2016 Health for Humanity Report
Data Protection & Privacy

Transparency, protection, availability and integrity of personal data, as well as appropriate use, are vital considerations with implications for our ability to conduct business, build and maintain trust, and remain compliant with laws and regulations. It is incumbent upon Johnson & Johnson to protect the privacy of those who entrust us with their personal information. Our employees, health care professionals, patients, consumers, and all those who do business with us trust and expect that we will protect personal information in accordance with legal requirements and our policies.

While there are varying legal requirements throughout the world relating to privacy compliance, Johnson & Johnson uses a Privacy Framework that constitutes a baseline applicable to all our operating companies that process Personal Information.

This Privacy Framework sets forth mechanisms and procedures designed to assist Johnson & Johnson companies in complying with their privacy obligations. This Framework describes the basic privacy principles and organizational compliance standards. Each Johnson & Johnson operating company is responsible for complying with all applicable privacy obligations. Obligations may derive from:

  • Country or local laws and regulations;
  • Johnson & Johnson Corporate policies applicable to the processing of Personal Information, such as Privacy Policies and guidance issued by the Privacy organization in collaboration with the Law Department, Information Security Policies for the protection of information, and the Records & Information Management (RIM) Policy and Standards for preservation of data;
  • Policies specific to a Johnson & Johnson operating company; and
  • Contractual or other agreements by which a Johnson & Johnson operating company is bound, including privacy statements and consents.

The Privacy Framework self-assessment programs and the Information Security Risk Management (ISRM) programs support the implementation of the privacy principles in Johnson & Johnson across the enterprise. Entities within the Johnson & Johnson Family of Companies assess the implementation of the Privacy Framework safeguards and controls in their organizations. The Privacy Self-Assessment Program has supported the implementation of these measures. The company Information Security Policies, which are managed and updated regularly by ISRM, set forth global security standards. ISRM provides processes and tools to identify compliance with these policies in support of having controls in place for the protection of personal information, both within internal Johnson & Johnson systems and when entrusted to third parties.

All our Johnson & Johnson companies are bound by inter-affiliate data transfer agreements with respect to personal data collected and processed, and are therefore required to comply with the data privacy and security standards when data are being transferred within the group. Similar guarantees are in place with our vendors who collect and process personal data on behalf of Johnson & Johnson operating companies. The data transfer agreements meet the strict standards of, among others, the European Standard Clauses.

Privacy complaints are investigated, addressed and monitored by the operating companies involved with the support of the Privacy organization in collaboration with IT Risk Management and the Law Department. Both the Global Privacy and the ISRM teams oversee privacy and security incidents and breaches, and recommend remediation where necessary or appropriate. Significant issues are required to be reported to executive management in conformance with the Johnson & Johnson Escalation Procedure.

Because of various legislative updates to privacy laws and the introduction of the General Data Protection Regulation in Europe, the Global Privacy Compliance Framework is being updated to reflect these new requirements.

The Global Privacy Team (GPT) and ISRM teams are further strengthening the embedding of privacy reviews and privacy risk assessments in our organizations, reinforcing a formal breach notification and escalation process, strengthening the audit, monitoring and testing strategy, reinforcing the formal training requirements, and ensuring the vendor selection and contracting process addresses both privacy and security requirements.

In addition, we consistently monitor the environment and update our local Privacy Policies in accordance with new requirements or changes in the law of the countries in which we operate.

Overview of Privacy & Personal Data Protection

Responsibilities for privacy compliance span many organizations within Johnson & Johnson and comprise the following:

  • Oversight: The Johnson & Johnson Executive Committee, the Regulatory, Compliance & Government Affairs Committee of the Board of Directors, the Chief Compliance Officer and the Compliance Committee each oversee compliance of Johnson & Johnson operating companies across a wide range of topics, including Privacy.
  • Privacy Compliance Program Management and Guidance: Through the Chief Privacy Officer and the GPT, Johnson & Johnson Health Care Compliance & Privacy (HCC&P) manages a privacy compliance program and framework and guides operating companies with respect to their compliance with privacy obligations.
  • Operational Management: Operational management at each Johnson & Johnson operating company is accountable for establishing and implementing privacy compliance for that operating company’s operations.
  • Resources: The GPT assists operating companies with designating privacy resources, taking into account their local requirements and risk environments.
  • Support: Other Johnson & Johnson organizations and departments support HCC&P and the operational management teams of operating companies in complying with privacy obligations.

Policies and Procedures

Policies and procedures for the processing of Personal Information are established as follows:

  • Policies on Privacy: In close collaboration with the Law Department, HCC&P establishes Privacy Policies and supporting procedures, guides, and tools (including, for example, privacy assessment tools, and template notices, consents, and contractual provisions), which each Johnson & Johnson operating company is required to implement considering its own business activities, Personal Information collection and processing activities, and risk.
  • Other Johnson & Johnson Corporate Policies: The ISRM organization has established and periodically reviews and updates both Information Security Policies and RIM Policies and Standards. The Information Security Policies provide a robust set of requirements for the protection of information assets, including Personal Information, supporting compliance with legal and regulatory obligations while also addressing evolving cyber threats. Each Johnson & Johnson operating company is required to comply with these policies when transmitting, storing or processing Personal Information.
  • Additional Local Policies: Johnson & Johnson operating companies may establish additional policies, standards, procedures, guides, or tools to address their own specific Privacy requirements.
  • Because of various legislative updates to privacy laws and the introduction of the General Data Protection Regulation in Europe, the Global Privacy Compliance Framework is being updated to reflect these new requirements.
  • The GPT and ISRM teams are further strengthening the embedding of privacy reviews and privacy risk assessments in our organizations, reinforcing a formal breach notification and escalation process, strengthening the audit, monitoring and testing strategy, reinforcing the formal training requirements, and ensuring the vendor selection and contracting process addresses both privacy and security requirements.
  • In addition, we are constantly working on updating our local Privacy Policies in accordance with new requirements or changes in the law of the countries in which we operate.