scope:

This International Standard provides guidance on data protection requirements to facilitate the transfer of personal health data across national or jurisdictional borders. It does not require the harmonisation of existing national or jurisdictional standards, legislation or regulations. It is normative only in respect of international or trans-jurisdictional exchange of personal health data. However it may be informative with respect to the protection of health information within national/jurisdictional boundaries and provide assistance to national or jurisdictional bodies involved in the development and implementation of data protection principles. The International Standard covers both the data protection principles that should apply to international or transjurisdictional transfers and the security policy which an organisation should adopt to ensure compliance with those principles. Where a multilateral treaty between a number of countries has been agreed (e.g. the EU Data Protection Directive), the terms of that treaty will take precedence. This International Standard aims to facilitate international and trans-jurisdictional health-related applications involving the transfer of personal health data. It seeks to provide the means by which data subjects, such as patients, may be assured that health data relating to them will be adequately protected when sent to, and processed in, another country/jurisdiction. This International Standard does not provide definitive legal advice but comprises guidance. When applying the guidance to a particular application legal advice appropriate to that application should be sought. National privacy and data protection requirements vary substantially and can change relatively quickly. Whereas this International Standard in general encompasses the more stringent of international and national requirements it nevertheless comprises a minimum. Some countries/jurisdictions may have some more stringent and particular requirements and this should be checked.