Yang Lu
ServiceNow Employee

As an enterprise architect for US-based global life sciences customers, I’ve seen some of our leading innovative customers start to address handling of sensitive data in countries with strict data sovereignty rules. This article is a playbook to help you start your journey based on other customer strategies, solutions, and experiences.


The Playbook

  1. Come up with the use case for PHI storage
  2. Initiate a transfer impact assessment (TIA) whose scope includes the PHI, to determine the required actions
  3. Incorporate a combination of the following into the recommendation to mitigate the impact:
    1. A more robust data processing agreement (DPA) with ServiceNow
    2. Data categorization and containment
    3. Data residency/sovereignty
    4. General compliance


Transfer Impact Assessment

What It Is:

A Transfer Impact Assessment is a vital process used to evaluate the risks associated with transferring personal data from one country to another, particularly when dealing with sensitive data like PHI. While TIAs are traditionally focused on general personal data, expanding the scope to include medical information is crucial for organizations in the healthcare and life sciences sectors.

Why It's Important:

Countries like Germany and China have stringent data protection laws that require careful consideration of how sensitive data, especially medical information, is handled and transferred across borders. A comprehensive TIA ensures that the legal frameworks of the destination countries are evaluated and that adequate safeguards are in place to protect PHI.

What to Do (not ServiceNow-specific):

To address the expanded scope of TIA, organizations should:

  • Conduct thorough assessments that include medical and laboratory data.
  • Collaborate with legal and compliance teams to ensure that all regulatory requirements are met.
  • Utilize ServiceNow's built-in compliance tools to automate the monitoring of data transfers and ensure that all actions align with international regulations. Some of these capabilities are documented later.
  • Implement additional controls for regions with strict data sovereignty rules, ensuring that medical information is handled in compliance with local laws. These capabilities are documented later in this article.


Data Processing Agreement (DPA)

What It Is:

A Data Processing Agreement (DPA) is a legally binding contract between a data controller (the organization) and a data processor (a service provider like ServiceNow). The DPA outlines the rights and obligations of both parties regarding the processing of personal data, ensuring that the processor handles the data in compliance with applicable data protection laws.

Why It's Important:

For global companies, having a robust DPA is essential to ensure that all data processing activities are conducted in compliance with regulations such as GDPR. The DPA also provides clarity on the responsibilities of both parties, reducing the risk of non-compliance and legal liabilities.

How to Handle It in ServiceNow:

ServiceNow offers a standardized DPA that is designed to meet the requirements of various data protection regulations. This works well for the majority of our customers; however, some customers with a broad EMEA presence may need a bit more customization. To ensure compliance:

  • Review and Customize the DPA: Collaborate with your legal team to review the standard DPA provided by ServiceNow, making any necessary adjustments to reflect your specific data processing needs and regulatory requirements.
  • Ensure Clarity on Responsibilities: Clearly outline the roles and responsibilities of both the data controller and the processor within the DPA. This includes specifying the types of data being processed, the purpose of the processing, and the security measures in place.
  • Regularly Update the DPA: Data protection regulations are constantly evolving, so it’s important to regularly review and update the DPA to ensure ongoing compliance. ServiceNow can assist in this process by providing updates and recommendations as regulations change.


Data Categorization and Containment

What It Is:

Data categorization and containment involve organizing data based on its sensitivity and implementing measures to protect it. This includes techniques like role-based access controls, encryption, anonymization, and redaction, which are crucial for handling PHI and other sensitive information.

Why It's Important:

Properly categorizing and containing sensitive data helps prevent unauthorized access and ensures that the data is handled in compliance with regulations like GDPR and HIPAA. For global companies, this is especially important when dealing with data that crosses international borders where data may need to be anonymized or de-identified.

How to Handle It in ServiceNow:

ServiceNow provides robust tools for data containment, including:

  • Encryption: Leverage ServiceNow Vault to encrypt sensitive data at rest and in transit, ensuring that PHI and other critical information are protected. The scope can be as wide as the entire database or as narrow as a specific field. Note that all data in transit is always encrypted.
  • Anonymization and Redaction: Utilize ServiceNow Vault’s anonymization and redaction features to obscure only the sensitive information, making it difficult for unauthorized users to identify individuals. This also works in note fields like the activity stream, where SSNs and PII may be commingled with non-sensitive text.
  • De-identified Data Models: For customers using the Healthcare and Life Sciences SKU, de-identified PHI data models can be implemented to further reduce the risk of exposing sensitive information. This ensures that only non-identifiable data is stored and processed within ServiceNow.


Data Residency Requirements

What It Is:

Data residency refers to the legal requirement that certain types of data, such as PHI, must be stored within the borders of the country where it was collected. This is particularly relevant for countries like Germany and China, which have strict data sovereignty rules. Officially, ServiceNow cannot operate in China and Russia, in part due to these rules.

Why It's Important:

For global companies, complying with data residency requirements is crucial to operating in certain markets, avoiding legal penalties, and maintaining the trust of customers and regulators.

How to Handle It in ServiceNow:

ServiceNow customers can approach data residency requirements along the Review-Buy-Partner-Build spectrum:

  • Review: If your primary countries of concern are in the UK/EU (including Germany), there is a Data Privacy Framework that allows for storage and transfer of PII (not necessarily PHI) in the US. ServiceNow participates in the Data Privacy Framework (link 1, link 2). Please review with your Privacy and/or Legal teams to validate whether it is applicable to your situation.
  • Buy: ServiceNow has a data center pair in Germany. It is possible to have German and US production instances and synchronize the de-identified data as needed.
  • Partner: ServiceNow partners with ISVs like InCountry and STACKIT to offer data residency solutions that keep data within the required borders.
  • Build: For customers choosing to build their own solution, structured data can be stored in a custom full-stack cloud application hosted regionally, for example on Alicloud in China or in an Azure/AWS data center in Germany. Since the app is used purely to capture data, it will not be a complicated stack. Sensitive data is de-identified before being sent to the global ServiceNow instance, while non-sensitive information is processed normally. Attachments, instead of being stored within ServiceNow, are kept in a corporate Content Management System (CMS) like a regionalized SharePoint deployment with strict IP restrictions and VPN access. Knowledge professionals working with the data see redacted information and must use a VPN to access any sensitive details via deep links into the custom cloud application.
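To make the de-identification boundary of the Build option concrete (and the redaction of SSNs commingled in note text described under Data Categorization and Containment), here is an added Python example written for this article; it is not ServiceNow's code nor any customer's implementation. The PHI field names, the regional-only key, the record layout and the regional application URL are constructed assumptions.

```python
import hmac
import hashlib
import re

# Constructed assumptions (not ServiceNow configuration): PHI field names, the
# regional-only key and the regional application's URL.
PHI_FIELDS = {"patient_name", "date_of_birth", "national_id"}
REGIONAL_SECRET = b"regional-secret-placeholder"  # held only in the regional stack
REGIONAL_APP_BASE = "https://regional-app.example.invalid/record/"
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def pseudonym(value: str) -> str:
    """Keyed one-way token: stable enough to join on, useless without the regional key."""
    return hmac.new(REGIONAL_SECRET, value.encode(), hashlib.sha256).hexdigest()[:16]

def redact_notes(text: str) -> str:
    """Mask SSN-shaped values inside free text while keeping the non-sensitive words."""
    return SSN_RE.sub("[REDACTED-SSN]", text)

def split_record(record: dict) -> tuple:
    """Split one captured record into the in-country copy and the outbound payload
    (non-PHI fields, pseudonymised identifiers, redacted notes, deep link back)."""
    regional = dict(record)  # full record stays in the regional application
    global_payload = {}
    for key, value in record.items():
        if key in PHI_FIELDS:
            global_payload[key + "_token"] = pseudonym(str(value))
        elif key == "notes":
            global_payload[key] = redact_notes(value)
        else:
            global_payload[key] = value
    global_payload["regional_link"] = REGIONAL_APP_BASE + record["record_id"]
    return regional, global_payload

def leaks_phi(global_payload: dict, record: dict) -> bool:
    """Pre-send check: no raw PHI value or SSN pattern may survive into the payload."""
    serialised = " ".join(str(v) for v in global_payload.values())
    if SSN_RE.search(serialised):
        return True
    return any(str(record[f]) in serialised for f in PHI_FIELDS if f in record)

SAMPLE_RECORD = {  # constructed sample input, not real patient data
    "record_id": "REG0001",
    "patient_name": "Erika Mustermann",
    "date_of_birth": "1980-01-01",
    "national_id": "123-45-6789",
    "study_site": "Berlin",
    "notes": "Patient 123-45-6789 reported mild headache; site Berlin.",
}
```

Only the second element returned by `split_record` would be sent to the global instance, and only after `leaks_phi` returns False.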


General Compliance: GDPR, ISO

What It Is:

General compliance frameworks like GDPR and ISO govern how organizations should handle personal data, ensuring that it is processed, stored, and transferred in a secure and lawful manner.

Why It's Important:

Compliance with these regulations is non-negotiable for global companies, particularly in sectors like healthcare and life sciences. Non-compliance can lead to legal penalties, loss of certification, and damage to reputation.

How to Handle It in ServiceNow:

ServiceNow offers several tools and processes to help organizations comply with these regulations:

  • GDPR Compliance: ServiceNow provides workflows and automation to ensure GDPR compliance, including data subject access requests, consent management, and data breach notifications.
  • ISO Compliance: Implement ISO-aligned processes within ServiceNow to ensure that your organization meets the rigorous standards for information security management.


Conclusion

I've listed some best practices and actual customer deployments working with countries with strict data sovereignty requirements. If your business is looking to operate and capture sensitive data (like patient information) in some of these countries, please speak with your account manager to discuss next steps!

Last update: 11-13-2024 07:34 AM