SIST EN 14485:2004

SLOVENSKI STANDARD
SIST EN 14485:2004
01-maj-2004
=GUDYVWYHQDLQIRUPDWLND±1DYRGLOR]DUDYQDQMH]RVHEQLPL]GUDYVWYHQLPLSRGDWNL
YPHGQDURGQLXSRUDELLQYVNODGX]GRORþLOL'LUHNWLYH(8RYDUVWYXSRGDWNRY
Health informatics - Guidance for handling personal health data in international
applications in the context of the EU data protection directive
Medizinische Informatik - Anleitung zur Verwendung von persönlichen Gesundheitsdaten
in internationalen Anwendungen vor dem Hintergrund der EU-Datenschutzrichtlinie
Informatique de santé - Guide pour manipuler des données personnelles de santé dans
des applications internationales dans le contexte de la directive européenne sur la
protection des données personelles
Ta slovenski standard je istoveten z: EN 14485:2003
ICS:
35.240.80 Uporabniške rešitve IT v IT applications in health care
zdravstveni tehniki technology
SIST EN 14485:2004 en
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

---------------------- Page: 1 ----------------------

SIST EN 14485:2004

---------------------- Page: 2 ----------------------

SIST EN 14485:2004
EUROPEAN STANDARD
EN 14485
NORME EUROPÉENNE
EUROPÄISCHE NORM
December 2003
ICS 35.240.80
English version
Health informatics - Guidance for handling personal health data
in international applications in the context of the EU data
protection directive
Informatique de santé - Guide pour manipuler des données Medizinische Informatik - Anleitung zur Verwendung von
personnelles de santé dans des applications persönlichen Gesundheitsdaten in internationalen
internationales dans le contexte de la directive européenne Anwendungen vor dem Hintergrund der EU-
sur la protection des données personelles Datenschutzrichtlinie
This European Standard was approved by CEN on 13 November 2003.
CEN members are bound to comply with the CEN/CENELEC Internal Regulations which stipulate the conditions for giving this European
Standard the status of a national standard without any alteration. Up-to-date lists and bibliographical references concerning such national
standards may be obtained on application to the Management Centre or to any CEN member.
This European Standard exists in three official versions (English, French, German). A version in any other language made by translation
under the responsibility of a CEN member into its own language and notified to the Management Centre has the same status as the official
versions.
CEN members are the national standards bodies of Austria, Belgium, Czech Republic, Denmark, Finland, France, Germany, Greece,
Hungary, Iceland, Ireland, Italy, Luxembourg, Malta, Netherlands, Norway, Portugal, Slovakia, Spain, Sweden, Switzerland and United
Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
Management Centre: rue de Stassart, 36  B-1050 Brussels
© 2003 CEN All rights of exploitation in any form and by any means reserved Ref. No. EN 14485:2003 E
worldwide for CEN national Members.

---------------------- Page: 3 ----------------------

SIST EN 14485:2004
EN 14485:2003 (E)
Contents
page
Foreword.5
Introduction .6
1 Scope .9
2 Normative references .9
3 Terms and definitions.9
4 Abbreviated terms .10
5 General solutions to exchanging personal health data between compliant and non-compliant
countries.11
5.1 General approach .11
6 Judging the adequacy of data protection .11
6.1 General.11
6.2 Content Principles.12
6.3 Procedural/Enforcement Mechanisms.14
6.4 Third Countries that have ratified the Council of Europe Convention 108 .14
6.5 Industry self-regulation.15
7 Making adequate provisions.16
7.1 Introduction .16
7.2 Meeting the "Content Principles" .16
7.3 Providing for the "Procedural/Enforcement Mechanisms".16
7.4 Overriding law .18
8 Permissible derogations, Articles 26.1 and 26.2 .19
8.1 Article 26.1 .19
8.1.2 Consent.19
8.2 Article 26.2 .20
9 Anonymisation .20
9.1 Definition of personal data .20
9.2 Rendering personal data anonymous.20
10 Notification to Supervisory Authorities.21
10.1 Introduction .21
10.2 Implementation of Articles 18 to 20 .21
11 Steps in establishing an international application with adequate data protection safeguards
from the view point of an EU data controller .21
11.1 Introduction .21
11.2 Step One: Can the data be non-personal?.22
11.3 Step Two: Is the recipient third country an EEA country? .23
11.4 Step Three: Is the recipient country recognised by the Commission as having adequate data
protection provisions?.23
11.5 Step Four: Is the recipient organisation in compliance with arrangements formally recognised
by the Commission as providing adequate data protection provisions? .23
11.6 Step Five; If the recipient third country is not EEA, has it signed the Council of Europe
Convention 108?.23
11.7 Step Six: Is the recipient country applying to become a member of the EU? .23
11.8 Step Seven: Can adequacy of data protection be established?.24
11.9 Step Eight: If adequacy of data protection cannot be established can the derogations in
Article 26.1 provide a solution?.24
11.10 Step Nine: If adequacy of data protection cannot be established can the derogation in Article
26.2 regarding contractual clauses provide a solution? .26
2

---------------------- Page: 4 ----------------------

SIST EN 14485:2004
EN 14485:2003 (E)
11.11 Step Ten: If transfer of personal data health data to the recipient third country is permissible
has the recipient implemented adequate security measures and can the application proceed?.26
12 Steps in establishing an international application with adequate data protection safeguards
from the viewpoint of a non-EU data controller .26
12.1 Establishing data protection adequacy in the EU.26
13 Model contract clauses .26
Published models.26
14 Security measures.27
14.1 Introduction .27
14.2 General security.27
14.3 Security contracts with processors and with controllers in non-compliant countries.28
14.4 Security policy.28
14.5 Risk analysis.28
14.6 Security organisation and allocation of duties .29
14.7 Reporting of security incidents or breaches .29
14.8 Staff and contractor contracts.29
14.9 Training and awareness .29
14.10 Transmission of data .29
14.11 Limitations of purpose and access .29
14.12 Onward transfers .30
14.13 Audit trails .30
14.14 Loss, damage and destruction.30
14.15 Business Continuity Plans .30
14.16 Network Security.30
14.17 Patients Rights.31
14.18 Compliance.31
14.19 Standards.31
15 Declaration of grounds on which transfers are to take place.31
15.1 Statement of grounds .31
Annex A (informative)  Key primary international documents on data protection.32
A.1 EU Data Protection Directive .32
A.1.3 Rules for lawfulness of processing .32
A.1.4 Special categories of processing.32
A.1.5 Data subject's rights.33
A.1.6 Security of processing .34
A.1.7 Supervisory Authorities.34
A.1.8 Remedies and sanctions .34
A.1.9 Transfer of personal data to third countries.34
A.2 Organisation for Economic Co-operation and Development (OECD) .35
A.3 Council of Europe .35
A.4 United Nations General Assembly.36
A.4.1 General .36
A.4.2 Principles concerning minimum guarantees that should be provided in any national legislation.36
A.4.3 Application of the Guidelines to personal data files kept by governmental international
organisations.37
Annex B (informative)  Text of Articles 25 and 26 of the EU Data Protection Directive.38
B.1 Article 25: Principles .38
B.2 Article 26: Derogations .38
Annex C (informative)  Text of Article 28 of the EU Data Protection Directive .40
Annex D (informative)  Questionnaire for Assessing Data Protection Adequacy .42
Annex E (informative)  Safe harbour privacy principles.48
Annex F (informative)  Standards and sources of advice .51
F.1 EU Security projects .51
F.2 CEN/ISSS .51
F.3 Non-CEN Standards .51
F.4 Selected web sites.52
3

---------------------- Page: 5 ----------------------

SIST EN 14485:2004
EN 14485:2003 (E)
Annex G (informative)  Model Declaration of Grounds upon which Transfer of Personal Health Data is
Regarded as in Compliance with the EU Data Protection Directive.53
Annex H (informative)  Model contractual clauses for controller to controller transfers to a country
with inadequate data protection provisions .55
H.1 Introduction .55
H.2 Model standard contractual clauses .55
Annex I (informative)  Model contractual clauses for controller to processor transfers to a country
with inadequate data protection provisions .66
I.1 Introduction .66
I.2 Model standard contractual clauses .66
Bibliography .75
4

---------------------- Page: 6 ----------------------

SIST EN 14485:2004
EN 14485:2003 (E)
Foreword
This document (EN 14485:2003) has been prepared by Technical Committee CEN/TC 251 "European
Standardization of Health Informatics", the secretariat of which is held by SIS.
This European Standard shall be given the status of a national standard, either by publication of an identical text or
by endorsement, at the latest by June 2004, and conflicting national standards shall be withdrawn at the latest by
June 2004.
The annexes A, B, C, D, E, F, G, H and I are informative.
According to the CEN/CENELEC Internal Regulations, the national standards organizations of the following
countries are bound to implement this European Standard: Austria, Belgium, Czech Republic, Denmark, Finland,
France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Luxembourg, Malta, Netherlands, Norway, Portugal,
Slovakia, Spain, Sweden, Switzerland and the United Kingdom.
5

---------------------- Page: 7 ----------------------

SIST EN 14485:2004
EN 14485:2003 (E)
Introduction
In the health context, information about individuals needs to be collected, stored and processed for many purposes,
the main being:
• administrative processes e.g. booking appointments;
• direct delivery of care e.g. patient records;
• clinical research;
• statistics.
The data required will depend on the purpose. In the context of identification of individuals, data may be needed:
• to allow an individual to be readily and uniquely identified e.g. a combination of name, address, age, sex,
identification number;
• to confirm that two data sets belong to the same individual without any need to identify the individual himself
e.g. for record linkage and/or longitudinal statistics;
• for statistical purposes with the desire positively to prevent identification of any individual.
In all of these circumstances data about individuals are now, and will increasingly in the future, be transmitted
across national borders or be deliberately made accessible to countries other than where they are collected or
stored. Data may be collected in one country and stored in another, be processed in a third, and be accessible
from many countries or even globally.
International health-related applications will require health-related data to be transmitted from one nation to
another.
That is very evident in telemedicine or when data are electronically dispatched for example in an email or as a data
file to be added to an international database. It also occurs, but less obviously, when a database in one country is
viewed from the other for example over the Internet. That application may appear passive but the very act of
viewing involves disclosure of that data and is deemed ‘processing’. Moreover it requires a download that may be
automatically placed in a cache and held there until 'emptied' - this also is processing.
In all applications involving personal health data there can be a potential threat to the privacy of an individual. That
threat and its extent will depend on:
• the level to which data is protected from unauthorised access in storage or transmission;
• the number of persons who have authorised access;
• the nature of the personal data stored;
• the level of difficulty in identifying an individual if access to the data is obtained.
Wherever health data are collected, stored, processed or published (including electronically on the Internet) the
potential threat to privacy needs to be assessed and appropriate protective measures taken. Some form of risk
analysis should be undertaken to ascertain the required level of security measures.
In addition to the standards bodies CEN, CENELEC, ISO and IEC there are three major trans-national bodies that
have produced internationally authoritative documents relating to security and data protection:
• the European Union (EU);
• the Organisation for Economic Co-operation and Development (OECD);
• the Council of Europe;
6

---------------------- Page: 8 ----------------------

SIST EN 14485:2004
EN 14485:2003 (E)
• the United Nations (UN).
The primary documents from these bodies are:
• EU Data Protection Directive "on the protection of individuals with regard to the processing of personal
data and free movement of that data" [1];
• OECD "Guidelines on the Protection of Privacy and Trans-border flows of Personal Data" [2];
• OECD "Guidelines for the Security of Information Systems" [3];
• Council of Europe "Convention for the Protection of individuals with regard to Automatic Processing of
Personal Data" No. 108 [4];
• "Council of Europe Recommendation R(97)5 on the Protection of Medical Data" [5];
• UN General Assembly "Guidelines for the Regulation of Computerised Personal Data Files" [6].
Annex A provides a synopsis of the key documents published by these bodies.
The means and extent of the protection afforded to personal health data varies from nation to nation [7]. In some
countries there is nation-wide privacy legislation, in others legislature provisions may be at a state level or
equivalent and in a number no legislation may exist although various codes of practice or equivalent will probably
be in place.
Although privacy legislation in different parts of the world may mention personal health data, frequently there is no
legislation specific to health except perhaps in relation to government agencies and/or medical research.
The EU Directive on Data Protection aims to create uniform legislative data protection provisions throughout the
EU. The Directive also applies to non-community countries of the European Economic Area by virtue of the EEA
Treaty Decision 83/1999 of 25 June 1999.
The passing of personal data from any one of these conforming nations to another ('third') country is controlled by
Articles 25 and 26 of the Directive the full text of which is in annex B. In essence, subject to specific 'derogations',
Article 25 allows transfer of personal data to a third country only if that third country ensures an 'adequate level of
protection'. The 'adequacy of protection' is to be assessed (Article 25.2) in the light of all the circumstances with
'particular consideration' to be given to particular factors including:
• the nature of the data;
• the purpose and duration of the proposed processing operation(s);
• the rules of law applying;
• the professional rules and security measures which are complied with.
In the health context personal health data can be extremely sensitive in nature and is so recognised by the
Directive. However rules of law specific to health are not common with the exception perhaps of medical research.
Nevertheless 'professional rules' applying to the medical and other healthcare professions concerning the
protection of patient confidentiality are present in most countries with significant 'penalties' associated with non-
compliance. There is in addition extensive guidance available both nationally and internationally on 'security
measures' for the protection of personal health data (see annex F and clause 2).
In many countries therefore there is a mix of general and specific legal or quasi-legal requirements covering data
protection plus professional codes covering ethical aspects including safeguarding confidentiality. These two
aspects may not necessarily be consistent and may in some aspects be in conflict. This European Standard,
although referring to both, deals primarily with the context deriving from implementation of the Data Protection
Directive. Ethical codes often contain material that goes beyond formal legal requirements. The guidance in this
standard should not diminish compliance with such more extensive documents. Indeed ensuring conformance with
legal rules is only one aspect of ensuring confidentiality is protected. In that context it should be noted that the
European Group on Ethics in Science and New Technologies to the Commission [8], is of the opinion that
“personal data should be considered in the framework of the rights of personality, even if in some cases they may
be subject transactions” and, “since personal data continue to reflect the data subject’s identity, they cannot be
treated as entirely separate from him/her”. The Group observed that consequently “some countries regard sensitive
personal health data as inalienable to protect the dignity of the individual”.
Article 26 of the Directive details the 'derogations' under which an EU Member State may permit transfer of
personal data to a third country without an adequate level of data protection. The full list is in annex B. They
include where:
7

---------------------- Page: 9 ----------------------

SIST EN 14485:2004
EN 14485:2003 (E)
• the data subject has given his unambiguous consent;
• it is necessary to protect the data subject's vital interests;
• the "controller adduces adequate safeguards with respect to the privacy and fundamental rights and
freedom of individuals and as regards the exercise of the corresponding rights; such safeguards may in
particular result from appropriate contract clauses".
Under Article 29 of the EU Directive an EU Working Party on the Protection of Individuals with regard to Processing
of Personal Data was created. Its findings provide important interpretations and views on the Directive and these
are frequently referred to in this standard.
This standard provides guidance on measures that should be taken to protect personal data in applications which
involve transfer of personal health data across national boundaries and in particular between EU and other
countries which conform to the EU Directive, and those which may not. In that context it considers the use of
contract clauses to achieve adequate safeguards.
8

---------------------- Page: 10 ----------------------

SIST EN 14485:2004
EN 14485:2003 (E)
1 Scope
This European Standard provides guidance on data protection for those involved in international informatics
applications which entail transmission of person health data from an EU Member State to a non-EU Member State.
Its purpose is to assist in the application of the EU Directive on Data Protection [1].
The European Standard does not provide definitive legal advice but comprises guidance. When applying the
guidance to a particular application legal advice appropriate to that application should be sought.
2 Normative references
Not applicable.
3 Terms and definitions
For the purposes of this European Standard, the following terms and definitions. Where a term is defined in the EU
Data Protection Directive [1] that definition is used for the purposes of this European Standard. In countries in
which the EU Directive has not been implemented, other definitions for these terms may be in use and may have a
legal st
...