In all that we do, we strive to be good data stewards to balance our data needs with our responsibilities to the people and communities we serve.
Data about people—whether our employees, patients, physicians, veterinarians and other health professionals, customers, business partners, or other stakeholders—is essential to fulfilling our corporate mission and to operating our global research-intensive biopharmaceutical and animal health businesses.
Over the past 15 years, we have developed and continually improved a comprehensive global privacy program that promotes organizational accountability for privacy, data governance and data protection across our business and with our collaborative partners and suppliers. On March 1, 2016, we became the first company in the world to obtain regulatory approval in the European Union (EU) for binding corporate rules based on an existing Asia Pacific Economic Cooperation (APEC) cross-border privacy rules certified program. Our achievement demonstrated that organizations can rely on common internal standards and processes to govern international data transfers across both the EU and APEC regions to simplify their ability to address the growing regulatory challenges in this area.1
Our holistic approach to privacy has its origins in biomedical research ethics and the protection of participants in the research studies that we sponsor and conduct. We have adapted human subject research ethics standards for risk-benefit analysis, transparency, anonymization, coding and prior review to other activities and processes involving data about people. We also have established a set of privacy values to guide all of our privacy, data stewardship and data protection decisions. These core tenets serve as the foundational ethical framework for our comprehensive global privacy program and our compliance with the continually evolving legal and regulatory standards for privacy and data protection.
First established in 2001, our global privacy program was designed from inception to develop and drive innovative solutions for facilitating efficient and responsible global data access, use and transfer. Key milestones in the development of our program include the following.
2001—Established International Data Transfers—EU
In 2001, we were the first pharmaceutical company to be certified under the former U.S.-EU Safe Harbor Framework, the first multilateral government arrangement for facilitating international data transfers.2 Our initial certification, and the annual reaffirmation of our adherence to the Safe Harbor Framework, applied to the full scope of research, manufacturing, commercial and corporate business processes. As countries in other regions adopted comprehensive and sectoral privacy and data protection laws and regulations, we expanded the principles, standards and processes enabling our certification to support compliance globally.
In 2007, we demonstrated our aspiration to be a leader in privacy transparency practices in two key areas:
- We adopted global standards for personal data security incident management in response to the proliferation of security breach notification laws.
- We began developing and publishing standardized comprehensive privacy notices for major categories of stakeholders about whom we collect, use and disclose personal information across our business. We adopted a format first proposed in 2007 for the financial services industry. This format categorizes the information in the notices to make them easier to understand, and easier for people who interact with us in multiple ways to compare our practices. Since their original publication, we have disclosed and provided examples of our practices for reporting personal information to government authorities. All of our standardized comprehensive notices are available online.
2009—International Data Transfers—Switzerland
After expanding our safe harbor policies to Switzerland and advocating for a safe harbor framework for data transfers from Switzerland to the U.S., we certified our adherence to the U.S.-Swiss Safe Harbor Framework in 2009, shortly after it became available.
Consistent with our commitment to ethical standards, accountability and continuous improvement of our program, in 2011 we developed a novel quantitative approach to evaluating privacy risk and determining the impact of control effectiveness on privacy risks across our operations. We continue to refine our privacy risk strategy in preparation for compliance with the risk analysis requirements of the new EU General Data Protection Regulation (GDPR), and have been invited to present our approach at seminars and workshops with regulators and industry representatives.3
In 2012, we enhanced senior management accountability for privacy across our global operations by instituting an annual management privacy certification program aligned with regulatory guidance issued by Canadian regulators that year.4 In 2014, we enhanced the certification to address key risk areas and expanded the certifier population to include additional layers of management responsible for those risks.
2013—International Data Transfers—Asia Pacific Economic Cooperation
In 2013, we became the first health care company in the world, and the second multinational company, to be certified under the new Asia Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) system.5 APEC CBPR certification provides a framework for organizations to ensure protection of personal information transferred from participating APEC economies.
2014–2015—International Data Transfers—EU and APEC Interoperability
In 2014, we filed an application for approval of our global privacy program under the EU binding corporate rules (BCRs) cooperation procedure. BCRs serve as an externally enforceable code of conduct for ensuring the protection of personal information transferred between entities and across country borders within a corporate group. In March 2014, EU and APEC officials announced a referential for facilitating approval under both systems. Our company launched its APEC CBPR/EU BCR dual-certification project in the summer of 2014 in an effort to drive interoperability in practice between the two systems, by seeking to demonstrate how an accountable global privacy program can serve as the basis for approval and ongoing compliance with the requirements of both systems. Between Q4 2014 and Q4 2015, we presented progress on our case study to regulators and other stakeholders in over 10 locations across the EU, North America and Asia Pacific.
2016—First Company to Achieve EU BCR Approval Based on APEC CBPRs
On March 1, 2016, MSD became the first company in the world to obtain regulatory approval in the European Union (EU) for binding corporate rules based on an existing Asia Pacific Economic Cooperation (APEC) cross-border privacy rules certified program. Our achievement demonstrated that organizations can rely on common internal standards and processes to govern international data transfers across both the EU and APEC regions to simplify their ability to address the complex regulatory challenges to international data transfers following the invalidation of the U.S.-EU Safe Harbor Framework in October 2015.
1 Wandall, H., and Cooper, D. “How to Align APEC and EU Cross-Border Transfer Rules.” Law360, April 12, 2016. Cooper, D., and Wandall, H. “Dual certification: A tale of two frameworks.” Privacy and Data Protection. Volume 16, Issue 5. May 2016.
3 https://www.huntonprivacyblog.com/2015/02/05/role-risk-management-data-protection-theory-practice/; https://www.pdpc.gov.sg; https://www.truste.com/events/privacy-risk/
4 “Getting Accountability Right with a Privacy Management Program.” https://www.priv.gc.ca/information/guide/2012/gl_acc_201204_e.pdf. Similar accountability guidelines subsequently have been issued by regulators in Australia, Colombia and Hong Kong, and the expectations for implementing accountability through a privacy management program also were included in the 2013 revision to the Organisation for Economic Co-operation and Development Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data.
| Metric | | | | | |
|---|---|---|---|---|---|
| Number of countries in which we conducted privacy compliance verification and risk assessment | 137 | 137 | 137 | 137 | 137 |
| Change in program control effectiveness (over 2010 baseline) | 32% | 37% | 39% | 41% | 45% |
| Number of concerns regarding privacy practices, breaches of privacy and losses of personal data that were substantiated¹ | 229 | 68 | 212 | 151 | 143 |
| Percentage of reported concerns regarding privacy practices, breaches of privacy and losses of personal data that were substantiated² | 68% | 23% | 26% | 18% | 96% |
| Number of privacy breaches requiring notification by our company to individuals or government authorities | 2 | 0 | 0 | 1 | 0 |
| Number of privacy breaches requiring notification by third parties working for our company to individuals or government authorities | 3 | 2 | 1 | 1 | 3 |

¹ Privacy concerns include all concerns about our privacy practices escalated to our company's Privacy Office. Substantiated concerns are those that are determined to be consistent with our own privacy standards or that involve loss of, theft or unauthorized access to personal data.

² In 2015, because of the scope of lost or stolen devices known to be encrypted, we ceased inclusion of lost or stolen MSD devices in our incident metrics.