BS ISO 22857:2013 Health informatics - Guidelines on data protection to facilitate transborder flows of personal health data (PDF)

Uploader: eveningprove235   Document ID: 586459   Uploaded: 2018-12-15   Format: PDF   Pages: 70   Size: 1.40 MB

Resource description

BSI Standards Publication

BS ISO 22857:2013

Health informatics - Guidelines on data protection to facilitate transborder flows of personal health data

Copyright British Standards Institution. Provided by IHS under license with BSI - Uncontrolled Copy. Not for Resale. No reproduction or networking permitted without license from IHS.

BRITISH STANDARD

National foreword

This British Standard is the UK implementation of ISO 22857:2013. It supersedes BS ISO 22857:2004, which is withdrawn.

The UK participation in its preparation was entrusted to Technical Committee IST/35, Health informatics.

A list of organizations represented on this committee can be obtained on request to its secretary.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application.

© The British Standards Institution 2014. Published by BSI Standards Limited 2014

ISBN 978 0 580 65294 3
ICS 35.240.80

Compliance with a British Standard cannot confer immunity from legal obligations.

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 28 February 2014.

Amendments issued since publication
Date | Text affected
(none)

INTERNATIONAL STANDARD ISO 22857
Second edition 2013-12-15

Health informatics - Guidelines on data protection to facilitate trans-border flows of personal health data
Informatique de santé - Lignes directrices sur la protection des données pour faciliter les flux d'information sur la santé du personnel de part et d'autre des frontières

Reference number: ISO 22857:2013(E)

COPYRIGHT PROTECTED DOCUMENT

© ISO 2013. All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Case postale 56, CH-1211 Geneva 20
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org

Published in Switzerland

Contents                                                                              Page

Foreword                                                                                 v
Introduction                                                                            vi
1 Scope                                                                                  1
2 Normative references                                                                   1
3 Terms and definitions                                                                  1
4 Abbreviated terms                                                                      3
5 Structure of this International Standard                                               3
6 General principles and roles                                                           3
6.1 General principles                                                                   3
6.2 Roles                                                                                4
7 Legitimising data transfer                                                             4
7.1 The concept of "adequate" data protection                                            4
7.2 Conditions for legitimate transfer                                                   5
8 Criteria for ensuring adequate data protection with respect to the transfer of personal health data   6
8.1 The requirement for adequate data protection                                         6
8.2 Content principles                                                                   6
8.3 Procedural/enforcement mechanisms                                                    9
8.4 Contracts                                                                           10
8.5 Overriding laws                                                                     11
8.6 Anonymisation                                                                       11
8.7 Legitimacy of consent                                                               12
9 Security policy                                                                       12
9.1 General                                                                             12
9.2 The purpose of the security policy                                                  12
9.3 The "level" of security policy                                                      13
9.4 High Level Security Policy: general aspects                                         13
10 High Level Security Policy: the content                                              14
10.1 Principle One: overriding generic principle                                        14
10.2 Principle Two: chief executive support                                             15
10.3 Principle Three: documentation of measures and review                              16
10.4 Principle Four: Data protection security officer                                   16
10.5 Principle Five: permission to process                                              17
10.6 Principle Six: information about processing                                        18
10.7 Principle Seven: information for the data subject                                  20
10.8 Principle Eight: prohibition of onward data transfer without consent               20
10.9 Principle Nine: remedies and compensation                                          21
10.10 Principle Ten: security of processing                                             22
10.11 Principle Eleven: responsibilities of staff and other contractors                 23
11 Rationale and observations on measures to support Principle Ten concerning security of processing   24
11.1 General                                                                            24
11.2 Encryption and digital signatures for transmission to the data importer            24
11.3 Access controls and user authentication                                            24
11.4 Audit trails                                                                       25
11.5 Physical and environmental security                                                25
11.6 Application management and network management                                      25
11.7 Malicious software                                                                 25
11.8 Breaches of security                                                               25
11.9 Business continuity plan                                                           25
11.10 Handling very sensitive data                                                      26
11.11 Standards                                                                         26
12 Personal health data in non-electronic form                                          26
Annex A (informative) Key primary international documents on data protection            27
Annex B (informative) National documented requirements and legal provisions in a range of countries   32
Annex C (informative) Exemplar contract clauses: Controller to controller               37
Annex D (informative) Exemplar contract clauses: Controller to processor                44
Annex E (informative) Handling very sensitive personal health data                      53
Bibliography                                                                            55

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

The procedures used to develop this document and those intended for its further maintenance are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the different types of ISO documents should be noted. This document was drafted in accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of any patent rights identified during the development of the document will be in the Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents).

Any trade name used in this document is information given for the convenience of users and does not constitute an endorsement.

For an explanation of the meaning of ISO specific terms and expressions related to conformity assessment, as well as information about ISO's adherence to the WTO principles in the Technical Barriers to Trade (TBT), see the following URL: Foreword - Supplementary information

The committee responsible for this document is ISO/TC 215, Health informatics.

This second edition replaces the first edition (ISO 22857:2004), which has been technically revised.

Introduction

In the health context, information about individuals needs to be collected, stored and processed for many purposes, the main ones being direct delivery of care (e.g. patient records), insurance, clinical research and population health. A classification of purposes for processing personal health information is given in ISO/TS 14265 [15].

The data required depends on the purpose. In the context of identification of individuals, data may be needed:

- to allow an individual to be readily and uniquely identified (e.g. a combination of name, address, age, sex, identification number);
- to confirm that two data sets belong to the same individual without any need to identify the individual himself (e.g. for record linkage and/or longitudinal statistics);
- for any purpose where identifiable data are not required, in which case the objective should be to prevent such identification of the individual.

In all of these circumstances data about individuals are now, and will increasingly in the future, be transmitted across national/jurisdictional borders or be deliberately made accessible to countries/jurisdictions other than where they are collected or stored. Data may be collected in one country/jurisdiction and stored in another, be manipulated in a third, and be accessible from many countries/jurisdictions or even globally. The key requirement is that all this processing should be carried out in a fashion that is consistent with the purposes and consents of the original data collection and, in particular, all disclosures of personal health data should be to appropriate individuals or organisations within the boundaries of these purposes and consents.

International health-related applications may require personal health data to be transmitted from one nation to another across national borders. That is very evident in telemedicine or when data are electronically dispatched, for example in an email or as a data file to be added to an international database. It also occurs, but less obviously, when a database in one country/jurisdiction is viewed from another, for example over the Internet. That application may appear passive, but the very act of viewing involves disclosure of that data and is deemed processing. Moreover, it requires a download that may be automatically placed in a cache and held there until emptied; this also is processing and involves a particular security hazard. The same circumstances may arise when data are passed across jurisdictional boundaries.

There is a wide range of organisations that might be involved in receipt of personal health data from another country/jurisdiction, for example:

- healthcare establishments such as hospitals;
- research databanks held in one country but both fed and accessed in others;
- contractors remotely maintaining health care systems in other countries;
- organisations holding educational databases containing, for example, radiological images with diagnoses and case notes;
- companies holding banks of medical records for patients from different countries/jurisdictions;
- organisations involved in international or cross-jurisdictional health-related e-commerce such as e-pharmacy.

In all applications involving personal health data there can be a potential threat to the privacy of an individual. That threat and its extent will depend on:

- the level to which data are protected from unauthorised access in storage or transmission;
- the number of persons who have authorized access;
- the nature of the personal health data;
- the level of difficulty in identifying an individual if access to the data is obtained.

Wherever health data are collected, stored, processed or published (including electronically on the Internet) the potential threat to privacy needs to be assessed and appropriate protective measures taken. Some form of risk analysis will be necessary to ascertain the required level of security measures.

In addition to the standards bodies ISO, IEC, CEN and CENELEC, there are four major trans-national bodies that have produced internationally authoritative documents relating to security and data protection in the context of trans-border flows:

- the Organization for Economic Co-operation and Development (OECD);
- the Council of Europe;
- the United Nations (UN);
- the European Union (EU).

The primary documents from these bodies are:

- OECD "Guidelines on the Protection of Privacy and Trans-border flows of Personal Data" [1];
- OECD "Guidelines for the Security of information Systems" [2];
- Council of Europe "Convention for the Protection of individuals with regard to Automatic Processing of Personal Data" No. 108 [3];
- Council of Europe Recommendation R(97)5 on the Protection of Medical Data [4];
- UN General Assembly "Guidelines for the Regulation of Computerised Personal Data Files" [5];
- EU Data Protection Directive on the protection of individuals with regard to the processing of personal data and free movement of that data [6].

Annex A provides a brief summary of the key aspects of these documents.

The means and extent of the protection afforded to personal health data varies from nation to nation [7] and jurisdiction to jurisdiction. In some countries there is nation-wide privacy legislation; in others legislative provisions may be at a state level or equivalent. In a number of countries legislation may not exist, although various codes of practice or equivalent will probably be in place and/or medical laws may exist which lay down a duty on medical practitioners to safeguard confidentiality, integrity and availability. Although privacy legislation in different parts of the world may mention personal health data, frequently there is no legislation specific to health except perhaps in relation to government agencies and/or medical research.

Annex B comprises a brief outline of the key national standards or other documented requirements and of the legislative position concerning data protection in a range of countries.

Personal health data can be extremely sensitive in nature and thus there is extensive guidance and standards available both nationally and internationally on various administrative and technical security measures for the protection of personal healt
