BS ISO 22857:2013

Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Structure of this International Standard
6 General principles and roles
7 Legitimising data transfer
8 Criteria for ensuring adequate data protection
   with respect to the transfer of personal
   health data
9 Security policy
10 High Level Security Policy: the content
11 Rationale and Observations on Measures to support
   Principle Ten concerning security of processing
12 Personal health data in non-electronic form
Annex A (informative) - Key primary international
        documents on data protection
Annex B (informative) - National documented
        requirements and legal provisions in a
        range of countries
Annex C (informative) - Exemplar contract clauses:
        Controller to controller
Annex D (informative) - Exemplar contract clauses:
        Controller to processor
Annex E (informative) - Handling very sensitive
        personal health data
Bibliography

Specifies guidance on data protection requirements to facilitate the transfer of personal health data across national or jurisdictional borders.

This International Standard provides guidance on data protection requirements to facilitate the transfer of personal health data across national or jurisdictional borders.

It does not require the harmonization of existing national or jurisdictional standards, legislation or regulations. It is normative only in respect of international or trans-jurisdictional exchange of personal health data. However it can be informative with respect to the protection of health information within national/jurisdictional boundaries and provide assistance to national or jurisdictional bodies involved in the development and implementation of data protection principles.

This International Standard covers both the data protection principles that apply to international or trans-jurisdictional transfers and the security policy which an organization adopts to ensure compliance with those principles.

Where a multilateral treaty between a number of countries has been agreed (e.g. the EU Data Protection Directive), the terms of that treaty will take precedence.

This International Standard aims to facilitate international and trans-jurisdictional health-related applications involving the transfer of personal health data. It seeks to provide the means by which health data relating to data subjects, such as patients, will be adequately protected when sent to, and processed in, another country/jurisdiction.

This International Standard does not provide definitive legal advice but comprises guidance. When applying the guidance to a particular application, legal advice appropriate to that application can be sought.

National privacy and data protection requirements vary substantially and can change relatively quickly. Whereas this International Standard in general encompasses the more stringent of international and national requirements it nevertheless comprises a minimum. Some countries/jurisdictions may have some more stringent and particular requirements.