DIN EN 14484-2004 Health informatics - International transfer of personal health data covered by the EU data protection directive - High level security policy German version EN 144.pdf

1、M rz 2004DEUTSCHE NORM Normenausschuss Medizin (NAMed) im DINPreisgruppe 20DIN Deutsches Institut f r Normung e.V. Jede Art der Vervielf ltigung, auch auszugsweise, nur mit Genehmigung des DIN Deutsches Institut f r Normung e. V., Berlin, gestattet.ICS 35.240.808K 9508569www.din.deXDIN EN 14484Mediz

2、inische Informatik Internationaler Austausch von unter die EUDatenschutzrichtlinie fallenden pers nlichen Gesundheitsdaten Generelle SicherheitsStatements;Deutsche Fassung EN 14484:2003, Text in EnglischHealth informatics International transfer of personal health data covered by the EU data protecti

3、on directive High level security policy; German version EN 14484:2003, text in EnglishInformatique de sant Transfert international des donnes personelles de sant couvertes par la directive europenne sur la protection des donnes personelles Politique de scurit de haut niveau;Version allemande EN 1448

4、4:2003, texte en anglaisAlleinverkauf der Normen durch Beuth Verlag GmbH, 10772 Berlinwww.beuth.deGesamtumfang 60 SeitenDIN EN 14484:2004-032Die Europische Norm EN 14484:2003 hat den Status einer DeutschenNorm.Nationales VorwortDiese Norm enthlt unter Bercksichtigung des Prsidialbeschlusses 13/1983

5、die Englische Fassung derEuropischen Norm EN 14484:2003. Diese Europische Norm wurde in der WG III Security, Safety andQuality des CEN/TC 251 Medizinische Informatik erarbeitet. Der Fachbereich G Medizinische Informatik undinsbesondere die Mitarbeiter des Arbeitsausschusses G 4 Sicherheit des Normen

6、ausschusses Medizin(NAMed) im DIN haben an der Erarbeitung mitgewirkt.EUROPEAN STANDARDNORME EUROPENNEEUROPISCHE NORMEN 14484December 2003ICS 35.240.80English versionHealth informatics - International transfer of personal health datacovered by the EU data protection directive - High level securitypo

7、licyInformatique de sant - Transfert international des donnespersonelles de sant couvertes par la directive europennesur la protection des donnes personelles - Politique descurit de haut niveauMedizinische Informatik - Internationaler Austausch vonunter die EU-Datenschutzrichtlinie fallenden persnli

8、chenGesundheitsdaten - Generelle Sicherheits-StatementsThis European Standard was approved by CEN on 13 November 2003.CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this EuropeanStandard the status of a national standard without an

9、y alteration. Up-to-date lists and bibliographical references concerning such nationalstandards may be obtained on application to the Management Centre or to any CEN member.This European Standard exists in three official versions (English, French, German). A version in any other language made by tra

10、nslationunder the responsibility of a CEN member into its own language and notified to the Management Centre has the same status as the officialversions.CEN members are the national standards bodies of Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Greece,Hungary, Iceland, Irel

11、and, Italy, Luxembourg, Malta, Netherlands, Norway, Portugal, Slovakia, Spain, Sweden, Switzerland and UnitedKingdom.EUROPEAN COMMITTEE FOR STANDARDIZATIONCOMIT EUROPEN DE NORMALISATIONEUROPISCHES KOMITEE FR NORMUNGManagement Centre: rue de Stassart, 36 B-1050 Brussels 2003 CEN All rights of exploit

12、ation in any form and by any means reservedworldwide for CEN national Members.Ref. No. EN 14484:2003 EEN 14484:2003 (E)2Contents PageForeword. 5Introduction 61 Scope 102 Normative references . 103 Terms and definitions. 104 Abbreviated terms. 115 The European Data Protection Directive (see annex A)

13、125.1 General . 125.2 General aims: (Article 1). 125.3 Scope: electronic and non-electronic (Article 3) .125.4 Principles relating to data quality (Article 6) 125.5 Criteria for legitimacy (Article 7) 125.6 Special categories of processing, including personal health data (Article 8) 135.7 Informatio

14、n to be given to the data subject (Article 10) 135.8 Right of access to data (Article 12) . 135.9 Right to object (Article 14) . 135.10 Security of processing (Article 17) 145.11 Judicial remedies, liability and sanctions (Articles 22, 23 and 24) 145.12 Supervisory Authorities (Articles 28 and 18) .

15、 145.13 Working party on the protection of Individuals with regard to the Processing of PersonalData. 145.14 Transfer of personal data to Third Countries. 146 Requirements for the transfer of personal data to third Countries. 146.1 General . 146.2 Principles (Article 25) . 146.3 Ensuring transfers a

16、re permissible. 156.4 Grounds by which transfers to third countries are permissible 156.4.1 General . 156.4.2 Members of the EEA . 156.4.3 Depersonalisation of data 156.4.4 Consent 166.4.5 Subject to contract clauses . 166.4.6 Claiming adequacy of data protection 177 A Security Policy for third coun

17、tries. 177.1 The requirement 177.2 The purpose of the security policy 187.3 The level of the security policy 188 High Level Security Policy: general aspects188.1 Levels of abstraction in ensuring security. 188.2 Generic principles. 188.3 Non-generic Principles . 198.4 Guidelines 198.5 Measures 198.6

18、 Elements of a High Level Security Policy. 199 High Level Security Policy: the content . 199.1 Principle One: overriding generic principle . 199.1.1 General . 199.1.2 Principle One, Guideline One: fundamental rights and freedoms. 199.1.3 Principle One, Guideline Two: information about doubts 20EN 14

19、484:2003 (E)3Page9.1.4 Rationale 209.1.5 Observations as to Measures 209.2 Principle Two: chief executive support 209.2.1 General. 209.2.2 Principle Two, Guideline One: alignment with local practice 209.2.3 Principle Two, Guideline Two: organisational arrangements 209.2.4 Principle Two, Guideline Th

20、ree: regular HLSP review 209.2.5 Rationale 209.2.6 Observations as to Measures 209.3 Principle Three: documentation of Measures and review 219.3.1 General. 219.3.2 Principle Three, Guideline One: staff information. 219.3.3 Rationale 219.3.4 Observations as to Measures 219.4 Principle Four: Data Prot

21、ection Security Officer.219.4.1 General. 219.4.2 Principle Four, Guideline One: Data Protection Security Officer and organisation as aprocessor. 219.4.3 Principle Four, Guideline Two: Data Protection Security Officer and organisation as acontroller 219.4.4 Principle Four, Guideline Three: Data Prote

22、ction Security Officer qualification for office. 219.4.5 Rationale 219.4.6 Observations on Measures 229.5 Principle Five: permission to process 229.5.1 General. 229.5.2 Principle Five, Guideline One: unambiguous consent to transfer 229.5.3 Principle Five, Guideline Two: explicit consent to processin

23、g 229.5.4 Principle Five, Guideline Three: limitation to the purposes consented 229.5.5 Principle Five, Guideline Four: conditional consents. 229.5.6 Principle Five, Guideline Five: review of information concerning consent 229.5.7 Rationale 229.5.8 Observations regarding Measures 239.6 Principle Six

24、: information about processing . 239.6.1 General. 239.6.2 Principle Six, Guideline One: documentation about consented processing . 239.6.3 Principle Six, Guideline Two: quality of data collected and processed 239.6.4 Principle Six, Guideline Three: accuracy of data processed . 239.6.5 Principle Six,

25、 Guideline Four: Data Retention and Destruction Policy. 239.6.6 Principle Six, Guideline Five: data subjects access to their data 239.6.7 Principle Six, Guideline Six: objection to processing 239.6.8 Principle Six, Guideline Seven: rectification, erasure and blocking . 239.6.9 Principle Six, Guideli

26、ne Eight: identification of transferred data 249.6.10 Principle Six, Guideline Nine: action on notification of the death of a data subject . 249.6.11 Principle Six, Guideline Ten: direct marketing 249.6.12 Principle Six, Guideline Eleven: re-personalisation of de-personalised data 249.6.13 Observati

27、ons on Measures 249.7 Principle Seven: information for the data subject. 259.7.1 General. 259.7.2 Rationale 259.7.3 Observations on Measures 259.8 Principle Eight: prohibition of onward data transfer without consent 259.8.1 General. 259.8.2 Principle Eight, Guideline One: assuring protection for onw

28、ard transfers 259.8.3 Principle Eight, Guideline Two: HLSP for onward transfers 259.8.4 Principle Eight, Guideline Three: Disclosure Register . 259.8.5 Rationale 259.9 Principle Nine: remedies and compensation. 269.9.1 General. 26EN 14484:2003 (E)4Page9.9.2 Principle Nine, Guideline One: investigati

29、on of complaints. 269.9.3 Principle Nine, Guideline Two: independent arbitration. 269.9.4 Rationale 269.9.5 Observations on Measures 269.10 Principle Ten: security of processing. 269.10.1 General . 269.10.2 Principle Ten, Guideline One: risk analysis . 269.10.3 Principle Ten, Guideline Two: encrypti

30、on during transmission 279.10.4 Principle Ten, Guideline Three: proof of data integrity and authentication of origin 279.10.5 Principle Ten, Guideline Four: access control and user authentication. 279.10.6 Principle Ten, Guideline Five: Physical and Environmental Security . 279.10.7 Principle Ten, G

31、uideline Six: application management 279.10.8 Principle Ten, Guideline Seven: network management 279.10.9 Principle Ten, Guideline Eight: virus controls. 279.10.10 Principle Ten, Guideline Nine: reporting breaches of security 279.10.11 Principle Ten, Guideline Ten: Business Continuity Plans 279.10.1

32、2 Principle Ten, Guideline Eleven; audit trails 279.10.13 Principle Ten, Guideline Twelve: handling particularly sensitive data . 279.10.14 Rationale and observations on Measures 279.11 Principle Eleven: responsibilities of staff and other contractors 289.11.1 General . 289.11.2 Principle Eleven, Gu

33、ideline One: informing staff and other contractors 289.11.3 Principle Eleven, Guideline Two: instruction and training . 289.11.4 Principle Eleven, Guideline Three: staff and contractor contractual obligations 289.11.5 Rationale 289.11.6 Observation on Measures 289.12 Principle Twelve: adequacy of th

34、ird country data protection 289.12.1 General . 289.12.2 Rationale 289.12.3 Observations on Measures 289.13 Principle Thirteen: additional EU Member State particular requirements 289.13.1 Rationale 299.13.2 Observations on Measures 2910 Rationale and Observations on Measures to support Principle Ten

35、concerning security ofprocessing . 2910.1 General . 2910.2 Encryption and digital signatures for transmission to the third country 2910.3 Access controls and user authentication. 2910.4 Audit Trails. 3010.5 Physical and environmental security 3010.6 Application management and network management 3010

36、.7 Viruses . 3010.8 Breaches of security. 3010.9 Business Continuity Plan. 3010.10 Handling particularly sensitive data 3010.11 Standards. 3111 Personal health data in non-electronic form 31Annex A (normative) EU Data Protection Directive 32Annex B (informative) Useful sources of advice 53B.1 EU Sec

37、urity projects . 53B.2 CEN/ISSS 53B.3 Non-CEN Standards 53B.4 Selected web sites 54Annex C (informative) Model declaration. 55Bibliography . 57EN 14484:2003 (E)5ForewordThis document (EN 14484:2003) has been prepared by Technical Committee CEN/TC 251 “EuropeanStandardization of Health Informatics“,

38、the secretariat of which is held by SIS.This European Standard shall be given the status of a national standard, either by publication of an identicaltext or by endorsement, at the latest by June 2004, and conflicting national standards shall be withdrawn atthe latest by June 2004.Annex A is normati

39、ve. The annexes B and C are informative.According to the CEN/CENELEC Internal Regulations, the national standards organizations of the followingcountries are bound to implement this European Standard: Austria, Belgium, Czech Republic, Denmark,Finland, France, Germany, Greece, Hungary, Iceland, Irela

40、nd, Italy, Luxembourg, Malta, Netherlands,Norway, Portugal, Slovakia, Spain, Sweden, Switzerland and the United Kingdom.EN 14484:2003 (E)6IntroductionIn the health context, information about individuals needs to be collected, stored and processed for manypurposes, the main being: direct delivery of

41、care e.g. patient records; administrative processes e.g. booking appointments; clinical research; statistics.The data required depends on the purpose. In the context of identification of individuals, data may be needed: to allow an individual to be readily and uniquely identified e.g. a combination

42、of name, address, age,sex, identification number; to confirm that two data sets belong to the same individual without any need to identify the individualhimself e.g. for record linkage and/or longitudinal statistics; for statistical purposes but with the end desire positively to prevent identificati

43、on of any individual.In all of these circumstances data about individuals are now, and will increasingly in the future, be transmittedacross national borders or be deliberately made accessible to countries other than where they are collected orstored. Data may be collected in one country and stored

44、in another, be processed in a third, and be accessiblefrom many countries or even globally. The key requirement is that all this processing should be carried out in afashion that is consistent with the: the purposes and consents of the original data collection and, in particular; all disclosures of

45、personal health data should be to appropriate individuals or organisations withinthese purposes and consents.International health-related applications require health-related data to be transmitted from one nation toanother across national borders. That is very evident in telemedicine or when data ar

46、e electronicallydispatched for example in an email or as a data file to be added to an international database. It also occurs,but less obviously, when a database in one country is viewed from an other for example over the Internet.That application may appear passive but the very act of viewing invol

47、ves disclosure of that data and isdeemed processing. Moreover it requires a download that may be automatically placed in a cache and heldthere until emptied - this also is processing and involves a particular security hazard.There is a wide range in the types of third country organisation that might

48、 be involved in receipt of personalhealth data from an EU Member State for example: healthcare establishments such as hospitals; pharmaceutical companies involved in research; contractors remotely maintaining health care systems in EU hospitals; companies holding educational data bases containing fo

49、r example radiological images withdiagnoses and case notes; companies holding banks of medical records for patients from different countries.In all applications involving personal health data there can be a potential threat to the privacy of an individual.That threat and its extent will depend on: the level to which data is protected from unauthorised access in storage or transmission; the number of persons who have authorised access; the nature of the personal health data stored;EN 14484:2003 (E)7 the level of difficulty in