In the previous article about ISO 13131, our Data Privacy expert Roland Schnitter explored the structure and content of this standard. He also examined how ISO 13131 interfaces with quality management system standards like ISO 13485 and ISO 27001 and discussed the potential for effort reduction through the elimination of redundancies. So, how does ISO 13131 ensure that our highly sensitive telehealth data actually remains secure?
In summary, adhering to ISO 13131:2021 offers a robust starting point for understanding the fundamental requirements necessary before processing any personal data. The standard is crafted to facilitate the establishment of an initial level of responsibility within a company and to distribute mandates in a logical and coherent manner. On a process level, ISO 13131 provides comprehensive guidance and considerations on crucial topics. By integrating these processes with essential quality and information security requirements, a sustainable and easily applicable management system can be achieved, ensuring effective data protection in telehealth services.
Data protection, also known as privacy, gained significant attention in May 2018 with the implementation of the General Data Protection Regulation (GDPR) in the EU. Since then, the world has continuously evolved in terms of the interpretation of personal data, the content of personal data, cross-border transfers, and more. This is especially relevant for telehealth services, which inherently involve the processing of personal data, including special categories of personal data. GDPR and similar regulations must be adhered to by all parties involved in the personal data processing chain, in accordance with their roles in this chain. While some might dismiss this as merely the responsibility of the data controller, I would caution that such a stance is risky—potentially costing up to 4% of your annual turnover. However, ISO 13131 can assist in integrating these aspects into your overall quality and information management system.
Key elements of personal data processing in ISO 13131
You might wonder how this works. ISO 13131 already outlines several crucial elements for personal data processing. Firstly, the standard differentiates between various types of actors involved in a detailed assessment (e.g., data subjects like patients, healthcare personnel, etc., as listed in section 3 of the standard). This is a fundamental aspect that must be controlled in personal data processing.
Service Level Agreements and data protection
Additionally, section 8 of the standard addresses the main aspects required for service level agreements between actors. When all participating parties in the processing adhere to these guidelines, a suitable contractual basis is established, protecting every entity during an investigation.
Building sustainability and reliability in data privacy
Section 11 of the standard provides further relevant parts necessary to build sustainability and reliability behind privacy needs. This includes so-called healthcare mandates, which can be translated into the legitimate basis for personal data processing. This section also offers more detailed descriptions regarding informed consent.
Patient rights and data omission
Furthermore, section 11 supports identifying where the healthcare recipient (patient) can opt out of data processing or omit parts of their personal data. This might be applicable when telehealth processing is only necessary for performance reasons in the applied healthcare process.
Confidentiality and identity of processed data
Section 14 of ISO 13131 continues with data protection considerations, focusing on the confidentiality and identity of processed data.
Following ISO 13131:2021 establishes a solid foundation for understanding and implementing basic data protection requirements, helping companies distribute responsibilities logically. Combining this standard with necessary quality and information security processes enables the creation of a sustainable and effective management system.
For more information, don’t hesitate to contact our data privacy expert Roland Schnitter via roland.schnitter@eumediq.eu!