Protection, availability and integrity of both company and personal data, as well as appropriate use, are vital considerations with implications for Johnson & Johnson’s ability to conduct business, build and maintain trust, and remain compliant with laws and regulations.
It is incumbent upon Johnson & Johnson to protect the privacy of those who entrust us with their personal information, and to ensure our products are secure and safe. Our employees, healthcare professionals, patients, consumers, and all those who do business with us trust and expect that we will protect information in accordance with legal requirements and our policies.
Data security is a top priority for Johnson & Johnson. We view information security as a business enabler that facilitates digital initiatives and are, therefore, making data security investments and continuously working to ensure company data—including all personal data—are appropriately protected. The Johnson & Johnson Information Security and Risk Management (ISRM) organization, led by the Company’s Chief Information Security Officer, has developed a robust program to achieve this objective, maintaining and constantly enhancing capabilities to protect company networks and data against evolving cyber threats. The program consists of an experienced team of seasoned security professionals; industry-leading policies and processes; and an array of protection, detection and response technologies and capabilities, which is periodically assessed by independent, external consulting firms to both gauge effectiveness and drive continued maturity and improvement.
The Johnson & Johnson Executive Committee, Regulatory Compliance Committee of the Board of Directors, Chief Compliance Officer and Compliance Committee and ISRM each oversee compliance of Johnson & Johnson operating companies across a wide range of topics, including Information Security and Privacy.
The Information Security team has global reach with a presence in all regions of the world, and provides ongoing security consulting to all Johnson & Johnson businesses, ensuring they are informed of program policies, procedures and requirements. These activities include mandatory annual training that underscores the importance of appropriate data handling and protection, mock phishing campaigns across the Company to raise awareness of the phishing attacks that are routinely used by threat actors, and periodic security awareness events at Johnson & Johnson sites around the globe to reinforce key cyber security protection principles with company associates.
In addition to protection of data, the security of the Company’s supply chain and connected medical devices is paramount. Product safety depends on a sound approach to security that protects not just the product, but all the components and processes that help produce it. To support this objective, the Company has taken steps to strengthen the cyber security profile of both our supply chain systems and our medical device products throughout their lifecycles. For connected medical devices, these steps have included the development of a comprehensive security framework for product development and operation. A section has been added to our Company website expressly to provide researchers and other third parties who identify security flaws in our products with a mechanism to inform us, so that we can evaluate their findings and take the necessary corrective action.
As a leader in the healthcare industry, Johnson & Johnson is also engaged with external stakeholders to raise the security level of the industry. Examples include partnering with the U.S. Food and Drug Administration on guidelines for managing medical device security and collaborating with other healthcare companies and organizations on mechanisms to improve the overall industry security posture. The Johnson & Johnson Information Security team also maintains close working relationships with peer companies, industry associations, and government agencies, both to share best practices and to collaborate on effective solutions to address the increasing threats and attack methods faced by both public- and private-sector organizations today.
It is our responsibility to protect the privacy of those who entrust us with personal information. This includes our employees, healthcare professionals, patients, consumers, and all those who do business with Johnson & Johnson. These stakeholders expect that we will protect personal information in accordance with legal requirements, and we evolve our policies and practices to continuously deliver on that expectation. While there are varying requirements relating to privacy, we use a Privacy Framework that constitutes a baseline applicable to all our operating companies that process Personal Information.
This Privacy Framework sets forth mechanisms and procedures designed to assist our Company in complying with privacy obligations. This Framework describes the basic privacy principles and organizational compliance standards. Each Johnson & Johnson operating company is responsible for complying with all applicable privacy obligations. Obligations may derive from:
- Country or local laws and regulations;
- Johnson & Johnson Corporate Policies applicable to the processing of Personal Information, such as Privacy Policies and guidance issued by the Privacy organization;
- Policies specific to a Johnson & Johnson operating company; and
- Contractual or other agreements by which a Johnson & Johnson operating company is bound, including privacy statements and consents.
The Global Privacy Team (GPT) and the ISRM teams strengthen the embedding of privacy reviews and privacy risk assessments in our organizations, reinforce a formal breach notification and escalation process, and strengthen the audit, monitoring and testing strategy. In addition, we consistently monitor the environment and update our local Privacy Policies in accordance with new requirements or changes in the law of the countries in which we operate.
Responsibilities for privacy compliance span many organizations within Johnson & Johnson, and comprise the following:
- Privacy Compliance Program Management and Guidance: Through the Chief Privacy Officer and the GPT, Johnson & Johnson Global Privacy manages a privacy compliance program and framework, and guides operating companies with respect to their compliance with privacy obligations.
- Operational Management: Operational management at each Johnson & Johnson operating company is accountable for establishing and implementing privacy compliance for that operating company’s operations.
- Resources: The GPT assists operating companies with designating privacy resources, considering their local requirements and the risk environments.
- Support: Other Johnson & Johnson organizations and departments support HCC and Privacy and the operational management teams of operating companies in complying with privacy obligations.
We continue to enhance our global privacy programs to meet or exceed new and expanding regulatory requirements for privacy and data protection around the world, such as Europe’s recent General Data Protection Regulation, new or anticipated laws in the United States, and new requirements in other parts of the globe, such as Brazil, China, Japan, Korea, Singapore, and elsewhere. In connection with these new standards and our ongoing commitment to protect the privacy of those who entrust us with their personal information, we have also strengthened the Johnson & Johnson Privacy Framework to protect against increased risk, have added privacy-focused resources in critical regions and markets, and have strengthened the privacy risk assessment reviews and updates for management, leading to a better understanding and management of the privacy risk across the Enterprise.