Global Privacy Program
In all that we do, we strive to be good data stewards, balancing our data needs with our responsibilities to the people and communities we serve.
Data about people—whether our employees, patients, physicians, veterinarians and other health professionals, customers, business partners, or other stakeholders—is essential to fulfilling our corporate mission and to operating our global research-intensive biopharmaceutical and animal-health businesses.
Over the past 16 years, we have developed and continually improved a comprehensive global privacy program that promotes organizational accountability for privacy, data governance and data protection across our business, and with our collaborative partners and suppliers. On March 1, 2016, we became the first company in the world to obtain regulatory approval in the European Union (EU) for Binding Corporate Rules (BCR) based in part on our existing Asia Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) certified program.
This achievement demonstrates that organizations can rely on common internal standards and processes to govern international data transfers across both the EU and APEC regions, making it simpler to address the growing regulatory challenges in this area.
In November 2016, we self-certified to the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. These frameworks were designed by the U.S. Department of Commerce, and the European Commission and Swiss Administration, respectively, following the invalidation of the EU-U.S. and Swiss-U.S. Safe Harbor programs.
Our holistic approach to privacy has its origins in biomedical research ethics and the protection of participants in the research studies that we sponsor and conduct. We have adapted human subject research ethics standards for risk-benefit analysis, transparency, anonymization, coding and prior review to other activities and processes involving data about people. We also have established a set of privacy values to guide all of our privacy, data stewardship and data protection decisions. These core tenets serve as the foundational ethical framework for our comprehensive global privacy program and our compliance with the continually evolving legal and regulatory standards for privacy and data protection.
| Number of countries in which we conducted privacy compliance verification and risk assessment | 137 | 137 | 137 | 137 | 137 |
| Number of concerns regarding privacy practices, breaches of privacy and losses of personal data that were substantiated¹ | 68 | 212 | 151 | 143 | 227 |
| Percentage of reported concerns regarding privacy practices, breaches of privacy and losses of personal data that were substantiated² | 23% | 26% | 18% | 96% | 98% |
| Number of privacy breaches requiring notification by our company to individuals or government authorities | 0 | 0 | 1 | 0 | 1 |
| Number of privacy breaches requiring notification by third parties working for our company to individuals or government authorities | 2 | 1 | 1 | 3 | 0 |

1. Privacy concerns include all concerns about our privacy practices escalated to our company’s Privacy Office. Substantiated concerns are those that are determined to be inconsistent with our own privacy standards or that involve loss of, theft or unauthorized access to personal data.
2. In 2015, because of the scope of lost or stolen devices known to be encrypted, we ceased inclusion of lost or stolen MSD devices in our incident metrics.