    BS-ISO-22857-2004.pdf

BRITISH STANDARD BS ISO 22857:2004

Health informatics. Guidelines on data protection to facilitate trans-border flows of personal health information

ICS 35.240.80

Licensed Copy: sheffieldun sheffieldun, na, Sun Nov 26 02:54:38 GMT+00:00 2006, Uncontrolled Copy, (c) BSI

This British Standard was published under the authority of the Standards Policy and Strategy Committee on 7 March 2005. © BSI 7 March 2005. ISBN 0 580 45580 7

National foreword

This British Standard reproduces verbatim ISO 22857:2004 and implements it as the UK national standard. The UK participation in its preparation was entrusted to Technical Committee IST/35, Health informatics, which has the responsibility to:
- aid enquirers to understand the text;
- present to the responsible international/European committee any enquiries on the interpretation, or proposals for change, and keep the UK interests informed;
- monitor related international and European developments and promulgate them in the UK.

A list of organizations represented on this committee can be obtained on request to its secretary.

Cross-references

The British Standards which implement international publications referred to in this document may be found in the BSI Catalogue under the section entitled "International Standards Correspondence Index", or by using the "Search" facility of the BSI Electronic Catalogue or of British Standards Online.

This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. Compliance with a British Standard does not of itself confer immunity from legal obligations.

Summary of pages

This document comprises a front cover, an inside front cover, the ISO title page, pages ii to viii, pages 1 to 60, an inside back cover and a back cover. The BSI copyright notice displayed in this document indicates when the document was last issued.

Amendments issued since publication: Amd. No. / Date / Comments (no entries)
Reference number ISO 22857:2004(E)

INTERNATIONAL STANDARD ISO 22857, First edition 2004-04-01

Health informatics. Guidelines on data protection to facilitate trans-border flows of personal health information
Informatique de santé. Lignes directrices sur la protection des données pour faciliter les flux d'information sur la santé du personnel de part et d'autre des frontières

PDF disclaimer

This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat accepts no liability in this area.

Adobe is a trademark of Adobe Systems Incorporated.

Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.

© ISO 2004. All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office, Case postale 56, CH-1211 Geneva 20. Tel. +41 22 749 01 11. Fax +41 22 749 09 47. E-mail copyright@iso.org. Web www.iso.org. Published in Switzerland.

Contents

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Structure of this International Standard
6 General principles and roles
6.1 General principles
6.2 Roles
7 Legitimising data transfer
7.1 The concept of "adequate" data protection
7.2 Conditions for legitimate transfer
8 Criteria for ensuring adequate data protection with respect to the transfer of personal health data
8.1 The requirement for adequate data protection
8.2 Content principles
8.3 Procedural/enforcement mechanisms
8.4 Contracts
8.5 Overriding laws
8.6 Anonymisation
8.7 Legitimacy of Consent
9 Security policy
9.1 General
9.2 The purpose of the security policy
9.3 The "level" of security policy
9.4 High Level Security Policy: general aspects
10 High Level Security Policy: the content
10.1 Principle One: overriding generic principle
10.2 Principle Two: chief executive support
10.3 Principle Three: documentation of Measures and review
10.4 Principle Four: Data Protection Security Officer
10.5 Principle Five: permission to process
10.6 Principle Six: information about processing
10.7 Principle Seven: information for the data subject
10.8 Principle Eight: prohibition of onward data transfer without consent
10.9 Principle Nine: remedies and compensation
10.10 Principle Ten: security of processing
10.11 Principle Eleven: responsibilities of staff and other contractors
11 Rationale and Observations on Measures to support Principle Ten concerning security of processing
11.1 General
11.2 Encryption and digital signatures for transmission to the data importer
11.3 Access controls and user authentication
11.4 Audit trails
11.5 Physical and environmental security
11.6 Application management and network management
11.7 Malicious software
11.8 Breaches of security
11.9 Business Continuity Plan
11.10 Handling very sensitive data
11.11 Standards
12 Personal health data in non-electronic form
Annex A (informative) Key primary international documents on data protection
Annex B (informative) National documented requirements and legal provisions in a range of countries
Annex C (informative) Relevant ISO and CEN Standards
Annex D (informative) Sources of advice
Annex E (informative) Exemplar contract clauses: Controller to Controller
Annex F (informative) Exemplar contract clauses: Controller to Processor
Annex G (informative) Handling very sensitive personal health data
Bibliography

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights.

ISO 22857 was prepared by Technical Committee ISO/TC 215, Health informatics.

Introduction

In the health context, information about individuals needs to be collected, stored and processed for many purposes, the main ones being:
- direct delivery of care, e.g. patient records;
- administrative processes, e.g. booking appointments;
- clinical research;
- statistics.

The data required depends on the purpose. In the context of identification of individuals, data may be needed:
- to allow an individual to be readily and uniquely identified, e.g. a combination of name, address, age, sex, identification number;
- to confirm that two data sets belong to the same individual without any need to identify the individual himself, e.g. for record linkage and/or longitudinal statistics;
- for statistical purposes, but with the end desire positively to prevent identification of any individual.

In all of these circumstances data about individuals are now, and will increasingly in the future, be transmitted across national borders or be deliberately made accessible to countries other than where they are collected or stored. Data may be collected in one country and stored in another, be manipulated in a third, and be accessible from many countries or even globally.
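The second of those needs, confirming that two data sets belong to the same individual without identifying that individual, is the one an exporter most often has to engineer before data cross a border. The example below is added here and is not part of the standard: it shows keyed pseudonymisation with HMAC-SHA256, where the exporting controller replaces the direct identifiers with a pseudonym computed under a secret key that never leaves the exporter. The importer can link records with the same pseudonym but cannot recover who the person is, and a second importer given a different key cannot join its records to the first importer's. It also shows why an unkeyed hash of the identifiers is not a pseudonym: anyone holding a list of candidate people can recompute it. The field names (family_name, given_name, date_of_birth), the sample records and the public directory are all constructed for illustration.

```python
"""Keyed pseudonymisation for cross-border record linkage (added example, not from ISO 22857).

Assumed schema: each record carries family_name, given_name and date_of_birth as direct
identifiers plus some health attribute. All sample data below is constructed.
"""
import hashlib
import hmac
import secrets
import unicodedata

IDENTIFYING_FIELDS = ("family_name", "given_name", "date_of_birth")  # assumed schema


def canonical(value: str) -> str:
    """Normalise an identifier (Unicode form, case, whitespace) so formatting
    differences between the two data sets do not break linkage."""
    return " ".join(unicodedata.normalize("NFKC", value).casefold().split())


def pseudonym(record: dict, key: bytes) -> str:
    """HMAC-SHA256 over the canonical identifiers. Without the key the value
    cannot be recomputed from a guessed identity, so it cannot be inverted."""
    material = "\x1f".join(canonical(record[f]) for f in IDENTIFYING_FIELDS)
    return hmac.new(key, material.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records: list, key: bytes) -> list:
    """Exporter side: drop the direct identifiers and attach the pseudonym."""
    return [
        {"pid": pseudonym(r, key), **{k: v for k, v in r.items() if k not in IDENTIFYING_FIELDS}}
        for r in records
    ]


def link(ds_a: list, ds_b: list) -> list:
    """Importer side: join the two exported sets on pid; returns (pid, a, b) triples."""
    index = {}
    for r in ds_b:
        index.setdefault(r["pid"], []).append(r)
    return [(a["pid"], a, b) for a in ds_a for b in index.get(a["pid"], [])]


def unkeyed_pseudonym(record: dict) -> str:
    """The weak variant: a plain hash with no secret. Shown only to demonstrate the attack."""
    material = "\x1f".join(canonical(record[f]) for f in IDENTIFYING_FIELDS)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def reidentify(pid: str, candidates: list, fn):
    """Dictionary attack: recompute the pseudonym for each known person and compare."""
    for c in candidates:
        if hmac.compare_digest(fn(c), pid):
            return c
    return None


# Constructed sample data: the same patient appears in both sets with formatting differences.
HOSPITAL_ADMISSIONS = [
    {"family_name": "Muller", "given_name": "Anna", "date_of_birth": "1970-05-02", "diagnosis": "J18.9"},
    {"family_name": "Okafor", "given_name": "Chidi", "date_of_birth": "1985-11-30", "diagnosis": "I10"},
]
LAB_RESULTS = [
    {"family_name": "MULLER ", "given_name": " anna", "date_of_birth": "1970-05-02", "hba1c": 6.1},
    {"family_name": "Singh", "given_name": "Priya", "date_of_birth": "1992-01-17", "hba1c": 5.4},
]
PUBLIC_DIRECTORY = [  # what an outsider might know: names and birth dates, no health data
    {"family_name": "Muller", "given_name": "Anna", "date_of_birth": "1970-05-02"},
    {"family_name": "Singh", "given_name": "Priya", "date_of_birth": "1992-01-17"},
]


def demo() -> dict:
    # One key per importer and purpose, generated and kept by the exporting controller.
    key = secrets.token_bytes(32)
    exported_a = pseudonymise(HOSPITAL_ADMISSIONS, key)
    exported_b = pseudonymise(LAB_RESULTS, key)
    matches = link(exported_a, exported_b)

    # Attacker holding the exported data and the public directory, but not the key.
    keyed_hit = reidentify(exported_a[0]["pid"], PUBLIC_DIRECTORY, unkeyed_pseudonym)
    weak_pid = unkeyed_pseudonym(HOSPITAL_ADMISSIONS[0])
    weak_hit = reidentify(weak_pid, PUBLIC_DIRECTORY, unkeyed_pseudonym)

    # A different importer receives data under a different key: no cross-importer linkage.
    cross = link(exported_a, pseudonymise(LAB_RESULTS, secrets.token_bytes(32)))

    return {
        "linked": len(matches),
        "linked_diagnosis": matches[0][1]["diagnosis"] if matches else None,
        "keyed_reidentified": keyed_hit,
        "unkeyed_reidentified": weak_hit["family_name"] if weak_hit else None,
        "cross_key_links": len(cross),
        "identifiers_exported": any(f in r for r in exported_a for f in IDENTIFYING_FIELDS),
    }


if __name__ == "__main__":
    print(demo())
```

The keyed pseudonym is only as strong as the key's custody: it must be generated and stored by the exporter, never shipped alongside the data, and rotated or replaced per importer so that two recipients cannot pool their data sets. Pseudonymised data remain personal data for the exporter, who can still re-identify; the standard's adequacy and consent conditions therefore still apply.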
The key requirement is that all this processing should be carried out in a fashion that is consistent with the purposes and consents of the original data collection and, in particular, all disclosures of personal health data should be to appropriate individuals or organisations within the boundaries of these purposes and consents.

International health-related applications may require personal health data to be transmitted from one nation to another across national borders. That is very evident in telemedicine or when data are electronically dispatched, for example in an email or as a data file to be added to an international database. It also occurs, but less obviously, when a database in one country is viewed from another, for example over the Internet. That application may appear passive, but the very act of viewing involves disclosure of that data and is deemed processing. Moreover it requires a download that may be automatically placed in a cache and held there until 'emptied'; this also is processing and involves a particular security hazard.

There is a wide range of organisations that might be involved in receipt of personal health data from another country, for example:
- healthcare establishments such as hospitals;
- pharmaceutical companies involved in research;
- contractors remotely maintaining health care systems in other countries;
- organisations holding educational databases containing, for example, radiological images with diagnoses and case notes;
- companies holding banks of medical records for patients from different countries;
- organisations involved in international health-related e-commerce such as e-pharmacy.

In all applications involving personal health data there can be a potential threat to the privacy of an individual. That threat and its extent will depend on:
- the level to which data are protected from unauthorised access in storage or transmission;
- the number of persons who have authorised access;
- the nature of the personal health data;
- the level of difficulty in identifying an individual if access to the data is obtained;
- the difficulty in obtaining unauthorised access.

Wherever health data are collected, stored, processed or published (including electronically on the Internet) the potential threat to privacy needs to be assessed and appropriate protective measures taken. Some form of risk analysis will normally be necessary to ascertain the required level of security measures.

In addition to the standards bodies ISO, IEC, CEN and CENELEC, there are four major trans-national bodies that have produced internationally authoritative documents relating to security and data protection in the context of trans-border flows:
- the Organisation for Economic Co-operation and Development (OECD);
- the Council of Europe;
- the United Nations (UN);
- the European Union (EU).

The primary documents from these bodies are:
- OECD "Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data" [1];
- OECD "Guidelines for the Security of Information Systems" [2];
- Council of Europe "Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data", No. 108 [3];
- Council of Europe Recommendation R(97)5 on the Protection of Medical Data [4];
- UN General Assembly "Guidelines for the Regulation of Computerised Personal Data Files" [5];
- EU Data Protection Directive on the protection of individuals with regard to the processing of personal data and free movement of that data [6].

Annex A provides a brief summary of the key aspects of these documents.

The means and extent of the protection afforded to personal health data varies from nation to nation [7]. In some countries there is nation-wide privacy legislation; in others legislative provisions may be at a state level or equivalent. In a number of countries no legislation may exist, although various codes of practice or equivalent will probably be in place and/or medical laws may exist which lay down a duty on medical practitioners to safeguard confidentiality.

Although privacy legislation in different parts of the world may mention personal health data, frequently there is no legislation specific to health except perhaps in relation to government agencies and/or medical research. Annex B comprises a brief outline of the key national standards or other documented requirements and of the legislative position concerning data protection in a range of countries.

Personal health data can be extremely sensitive in nature and thus there is extensive guidance and standards available both nationally and internationally on various administrative and technical 'security measures' for the protection of personal health data (se
