Health informatics - Guidelines on data protection to facilitate trans-border flows of personal health information

ISO 22857:2004 provides guidance on data protection requirements to facilitate the transfer of personal health data across national borders. It does not require the harmonization of existing national standards, legislation or regulations. It is normative only in respect of international exchange of personal health data. However, it may be informative with respect to the protection of health information within national boundaries and provide assistance to national bodies involved in the development and implementation of data protection principles. The standard covers both the data protection principles that should apply to international transfers and the security policy which an organization should adopt to ensure compliance with those principles. This International Standard aims to facilitate international health-related applications involving the transfer of personal health data. It seeks to provide the means by which data subjects, such as patients, may be assured that health data relating to them will be adequately protected when sent to, and processed in, another country. This International Standard does not provide definitive legal advice but comprises guidance. When applying the guidance to a particular application, legal advice appropriate to that application should be sought. National privacy and data protection requirements vary substantially and can change relatively quickly. Whereas the standard in general encompasses the more stringent of international and national requirements, it nevertheless comprises a minimum. Some countries may have some more stringent and particular requirements, and this should be checked.

Informatique de santé — Lignes directrices sur la protection des données pour faciliter les flux d'information sur la santé du personnel de part et d'autre des frontières

General Information

Status: Withdrawn
Publication Date: 16-Mar-2004
Withdrawal Date: 16-Mar-2004
Current Stage: 9599 - Withdrawal of International Standard
Start Date: 10-Dec-2013
Completion Date: 13-Dec-2025

Relations

Standard
ISO 22857:2004 - Health informatics -- Guidelines on data protection to facilitate trans-border flows of personal health information
English language
60 pages

Frequently Asked Questions

ISO 22857:2004 is a standard published by the International Organization for Standardization (ISO). Its full title is "Health informatics - Guidelines on data protection to facilitate trans-border flows of personal health information". Its scope is summarised in the abstract at the top of this page.

ISO 22857:2004 is classified under the following ICS (International Classification for Standards) categories: 35.240.80 - IT applications in health care technology. The ICS classification helps identify the subject area and facilitates finding related standards.

ISO 22857:2004 has the following relationships with other standards: it has an inter-standard link to ISO 22857:2013. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

You can purchase ISO 22857:2004 directly from iTeh Standards. The document is available in PDF format and is delivered instantly after payment. Add the standard to your cart and complete the secure checkout process. iTeh Standards is an authorized distributor of ISO standards.

Standards Content (Sample)


INTERNATIONAL STANDARD ISO 22857
First edition
2004-04-01
Health informatics — Guidelines on data protection to facilitate trans-border flows of personal health information
Informatique de santé — Lignes directrices sur la protection des données pour faciliter les flux d'information sur la santé du personnel de part et d'autre des frontières


© ISO 2004
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means,
electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or
ISO's member body in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org
Published in Switzerland
ii © ISO 2004 – All rights reserved

Contents (page)
Foreword ..... vii
Introduction ..... ix
1 Scope ..... 1
2 Normative references ..... 1
3 Terms and definitions ..... 1
4 Abbreviated terms ..... 3
5 Structure of this International Standard ..... 3
6 General principles and roles ..... 3
6.1 General principles ..... 3
6.2 Roles ..... 4
7 Legitimising data transfer ..... 4
7.1 The concept of “adequate” data protection ..... 4
7.2 Conditions for legitimate transfer ..... 5
8 Criteria for ensuring adequate data protection with respect to the transfer of personal health data ..... 6
8.1 The requirement for adequate data protection ..... 6
8.2 Content principles ..... 6
8.3 Procedural/enforcement mechanisms ..... 8
8.4 Contracts ..... 10
8.5 Overriding laws ..... 10
8.6 Anonymisation ..... 11
8.7 Legitimacy of Consent ..... 11
9 Security policy ..... 12
9.1 General ..... 12
9.2 The purpose of the security policy ..... 12
9.3 The “level” of security policy ..... 12
9.4 High Level Security Policy: general aspects ..... 13
10 High Level Security Policy: the content ..... 14
10.1 Principle One: overriding generic principle ..... 14
10.2 Principle Two: chief executive support ..... 15
10.3 Principle Three: documentation of Measures and review ..... 15
10.4 Principle Four: Data Protection Security Officer ..... 16
10.5 Principle Five: permission to process ..... 16
10.6 Principle Six: information about processing ..... 17
10.7 Principle Seven: information for the data subject ..... 19
10.8 Principle Eight: prohibition of onward data transfer without consent ..... 19
10.9 Principle Nine: remedies and compensation ..... 20
10.10 Principle Ten: security of processing ..... 21
10.11 Principle Eleven: responsibilities of staff and other contractors ..... 22
11 Rationale and Observations on Measures to support Principle Ten concerning security of processing ..... 23
11.1 General ..... 23
11.2 Encryption and digital signatures for transmission to the data importer ..... 23
11.3 Access controls and user authentication ..... 23
11.4 Audit trails ..... 23
11.5 Physical and environmental security ..... 24
11.6 Application management and network management ..... 24
11.7 Malicious software ..... 24
11.8 Breaches of security ..... 24
11.9 Business Continuity Plan ..... 24
11.10 Handling very sensitive data ..... 24
11.11 Standards ..... 25
12 Personal health data in non-electronic form ..... 25
Annex A (informative) Key primary international documents on data protection ..... 26
Annex B (informative) National documented requirements and legal provisions in a range of countries ..... 32
Annex C (informative) Relevant ISO and CEN Standards ..... 35
Annex D (informative) Sources of advice ..... 36
Annex E (informative) Exemplar contract clauses: Controller to Controller ..... 38
Annex F (informative) Exemplar contract clauses: Controller to Processor ..... 47
Annex G (informative) Handling very sensitive personal health data ..... 57
Bibliography ..... 59


Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies
(ISO member bodies). The work of preparing International Standards is normally carried out through ISO
technical committees. Each member body interested in a subject for which a technical committee has been
established has the right to be represented on that committee. International organizations, governmental and
non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the
International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.
The main task of technical committees is to prepare International Standards. Draft International Standards
adopted by the technical committees are circulated to the member bodies for voting. Publication as an
International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this document may be the subject of patent
rights. ISO shall not be held responsible for identifying any or all such patent rights.
ISO 22857 was prepared by Technical Committee ISO/TC 215, Health informatics.
Introduction
In the health context, information about individuals needs to be collected, stored and processed for many
purposes, the main being
- direct delivery of care e.g. patient records;
- administrative processes e.g. booking appointments;
- clinical research;
- statistics.
The data required depends on the purpose. In the context of identification of individuals, data may be needed
- to allow an individual to be readily and uniquely identified e.g. a combination of name, address, age, sex, identification number;
- to confirm that two data sets belong to the same individual without any need to identify the individual himself e.g. for record linkage and/or longitudinal statistics;
- for statistical purposes but with the end desire positively to prevent identification of any individual.
In all of these circumstances data about individuals are now, and will increasingly in the future, be transmitted
across national borders or be deliberately made accessible to countries other than where they are collected or
stored. Data may be collected in one country and stored in another, be manipulated in a third, and be
accessible from many countries or even globally. The key requirement is that
- all this processing should be carried out in a fashion that is consistent with the purposes and consents of the original data collection and, in particular,
- all disclosures of personal health data should be to appropriate individuals or organisations within the boundaries of these purposes and consents.
International health-related applications may require personal health data to be transmitted from one nation to
another across national borders. That is very evident in telemedicine or when data are electronically
dispatched for example in an email or as a data file to be added to an international database. It also occurs,
but less obviously, when a database in one country is viewed from another for example over the Internet. That
application may appear passive but the very act of viewing involves disclosure of that data and is deemed
‘processing’. Moreover it requires a download that may be automatically placed in a cache and held there until
'emptied' - this also is processing and involves a particular security hazard.
There is a wide range of organisations that might be involved in receipt of personal health data from another
country for example
- healthcare establishments such as hospitals;
- pharmaceutical companies involved in research;
- contractors remotely maintaining health care systems in other countries;
- organisations holding educational data bases containing, for example, radiological images with diagnoses and case notes;
- companies holding banks of medical records for patients from different countries;
- organisations involved in international health-related e-commerce such as e-pharmacy.
In all applications involving personal health data there can be a potential threat to the privacy of an individual.
That threat and its extent will depend on
- the level to which data are protected from unauthorised access in storage or transmission;
- the number of persons who have authorised access;
- the nature of the personal health data;
- the level of difficulty in identifying an individual if access to the data is obtained;
- the difficulty in obtaining unauthorised access.
Wherever health data are collected, stored, processed or published (including electronically on the Internet)
the potential threat to privacy needs to be assessed and appropriate protective measures taken. Some form of
risk analysis will normally be necessary to ascertain the required level of security measures.
In addition to the standards bodies ISO, IEC, CEN and CENELEC, there are four major trans-national bodies
that have produced internationally authoritative documents relating to security and data protection in the
context of trans-border flows
- the Organisation for Economic Co-operation and Development (OECD);
- the Council of Europe;
- the United Nations (UN);
- the European Union (EU).
The primary documents from these bodies are
- OECD “Guidelines on the Protection of Privacy and Trans-border flows of Personal Data” [1];
- OECD “Guidelines for the Security of Information Systems” [2];
- Council of Europe “Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data” No. 108 [3];
- “Council of Europe Recommendation R(97)5 on the Protection of Medical Data” [4];
- UN General Assembly “Guidelines for the Regulation of Computerised Personal Data Files” [5];
- EU Data Protection Directive on the protection of individuals with regard to the processing of personal data and free movement of that data [6].
Annex A provides a brief summary of the key aspects of these documents.
The means and extent of the protection afforded to personal health data varies from nation to nation [7]. In
some countries there is nation-wide privacy legislation, in others legislative provisions may be at a state level
or equivalent. In a number of countries no legislation may exist although various codes of practice or
equivalent will probably be in place and/or ‘medical’ laws may exist which lay down a duty on medical
practitioners to safeguard confidentiality.
Although privacy legislation in different parts of the world may mention personal health data, frequently there
is no legislation specific to health except perhaps in relation to government agencies and/or medical research.
Annex B comprises a brief outline of the key national standards or other documented requirements and of the
legislative position concerning data protection in a range of countries.
Personal health data can be extremely sensitive in nature and thus there is extensive guidance and standards
available both nationally and internationally on various administrative and technical 'security measures' for the
protection of personal health data (see Annexes C and D).
This International Standard seeks to draw on, and harmonise, data protection requirements relating to the
transfer of personal health data across international boundaries as given in authoritative international
documents. It also seeks to take into account a range of national requirements so as to avoid, as far as
practicable, conflict between the requirements of this International Standard and national specifications.
This International Standard applies, however, solely to transfer of personal health data across national
borders. It explicitly does not seek to specify national data protection requirements. The creation of a set of
requirements aimed at being acceptable to all countries, whether they be transmitting or receiving personal
health data to/from other countries, inevitably means adopting the most stringent of requirements. This means
that organisations in some countries would need to apply extra or more severe data protection requirements
when transmitting to, or receiving personal health data from, other countries than might be necessary for
handling such data within their own boundaries. Although that might be the case, that does not mean that
those extra or more severe requirements must be applied to solely national applications.
Articles 25 and 26 of the EU Data Protection Directive lay down the conditions under which transfer of
personal data from an EU Member State to a non-EU Member State is permitted. CEN Standards [11] [12]
provide guidance on meeting such conditions and on a high level security policy which importers of personal
health data from EU Member States should implement. This International Standard seeks to be consistent
with both these CEN standards.


INTERNATIONAL STANDARD ISO 22857:2004(E)

Health informatics — Guidelines on data protection to facilitate
trans-border flows of personal health information
1 Scope
This International Standard provides guidance on data protection requirements to facilitate the transfer of
personal health data across national borders. It does not require the harmonisation of existing national
standards, legislation or regulations. It is normative only in respect of international exchange of personal
health data. However it may be informative with respect to the protection of health information within national
boundaries and provide assistance to national bodies involved in the development and implementation of data
protection principles. The International Standard covers both the data protection principles that should apply to
international transfers and the security policy which an organisation should adopt to ensure compliance with
those principles.
Where a multilateral treaty between a number of countries has been agreed e.g. the EU Data Protection
Directive, the terms of that treaty will take precedence.
This International Standard aims to facilitate international health-related applications involving the transfer of
personal health data. It seeks to provide the means by which data subjects, such as patients, may be assured
that health data relating to them will be adequately protected when sent to, and processed in, another country.
This International Standard does not provide definitive legal advice but comprises guidance. When applying
the guidance to a particular application legal advice appropriate to that application should be sought.
National privacy and data protection requirements vary substantially and can change relatively quickly.
Whereas this International Standard in general encompasses the more stringent of international and national
requirements it nevertheless comprises a minimum. Some countries may have some more stringent and
particular requirements and this should be checked.
2 Normative references
This International Standard does not contain normative references.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply. They seek to be consistent with
similar terms in other international documents.
NOTE Throughout the text, the word “he” should be understood to mean “he or she” and the word “his” to mean “his
or her”.
3.1
the application
the international application to which this International Standard is being applied unless obviously to the
contrary
3.2
Commission
European Commission unless obviously otherwise
3.3
controller
the natural or legal person, public authority, agency or any other body which alone or jointly with others
determines the purposes and means of the processing of personal data
3.4
data subject
the identified or identifiable natural person who is the subject of personal data
3.5
data subject's consent
any freely given specific and informed indication of his wishes by which the data subject signifies his
agreement to personal data relating to him being processed
3.6
EU Directive
the EU Data Protection Directive [6] unless stated otherwise
3.7
identifiable person
one who can be identified, directly or indirectly, in particular by reference to an identification number or one or
more factors specific to his physical, physiological, mental, economic, cultural or social identity
3.8
participants
data exporters and data importers
3.9
personal data
any information relating to an identified or identifiable natural person
3.10
personal health data
any personal data relevant to the health of an identified or identifiable natural person
3.11
primary controller
the controller who is the data exporter responsible for all matters relating to ensuring consent of the data
subject to the transfer of his personal health data to another country
3.12
processor
a natural or legal person, public authority, agency or any other body which processes personal data on behalf
of the controller
3.13
processing of personal data (processing)
any operation or set of operations which is performed upon personal data, whether or not by automatic means,
such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use,
disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking,
erasure or destruction
3.14
data importer
a natural or legal person, public authority, agency or any other body located in one country which receives
data from a data exporter in another country

3.15
data exporter
a natural or legal person, public authority, agency or any other body located in one country which sends data
to a data importer in another country
4 Abbreviated terms
The following abbreviated terms are used:
- EEA: European Economic Area;
- EU: European Union;
- HLSP: High Level Security Policy;
- OECD: Organisation for Economic Co-operation and Development;
- UN: United Nations.
5 Structure of this International Standard
This International Standard is structured as follows:
- Clause 6 lists some general principles reflecting those in international documents on this subject and deals with the main roles of data importers and exporters, and data controllers and processors.
- Clause 7 introduces, in general, the two main requirements for a transfer of personal health data to be legitimate in the context of this International Standard and on which the remainder of the International Standard is based; namely consent and adequacy of data protection.
- Clause 8 deals in detail with these two main general requirements, lays down all the criteria for adequacy and takes further the concept of consent.
- Clause 9 requires the data importer to have a high level data protection policy in place and explains what is meant in this International Standard by “high level”.
- Clause 10 lays down the detailed requirements for a high level policy which will ensure the criteria for adequacy of data protection are actually assured.
- Clause 11 provides detailed requirements for those aspects of a data importer's policy which relate to the administrative and technical means for ensuring security of data processing.
- Clause 12 deals with personal health data in non-electronic forms.
6 General principles and roles
6.1 General principles
- Participants shall protect the fundamental rights and freedoms of natural persons regarding their rights to privacy with respect to the processing of personal health data.
- The responsibilities and accountability of participants shall be explicit and transparent to data subjects.
- Consistent with maintaining security, data subjects shall be able to gain appropriate knowledge of, and be informed about, the existence and general extent of measures, practices and procedures for the security of the application involved in the processing of personal health data relating to them.
- The application and the security of the application shall respect the rights and legitimate interests of all affected parties.
- Security levels, costs, measures, practices and procedures shall be appropriate and proportionate to the value and degree of reliance on the application and the severity, probability and extent of potential harm to a data subject.
- Measures, practices and procedures for the security of an application shall be co-ordinated and integrated with each other and with other measures, practices and procedures of the participants in the application so as to create a coherent system of security.
- Participants shall act in a timely co-ordinated manner to prevent and respond to breaches of security regarding the application.
- The security measures relating to the application shall be reassessed periodically.
- The security of the application shall be compatible with the legitimate use and flow of data and information in a democratic society.
6.2 Roles
6.2.1 Data exporters and data importers
An exchange of personal health data across an international border involves a 'data exporter' responsible for
transmitting the data from one country and a 'data importer' which receives the data in another country. Each
has obligations to the other.
A 'data exporter' shall not transfer data to a 'data importer' unless the 'importer' complies with the relevant
parts of this International Standard.
A 'data importer' shall not participate in an application unless the 'data exporter' complies with the relevant
parts of this International Standard.
6.2.2 Controllers and processors
A 'data controller' has the authority to determine the purpose and means of processing whereas a 'processor'
processes the data on behalf of a controller and according to instructions from a controller (see definitions).
Each participant in an application shall be designated either as a 'controller' or as a 'processor'.
7 Legitimising data transfer
7.1 The concept of “adequate” data protection
This International Standard is based on the concept of ensuring “adequate” data protection in transferring
personal health data across national borders.
Whilst “adequate” protection includes satisfactory administrative and technical security measures for the
protection of data, it encompasses other substantial matters.
A data subject will expect that the rights he has come to expect regarding his personal health data will be
respected by any importer when such data is transferred to another country. The extent and nature of the
rights which a data subject will have come to expect will depend on the country in which he resides and its

culture. If it is known or suspected that such rights might not be respected by a data importer, the data subject
will expect to be fully informed so as to be able to consent or otherwise to a transfer proceeding. On the other
hand a data subject will, in some circumstances, expect data to be transferred even where data protection
may not be “adequate” in the terms of this International Standard e.g. where his vital interests are concerned
in a health emergency.
Data subjects will expect personal health data to be protected during the process of transfer and for a data
importer to have “adequate” safeguards in place when it is received. Those safeguards would include
administrative security and technical measures to encompass for example access controls, data integrity,
audit trails, data accuracy etc. They will also expect the importing organisation to have staff competent and
trained in the handling of personal health data. The expectation will be that the data importer will have in place
a security policy covering such matters.
Data subjects will additionally expect to know what is happening to their data, to have access to it if necessary
and to have the opportunity to address any perceived inaccuracies.
A data subject will expect to have given consent to a transfer and to have been fully informed on matters
relevant to that consent.
Finally, data subjects will expect to be able to make a complaint if the terms under which a transfer has taken
place seem to have been breached and for such a complaint to be investigated impartially and, if necessary,
by an independent body. Where the data subject suffers damage through a breach in conditions they will
expect to be able to pursue redress in a defined and fair manner.
This International Standard addresses all these matters under the umbrella of ensuring “adequate” data
protection. It details the criteria for ensuring “adequate” data protection (Clause 8) and the content of a high
level security policy which a data importer would be expected to implement to ensure that “adequacy” of data
protection was in practice assured (Clauses 9, 10 and 11).
7.2 Conditions for legitimate transfer
7.2.1 Consent as a condition of transfer
Personal health data shall not be transferred unless the data subject has unambiguously given his consent
excepting where the transfer is necessary to protect the vital interest of the data subject.
7.2.2 Conditions for transfer
Personal health data shall not be transferred to a data importer unless either the importer ensures an
adequate level of protection (see Clause 8) or one of the following conditions applies:
a) the data subject has given his consent unambiguously to the proposed transfer in the knowledge of the
inadequacies that exist (note that although 7.2.1 requires consent in all circumstances, the requirement
here is that such consent must be with the knowledge of the inadequacies that cause the participants to
resort to this condition - see also sub-clause 8.7); or
b) the transfer is necessary for the performance of a contract between the data subject and the controller or
the implementation of pre-contractual measures taken in response to the data subject's request; or
c) the transfer is necessary for the conclusion or performance of a contract concluded in the interest of the
data subject between the controller and a third party; or
d) the transfer is necessary or legally required on important public interest grounds, or for the establishment,
exercise or defence of legal claims; or
e) the transfer is necessary in order to protect the vital interests of the data subject; or
f) the transfer is made from a register which according to laws or regulations is intended to provide
information to the public and which is open to consultation either by the public in general or by any person
who can demonstrate legitimate interest, to the extent that the conditions laid down in law for consultation
are fulfilled in the particular case; or
g) where the controller adduces sufficient guarantees through appropriate contractual clauses examples of
which are given in Annexes E and F.
NOTE Sub-clause 8.4 makes it a requirement that in all cases “the application shall be governed by a contract
between the participants” but is essentially silent on the form that such a contract should take. However, where (g) above
applies, particular attention needs to be paid to the contract to ensure it covers any inadequacies in data protection which
would otherwise apply such as in matters of redress, investigation of complaints etc. It is for this reason that the examples
in Annexes E and F are given.
8 Criteria for ensuring adequate data protection with respect to the transfer of personal health data
8.1 The requirement for adequate data protection
A controller shall not transfer personal health data to a data importer unless the importer provides adequate
data protection. There are two essential elements of adequacy.
- Content principles: The adequacy of the data protection provisions in the processing of the personal
health data by the data importer and the obligations placed on those responsible for them.
- Procedural/enforcement requirements: The means for ensuring that such provisions are followed in
practice and for ensuring the rights of data subjects.
8.2 Content principles
The content principles are given in sub-clauses 8.2.1 to 8.2.6.
8.2.1 The purpose limitation, data quality and proportionality principle
In the context of the application and subject to the allowable exemptions given in sub-clause 8.2.7, personal
health data shall be
a) processed fairly and lawfully;
b) transferred for specified, explicit and legitimate purposes and not further processed in a way incompatible
with those purposes;
c) adequate, relevant and not excessive in relation to the purposes for which they are transferred and/or
further processed;
d) accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that data
which are inaccurate or incomplete, having regard to the purposes for which they were transferred or for
which they are further processed, are erased or rectified;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the
purposes for which the data were transferred or for which they are further processed. Participants may
agree to personal health data being stored for longer periods for historical, statistical or scientific use
provided such use does not impact on the data subject. However the data subject should be informed of
any such agreement.
6 © ISO 2004 – All rights reserved

8.2.2 The transparency principle
In the context of the application and subject to the exemptions in sub-clause 8.2.7 the data subject shall be
provided with the following information:
a) the identity of the data exporter and the data importer and of his representative if any;
b) the purposes of the processing for which the data is to be transferred;
c) the existence of the rights of access to, and the right to rectify, any data in the application which relates to
him;
d) liabilities, remedies and sanctions in respect to any breaches of his rights;
e) the retention period of the data particularly relating to medico-legal requirements and any policy regarding
the death of a data subject;
f) any matter which may affect his giving of consent to the transfer;
g) any other information which this International Standard specifies.
8.2.3 The rights of access, rectification and opposition principle
In the context of the application, and subject to the exemptions in sub-clause 8.2.7, the data subject shall have
the following rights:
a) to obtain without constraint at reasonable intervals and without excessive delay or expense
- confirmation as to whether or not data relating to him are being processed and information at least as
to the purposes of the processing, the categories of data concerned, and the data importers or
categories of data importer to whom the data are disclosed,
- communication to him in an intelligible form of the data undergoing processing and of any available
information as to their source;
b) as appropriate to have rights to rectification, erasure or blocking of data the processing of which does not
comply with the provisions of this International Standard, in particular because of the incomplete or
inaccurate nature of the data;
c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking
carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort;
d) to object at any time on grounds relating to his particular situation to the processing of data relating to him.
Where there is a justified objection, the processing instigated by the controller shall no longer involve
those data.
8.2.4 Restrictions on onward transfer principle
Further transfers of the personal health data by the importer of the original data transfer shall not be permitted
unless the second data importer (i.e. the importer of the onward transfer) also affords adequate protection in
accordance with sub-clause 7.2 and other relevant requirements of this International Standard.
8.2.5 The security principle
Technical and organisational security measures shall be taken by the data importer that are appropriate to the
risks presented by the processing.
8.2.6 Additional principles applying to specific circumstances
Direct marketing: The data subject shall have the right to object, on request and free of charge, to the
processing of personal data relating to him which the participants anticipate being processed for the purposes
of direct marketing, or to be informed before personal data are disclosed for the first time to third parties or
used on their behalf for the purposes of direct marketing, and to be expressly offered the right to object free of
charge to such disclosures or uses. Data subjects shall be informed of this right.
Death of the data subject: The way in which the confidentiality of personal health data is handled after the
death of a data subject varies in national legislation e.g. the UK Data Protection Act applies only to living
persons. However there are many circumstances where the health records of a dead individual could reveal
personal health data relevant to some other individual and be of detriment to them. The records may refer
explicitly to other individuals e.g. a member of the dead person’s family. If an individual dies of a condition
deriving from an inheritable genetic deficiency, his records may reveal matters relevant to his offspring.
Participants in the application shall come to an explicit agreement about what to do in circumstances of death.
That agreement may depend on the countries involved and how they treat health records e.g. any laws or
rules which may apply to the length of time health records must be retained after death. Different property
rights may also apply e.g. if a patient is the legal owner of his records then after death such records may be a
part of his estate and subject to probate. Since a patient’s permission to allow his personal health data to be
processed and passed to a third party may depend on what would happen to such data should he die,
the patient shall be informed of any arrangements made concerning the handling of such data after his death.
8.2.7 Exemptions to content principles
Participants may agree exemptions to content principles 8.2.1, 8.2.2, 8.2.3 (a), (b) and (c), where the
exemption constitutes a necessary measure to safeguard
a) national security;
b) defence;
c) public security;
d) the prevention, investigation, detection and prosecution of criminal offences, or of breaches of ethics for
regulated professions;
e) an important economic or financial interest of a participant’s country, including monetary, budgetary and
taxation matters;
f) a monitoring, inspection or regulatory function connected, even occasionally, with the exercise of official
authority in cases referred to in (c), (d) and (e);
g) the protection of the data subject or of the rights and freedoms of others.
Where participants agree to any exemption the data subject shall be informed as part of the giving of his
consent unless so doing is contrary to the law applying to the data exporter.
8.3 Procedural/enforcement mechanisms
8.3.1 General
Even if the “content principles” are built into the rules for processing, storage, transfer, etc. of personal health
data, the rights of individuals will not be assured unless the rules are followed and, if not, individuals have an
effective form of redress.
Whereas a number of international and national documents, for example from the OECD [1] [2] the Council of
Europe [3] [4] and the UN [5], agree upon the essence of the requirements concerning the rights of individuals,
the means for ensuring their effectiveness varies substantially.
In some countries the means for ensuring effectiveness are embedded in law, through Data
Protection/Privacy Commissioners (or equivalent) with monitoring and complaint investigation functions, and
through legal provisions such as liability, sanctions and remedies. The EU Member States are an example.
Many national and international guides and rules, whilst they may exhort similar rights for individuals
- may not be so comprehensive;
- may not require enshrinement in law;
- may not cover all health sectors, e.g. may cover only the public sector.
Thus to judge adequacy of data protection provided by a data importer requires assessment of the judicial and
other mechanisms in place. Such an assessment sh
...