Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Structure of this International Standard
6 General principles and roles
   6.1 General principles
   6.2 Roles
7 Legitimising data transfer
   7.1 The concept of "adequate" data protection
   7.2 Conditions for legitimate transfer
8 Criteria for ensuring adequate data protection with
   respect to the transfer of personal health data
   8.1 The requirement for adequate data protection
   8.2 Content principles
   8.3 Procedural/enforcement mechanisms
   8.4 Contracts
   8.5 Overriding laws
   8.6 Anonymisation
   8.7 Legitimacy of Consent
9 Security policy
   9.1 General
   9.2 The purpose of the security policy
   9.3 The "level" of security policy
   9.4 High Level Security Policy: general aspects
10 High Level Security Policy: the content
   10.1 Principle One: overriding generic principle
   10.2 Principle Two: chief executive support
   10.3 Principle Three: documentation of Measures and review
   10.4 Principle Four: Data Protection Security Officer
   10.5 Principle Five: permission to process
   10.6 Principle Six: information about processing
   10.7 Principle Seven: information for the data subject
   10.8 Principle Eight: prohibition of onward data transfer
                           without consent
   10.9 Principle Nine: remedies and compensation
   10.10 Principle Ten: security of processing
   10.11 Principle Eleven: responsibilities of staff and other
         contractors
11 Rationale and Observations on Measures to support Principle
   Ten concerning security of processing
   11.1 General
   11.2 Encryption and digital signatures for transmission to
         the data importer
   11.3 Access controls and user authentication
   11.4 Audit trails
   11.5 Physical and environmental security
   11.6 Application management and network management
   11.7 Malicious software
   11.8 Breaches of security
   11.9 Business Continuity Plan
   11.10 Handling very sensitive data
   11.11 Standards
12 Personal health data in non-electronic form
Annex A (informative) Key primary international documents on
                      data protection
Annex B (informative) National documented requirements and legal
                      provisions in a range of countries
Annex C (informative) Relevant ISO and CEN Standards
Annex D (informative) Sources of advice
Annex E (informative) Exemplar contract clauses: Controller to
                      Controller
Annex F (informative) Exemplar contract clauses: Controller to
                      Processor
Annex G (informative) Handling very sensitive personal health data
Bibliography