2012 Privacy English

Date post: 02-Apr-2018
Upload: dhivakar-meganathan

Transcript
  • 7/27/2019 2012 Privacy English

    1/57

    Our purpose

    We enable people with life-altering conditions to lead better lives

    Information Privacy and Security Awareness Training

    Annual Update 2011-2012

    2/57

    Table of Contents

    Annual Update - 3
    Why is this training important to you? - 4
    Second City Skit - 6
    Message from Angus Russell - 7
    Course Objectives - 8
    Framework of Shire's Global Privacy Program - 9
    Module 1: Global Privacy Laws - 10
        Key Concepts - 11
    Module 2: Internal Privacy Principles - 15
        Notice - 18
        Choice - 19
        Access - 20
        Data Integrity - 21
        Disclosure to Third Parties - 22
        Security - 23
        Accountability & Enforcement - 24
        Privacy by Design - 25
    Module 3: Shire's External Privacy Statements - 26
        Statement - 27
        Notice - 29
        Choice - 30
        Access - 31
        Data Integrity - 32
        Disclosure to Third Parties - 33
        Security - 34
        Accountability & Enforcement - 35
    Module 4: Information Security - 36
        Why Information Security is a Priority - 37
        Shire's Corporate Information Security Policy - 38
        What is Electronic Communication - 40
        No Expectation of Privacy - 41
        Associated Policies - 42
    Module 5: Defensive Intelligence Practices - 43
        Information Security & You - 45
        Personal & Confidential Information - 46
        Where is Information at Risk? - 47
        Best Practice
            Workspaces/Devices - 48
            Handling Personal or Confidential Info - 49
            Traveling & Working in Public - 50
            Phone/Email - 51
            Meeting Rooms & Offsites - 52
            Conferences & Traveling - 53
            Visitors & 3rd Parties - 54
    Reporting Privacy & Information Security Incidents - 55
    Who Should you Contact - 56

    To be as brave as the people we help

    3/57

    Information Privacy & Security Awareness Training

    Annual Update 2011-2012

    This training program update is designed to refresh your awareness of Shire's Global Privacy Program and steps you can take to maintain Shire's commitment to data privacy and security.

    There are five sections to this training:

    - Global Privacy Laws
    - Shire's Privacy Principles
    - Shire's External Privacy Statements
    - Information Security
    - Defensive Intelligence Practices

    This is a refresher course that builds upon basic training that began in 2009. The basic training slide deck is still available on ORBIT (English language only). Go to Compliance & Risk Management / Privacy Compliance Program to find the original slide deck.

    4/57

    Why is this training important to you?

    Every day around the world Shire accesses, collects, stores, analyzes and shares personally identifiable information from multiple sources in order to conduct its business and enable people with life-altering conditions to lead better lives.

    Protecting personally identifiable information and respecting privacy are fundamental parts of our commitment to patients, healthcare professionals, our employees, and the community.

    Safeguarding Identity: Protecting your identity and the identity of your co-workers, business partners, and the patients we serve.

    5/57

    Why is this training important to Shire?

    Shire employees at all levels have access to information that is confidential or proprietary to the organization.

    We all share an obligation to protect that information. The loss or theft of Shire's confidential information is a risk to the company, and possibly to you, personally.

    Safeguarding Shire information: Protecting Shire information by keeping it confidential.

    6/57

    Second City Skit: Loose Lips

    Click on the picture below to watch the video

    http://shchmos02/shire/Documents/Compliance%20and%20Risk%20Management/Privacy/2012-Privacy%20docs/Loose%20Lips-High.wmv

    7/57

    The Importance of Information Privacy & Security

    A message from Shire CEO Angus Russell

    This training update is an important part of Shire's global compliance program and our efforts to comply with laws and regulations governing data privacy and security.

    It will help prepare you to represent our team in the positive, ethical manner that has come to define who we are at Shire.

    Thank you for participating.

    8/57

    Course Objectives

    As a result of this training, you should be able to:

    - Understand the framework of Shire's Global Privacy Program and some key concepts.
    - Understand that it is your responsibility to apply Shire's Privacy and Security policies in all your business interactions.
    - Locate resources for questions and concerns about information privacy and security.

    This training is mandatory on an annual basis for all Shire employees/contractors who have a Shire e-mail account or have access to Shire systems/applications.

    9/57

    The Framework of Shire's Global Privacy Program

    Practices: Defensive Intelligence practices in our day-to-day operations help us maintain our commitment to privacy and data security.

    Security: Shire's Corporate Information Security Policy provides guidance on protecting Shire's electronic information assets.

    External Statements: Shire's external Privacy Statements (or Policies) that are viewed by the public on our websites communicate the minimum standards that Shire endeavors to maintain regarding the collection and use of personal information on that site.

    Internal Principles: Shire's Internal Privacy Principles communicate the key principles guiding our internal data protection activities.

    Global Privacy Laws: Global Privacy Laws are designed to protect the privacy and security of personal information used in commerce.

    10/57

    Module 1

    Global Privacy Laws

    [Framework diagram: Practices; Security; External Statements; Internal Principles; Global Privacy Laws]

    11/57

    Global Privacy Laws are designed to protect the privacy and security of personal information used in commerce.

    There are more than 100 countries that have privacy and/or data protection laws protecting Personal Information* - over 150 laws in the aggregate - and the number is increasing.

    * Note that the terms personal data, personal information, and personally identifiable information or PII may be used throughout this training and are intended to mean Personal Information as defined in Shire's Privacy Principles. Personal Information deemed sensitive may or may not be more specifically defined by law or regulation depending upon the country. Some examples are provided in Shire's Privacy Principles.

    12/57

    Global Privacy Laws: Key Concept

    Trans-border Data Flows

    International Data Transfer - One of the key privacy and data protection issues we deal with at Shire is the need to transfer data in order to operate globally among our own affiliates or with third parties.

    Certain countries do not allow international data transfer of Personal Information!

    International Data Transfer means moving data from one country to another (trans-border) as well as being able to access or view data in one country from another country.

    The member states of the EU/EEA, Switzerland, and some other countries, prohibit international data transfer of Personal Information to countries that don't have privacy laws similar to the European standard. The USA is one such country.

    13/57

    Global Privacy Laws: Key Concept

    International Data Transfer Not Permitted - Examples

    Personal Data of residents of the EU/EEA countries, or Argentina, Australia, Switzerland, Canada, Colombia, Hong Kong, Indonesia, Malaysia, Philippines, Poland, Russia, Thailand

    Load to corporate database in EEA, to be viewed/accessed by a person in the US or some other country where not permitted.

    [Diagram labels: Trans-border Data Flows; US-located server; US-located person; EU-located server]

    14/57

    Global Privacy Laws: Key Concept

    International Data Transfer: Compliant Options

    There are mechanisms available to allow trans-border transfer of PII:

    - Consent of the Data Subject
    - International Data Transfer Agreements
    - Binding Corporate Rules
    - EU-US Safe Harbor Certification (also available Switzerland-US)

    Other special exceptions may be available under laws or regulations of particular jurisdictions.

    Contact the Director of Privacy at [email protected] or your local Legal Department for more information.

    15/57

    Module 2

    Shire's Privacy Principles

    [Framework diagram: Practices; Security; External Statements; Internal Principles; Global Privacy Laws]

    16/57

    Shire's Internal Privacy Principles

    The Privacy Principles are statements based on internationally recognized practices(1) relating to the treatment of Personal Information, and are in the spirit of Shire's commitment to conducting its business in an ethical and legally compliant manner.

    The statements set the global minimum standard for safeguarding Personal Information within Shire.

    Together, the Privacy Principles combined with the Employee Code of Ethics Policy and Corporate Information Security Policy express and support Shire's privacy commitment to patients, healthcare professionals and alliance partners, our employees and all other individuals with whom we have business interactions.

    (1) E.g. OECD Standards; APEC Privacy Principles

    17/57

    Shire's Internal Privacy Principles

    Shire's internal Privacy Principles are based on the following seven principles:

    1 Notice

    2 Choice

    3 Access

    4 Data Integrity

    5 Disclosure to Third Parties

    6 Security

    7 Accountability & Enforcement

    18/57

    Shire's Internal Privacy Principles

    1 Notice

    We respect the privacy of Personal Information.

    We offer privacy notices that explain how and why we handle Personal Information.

    Where required by law and according to local requirements, we inform individuals when Personal Information is collected about them.

    19/57

    Shire's Internal Privacy Principles

    2 Choice

    Where appropriate, we respect individual choices regarding the collection, use and disclosure of Personal Information.

    We only collect, use, disclose and retain Personal Information that is relevant and useful to effectively conduct/administer our business.

    Where required by law, regulations, or guidelines, we obtain an individual's consent to process (use, maintain, transfer or otherwise handle) their Personal Information.

    20/57

    Shire's Internal Privacy Principles

    3 Access

    We strive to provide individuals the opportunity to access the Personal Information relating to them and, where applicable, to comply with requests to correct, amend, or rectify the Personal Information where incomplete, inaccurate or not compliant with the standards and procedures established at Shire.

    21/57

    22/57

    Shire's Internal Privacy Principles

    5 Disclosure to Third Parties

    We limit the access to and disclosure of Personal Information internally and with third parties.

    Where we share Personal Information, such as permitting access, transmission or publication with third parties (either within or outside Shire) we do so only with a reasonable assurance that the recipient will apply suitable privacy and security protection to the Personal Information. This may include contractual protections and controls.

    We strive to comply with legal restrictions and requirements that apply to the international transfer of Personal Information.

    23/57

    Shire's Internal Privacy Principles

    6 Security

    We use appropriate information security safeguards and records management to protect Personal Information.

    Section 4 of this training highlights the Corporate Information Security Policy.

    24/57

    Shire's Internal Privacy Principles

    7 Accountability & Enforcement

    We provide individuals with an opportunity to ask questions and register complaints regarding our handling of their Personal Information.

    All employees, contractors, agents, temporary staff, suppliers and affiliates are expected to comply with these Privacy Principles. Any employee or contractor that violates these principles may be subject to corrective and/or disciplinary action, which may, in serious cases, result in dismissal or removal from office.

    25/57

    Practical Application of the Privacy Principles

    Privacy by Design

    Consider data protection and privacy as you design or review a new process or application or make any changes to an existing process or application that involves Personal Information. This applies to both manual and electronic processes.

    Ensure that data protection and privacy is a requirement in your RFP to a third party.

    Work with the Director of the global Privacy Program and your local legal counsel to ensure that you are aware of data protection and privacy requirements in your locality and to address potential compliance issues that may arise from the process or application.

    Contracts for services that involve processing PII require special language about data protection and privacy in most jurisdictions.

    26/57

    Module 3

    Shire's External Privacy Statements

    [Framework diagram: Practices; Security; External Statements; Internal Principles; Global Privacy Laws]

    27/57

    Shire's External Privacy Statements

    Shire uses e-Commerce in many ways including: product brand sites, sponsored therapeutic area information sites, patient assistance/support sites, physician support sites, IST registries, Grant registries, and trial recruitment sites, to name a few.

    Any type of e-Commerce site, or any site that registers visitors and collects their information in any way must have a privacy statement.

    An external Privacy Statement (also known as a Privacy Policy) is a document on a public-facing website that tells visitors how the website will be using their Personal Information.

    It protects the company and indicates to visitors what they are agreeing to by using the website.

    The privacy statement should be prominently displayed and clearly disclose whether or not information is collected, the types and means by which information is collected, i.e. cookies, the way that information will be used, who will be granted access to that information, and most importantly, what options the consumer can exercise in controlling that information.

    Contact the Director of the global Privacy Program or your local legal counsel to obtain an appropriate privacy statement/policy for a website.

    28/57

    Shire's External Privacy Principles

    Similar to the Privacy Principles, Shire's external Privacy Statements follow seven principles:

    1 Notice

    2 Choice

    3 Access

    4 Data Integrity

    5 Disclosure to Third Parties

    6 Security

    7 Accountability & Enforcement

    29/57

    Shire's External Privacy Principles

    1 Notice

    Our Statement is designed to tell visitors to the site about our practices regarding collection, use, and disclosure of information they may provide, either actively or passively, via the site.

    Our Statement may have special provisions about collecting information from children, where applicable.

    30/57

    Shire's External Privacy Principles

    2 Choice

    Our Statement tells the visitor they have a choice whether or not to agree to our policy for the use of the site and may be asked to Opt In or Opt Out of that consent.

    31/57

    Shire's External Privacy Principles

    3 Access

    Our Statement provides a means to contact Shire with any questions, comments, or concerns about our information practices or to request that information be corrected or removed.

    32/57

    Shire's External Privacy Principles

    4 Data Integrity

    Our Statement says that we will keep personally identifiable information accurate, current, and complete, and we will take reasonable steps to update or correct the information in our possession based on what the visitor has submitted.

    33/57

    Shire's External Privacy Principles

    5 Disclosure to Third Parties

    Our Statement indicates that we may disclose personally identifiable information to our affiliates or to third parties in other countries who agree to treat it in accordance with the policy, and we do so only for certain purposes.

    34/57

    Shire's External Privacy Principles

    6 Security

    Our Statement says that we take reasonable steps to protect personally identifiable information from loss, misuse, unauthorized access, disclosure, alteration, or destruction.

    We will retain the information only as long as needed to fulfill the purposes for which it was collected, or until a user requests it to be deleted.

    We will endeavor to notify the data owner in the event of an incident or breach of personally identifiable information.

    35/57

    Shire's External Privacy Principles

    7 Accountability & Enforcement

    Compliance with these principles is the responsibility of every Shire employee.

    36/57

    Module 4

    Information Security

    [Framework diagram: Practices; Security; External Statements; Internal Principles; Global Privacy Laws]

    37/57

    Information Security: Why Information Security Is A Priority

    The Value of Information

    Shire holds sensitive information on patients, providers and employees, trade secrets, research and other information that gives a competitive edge. As more and more of this information is stored and processed electronically and transmitted across company networks or the internet, the risk of unauthorized access increases and we are presented with growing challenges of how best to protect it.

    Protecting Information

    Steps must be put in place to protect information. If left unprotected, information could fall into the wrong hands; it can wreck lives, bring down businesses and even be used to commit harm. Ensuring that information is appropriately protected is both a business and legal requirement.

    Information Breaches

    When information is not adequately protected, it may be compromised and this is known as an information or security breach. The consequences of an information breach are potentially severe, and may entail significant financial penalties, expensive lawsuits, loss of reputation and business that put our ability to serve our patients at risk.

    38/57

    Information Security: Shire's Corporate Information Security Policy

    The Corporate Information Security Policy defines the minimum information protection requirements for Shire. Certain jurisdictions may have more stringent protection requirements that must be complied with.

    In addition to general policy guidelines and roles and responsibilities, it provides specific policy statements for:

    - Access Protection
    - Network and Remote Access Security
    - Appropriate Use of Technology resources
    - Laptops, Desktops, and Mobile Devices
    - Licenses and Copyrights
    - Risk Assessment, Information, Classification, and Risk Acceptance

    All Employees, Contractors, Third Parties, And Anyone With Access To Shire Information Systems, Are Required To Read, Understand, Acknowledge, And Comply With The Corporate Information Security Policy

    39/57

    Information Security: Shire's Corporate Information Security Policy

    Everyone is responsible for the protection of the data in their possession (electronic and paper) and must exercise due care against its theft, loss, or damage:

    - Use only authorized software and do not tamper with security software on your device.
    - Establishing rogue wireless networks, utilizing unauthorized remote access services or using unauthorized internet file sharing/storage technologies are not allowed.
    - Avoid storing important files on your laptop's hard drive. Instead use a company file share that is backed up and protected.
    - Do NOT leave your laptop or mobile device unattended.
    - All Shire assets (electronic files, documents, computers, phones, iPads, etc.) must be returned upon termination of employment.
    - If you need help with using any devices, contact the Shire Help Desk at Ext. 247247 or [email protected].

    40/57

    Information Security: What is Electronic Communication

    For the purposes of the Corporate Information Security Policy, electronic communication is a method of exchanging digital data across the Internet or other networks.

    This includes, but is not limited to, email, Instant Messaging, Shiral and other forms of electronic Social Media.

    Appropriate, professional behavior, as well as compliance with Shire Security and Privacy policies, is mandatory regardless of communication method or data type.

    41/57

    Information Security: No Expectation of Privacy

    IMPORTANT NOTICE: NO EXPECTATION OF PRIVACY

    Shire's Corporate Information Security Policy states that:

    Employees should not have any expectation of privacy with respect to any electronic communication that they have sent or received using Shire networks or electronic communication services.

    All communications from Shire provided services are considered property of Shire.

    Network traffic, including Internet access will be controlled and monitored.

    In all cases, the right to view and monitor electronic communication is subject to local law and procedure.

    The policy applies to all forms of electronic data and devices.

    42/57

    Information Security: Associated Policies

    Employees should make themselves aware of associated Shire Policies that address information handling and ethics:

    - Employee Code of Ethics Policy
    - Social Media Policy
    - Corporate Responsibility
    - HR Policies regarding standards of employee conduct:
    - Media, Legal and Government Inquiries
    - Policies regarding harassment and discrimination
    - Policies regarding personal information protection for employees
    - Record retention policies
    - Any employment or other agreement you may have signed which contains confidentiality provisions.

    43/57

    Module 5

    Defensive Intelligence Practices

    [Framework diagram: Practices; Security; External Statements; Internal Principles; Global Privacy Laws]

    44/57

    See Shire's Keep it Confidential e-Guide on ORBIT for more information and tips on safeguarding Shire Information.

    45/57

    Shire's Information Security & You

    The loss or theft of Shire information is a serious risk to the company and may be a risk to you personally. Consider these points regarding your role in safeguarding information at Shire:

    - You have access to information that external groups or companies want: Intelligence about products, the company, external partners, personal data.
    - You are legally responsible for protecting Shire information and must take appropriate steps to minimize the risk of loss to third parties.
    - Good defensive intelligence is largely common sense.
    - Taking some simple steps can have a dramatic impact.

    46/57

    Third parties will be interested in many different types of information - not all of it may be related to Shire brands

    - Organisational structure
    - Business Development
    - Product strategy
    - Regulatory timelines
    - Clinical trial data
    - Salary information
    - Budget information
    - Pipeline information
    - New market entries
    - Launch timelines
    - P&R negotiations
    - Employment expansion plans
    - Site expansion plans
    - Offsite meeting plans
    - Financial performance data
    - Employee information
    - Employee benefit schemes
    - Corporate policies

    All of these can be considered Personal and Confidential Information

    47/57

    Where Is Information At Risk?

    - Meeting Rooms
    - Visitors
    - Telephone
    - Workplaces/Devices
    - Travel
    - Conferences
    - Transfer to Vendor
    - Joining/Leaving Shire
    - Hotels & Offsite Meetings

    48/57

    Best Practice: Keeping Your Workspaces/Devices Secure

    Make a habit of securing your workstation.

    During the work day

    - Set your computer screen to auto lock after a defined period of inactivity.
    - Lock the screen (Ctrl+Alt+Del) when leaving workstations unattended.
    - Never leave laptops, PDAs, cell phones, flash drives, CDs unsecured.

    At the end of the day

    - Log off all systems before leaving.
    - If you work in an open floor plan and have a laptop device, take it with you or log out, turn it off and lock it away in a cabinet.
    - If you work in an office, lock it.

    49/57

    Best Practice: Handling Personal or Confidential Information

    Take these actions when handling confidential information:

    - Retrieve It - When printing Personal or Confidential Information, retrieve it immediately; don't leave it lying around for others to access.
    - Keep It - Do not leave Personal or Confidential Information unattended on desks, near copy machines, or in easily accessible public locations.
    - Secure It - Lock Personal or Confidential Information in file cabinets and desk drawers during non-working hours or if office is to be shared.
    - Shred It - When finished with Personal or Confidential Information, immediately shred it or place it in containers provided for that purpose, rather than simply throwing it away.
    - Erase It - Erase/close/cover white boards when not actively in use.


    Best Practice: Traveling & Working In Public

    Talking in public

    Don't discuss confidential business in public areas (e.g. airport lounges).
    Discussions held in restaurants, airports, on trains and in other public places can be overheard, and you never know who is listening.
    Discussions held on public and cellular telephones can be overheard and can also be tapped or intercepted.

    Working in public

    Be aware of shoulder surfers.
    Use privacy screens on laptops.
    Don't leave materials/Shire devices lying around.
    If you must leave a laptop in the car, make sure it is hidden away from sight in the boot.
    Do not pack Shire devices in checked luggage!


    Best Practice: Using Phone/Email

    When using the phone/e-mail:

    Identify the person with whom you are communicating.

    Don't answer questions unless you are sure of the purpose and identity of the caller/e-mailer. If you're unsure, offer to return the call at a better time.

    Never give away employee names or contact information to unknown callers; take their details instead and pass these on to your colleague.

    If an unknown caller says that another employee told them to contact you, check first with the other employee before continuing.

    Always be skeptical of information requests, including e-mails asking you to participate in surveys.

    Direct all strange calls/e-mails or rude callers to your local security desk or contact [email protected]. You can also forward e-mails to Global Competitive Intelligence: [email protected].


    Best Practice: Using Meeting Rooms On & Offsite

    All Participants

    Hold discussions in private areas; be aware of your surroundings.
    Identify everyone attending the meeting.
    Ensure the room will be secured if materials are to be left unattended during breaks.
    Do not leave materials or devices in a meeting room overnight, even if the venue assures you it is OK.

    Meeting planners/hosts

    When booking, check the venue will not be hosting other competitor meetings at the same time.
    Don't use the Shire name/logo on meeting room signs or banners.
    Take all materials with you; clear the room and erase boards.
    Ensure any TC/VC is connected to the right meeting.
    The leader of the meeting should provide a reminder to the group about defensive intelligence (DI) at the beginning of the meeting.
    DI rules apply to the evenings as well! Consider privacy when making dinner reservations.


    Best Practice: Attending Conferences & Travelling

    Use discretion and these common sense practices when travelling or attending conferences:

    Remember: observers can look over your shoulder; keep confidential information stowed during travel, and if you must work in public, use a laptop privacy screen.

    Never discuss Shire business in public venues such as elevators, hotels, trains, planes, airport lounges, exhibit halls or restaurants.

    No discussion in a public place is private.

    Remind attendees, including vendors/guests/presenters, of confidentiality obligations.

    Don't assume everyone is a potential customer! Competitors will have competitive intelligence consultants on site at meetings trying to find information about Shire.

    When approached, find out whom you are speaking with and ask for more specific information if the first response is vague or seems insincere.

    Electronically transmit information; minimize hard copy distribution of schedules and other sensitive documents.


    Reporting Privacy & Information Security Incidents

    In the event of the loss, disappearance, or theft of Shire Corporate Information, including but not limited to Personal Information, or Information Assets or equipment in any form, you are required to follow this procedure:

    Immediately report the incident to the Shire Global IS Service Desk (247247).

    Immediately report the incident to your line manager/supervisor.

    Working with the Shire Global IS Service Desk, immediately change all of your Shire passwords and access codes.

    Complete the Equipment Loss, Damage or Theft Report (available on ORBIT) within 48 hours of discovery of the incident, and send it to the Information Security team via email at [email protected].


    Who Should You Contact With Questions?

    For guidance about the appropriate classification and use of Personal Information you collect and handle:
    Contact your local legal counsel or email the Privacy Director in Global Compliance & Risk Management at [email protected].

    For guidance about the appropriate use of Shire's technology resources:
    Contact Shire Information Security at [email protected].

    To confidentially report a suspected data security breach:
    Contact the Global Compliance Helpline where available. You can find the contact numbers on ORBIT.


    Thank you for taking this Privacy Training!

