copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
备案/许可证编号:苏ICP备17064731号-1