Category: Standard
Organisation:
ID: ISO 22857:2013
Type: Standard
Version: 2
Access: Fees apply to access
Status: Active
Created: Dec 2013
This standard provides guidance on data protection requirements to facilitate the transfer of personal health data across national or jurisdictional borders. It is normative only in respect of international or trans-jurisdictional exchange of personal health data. However, it can be informative with respect to the protection of health information within national/jurisdictional boundaries and provide assistance to national or jurisdictional bodies involved in the development and implementation of data protection principles. The standard covers both the data protection principles that apply to international or trans-jurisdictional transfers and the security policy which an organisation adopts to ensure compliance with those principles. The standard aims to facilitate international and trans-jurisdictional health-related applications involving the transfer of personal health data. It seeks to provide the means by which health data relating to data subjects, such as patients, will be adequately protected when sent to, and processed in, another country/jurisdiction.
Main sections:
· Scope
· Normative references
· Terms and definitions
· Abbreviated terms
· Structure of this International Standard
· General principles and roles
· Legitimising data transfer
· Criteria for ensuring adequate data protection with respect to the transfer of personal health data
· Security policy
· High Level Security Policy: the content
· Rationale and observations on measures to support Principle Ten concerning security of processing
· Personal health data in non-electronic form
· Annex A: Key primary international documents on data protection
· Annex B: National documented requirements and legal provisions in a range of countries
· Annex C: Exemplar contract clauses: Controller to controller
· Annex D: Exemplar contract clauses: Controller to processor
· Annex E: Handling very sensitive personal health data
Access Health informatics — Guidelines on data protection to facilitate transborder flows of personal health data