BS EN 14485:2003
Current
The latest, up-to-date edition.
Health informatics. Guidance for handling personal health data in international applications in the context of the EU data protection directive
Hardcopy , PDF
English
09-01-2004
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 General solutions to exchanging personal health data between
compliant and non-compliant countries
5.1 General approach
6 Judging the adequacy of data protection
6.1 General
6.2 Content Principles
6.3 Procedural/Enforcement Mechanisms
6.4 Third Countries that have ratified the Council of Europe
Convention 108
6.5 Industry self-regulation
7 Making adequate provisions
7.1 Introduction
7.2 Meeting the "Content Principles"
7.3 Providing for the "Procedural/Enforcement Mechanisms"
7.4 Overriding law
8 Permissible derogations, Articles 26.1 and 26.2
8.1 Article 26.1
8.1.1 General
8.1.2 Consent
8.2 Article 26.2
9 Anonymisation
9.1 Definition of personal data
9.2 Rendering personal data anonymous
10 Notification to Supervisory Authorities
10.1 Introduction
10.2 Implementation of Articles 18 to 20
11 Steps in establishing an international application with adequate
data protection safeguards from the view point of an EU data
controller
11.1 Introduction
11.2 Step One: Can the data be non-personal?
11.3 Step Two: Is the recipient third country an EEA country?
11.4 Step Three: Is the recipient country recognised by the
Commission as having adequate data protection provisions?
11.5 Step Four: Is the recipient organisation in compliance with
arrangements formally recognized by the Commission as
providing adequate data protection provisions?
11.6 Step Five; If the recipient third country is not EEA, has
it signed the Council of Europe Convention
11.7 Step Six: Is the recipient country applying to become a
member of the EU?
11.8 Step Seven: Can adequacy of data protection be established?
11.9 Step Eight: If adequacy of data protection cannot be
established can the derogations in Article 26.1 provide
a solution?
11.10 Step Nine: If adequacy of data protection cannot be
established can the derogation in Article 26.2
regarding contractual clauses provide a solution?
11.11 Step Ten: If transfer of personal data health data to the
recipient third country is permissible has the recipient
implemented adequate security measures and can the
application proceed?
12 Steps in establishing an international application with
adequate data protection safeguards from the viewpoint
of a non-EU data controller
12.1 Establishing data protection adequacy in the EU
13 Model contract clauses
13.1 Published models
14 Security measures
14.1 Introduction
14.2 General security
14.3 Security contracts with processors and with controllers in
non-compliant countries
14.4 Security policy
14.5 Risk analysis
14.6 Security organisation and allocation of duties
14.7 Reporting of security incidents or breaches
14.8 Staff and contractor contracts
14.9 Training and awareness
14.10 Transmission of data
14.11 Limitations of purpose and access
14.12 Onward transfers
14.13 Audit trails
14.14 Loss, damage and destruction
14.15 Business Continuity Plans
14.16 Network Security
14.17 Patients Rights
14.18 Compliance
14.19 Standards
15 Declaration of grounds on which transfers are to take place
15.1 Statement of grounds
Annex A (informative) Key primary international documents on
data protection
A.1 EU Data Protection Directive
A.1.1 General
A.1.2 Coverage
A.1.3 Rules for lawfulness of processing
A.1.4 Special categories of processing
A.1.5 Data subject's rights
A.1.6 Security of processing
A.1.7 Supervisory Authorities
A.1.8 Remedies and sanctions
A.1.9 Transfer of personal data to third countries
A.2 Organisation for Economic Co-operation and Development
(OECD)
A.3 Council of Europe
A.4 United Nations General Assembly
A.4.1 General
A.4.2 Principles concerning minimum guarantees that
should be provided in any national legislation
A.4.3 Application of the Guidelines to personal data
files kept by governmental international
organisations
Annex B (informative) Text of Articles 25 and 26 of the EU Data
Protection Directive
B.1 Article 25: Principles
B.2 Article 26: Derogations
Annex C (informative) Text of Article 28 of the EU Data
Protection Directive
Annex D (informative) Questionnaire for Assessing Data
Protection Adequacy
Annex E (informative) Safe harbour privacy principles
Annex F (informative) Standards and sources of advice
F.1 EU Security projects
F.2 CEN/ISSS
F.3 Non-CEN Standards
F.4 Selected web sites
Annex G (informative) Model Declaration of Grounds upon which
Transfer of Personal Health Data is Regarded as in
Compliance with the EU Data Protection Directive
Annex H (informative) Model contractual clauses for controller to
controller transfers to a country with inadequate data
protection provisions
H.1 Introduction
H.2 Model standard contractual clauses
Annex I (informative) Model contractual clauses for controller to
processor transfers to a country with inadequate data
protection provisions
I.1 Introduction
I.2 Model standard contractual clauses
Bibliography
Contains guidance on data protection for those involved in international informatics applications which entail transmission of person health data from an EU Member State to a non-EU Member State. Its purpose is to assist in the application of the EU Directive on Data Protection [1].
Committee |
IST/35
|
DevelopmentNote |
Supersedes 02/653354 DC (02/2004)
|
DocumentType |
Standard
|
Pages |
80
|
PublisherName |
British Standards Institution
|
Status |
Current
|
Supersedes |
This European Standard provides guidance on data protection for those involved in international informatics applications which entail transmission of person health data from an EU Member State to a non-EU Member State. Its purpose is to assist in the application of the EU Directive on Data Protection [1].
Standards | Relationship |
EN 14485:2003 | Identical |
I.S. EN 14485:2004 | Identical |
UNE-EN 14485:2004 | Identical |
UNI EN 14485 : 2004 | Identical |
NF EN 14485 : 2004 | Identical |
NBN EN 14485 : 2004 | Identical |
DIN EN 14485:2004-03 | Identical |
NEN EN 14485 : 2004 | Identical |
SN EN 14485 : 2004 | Identical |
NS EN 14485 : 1ED 2004 | Identical |
EN 14484:2003 | Health informatics - International transfer of personal health data covered by the EU data protection directive - High level security policy |
ENV 13608-2:2000 | Health informatics - Security for healthcare communication - Part 2: Secure data objects |
ENV 13608-3:2000 | Health informatics - Security for healthcare communication - Part 3: Secure data channels |
ENV 12388 : DRAFT 1996 | MEDICAL INFORMATICS - ALGORITHM FOR DIGITAL SIGNATURE SERVICES IN HEALTH CARE |
ENV 12924 : DRAFT 1997 | MEDICAL INFORMATICS - SECURITY CATEGORISATION AND PROTECTION FOR HEALTHCARE INFORMATION SYSTEMS |
ENV 12251 : DRAFT 2000 | HEALTH INFORMATICS - SECURE USER IDENTIFICATION FOR HEALTH CARE - MANAGEMENT AND SECURITY OF AUTHENTICATION BY PASSWORDS |
ENV 13608-1:2000 | Health informatics - Security for healthcare communication - Part 1: Concepts and terminology |
ENV 13729 : DRAFT 2000 | HEALTH INFORMATICS - SECURE USER IDENTIFICATION - STRONG AUTHENTICATION USING MICROPROCESSOR CARDS |
Access your standards online with a subscription
Features
-
Simple online access to standards, technical information and regulations.
-
Critical updates of standards and customisable alerts and notifications.
-
Multi-user online standards collection: secure, flexible and cost effective.