A NEN 7510 certificate provides evidence that patient or client data are handled carefully and responsibly. Not only for your own organization, but also towards its stakeholders. In order to become certified for NEN 7510, the requirements of the standard must be met. But does the NEN 7510 standard apply to all organizations? The standard obviously applies to care institutions, but what about other organizations? We will try to answer this question in this blog.
Clusters NEN 7510
The Board of Accreditation has drawn up a protocol for the certification of Information Security Management Systems in the care sector, known as NEN 7510. This protocol distinguishes two clusters:
- Z-cluster: Care institutions
- B-cluster: Owners of personal care information that are not care institutions.
In this document, additional measures are set out in accordance with the scope of the ISMS and the Statement of Applicability. Owners of personal care information are required to demonstrate an interface with a care institution. When this is not the case, the certificate cannot be issued. Yet there is some lack of clarity about what that exactly means.
Having an interface is defined as follows:
Ownership of personal health information in which this information is used for a care institution.
It has been explicitly added that when an organization only delivers software but does not itself perform ownership measures, there is no interface.
"Ownership" is defined by the AVG as "processing". Even when personal care information is only "stored", there is an interface. Whether an interface exists therefore partly depends on whether the information is personal care information or not.
Personal health information
This concerns information about a person that relates to the physical or mental condition of the person in question, or to the provision of health care services to that person. The following can also be included:
- Information about the person's registration for the provision of care services;
- Information about payments for, or eligibility for, personal care;
- A number, symbol or particular assigned to a person as a unique identification of that person for medical purposes;
- All information about the person that is gathered while providing care services to the person;
- Information derived from a test or examination of a body part or bodily substance; and
- Identification of a person (for instance a care professional) as a provider of care to the person.
Personal health care information does not include anonymized information, either on its own or combined with other information available to the holder. Anonymized means that the identity of the person the information concerns cannot be established on the basis of that information.
When do you qualify for a NEN 7510 certification?
Would you like to know whether a NEN 7510 certification suits your organization? We have indicated below which aspects must be met.
- There is a demonstrable interface with a care institution, as described above.
- The scope clarifies which activities, products and services relate to the ownership of personal care information, and which of these are outsourced.
- The Statement of Applicability must indicate which ownership measures apply to the outsourced activities, products and services that relate to the ownership of personal care information.
In addition, compliance with laws and regulations will be emphasised more strongly: the organization not only needs a clear view of the laws and regulations that apply to the organization itself, but also of those that apply to its customers, insofar as this is relevant to the activities performed for those customers. The reason for this is that the organization can then take the customers' context into account when offering its service or product.
We hope this information has provided more clarity with regard to the question: "When does my organization qualify for a NEN 7510 certificate?"
Would you like more information, or do you have questions? Please contact us via +31 (0)73 220 2020 or firstname.lastname@example.org.
13 January 2021