Transparency, protection, availability and integrity of personal data, as well as appropriate use, are vital considerations with implications for our ability to conduct business, build and maintain trust, and remain compliant with laws and regulations. It is incumbent upon Johnson & Johnson to protect the privacy of those who entrust us with their personal information. Our employees, health care professionals, patients, consumers, and all those who do business with us trust and expect that we will protect personal information in accordance with legal requirements and our policies.
While there are varying legal requirements throughout the world relating to privacy compliance, Johnson & Johnson uses a Privacy Framework that constitutes a baseline applicable to all our operating companies that process Personal Information.
This Privacy Framework sets forth mechanisms and procedures designed to assist Johnson & Johnson companies in complying with their privacy obligations. This Framework describes the basic privacy principles and organizational compliance standards. Each Johnson & Johnson operating company is responsible for complying with all applicable privacy obligations. Obligations may derive from:
The Privacy Framework self-assessment programs and the Information Security Risk Management (ISRM) programs support the implementation of the privacy principles across the Johnson & Johnson enterprise. Entities within the Johnson & Johnson Family of Companies assess the implementation of the Privacy Framework safeguards and controls in their own organizations, and the Privacy Self-Assessment Program has supported the implementation of these measures. The company Information Security Policies, which are managed and updated regularly by ISRM, set forth global security standards. ISRM provides processes and tools to assess compliance with these policies, so that controls for the protection of personal information are in place both within internal Johnson & Johnson systems and when personal information is entrusted to third parties.
All Johnson & Johnson companies are bound by inter-affiliate data transfer agreements with respect to the personal data they collect and process, and are therefore required to comply with the data privacy and security standards when data are transferred within the group. Similar guarantees are in place with vendors who collect and process personal data on behalf of Johnson & Johnson operating companies. The data transfer agreements meet the strict standards of, among others, the European Standard Clauses.
Privacy complaints are investigated, addressed and monitored by the operating companies involved, with the support of the Privacy organization in collaboration with IT Risk Management and the Law Department. Both the Global Privacy and the ISRM teams oversee privacy and security incidents and breaches, and recommend remediation where necessary or appropriate. Significant issues must be reported to executive management in conformance with the Johnson & Johnson Escalation Procedure.
Because of various legislative updates to privacy laws and the introduction of the General Data Protection Regulation in Europe, the Global Privacy Compliance Framework is being updated to reflect these new requirements.
The Global Privacy Team (GPT) and ISRM teams are further strengthening the embedding of privacy reviews and privacy risk assessments in our organizations, reinforcing a formal breach notification and escalation process, strengthening the audit, monitoring and testing strategy, reinforcing the formal training requirements, and ensuring that the vendor selection and contracting process addresses both privacy and security requirements.
In addition, we continuously monitor the regulatory environment and update our local Privacy Policies in accordance with new requirements or changes in the laws of the countries in which we operate.
Overview of Privacy & Personal Data Protection
Responsibilities for privacy compliance span many organizations within Johnson & Johnson and comprise the following:
Policies and Procedures
Policies and procedures for the processing of Personal Information are established as follows: