ImageVerifierCode 换一换
格式:PDF , 页数:60 ,大小:614.38KB ,
资源ID:667340      下载积分:10000 积分
快捷下载
登录下载
邮箱/手机:
温馨提示:
如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
如填写123,账号就是123,密码也是123。
特别说明:
请自助下载,系统不会自动发送文件的哦; 如果您已付费,想二次下载,请登录后访问:我的下载记录
支付方式: 支付宝扫码支付 微信扫码支付   
注意:如需开发票,请勿充值!
验证码:   换一换

加入VIP,免费下载
 

温馨提示:由于个人手机设置不同,如果发现不能下载,请复制以下地址【http://www.mydoc123.com/d-667340.html】到电脑端继续下载(重复下载不扣费)。

已注册用户请登录:
账号:
密码:
验证码:   换一换
  忘记密码?
三方登录: 微信登录  

下载须知

1: 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。
2: 试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。
3: 文件的所有权益归上传用户所有。
4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
5. 本站仅提供交流平台,并不能对任何下载内容负责。
6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

版权提示 | 免责声明

本文(DIN EN 14484-2004 Health informatics - International transfer of personal health data covered by the EU data protection directive - High level security policy German version EN 144.pdf)为本站会员(cleanass300)主动上传,麦多课文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文库(发送邮件至master@mydoc123.com或直接QQ联系客服),我们立即给予删除!

DIN EN 14484-2004 Health informatics - International transfer of personal health data covered by the EU data protection directive - High level security policy German version EN 144.pdf

1、M rz 2004DEUTSCHE NORM Normenausschuss Medizin (NAMed) im DINPreisgruppe 20DIN Deutsches Institut f r Normung e.V. Jede Art der Vervielf ltigung, auch auszugsweise, nur mit Genehmigung des DIN Deutsches Institut f r Normung e. V., Berlin, gestattet.ICS 35.240.808K 9508569www.din.deXDIN EN 14484Mediz

2、inische Informatik Internationaler Austausch von unter die EUDatenschutzrichtlinie fallenden pers nlichen Gesundheitsdaten Generelle SicherheitsStatements;Deutsche Fassung EN 14484:2003, Text in EnglischHealth informatics International transfer of personal health data covered by the EU data protecti

3、on directive High level security policy; German version EN 14484:2003, text in EnglishInformatique de sant Transfert international des donnes personelles de sant couvertes par la directive europenne sur la protection des donnes personelles Politique de scurit de haut niveau;Version allemande EN 1448

4、4:2003, texte en anglaisAlleinverkauf der Normen durch Beuth Verlag GmbH, 10772 Berlinwww.beuth.deGesamtumfang 60 SeitenDIN EN 14484:2004-032Die Europische Norm EN 14484:2003 hat den Status einer DeutschenNorm.Nationales VorwortDiese Norm enthlt unter Bercksichtigung des Prsidialbeschlusses 13/1983

5、die Englische Fassung derEuropischen Norm EN 14484:2003. Diese Europische Norm wurde in der WG III Security, Safety andQuality des CEN/TC 251 Medizinische Informatik erarbeitet. Der Fachbereich G Medizinische Informatik undinsbesondere die Mitarbeiter des Arbeitsausschusses G 4 Sicherheit des Normen

6、ausschusses Medizin(NAMed) im DIN haben an der Erarbeitung mitgewirkt.EUROPEAN STANDARDNORME EUROPENNEEUROPISCHE NORMEN 14484December 2003ICS 35.240.80English versionHealth informatics - International transfer of personal health datacovered by the EU data protection directive - High level securitypo

7、licyInformatique de sant - Transfert international des donnespersonelles de sant couvertes par la directive europennesur la protection des donnes personelles - Politique descurit de haut niveauMedizinische Informatik - Internationaler Austausch vonunter die EU-Datenschutzrichtlinie fallenden persnli

8、chenGesundheitsdaten - Generelle Sicherheits-StatementsThis European Standard was approved by CEN on 13 November 2003.CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this EuropeanStandard the status of a national standard without an

9、y alteration. Up-to-date lists and bibliographical references concerning such nationalstandards may be obtained on application to the Management Centre or to any CEN member.This European Standard exists in three official versions (English, French, German). A version in any other language made by tra

10、nslationunder the responsibility of a CEN member into its own language and notified to the Management Centre has the same status as the officialversions.CEN members are the national standards bodies of Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Greece,Hungary, Iceland, Irel

11、and, Italy, Luxembourg, Malta, Netherlands, Norway, Portugal, Slovakia, Spain, Sweden, Switzerland and UnitedKingdom.EUROPEAN COMMITTEE FOR STANDARDIZATIONCOMIT EUROPEN DE NORMALISATIONEUROPISCHES KOMITEE FR NORMUNGManagement Centre: rue de Stassart, 36 B-1050 Brussels 2003 CEN All rights of exploit

12、ation in any form and by any means reservedworldwide for CEN national Members.Ref. No. EN 14484:2003 EEN 14484:2003 (E)2Contents PageForeword. 5Introduction 61 Scope 102 Normative references . 103 Terms and definitions. 104 Abbreviated terms. 115 The European Data Protection Directive (see annex A)

13、125.1 General . 125.2 General aims: (Article 1). 125.3 Scope: electronic and non-electronic (Article 3) .125.4 Principles relating to data quality (Article 6) 125.5 Criteria for legitimacy (Article 7) 125.6 Special categories of processing, including personal health data (Article 8) 135.7 Informatio

14、n to be given to the data subject (Article 10) 135.8 Right of access to data (Article 12) . 135.9 Right to object (Article 14) . 135.10 Security of processing (Article 17) 145.11 Judicial remedies, liability and sanctions (Articles 22, 23 and 24) 145.12 Supervisory Authorities (Articles 28 and 18) .

15、 145.13 Working party on the protection of Individuals with regard to the Processing of PersonalData. 145.14 Transfer of personal data to Third Countries. 146 Requirements for the transfer of personal data to third Countries. 146.1 General . 146.2 Principles (Article 25) . 146.3 Ensuring transfers a

16、re permissible. 156.4 Grounds by which transfers to third countries are permissible 156.4.1 General . 156.4.2 Members of the EEA . 156.4.3 Depersonalisation of data 156.4.4 Consent 166.4.5 Subject to contract clauses . 166.4.6 Claiming adequacy of data protection 177 A Security Policy for third coun

17、tries. 177.1 The requirement 177.2 The purpose of the security policy 187.3 The level of the security policy 188 High Level Security Policy: general aspects188.1 Levels of abstraction in ensuring security. 188.2 Generic principles. 188.3 Non-generic Principles . 198.4 Guidelines 198.5 Measures 198.6

18、 Elements of a High Level Security Policy. 199 High Level Security Policy: the content . 199.1 Principle One: overriding generic principle . 199.1.1 General . 199.1.2 Principle One, Guideline One: fundamental rights and freedoms. 199.1.3 Principle One, Guideline Two: information about doubts 20EN 14

19、484:2003 (E)3Page9.1.4 Rationale 209.1.5 Observations as to Measures 209.2 Principle Two: chief executive support 209.2.1 General. 209.2.2 Principle Two, Guideline One: alignment with local practice 209.2.3 Principle Two, Guideline Two: organisational arrangements 209.2.4 Principle Two, Guideline Th

20、ree: regular HLSP review 209.2.5 Rationale 209.2.6 Observations as to Measures 209.3 Principle Three: documentation of Measures and review 219.3.1 General. 219.3.2 Principle Three, Guideline One: staff information. 219.3.3 Rationale 219.3.4 Observations as to Measures 219.4 Principle Four: Data Prot

21、ection Security Officer.219.4.1 General. 219.4.2 Principle Four, Guideline One: Data Protection Security Officer and organisation as aprocessor. 219.4.3 Principle Four, Guideline Two: Data Protection Security Officer and organisation as acontroller 219.4.4 Principle Four, Guideline Three: Data Prote

22、ction Security Officer qualification for office. 219.4.5 Rationale 219.4.6 Observations on Measures 229.5 Principle Five: permission to process 229.5.1 General. 229.5.2 Principle Five, Guideline One: unambiguous consent to transfer 229.5.3 Principle Five, Guideline Two: explicit consent to processin

23、g 229.5.4 Principle Five, Guideline Three: limitation to the purposes consented 229.5.5 Principle Five, Guideline Four: conditional consents. 229.5.6 Principle Five, Guideline Five: review of information concerning consent 229.5.7 Rationale 229.5.8 Observations regarding Measures 239.6 Principle Six

24、: information about processing . 239.6.1 General. 239.6.2 Principle Six, Guideline One: documentation about consented processing . 239.6.3 Principle Six, Guideline Two: quality of data collected and processed 239.6.4 Principle Six, Guideline Three: accuracy of data processed . 239.6.5 Principle Six,

25、 Guideline Four: Data Retention and Destruction Policy. 239.6.6 Principle Six, Guideline Five: data subjects access to their data 239.6.7 Principle Six, Guideline Six: objection to processing 239.6.8 Principle Six, Guideline Seven: rectification, erasure and blocking . 239.6.9 Principle Six, Guideli

26、ne Eight: identification of transferred data 249.6.10 Principle Six, Guideline Nine: action on notification of the death of a data subject . 249.6.11 Principle Six, Guideline Ten: direct marketing 249.6.12 Principle Six, Guideline Eleven: re-personalisation of de-personalised data 249.6.13 Observati

27、ons on Measures 249.7 Principle Seven: information for the data subject. 259.7.1 General. 259.7.2 Rationale 259.7.3 Observations on Measures 259.8 Principle Eight: prohibition of onward data transfer without consent 259.8.1 General. 259.8.2 Principle Eight, Guideline One: assuring protection for onw

28、ard transfers 259.8.3 Principle Eight, Guideline Two: HLSP for onward transfers 259.8.4 Principle Eight, Guideline Three: Disclosure Register . 259.8.5 Rationale 259.9 Principle Nine: remedies and compensation. 269.9.1 General. 26EN 14484:2003 (E)4Page9.9.2 Principle Nine, Guideline One: investigati

29、on of complaints. 269.9.3 Principle Nine, Guideline Two: independent arbitration. 269.9.4 Rationale 269.9.5 Observations on Measures 269.10 Principle Ten: security of processing. 269.10.1 General . 269.10.2 Principle Ten, Guideline One: risk analysis . 269.10.3 Principle Ten, Guideline Two: encrypti

30、on during transmission 279.10.4 Principle Ten, Guideline Three: proof of data integrity and authentication of origin 279.10.5 Principle Ten, Guideline Four: access control and user authentication. 279.10.6 Principle Ten, Guideline Five: Physical and Environmental Security . 279.10.7 Principle Ten, G

31、uideline Six: application management 279.10.8 Principle Ten, Guideline Seven: network management 279.10.9 Principle Ten, Guideline Eight: virus controls. 279.10.10 Principle Ten, Guideline Nine: reporting breaches of security 279.10.11 Principle Ten, Guideline Ten: Business Continuity Plans 279.10.1

32、2 Principle Ten, Guideline Eleven; audit trails 279.10.13 Principle Ten, Guideline Twelve: handling particularly sensitive data . 279.10.14 Rationale and observations on Measures 279.11 Principle Eleven: responsibilities of staff and other contractors 289.11.1 General . 289.11.2 Principle Eleven, Gu

33、ideline One: informing staff and other contractors 289.11.3 Principle Eleven, Guideline Two: instruction and training . 289.11.4 Principle Eleven, Guideline Three: staff and contractor contractual obligations 289.11.5 Rationale 289.11.6 Observation on Measures 289.12 Principle Twelve: adequacy of th

34、ird country data protection 289.12.1 General . 289.12.2 Rationale 289.12.3 Observations on Measures 289.13 Principle Thirteen: additional EU Member State particular requirements 289.13.1 Rationale 299.13.2 Observations on Measures 2910 Rationale and Observations on Measures to support Principle Ten

35、concerning security ofprocessing . 2910.1 General . 2910.2 Encryption and digital signatures for transmission to the third country 2910.3 Access controls and user authentication. 2910.4 Audit Trails. 3010.5 Physical and environmental security 3010.6 Application management and network management 3010

36、.7 Viruses . 3010.8 Breaches of security. 3010.9 Business Continuity Plan. 3010.10 Handling particularly sensitive data 3010.11 Standards. 3111 Personal health data in non-electronic form 31Annex A (normative) EU Data Protection Directive 32Annex B (informative) Useful sources of advice 53B.1 EU Sec

37、urity projects . 53B.2 CEN/ISSS 53B.3 Non-CEN Standards 53B.4 Selected web sites 54Annex C (informative) Model declaration. 55Bibliography . 57EN 14484:2003 (E)5ForewordThis document (EN 14484:2003) has been prepared by Technical Committee CEN/TC 251 “EuropeanStandardization of Health Informatics“,

38、the secretariat of which is held by SIS.This European Standard shall be given the status of a national standard, either by publication of an identicaltext or by endorsement, at the latest by June 2004, and conflicting national standards shall be withdrawn atthe latest by June 2004.Annex A is normati

39、ve. The annexes B and C are informative.According to the CEN/CENELEC Internal Regulations, the national standards organizations of the followingcountries are bound to implement this European Standard: Austria, Belgium, Czech Republic, Denmark,Finland, France, Germany, Greece, Hungary, Iceland, Irela

40、nd, Italy, Luxembourg, Malta, Netherlands,Norway, Portugal, Slovakia, Spain, Sweden, Switzerland and the United Kingdom.EN 14484:2003 (E)6IntroductionIn the health context, information about individuals needs to be collected, stored and processed for manypurposes, the main being: direct delivery of

41、care e.g. patient records; administrative processes e.g. booking appointments; clinical research; statistics.The data required depends on the purpose. In the context of identification of individuals, data may be needed: to allow an individual to be readily and uniquely identified e.g. a combination

42、of name, address, age,sex, identification number; to confirm that two data sets belong to the same individual without any need to identify the individualhimself e.g. for record linkage and/or longitudinal statistics; for statistical purposes but with the end desire positively to prevent identificati

43、on of any individual.In all of these circumstances data about individuals are now, and will increasingly in the future, be transmittedacross national borders or be deliberately made accessible to countries other than where they are collected orstored. Data may be collected in one country and stored

44、in another, be processed in a third, and be accessiblefrom many countries or even globally. The key requirement is that all this processing should be carried out in afashion that is consistent with the: the purposes and consents of the original data collection and, in particular; all disclosures of

45、personal health data should be to appropriate individuals or organisations withinthese purposes and consents.International health-related applications require health-related data to be transmitted from one nation toanother across national borders. That is very evident in telemedicine or when data ar

46、e electronicallydispatched for example in an email or as a data file to be added to an international database. It also occurs,but less obviously, when a database in one country is viewed from an other for example over the Internet.That application may appear passive but the very act of viewing invol

47、ves disclosure of that data and isdeemed processing. Moreover it requires a download that may be automatically placed in a cache and heldthere until emptied - this also is processing and involves a particular security hazard.There is a wide range in the types of third country organisation that might

48、 be involved in receipt of personalhealth data from an EU Member State for example: healthcare establishments such as hospitals; pharmaceutical companies involved in research; contractors remotely maintaining health care systems in EU hospitals; companies holding educational data bases containing fo

49、r example radiological images withdiagnoses and case notes; companies holding banks of medical records for patients from different countries.In all applications involving personal health data there can be a potential threat to the privacy of an individual.That threat and its extent will depend on: the level to which data is protected from unauthorised access in storage or transmission; the number of persons who have authorised access; the nature of the personal health data stored;EN 14484:2003 (E)7 the level of difficulty in

copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
备案/许可证编号:苏ICP备17064731号-1