Health informatics - Guidance for handling personal health data in international applications in the context of the EU data protection directive; German version EN 14485:2003, text in English
German title
Medizinische Informatik - Anleitung zur Verwendung von persönlichen Gesundheitsdaten in internationalen Anwendungen vor dem Hintergrund der EU-Datenschutzrichtlinie; Deutsche Fassung EN 14485:2003, Text Englisch
Content (en)
The European Standard EN 14485:2003 has the status of a German Standard.
Foreword
Introduction
Scope
Normative references
Terms and definitions
Abbreviated terms
General solutions to exchanging personal health data between compliant and non-compliant countries
General approach
Judging the adequacy of data protection
General
Content Principles
Procedural/Enforcement Mechanisms
Third Countries that have ratified the Council of Europe Convention 108
Industry self-regulation
Making adequate provisions
Introduction
Meeting the “Content Principles”
Providing for the “Procedural/Enforcement Mechanisms”
General
Providing redress
Support and help to data subjects
Adequate compliance
Onward transfers
Direct marketing and sale of data
Overriding law
Permissible derogations, Articles 26.1 and 26.2
Article 26.1
General
Consent
Article 26.2
Anonymisation
Definition of personal data
Rendering personal data anonymous
Notification to Supervisory Authorities
Introduction
Implementation of Articles 18 to 20
Steps in establishing an international application with adequate data protection safeguards from the viewpoint of an EU data controller
Introduction
Step One: Can the data be non-personal?
Step Two: Is the recipient third country an EEA country?
Step Three: Is the recipient country recognised by the Commission as having adequate data protection provisions?
Step Four: Is the recipient organisation in compliance with arrangements formally recognised by the Commission as providing adequate data protection provisions?
Step Five: If the recipient third country is not EEA, has it signed the Council of Europe Convention 108?
Step Six: Is the recipient country applying to become a member of the EU?
Step Seven: Can adequacy of data protection be established?
Step Eight: If adequacy of data protection cannot be established can the derogations in Article 26.1 provide a solution?
Step Nine: If adequacy of data protection cannot be established can the derogation in Article 26.2 regarding contractual clauses provide a solution?
Step Ten: If transfer of personal health data to the recipient third country is permissible, has the recipient implemented adequate security measures and can the application proceed?
Steps in establishing an international application with adequate data protection safeguards from the viewpoint of a non-EU data controller
Establishing data protection adequacy in the EU
Model contract clauses
Security measures
Introduction
General security
Security contracts with processors and with controllers in non-compliant countries
Security policy
Risk analysis
Security organisation and allocation of duties
Reporting of security incidents or breaches
Staff and contractor contracts
Training and awareness
Transmission of data
Limitations of purpose and access
Onward transfers
Audit trails
Loss, damage and destruction
Business Continuity Plans
Network Security
Patients' Rights
Compliance
Standards
Declaration of grounds on which transfers are to take place
Statement of grounds
Key primary international documents on data protection (informative)
EU Data Protection Directive
General
Coverage
Rules for lawfulness of processing
Special categories of processing
Data subject's rights
Security of processing
Supervisory Authorities
Remedies and sanctions
Transfer of personal data to third countries
Organisation for Economic Co-operation and Development (OECD)
Council of Europe
United Nations General Assembly
General
Principles concerning minimum guarantees that should be provided in any national legislation
Application of the Guidelines to personal data files kept by governmental international organisations
Text of Articles 25 and 26 of the EU Data Protection Directive (informative)
Article 25: Principles
Article 26: Derogations
Text of Article 28 of the EU Data Protection Directive (informative)
Supervisory authority
Questionnaire for Assessing Data Protection Adequacy (informative)
Safe harbour privacy principles (informative)
Standards and sources of advice (informative)
EU Security projects
CEN/ISSS
Non-CEN Standards
Selected web sites
Model Declaration of Grounds upon which Transfer of Personal Health Data is Regarded as in Compliance with the EU Data Protection Directive (informative)
Model contractual clauses for controller to controller transfers to a country with inadequate data protection provisions (informative)
Introduction
Model standard contractual clauses
Definitions
Details of the transfer
Third-party beneficiary clause
Obligations of the data exporter
Obligations of the data importer
Liability
Mediation and jurisdiction
Cooperation with supervisory authorities
Termination of the Clauses
Governing Law
Variation of the contract
to the contractual clauses
Mandatory data protection requirements referred to in Clause 5 (b)
Mandatory data protection principles referred to in the second paragraph of Clause 5(b)
Model contractual clauses for controller to processor transfers to a country with inadequate data protection provisions (informative)
Introduction
Model standard contractual clauses
Definitions
Details of the transfer
Third-party beneficiary clause
Obligations of the data exporter
Obligations of the data importer
Liability
Mediation and jurisdiction
Cooperation with supervisory authorities
Governing Law
Variation of the contract
Obligation after the termination of personal data processing services
to the contractual clauses
This Appendix forms part of the Clauses and must be completed and signed by the parties
Bibliography (informative)
ICS
35.240.80
DOI
https://dx.doi.org/10.31030/9502553