MSD has implemented a comprehensive global privacy program that promotes accountable privacy and data protection practices across our business and with our collaborative partners and suppliers.
In 4Q 2013, our program was certified under the Asia Pacific Economic Cooperation Cross-Border Privacy Rules System. MSD is the first healthcare company in the world to achieve this certification. Our program is designed to assure that four core privacy values are embedded into the way we conduct our business, without regard to how our business, technology or other external factors may change.
Our global privacy program is structured around a system of five core elements consistent with recognized standards for implementing an accountable privacy program. While the principle of accountability was first recognized in the Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (the “Guidelines”) issued in 1980 by the Organisation for Economic Co-operation and Development (OECD), the essential elements for an accountable privacy program were first expressed in 2009 by the Accountability Project, an initiative led by the Centre for Information Policy Leadership, with participation from privacy regulators, data protection authorities, business and academia. MSD established its system in 2010 and joined the Accountability Project in 2011.
In 2013, the OECD published its first revision to the Guidelines since 1980. The revised Guidelines set forth a new standard for implementing accountability through privacy management programs. Our global privacy program is consistent with the standards of the revised Guidelines. Our program is modeled for continuous improvement, based on changes within our business and in the external environment that affect inherent privacy risks and the effectiveness of our privacy controls. The five core elements are:
- Promote and maintain a corporate culture that respects privacy and protects information about people
- Communicate timely information about updates to privacy laws, regulations, rules, guidelines and policy issues
Policies & Standards
- Implement privacy and data-protection policies and standards that set forth operational principles and procedures, governance, accountability, incident handling and individual redress
- Implement a privacy-training curriculum designed to support the core elements of “Awareness” and “Policies & Standards,” and to provide functional knowledge aligned to roles and responsibilities
Demonstrate the effectiveness of our program by:
- Prospectively building and documenting appropriate privacy and data-protection requirements into MSD processes and systems that will be maintained throughout process and system life cycles
- Periodically verifying privacy and data protection compliance through audits, assessments and investigations
- Reporting to government authorities as required by law
- Management acknowledgement and responsibility for ensuring that requirements are addressed
- Define baseline and target metrics to determine the effectiveness, maturity and risks associated with the privacy program
- Collect and analyze data for each metric and evaluate program effectiveness, maturity and risks, and areas for enhancement, improvement and risk mitigation
Consistent with our privacy values, we continue to believe that trust is core to our privacy mission. We define Privacy TRUST as supporting each of the operational privacy and data protection principles to which we adhere:
T—Transparency: Being clear about how personal information is collected, used and disclosed (supports our privacy principle of Notice)
R—Respecting Choices: Such as whether or not people want to participate in our programs (supports our privacy principle of Choice)
U—Understanding Perspectives: Including that people have different levels of concerns about their privacy based on cultural perspectives and personal experiences (supports our privacy principle of Necessity)
S—Security: Protecting personal information from loss, misuse, unauthorized access, disclosure, alteration or destruction (supports our privacy principles of Data Integrity, Security and Data Transfer)
T—Treating our stakeholders in a manner consistent with the company’s values (supports our privacy principles of Access, Correction, Enforcement and Dispute Resolution)
Global Cross-Border Data Flows
As a U.S.-based corporation, we have relied on the Safe Harbor Framework for transfers of personal data from the European Economic Area (“EEA”) to the United States (the “Safe Harbor”) as a primary mechanism for facilitating cross-border data flow originating from European countries. We also have utilized the Safe Harbor principles to support the development of our comprehensive privacy program, including incorporation of Safe Harbor standards for movement of personal data to and from other countries.
MSD was one of the first pharmaceutical companies to certify its adherence to the Safe Harbor Framework. We first certified in November 2001. U.S. organizations that certify to the U.S.-EU Safe Harbor are recognized as providing adequate protection for personal data transferred from the EEA, and organizations that certify to the U.S.-Swiss Safe Harbor are recognized as providing adequate protection for personal data transferred from Switzerland. Our Safe Harbor certification applies to transfers of personal information about a broad range of stakeholders from the EEA and, since 2009, from Switzerland, including employees, customers, patients, clinical investigators, healthcare professionals and others. We have reaffirmed our adherence to the Safe Harbor annually since 2001.
In 2013, MSD became the first healthcare company in the world, and the second multinational company, to be certified under the new Asia-Pacific Economic Cooperation Cross-Border Privacy Rules System (APEC CBPR). The APEC CBPR system provides a framework for organizations to ensure protection of personal information transferred among participating APEC economies. Achievement of APEC certification demonstrates to our customers, patients and other stakeholders our strong commitment to accountable, values-based privacy and data protection practices in every region of the world in which we operate.
Privacy Risk & Effectiveness
Consistent with our commitments to accountability and continuous improvement of our program, in 2011 we developed a quantitative approach to consistently evaluate privacy risk and determine the impact of control effectiveness on privacy risks across our operations. We continue to apply this approach to new activities and initiatives to provide consistent guidance on required privacy standards and controls. In connection with our annual privacy compliance review, we also evaluated global and country operations, and we utilized this quantitative approach to determine opportunities for improvement in specific areas and across our program.
Transparency & Privacy
We aspire to be a leader in privacy transparency practices. We aim to achieve this by explaining our privacy practices in ways that enable our stakeholders to make meaningful choices about how we collect, use and disclose personal information about them.
Since 2007, we have developed and published standardized comprehensive privacy notices for major categories of stakeholders about whom we collect, use and disclose personal information across our business. We adopted a format first proposed in 2007 for the U.S. financial services industry.[1] This standard format uses a tabular approach to categorize the information provided in the notices in order to make them easier to understand, and easier for people who interact with us in multiple ways to compare our practices. All of our standardized comprehensive notices, available in multiple languages, are published online.
[1] The proposed Model Privacy Notice was included in the Interagency Proposal for Model Privacy Form under the Gramm-Leach-Bliley Act, 72 FR 14940 (March 29, 2007).