1、 Reference number ISO/TS 14265:2011(E) ISO 2011TECHNICAL SPECIFICATION ISO/TS 14265 First edition 2011-11-01 Health informatics Classification of purposes for processing personal health information Informatique de sant Classification des besoins pour le traitement des informations de sant personnell
2、es ISO/TS 14265:2011(E) COPYRIGHT PROTECTED DOCUMENT ISO 2011 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from eit
3、her ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ii ISO 2011 All rights reservedISO/TS 14265:2011(E) I
4、SO 2011 All rights reserved iiiContents Page Foreword iv 0 Introduction v 0.1 Rationale v 0.2 Background v 0.3 Context for defining data purposes vi 1 Scope 1 2 Terms and definitions . 2 3 Abbreviated terms . 4 4 Conformance . 4 5 Context . 4 6 Terminology for classifying purposes for processing per
5、sonal health information 5 Annex A (informative) Examples . 7 Bibliography 13 ISO/TS 14265:2011(E) iv ISO 2011 All rights reservedForeword ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing Intern
6、ational Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with
7、 ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of technical
8、 committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote. In other circumstances
9、, particularly when there is an urgent market requirement for such documents, a technical committee may decide to publish other types of normative document: an ISO Publicly Available Specification (ISO/PAS) represents an agreement between technical experts in an ISO working group and is accepted for
10、 publication if it is approved by more than 50 % of the members of the parent committee casting a vote; an ISO Technical Specification (ISO/TS) represents an agreement between the members of a technical committee and is accepted for publication if it is approved by 2/3 of the members of the committe
11、e casting a vote. An ISO/PAS or ISO/TS is reviewed after three years in order to decide whether it will be confirmed for a further three years, revised to become an International Standard, or withdrawn. If the ISO/PAS or ISO/TS is confirmed, it is reviewed again after a further three years, at which
12、 time it must either be transformed into an International Standard or be withdrawn. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. ISO/TS 14265 was
13、prepared by Technical Committee ISO/TC 215, Health informatics. ISO/TS 14265:2011(E) ISO 2011 All rights reserved v0 Introduction 0.1 Rationale A fundamental principle underlying the use of personal health data is that it is essential to know the purposes for which data was originally collected and
14、that all subsequent processing activities be the same as, or consistent with, the original purpose. This principle, when applied in conjunction with a standardized list of purposes, forms the foundation for a correspondence of permitted purpose between different users, systems, organizations or poli
15、cy domains who might need to share personal health information. Interoperability standards, and their progressive adoption by e-health programmes, are expanding the capacity for organizations to exchange health data. For this to occur on a wide scale, the majority of decisions regarding requests for
16、 health data will need to take place automatically. In order that data processing activities (collection, storage, access, analysis, linkage, communication, disclosure and retention) are appropriate, it is important that policies are defined in fully computable ways that are themselves interoperable
17、. Interoperable policies will enable requests between heterogeneous systems and services to be evaluated consistently. In order for automatic processing policies to be defined and operationalized, it is important that governance structures, processes and rules are applied to the design of informatio
18、n and information technology at an enterprise or inter-enterprise level through a number of administrative mechanisms. These mechanisms include enterprise architecture/frameworks, standards, strategy, procedures, laws, regulations, principles and policy, and include operational controls such as comm
19、ittees, budgets, plans, and responsibility agreements (e.g. information sharing agreements, service level agreements and contracts). It is recognized that not all disclosures will take place automatically, and that individual (human) decisions will at times be made, taking policies and governance ar
20、rangements into account. For ethical and legal reasons, it is normally the case that information is used only for the purpose for which it was collected or created. This purpose can be specified explicitly and consented to. Consent to use data for a particular purpose can also be implied, although i
21、t is almost always a requirement that the purposes be declared. Where data are intended for further and different purposes, a new purpose can require a new consent. For example, in some jurisdictions, data collected for health care cannot automatically be used for research, nor information collected
22、 for research used for care, without obtaining new consent. Knowing the purpose for which access to information is intended is essential in order to determine if access to data for processing activities are appropriate. Increasingly, this problem has become not only one of determining that a user ha
23、s permission to access particular items of information but also that the user has permission to use them for a specified purpose. It is therefore essential to ensure that the context within which access and use is asserted is the correct one. Purpose (or use, purpose of use, or context of use) when
24、clearly defined, helps to ensure that access to protected information items is granted to properly authorized users under a specific, appropriate and unambiguous policy. The explicit declaration of intended purpose prior to being granted access also helps to ensure that users understand that such ac
25、cess does not imply that use is also permitted for other undeclared, inconsistent purposes. Purpose of use helps bring clarity to situations where there are multiple and potentially conflicting contextually sensitive policies for identical users access to identical information items. 0.2 Background
26、ISO/TS 22600-1 defines a generic architectural approach for policy services, and a generic framework for defining policies in a formal way. However, like any generic architecture, a structural framework to support policy interoperability has to be instantiated for use. A policy domain needs also to
27、specify which information properties they wish to take into account when making processing decisions. They need to specify a high level policy model containing those properties, to which all instances of that kind of policy must conform. ISO/TS 14265:2011(E) vi ISO 2011 All rights reservedISO/TS 136
28、06-4 defines such a policy model for requesting and providing electronic health record (EHR) extracts i.e. for one particular use case. Even if two or more parties share a common policy model, this is not sufficient to support policy bridging (automated inter-policy negotiation): the terms used for
29、each property within the shared policy model need to be mutually understood between requesters and providers of health information. In other words, the properties and terms used in the request (collection) policy need to have a computable correspondence with the terms and policies of the recipients
30、disclosure policy in order for an automated access decision to be made. Historically, data uses have been categorized as Primary and Secondary. Because these are relative terms, they only have meaning when one knows the perspective of the user. This then has the further problem of giving the impress
31、ion that some purposes are more important than others when it could be argued that the secondary use of health information for the benefit of society is an important purpose. It is therefore proposed that those terms be replaced with explicit and neutral but informative labels. Data collected for in
32、clusion in an EHR is initially collected for the purpose of care, although it may be subsequently used for other purposes. Explicitly stating those uses rather than using a generic label such as “secondary use” will improve communications, transparency and support appropriate use of data. This Techn
33、ical Specification is intended to be a semantic complement to ISO/TS 22600-1 and ISO/TS 13606-4, which both provide formal architectural and modelled representations of policies, but do not themselves include a vocabulary for purpose. However, it is not a requirement for a jurisdiction to adopt eith
34、er of these two specifications in order to use this classification of purposes. There are other standards that define interoperability vocabularies which might also be used to instantiate parts of a policy. ISO/TS 13606-4 defines a standard vocabulary for the sensitivity of EHR data, and for functio
35、nal roles. ISO/TS 21298 defines a vocabulary for structural roles (and replicates the ISO/TS 13606-4 vocabulary for functional roles). ISO 10181-3 provides the definition of access control information (ACI) essential for defining access control policy. 0.3 Context for defining data purposes Defining
36、 data purposes is the critical first step in subsequent activities of data collection and various kinds of processing. Only once the intended purpose of data is known is it possible to assess if access to data or other processing activities are appropriate, for example: what is appropriate to collec
37、t, how it should be used, to whom it should be disclosed, and for how long it should be retained. When making an access decision, authorization is a separate axis from purpose, and as such is not included in this classification. Authorization for collection, use or disclosure will be different in di
38、fferent jurisdictions, countries or situations, and will depend upon the environment within which the data are used. Authorization can be obtained in a number of ways, e.g. by consent, by law, by policy. In any given environment, different uses can require different authority. For example, the use o
39、f data for research might require explicit consent of the individual, but use of data for the persons direct care might rely upon implied consent. For data to be used in an investigation, legal authority and proof of a subpoena to force its disclosure and permit its collection might be required. Aut
40、hority is an additional control over data collection or disclosure so that it can be made available for use (to collect, use or disclose data without sufficient or appropriate authorization might create legal risks or other risks for the user). When first collected or created, data have some purpose
41、s which ought to be defined and explicitly stated, unless there are well recognized grounds for regarding the intended purposes as transparent within the context of capture, and if the data subject is expected to be adequately aware of this (i.e. if there is implied informed consent based on what th
42、e data subject knows or should have known). Later, when the data are requested for use within an organization or team, or disclosed for use by external parties, the requester might ISO/TS 14265:2011(E) ISO 2011 All rights reserved viiintend a different purpose. In jurisdictions where a new or additi
43、onal purpose is permitted (in other words, where a new purpose is assigned to data after its collection), it might be necessary to compare the new purpose with the original authorized purpose, in order to decide if the new purpose is permitted. In jurisdictions where it is permitted to use data coll
44、ected for one purpose for a new purpose, before any access is granted it might be necessary to compare the two purposes (the original consented or otherwise authorized purpose and the new intended purpose for which the access or disclosure is made) in order to decide if the new use is permitted. Aft
45、er accessing data intended for some purpose related to use or disclosure, that purpose might need to be recorded in an audit trail. This is the case even if the access is supported by law: there ought still to be a purpose that is declared and documented. A justifiable purpose ought to exist on the
46、part of those who seek to collect data. In some circumstances, as is the case in some investigations, the requestor might have the authority to demand information without providing a purpose. Collection of data, whether directly from the individual or indirectly from another body, ought to limit dat
47、a collected to that which is required to satisfy a justifiable need on the part of the collecting organization (“collection limitation”). Justification of a need forms part of the governance and high level policy setting of an organization or jurisdiction. Defined purpose also indicates the context
48、for the collection of informed consent. Informed consent is a mechanism whereby a person is able to control the collection, use and/or disclosure of their data; it is important that the consent mechanism allows the data subject to make a free and informed choice. The reference to “knowledge” in the
49、phrase “knowledge and consent” refers to the data subjects right to know about the uses to which the data will be put after they are collected. In some cases, such as when data are sought for purposes under law, once disclosed, the data are then subject to the permitted uses of the recipient, e.g. in a legal investigation. What matters when data are disclosed as required or permitted by law, or permitted by agreement, is the legal authority of the body disclosing the data. However, it might also be necessary that data be disclosed only for a
