ISO 22857:2004 provides guidance on data protection requirements to facilitate the transfer of personal health data across national borders. It does not require the harmonization of existing national standards, legislation or regulations. It is normative only in respect of international exchange of personal health data. However, it may be informative with respect to the protection of health information within national boundaries and provide assistance to national bodies involved in the development and implementation of data protection principles. The standard covers both the data protection principles that should apply to international transfers and the security policy which an organization should adopt to ensure compliance with those principles.
This International Standard aims to facilitate international health-related applications involving the transfer of personal health data. It seeks to provide the means by which data subjects, such as patients, may be assured that health data relating to them will be adequately protected when sent to, and processed in, another country.
This International Standard does not provide definitive legal advice but comprises guidance. When applying the guidance to a particular application, legal advice appropriate to that application should be sought.
National privacy and data protection requirements vary substantially and can change relatively quickly. Whereas the standard in general encompasses the more stringent of international and national requirements, it nevertheless comprises a minimum. Some countries may have some more stringent and particular requirements, and this should be checked.