ImageVerifierCode 换一换
格式:PDF , 页数:79 ,大小:651.01KB ,
资源ID:667341      下载积分:10000 积分
快捷下载
登录下载
邮箱/手机:
温馨提示:
如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
如填写123,账号就是123,密码也是123。
特别说明:
请自助下载,系统不会自动发送文件的哦; 如果您已付费,想二次下载,请登录后访问:我的下载记录
支付方式: 支付宝扫码支付 微信扫码支付   
注意:如需开发票,请勿充值!
验证码:   换一换

加入VIP,免费下载
 

温馨提示:由于个人手机设置不同,如果发现不能下载,请复制以下地址【http://www.mydoc123.com/d-667341.html】到电脑端继续下载(重复下载不扣费)。

已注册用户请登录:
账号:
密码:
验证码:   换一换
  忘记密码?
三方登录: 微信登录  

下载须知

1: 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。
2: 试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。
3: 文件的所有权益归上传用户所有。
4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
5. 本站仅提供交流平台,并不能对任何下载内容负责。
6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

版权提示 | 免责声明

本文(DIN EN 14485-2004 Health informatics - Guidance for handling personal health data in international applications in the context of the EU data protection directive German version EN.pdf)为本站会员(figureissue185)主动上传,麦多课文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文库(发送邮件至master@mydoc123.com或直接QQ联系客服),我们立即给予删除!

DIN EN 14485-2004 Health informatics - Guidance for handling personal health data in international applications in the context of the EU data protection directive German version EN.pdf

1、M rz 2004DEUTSCHE NORM Normenausschuss Medizin (NAMed) im DINPreisgruppe 24DIN Deutsches Institut f r Normung e.V. Jede Art der Vervielf ltigung, auch auszugsweise, nur mit Genehmigung des DIN Deutsches Institut f r Normung e. V., Berlin, gestattet.ICS 35.240.808 ; 9502553www.din.deXDIN EN 14485Medi

2、zinische Informatik Anleitung zur Verwendung von pers nlichen Gesundheitsdaten in internationalen Anwendungen vor dem Hintergrund der EUDatenschutzrichtlinie;Deutsche Fassung EN 14485:2003, Text in EnglischHealth informatics Guidance for handling personal health data in international applications in

3、 the context of the EU data protection directive; German version EN 14485:2003, text in EnglishInformatique de sant Guide pour manipuler des donnes personnelles de sant dans des applications internationales dans le contexte de la directive europenne sur la protection des donnes personelles;Version a

4、llemande EN 14485 : 2003, texte en anglaisAlleinverkauf der Normen durch Beuth Verlag GmbH, 10772 Berlinwww.beuth.deGesamtumfang 79 SeitenB55EB1B3E14C22109E918E8EA43EDB30F09CC9B7EF8DD9NormCD - Stand 2007-03 DIN EN 14485:2004-032Die Europische Norm EN 14485:2003 hat den Status einer DeutschenNorm.Nat

5、ionales VorwortDiese Norm enthlt unter Bercksichtigung des Prsidialbeschlusses 13/1983 die Englische Fassung derEuropischen Norm EN 14485:2003. Diese Europische Norm wurde in der WG III Security, Safety andQuality des CEN/TC 251 Medizinische Informatik erarbeitet. Der Fachbereich G Medizinische Info

6、rmatik undinsbesondere die Mitarbeiter des Arbeitsausschusses G 4 Sicherheit des Normenausschusses Medizin(NAMed) im DIN haben an der Erarbeitung mitgewirkt.B55EB1B3E14C22109E918E8EA43EDB30F09CC9B7EF8DD9NormCD - Stand 2007-03 EUROPEAN STANDARDNORME EUROPENNEEUROPISCHE NORMEN 14485December 2003ICS 35

7、.240.80English versionHealth informatics - Guidance for handling personal health datain international applications in the context of the EU dataprotection directiveInformatique de sant - Guide pour manipuler des donnespersonnelles de sant dans des applicationsinternationales dans le contexte de la d

8、irective europennesur la protection des donnes personellesMedizinische Informatik - Anleitung zur Verwendung vonpersnlichen Gesundheitsdaten in internationalenAnwendungen vor dem Hintergrund der EU-DatenschutzrichtlinieThis European Standard was approved by CEN on 13 November 2003.CEN members are bo

9、und to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this EuropeanStandard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such nationalstandards may be obtained on application to the Ma

10、nagement Centre or to any CEN member.This European Standard exists in three official versions (English, French, German). A version in any other language made by translationunder the responsibility of a CEN member into its own language and notified to the Management Centre has the same status as the

11、officialversions.CEN members are the national standards bodies of Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Greece,Hungary, Iceland, Ireland, Italy, Luxembourg, Malta, Netherlands, Norway, Portugal, Slovakia, Spain, Sweden, Switzerland and UnitedKingdom.EUROPEAN COMMITTEE

12、FOR STANDARDIZATIONCOMIT EUROPEN DE NORMALISATIONEUROPISCHES KOMITEE FR NORMUNGManagement Centre: rue de Stassart, 36 B-1050 Brussels 2003 CEN All rights of exploitation in any form and by any means reservedworldwide for CEN national Members.Ref. No. EN 14485:2003 EB55EB1B3E14C22109E918E8EA43EDB30F0

13、9CC9B7EF8DD9NormCD - Stand 2007-03 EN 14485:2003 (E)2Contents PageForeword . 5Introduction. 61 Scope 92 Normative references 93 Terms and definitions. 94 Abbreviated terms. 115 General solutions to exchanging personal health data between compliant and non-compliantcountries 115.1 General approach 11

14、6 Judging the adequacy of data protection. 126.1 General . 126.2 Content Principles. 126.3 Procedural/Enforcement Mechanisms 146.4 Third Countries that have ratified the Council of Europe Convention 108 . 146.5 Industry self-regulation 157 Making adequate provisions 167.1 Introduction . 167.2 Meetin

15、g the “Content Principles“ 167.3 Providing for the “Procedural/Enforcement Mechanisms“ 177.3.1 General . 177.3.2 Providing redress 177.3.3 Support and help to data subjects 177.3.4 Adequate compliance . 187.3.5 Onward transfers. 187.3.5 Direct marketing and sale of data 187.4 Overriding law . 188 Pe

16、rmissible derogations, Articles 26.1 and 26.2 198.1 Article 26.1 . 198.1.1 General . 198.1.2 Consent 208.2 Article 26.2 . 209 Anonymisation 209.1 Definition of personal data. 209.2 Rendering personal data anonymous. 2110 Notification to Supervisory Authorities 2110.1 Introduction . 2110.2 Implementa

17、tion of Articles 18 to 20. 2111 Steps in establishing an international application with adequate data protection safeguardsfrom the view point of an EU data controller2211.1 Introduction . 2211.2 Step One: Can the data be non-personal? . 2211.3 Step Two: Is the recipient third country an EEA country

18、? . 2311.4 Step Three: Is the recipient country recognised by the Commission as having adequatedata protection provisions?. 2311.5 Step Four: Is the recipient organisation in compliance with arrangements formally recognisedby the Commission as providing adequate data protection provisions? . 24B55EB

19、1B3E14C22109E918E8EA43EDB30F09CC9B7EF8DD9NormCD - Stand 2007-03 EN 14485:2003 (E)3Page11.6 Step Five; If the recipient third country is not EEA, has it signed the Council of EuropeConvention 108? . 2411.7 Step Six: Is the recipient country applying to become a member of the EU? 2411.8 Step Seven: Ca

20、n adequacy of data protection be established? 2411.9 Step Eight: If adequacy of data protection cannot be established can the derogations inArticle 26.1 provide a solution? 2411.10 Step Nine: If adequacy of data protection cannot be established can the derogation inArticle 26.2 regarding contractual

21、 clauses provide a solution? 2611.11 Step Ten: If transfer of personal data health data to the recipient third country is permissible hasthe recipient implemented adequate security measures and can the application proceed? . 2612 Steps in establishing an international application with adequate data

22、protection safeguardsfrom the viewpoint of a non-EU data controller. 2612.1 Establishing data protection adequacy in the EU . 2613 Model contract clauses 27Published models . 2714 Security measures 2714.1 Introduction . 2714.2 General security 2814.3 Security contracts with processors and with contr

23、ollers in non-compliant countries. 2814.4 Security policy 2814.5 Risk analysis . 2914.6 Security organisation and allocation of duties 2914.7 Reporting of security incidents or breaches . 2914.8 Staff and contractor contracts. 2914.9 Training and awareness. 3014.10 Transmission of data 3014.11 Limit

24、ations of purpose and access. 3014.12 Onward transfers 3014.13 Audit trails . 3114.14 Loss, damage and destruction 3114.15 Business Continuity Plans. 3114.16 Network Security. 3114.17 Patients Rights 3114.18 Compliance 3214.19 Standards. 3215 Declaration of grounds on which transfers are to take pla

25、ce 3215.1 Statement of grounds. 32Annex A (informative) Key primary international documents on data protection. 33A.1 EU Data Protection Directive . 33A.1.1 General. 33A.1.2 Coverage 33A.1.3 Rules for lawfulness of processing 33A.1.4 Special categories of processing 34A.1.5 Data subjects rights. 34A

26、.1.6 Security of processing . 35A.1.7 Supervisory Authorities . 35A.1.8 Remedies and sanctions 35A.1.9 Transfer of personal data to third countries 35A.2 Organisation for Economic Co-operation and Development (OECD) . 36A.3 Council of Europe . 36A.4 United Nations General Assembly 37A.4.1 General. 3

27、7A.4.2 Principles concerning minimum guarantees that should be provided in any nationalegislation . 37B55EB1B3E14C22109E918E8EA43EDB30F09CC9B7EF8DD9NormCD - Stand 2007-03 EN 14485:2003 (E)4PageA.4.3 Application of the Guidelines to personal data files kept by governmental internationalorganisations.

28、 38Annex B (informative) Text of Articles 25 and 26 of the EU Data Protection Directive . 39B.1 Article 25: Principles. 39B.2 Article 26: Derogations. 39Annex C (informative) Text of Article 28 of the EU Data Protection Directive 41Annex D (informative) Questionnaire for Assessing Data Protection Ad

29、equacy 43Annex E (informative) Safe harbour privacy principles 49Annex F (informative) Standards and sources of advice . 52F.1 EU Security projects . 52F.2 CEN/ISSS 52F.3 Non-CEN Standards 52F.4 Selected web sites 53Annex G (informative) Model Declaration of Grounds upon which Transfer of Personal H

30、ealth Datais Regarded as in Compliance with the EU Data Protection Directive 54Annex H (informative) Model contractual clauses for controller to controller transfers to a countrywith inadequate data protection provisions56H.1 Introduction . 56H.2 Model standard contractual clauses . 57Annex I (infor

31、mative) Model contractual clauses for controller to processor transfers to a countrywith inadequate data protection provisions.67I.1 Introduction . 67I.2 Model standard contractual clauses . 68Bibliography 76B55EB1B3E14C22109E918E8EA43EDB30F09CC9B7EF8DD9NormCD - Stand 2007-03 EN 14485:2003 (E)5Forew

32、ordThis document (EN 14485:2003) has been prepared by Technical Committee CEN/TC 251 “EuropeanStandardization of Health Informatics“, the secretariat of which is held by SIS.This European Standard shall be given the status of a national standard, either by publication of an identical text orby endor

33、sement, at the latest by June 2004, and conflicting national standards shall be withdrawn at the latest byJune 2004.The annexes A, B, C, D, E, F, G, H and I are informative.According to the CEN/CENELEC Internal Regulations, the national standards organizations of the followingcountries are bound to

34、implement this European Standard: Austria, Belgium, Czech Republic, Denmark, Finland,France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Luxembourg, Malta, Netherlands, Norway, Portugal,Slovakia, Spain, Sweden, Switzerland and the United Kingdom.B55EB1B3E14C22109E918E8EA43EDB30F09CC9B7EF8DD9N

35、ormCD - Stand 2007-03 EN 14485:2003 (E)6IntroductionIn the health context, information about individuals needs to be collected, stored and processed for many purposes,the main being: administrative processes e.g. booking appointments; direct delivery of care e.g. patient records; clinical research;

36、statistics.The data required will depend on the purpose. In the context of identification of individuals, data may be needed: to allow an individual to be readily and uniquely identified e.g. a combination of name, address, age, sex,identification number; to confirm that two data sets belong to the

37、same individual without any need to identify the individual himselfe.g. for record linkage and/or longitudinal statistics; for statistical purposes with the desire positively to prevent identification of any individual.In all of these circumstances data about individuals are now, and will increasing

38、ly in the future, be transmittedacross national borders or be deliberately made accessible to countries other than where they are collected orstored. Data may be collected in one country and stored in another, be processed in a third, and be accessiblefrom many countries or even globally.Internation

39、al health-related applications will require health-related data to be transmitted from one nation toanother.That is very evident in telemedicine or when data are electronically dispatched for example in an email or as a datafile to be added to an international database. It also occurs, but less obvi

40、ously, when a database in one country isviewed from the other for example over the Internet. That application may appear passive but the very act ofviewing involves disclosure of that data and is deemed processing. Moreover it requires a download that may beautomatically placed in a cache and held t

41、here until emptied - this also is processing.In all applications involving personal health data there can be a potential threat to the privacy of an individual. Thatthreat and its extent will depend on: the level to which data is protected from unauthorised access in storage or transmission; the num

42、ber of persons who have authorised access; the nature of the personal data stored; the level of difficulty in identifying an individual if access to the data is obtained.Wherever health data are collected, stored, processed or published (including electronically on the Internet) thepotential threat

43、to privacy needs to be assessed and appropriate protective measures taken. Some form of riskanalysis should be undertaken to ascertain the required level of security measures.In addition to the standards bodies CEN, CENELEC, ISO and IEC there are three major trans-national bodies thathave produced i

44、nternationally authoritative documents relating to security and data protection: the European Union (EU); the Organisation for Economic Co-operation and Development (OECD);B55EB1B3E14C22109E918E8EA43EDB30F09CC9B7EF8DD9NormCD - Stand 2007-03 EN 14485:2003 (E)7 the Council of Europe; the United Nation

45、s (UN).The primary documents from these bodies are: EU Data Protection Directive “on the protection of individuals with regard to the processing of personaldata and free movement of that data“ 1; OECD “Guidelines on the Protection of Privacy and Trans-border flows of Personal Data“ 2; OECD “Guidelines for the Security of Information Systems“ 3; Council of Europe “Convention for the Protection of individuals with regard to Automatic Processing ofPersonal Da

copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
备案/许可证编号:苏ICP备17064731号-1