Protection, availability and integrity of both company and personal data, as well as appropriate use, are vital considerations with implications for Johnson & Johnson’s ability to conduct business, build and maintain trust, and remain compliant with laws and regulations.
It is incumbent upon Johnson & Johnson to protect the privacy of those who entrust us with their personal information and ensure our products are secure and safe. Our employees, healthcare professionals, patients, consumers, and all those who do business with us trust and expect that we will protect information in accordance with legal requirements and our policies.
Data security is a top priority for Johnson & Johnson. We view information security as a business enabler that facilitates digital initiatives and are, therefore, making data security investments and continuously working to ensure company data—including all personal data—are appropriately protected. The Johnson & Johnson Information Security and Risk Management (ISRM) organization, led by the Company’s Chief Information Security Officer, has developed a robust program to achieve this objective, maintaining and constantly enhancing capabilities to protect company networks and data against evolving cyber threats. The program consists of an experienced team of seasoned security professionals; industry-leading policies and processes; and an array of protection, detection and response technologies and capabilities. The program is periodically assessed by independent, external consulting firms to both gauge effectiveness and drive continued maturity and improvement.
The Information Security team has global reach with a presence in all regions of the world, and provides ongoing security consulting to all Johnson & Johnson businesses, ensuring they are informed of program policies, procedures and requirements. These activities include cyber-education and awareness for employees, including mandatory annual training that underscores the importance of appropriate data handling and protection.
In addition to protection of data, the security of the Company’s supply chain and connected medical devices is paramount. Product safety depends on a sound approach to security that protects not just the product, but all the components and processes that help produce it. To support this objective, the Company has taken steps to increase the cyber security profile of both our supply chain systems and our medical device products throughout their lifecycle. For connected medical devices, these steps have included the development of a comprehensive security framework for product development and operation. A section has been added on our Company website expressly to provide researchers, or other third parties, who identify security flaws in our products with a mechanism to inform us, so we can evaluate their findings and take necessary corrective action.
As a leader in the healthcare industry, Johnson & Johnson is also engaged with external stakeholders to raise the security level of the industry. Examples include partnering with the U.S. Food and Drug Administration on guidelines for managing medical device security, and collaborating with other healthcare companies and organizations on mechanisms to improve the overall industry security posture. The Johnson & Johnson Information Security team also maintains close working relationships with peer companies, industry associations, and government agencies both to share best practices and to collaborate on effective solutions to address the increasing threats and attack methods faced by both public- and private-sector organizations today.
The Johnson & Johnson Executive Committee, Regulatory, Compliance & Government Affairs Committee of the Board of Directors, Chief Compliance Officer and Compliance Committee, and ISRM each oversee compliance of Johnson & Johnson operating companies across a wide range of topics, including Information Security and Privacy.
It is our responsibility to protect the privacy of those who entrust us with personal information. This includes our employees, healthcare professionals, patients, consumers, and all those who do business with Johnson & Johnson. These stakeholders expect that we will protect personal information in accordance with legal requirements, and we evolve our policies and practices to continuously deliver on that expectation. While there are varying requirements relating to privacy, we use a Privacy Framework that constitutes a baseline applicable to all our operating companies that process Personal Information.
This Privacy Framework sets forth mechanisms and procedures designed to assist our Company in complying with privacy obligations. This Framework describes the basic privacy principles and organizational compliance standards. Each Johnson & Johnson operating company is responsible for complying with all applicable privacy obligations. Obligations may derive from:
- Country or local laws and regulations;
- Johnson & Johnson Corporate policies applicable to the processing of Personal Information such as Privacy Policies and guidance issued by the Privacy organization;
- Policies specific to a Johnson & Johnson operating company; and
- Contractual or other agreements by which a Johnson & Johnson operating company is bound, including privacy statements and consents.
The Global Privacy Team (GPT) and ISRM teams strengthen the embedding of privacy reviews and privacy risk assessments in our organizations, reinforce a formal breach notification and escalation process, and strengthen the audit, monitoring and testing strategy. In addition, we consistently monitor the environment and update our local Privacy Policies in accordance with new requirements or changes in the law of the countries in which we operate.
Responsibilities for privacy compliance span many organizations within Johnson & Johnson and comprise the following:
- Privacy Compliance Program Management and Guidance: Through the Chief Privacy Officer and the GPT, Johnson & Johnson Health Care Compliance & Privacy (HCC&P) manages a privacy compliance program and framework, and guides operating companies with respect to their compliance with privacy obligations.
- Operational Management: Operational management at each Johnson & Johnson operating company is accountable for establishing and implementing privacy compliance for that operating company’s operations.
- Resources: The GPT assists operating companies with designating privacy resources, considering their local requirements and the risk environments.
- Support: Other Johnson & Johnson organizations and departments support HCC&P and the operational management teams of operating companies in complying with privacy obligations.
We have continued to work on our programs to meet new regulatory requirements for privacy around the world. In Europe in particular, in accordance with Europe’s General Data Protection Regulation, we have strengthened the Johnson & Johnson Privacy Framework to protect against increased risk, and we continue to maintain trust among our stakeholders. Through robust planning and governance structure, the program works with senior leaders, business partners and process owners across the enterprise to make sure that appropriate levels of privacy are embedded in all our business processes – from training through implementation. Some of these enhancements will have global application, including our global privacy incident and breach notification process, the renewed data privacy impact assessment, and the third-party business partner risk assessment, all of which have been prepared for roll-out in 2018.
In 2017, important work was done to prepare for the digital assets updates we are planning for 2018, addressing new notice, consent and other data subject requirements. In addition, we announced the appointment of our European Data Protection Officer (DPO), who will assume this role at a group and cross-sector level supported by a DPO team. A similar role was created in the Philippines, as per the local requirements. We also continued our efforts to strengthen the privacy risk assessment reviews and updates for management, leading to a better understanding of the privacy risk at enterprise level.