We have implemented a comprehensive global privacy program that promotes accountable privacy and data protection practices across our business and with our collaborative partners and suppliers.
In 4Q 2013, our program was certified under the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) System. Our company was the first healthcare company in the world to achieve this certification. Our program is designed to assure that four core privacy values are embedded into the way we conduct our business, without regard to how our business, technology or other external factors may change. In 4Q 2014, we filed an application with the Belgian Privacy Commission for approval of its global privacy program under the European Union (EU) Binding Corporate Rules (BCR) cooperation procedure. Our company is the first company in the world to file an application for EU BCR approval based on an existing APEC CBPR certification. The aim of our dual certification strategy is to promote globally interoperable privacy standards across the more than 50 countries and economies combined in APEC and the European Economic Area.
Our global privacy program is structured around a system of five core elements consistent with recognized standards for implementing an accountable privacy program. While the principle of accountability was first recognized in the Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (the “Guidelines”), issued in 1980 by the Organisation for Economic Co-operation and Development (OECD), the essential elements for an accountable privacy program were first expressed in 2009 by the Accountability Project, an initiative originated by the Centre for Information Policy Leadership, with participation from privacy regulators, data protection authorities, business and academia. Our company established its system of five core elements in 2010, joined the Accountability Project in 2011, and has been an ongoing participant in its development, which is now led by the Information Accountability Foundation.
In 2013, the OECD published its first revision to the Guidelines since 1980. The revised Guidelines set forth a new standard for implementing accountability through privacy management programs. Our global privacy program is consistent with the standards of the revised Guidelines. Our program is modeled for continuous improvement, based on changes within our business and in the external environment that affect inherent privacy risks and the effectiveness of our privacy controls. The five core elements are:
- Promote and maintain a corporate culture that respects privacy and protects information about people
- Communicate timely information about updates to privacy laws, regulations, rules, guidelines and policy issues
Policies & Standards
- Implement privacy and data-protection policies and standards that set forth operational principles and procedures, governance, accountability, incident handling and individual redress
- Implement a privacy-training curriculum designed to support the core elements of “Awareness” and “Policies & Standards,” and to provide functional knowledge aligned to roles and responsibilities
- Demonstrate the effectiveness of our program by:
- Prospectively building and documenting appropriate privacy and data-protection requirements into our company’s processes and systems that will be maintained throughout process and system life cycles
- Periodically verifying privacy and data protection compliance through audits, assessments and investigations
- Reporting to government authorities as required by law
- Management acknowledgement and responsibility for ensuring that requirements are addressed
- Define baseline and target metrics to determine the effectiveness, maturity and risks associated with the privacy program
- Collect and analyze data for each metric and evaluate program effectiveness, maturity and risks, as well as areas for enhancement, improvement and risk mitigation
In keeping with our privacy values, we continue to believe that trust is at the core of our privacy mission. We define Privacy TRUST as supporting each of the operational privacy and data protection principles to which we adhere:
T—Transparency: Being clear about how personal information is collected, used and disclosed (supports our privacy principle of Notice)
R—Respecting Choices: Such as whether or not people want to participate in our programs (supports our privacy principle of Choice)
U—Understanding Perspectives: Including that people have different levels of concern about their privacy based on cultural perspectives and personal experiences (supports our privacy principle of Necessity
S—Security: Protecting personal information from loss, misuse, unauthorized access, disclosure, alteration or destruction (supports our privacy principles of Data Integrity, Security and Data Transfer)
T—Treating our stakeholders in a manner consistent with the company’s values (supports our privacy principles of Access, Correction, Enforcement and Dispute Resolution)
Global Cross-Border Data Flows
As a U.S.-based corporation, we have relied on the Safe Harbor Framework for transfers of personal data from the European Economic Area (“EEA”) to the United States (the “Safe Harbor”) as a primary mechanism for facilitating cross-border data flow originating from European countries. We also have utilized the Safe Harbor principles to support the development of our comprehensive privacy program, including incorporation of Safe Harbor standards for movement of personal data to and from other countries.
Our company was one of the first pharmaceutical companies to certify its adherence to the Safe Harbor Framework. We first certified in November 2001. U.S. organizations that certify to the U.S.-EU Safe Harbor are recognized as providing adequate protection for personal data transferred from the EEA, and organizations that certify to the U.S.-Swiss Safe Harbor are recognized as providing adequate protection for personal data transferred from Switzerland. Our Safe Harbor certification applies to transfers of personal information about a broad range of stakeholders from the EEA and, since 2009, from Switzerland, including employees, customers, patients, clinical investigators, healthcare professionals and others. We have reaffirmed our adherence to the Safe Harbor Framework annually since 2001.
One key component of our approach to facilitating efficient cross-border data flows is annual management privacy certification. Each year, senior company organizational leaders, including the leaders of operating entities in countries around the world, certify their accountability for the implementation of privacy standards and requirements in the organizations and activities they lead.
In 2013, we became the first healthcare company in the world, and the second multinational company, to be certified under the new Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) System. The APEC CBPR System provides a framework for organizations to ensure protection of personal information transferred among participating APEC economies. Achievement of APEC certification demonstrates to our customers, patients and other stakeholders our strong commitment to accountable, values-based privacy and data protection practices in every region of the world in which we operate. At the end of 2014, we filed an application for approval of our global privacy program under the European Union (EU) Binding Corporate Rules (BCR) co-operation procedure. BCR serves as an externally enforceable code of conduct for ensuring protection of personal information transferred among entities and across country borders within a corporate group. n March 2014, EU and APEC officials announced a referential for facilitating approval under both systems. Our company launched its APEC CBPR to EU BCR dual certification project in the summer of 2014 in an effort to drive interoperability in practice between the two systems by seeking to demonstrate how an accountable global privacy program can serve as the basis for approval and ongoing compliance with the requirements of both systems.
Privacy Risk & Effectiveness
In keeping with our commitments to accountability and continuous improvement of our program, in 2011 we developed a quantitative approach to consistently evaluating privacy risk and determining the impact of control effectiveness on privacy risks across our operations. We continue to apply this approach to new activities and initiatives to provide consistent guidance on required privacy standards and controls. In connection with our annual privacy compliance review, we also evaluated global and country operations, and we continue to pursue this quantitative approach to determine opportunities for improvement in specific areas and across our program.
Transparency & Privacy
We aspire to being a leader in privacy transparency practices. We aim to achieve this by explaining our privacy practices in ways that enable our stakeholders to make meaningful choices about how we collect, use and disclose personal information about them.
Since 2007, we have been developing and publishing standardized comprehensive privacy notices for major categories of stakeholders about whom we collect, use and disclose personal information across our business. We adopted a format first proposed in 2007 for the U.S. financial services industry.1 This standard format uses a tabular approach to categorize the information provided in the notices in order to make them easier to understand, and easier for people who interact with us in multiple ways to compare our practices. All of our standardized comprehensive notices, available in multiple languages, are published online.
1 The proposed Model Privacy Notice was included in the Interagency Proposal for Model Privacy Form under the Gramm-Leach-Bliley Act, 72 FR 14940 (March 29, 2007).
Our company is actively engaged in policy and advocacy efforts to further privacy standards and next-generation policy frameworks that promote the responsible collection, use and collaborative sharing of data in support of healthcare, biomedical research and other innovations.
We are a member of the International Pharmaceutical Privacy Consortium (IPPC), an association of research-based pharmaceutical companies that supports worldwide responsibility for the protection of personal health information and other types of personal data. We are a corporate member of the International Association of Privacy Professionals, members of our company’s Privacy Office serve on its Board of Directors and Certification Advisory Board, and we encourage development of privacy program management competencies among our privacy, compliance and IT employees through privacy training and professional certification. We also participate in other privacy and information policy organizations, such as the Centre for Information Policy Leadership (CIPL) and the Future of Privacy Forum, which encourage responsible information governance and the development of leading privacy practices.
In 2013, we became a founding supporter of the Information Accountability Foundation, a charitable organization created to build upon the work of the Accountability Project to further accountability-based information governance that facilitates information-driven innovation while protecting individuals’ rights to privacy and autonomy.
|Number of countries in which we conducted privacy compliance verification and risk assessment||87||137||137||137||137|
|Change in program control effectiveness (over 2010 baseline)||NA||32%||37%||39%||41%|
|Number of substantiated concerns regarding privacy practices, breaches of privacy and losses of personal data1||92||229||68||212||151|
|Percentage of reported concerns regarding privacy practices, breaches of privacy and losses of personal data that were substantiated||78%||68%||23%||26%||18%|
|Number of privacy breaches requiring notification by Merck & Co., Inc., Kenilworth, NJ, USA to individuals or government authorities||0||2||0||0||1|
|Number of privacy breaches requiring notification by third parties working for Merck & Co., Inc., Kenilworth, NJ, USA to individuals or government authorities||2||3||2||1||1|
|1 Privacy concerns include all concerns escalated to our company's Privacy Office about our privacy practices. Substantiated concerns are those that are determined to be inconsistent with our own privacy standards or that involve loss of, theft of or unauthorized access to personal data.|