Information Privacy and Security Awareness Training

Annual Update 2011-2012

Our purpose

We enable people with life-altering conditions to lead better lives

Table of Contents
Annual Update - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 3 Why is this training important to you? - - - - - - - - - - - 4 Second City Skit - - - - - - - - - - - - - - - - - - - - - - - - - - - - 6 Message from Angus Russell - - - - - - - - - - - - - - - - - - - 7 Course Objectives - - - - - - - - - - - - - - - - - - - - - - - - - - - 8 Framework of Shires Global Privacy Program - - - - - - 9 Module 1 Global Privacy Laws - - - - - - - - - - - - - - - - 10 Key Concepts -- - - - - - - - - - - - - - - - - - - - - - - - - 11 Module 2 Internal Privacy Principles - - - - - - - - - - - 15
Notice - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 18 Choice - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 19 Access - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 20 Data Integrity - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 21 Disclosure to Third Parties - - - - - - - - - - - - - - - - - - - 22 Security - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 23 Accountability & Enforcement - - - - - - - - - - - - - - - - 24 Privacy by Design - - - - - - - - - - - - - - - - - - - - - - - - - - 25 Module 4 Information Security - - - - - - - - - - - - - - - - - - - 36 Why Information Security is a Priority - - - - - - - - - - - 37 Shires Corporate Information Security Policy - - - - - 38 What is Electronic Communication - - - - - - - - - - - - - 40 No Expectation of Privacy - - - - - - - - - - - - - - - - - - - - 41 Associated Policies - - - - - - - - - - - - - - - - - - - - - - - - - 42 Module 5 Defensive Intelligence Practices - - - - - - - - - - - 43 Information Security & You - - - - - - - - - - - - - - - - - - 45 Personal & Confidential Information - - - - - - - - - - - - 46 Where is Information at Risk? - - - - - - - - - - - - - - - - 47 Best Practice Workspaces/Devices - - - - - - - - - - - - - - - - - - - - 48 Handling Personal or Confidential Info - - - - - - - 49 Traveling & Working in Public - - - - - - - - - - - - - 50 Phone/Email - - - - - - - - - - - - - - - - - - - - - - - - - - 51 Meeting Rooms & Offsites - - - - - - - - - - - - - - - 52 Conferences & Traveling - - - - - - - - - - - - - - - - - 53 Visitors & 3rd Parties - - - - - - - - - - - - - - - - - - - - 54 Reporting Privacy & Information Security Incidents - - - - - 55 Who Should you Contact - - - - - - - - - - - - - - - - - - - - - - - - - 56

Module 3 Shires External Privacy Statements - - - - 26

Statement - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 27 Notice - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 29 Choice - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 30 Access - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 31 Data Integrity - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 32 Disclosure to Third Parties - - - - - - - - - - - - - - - - - - - 33 Security - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 34 Accountability & Enforcement - - - - - - - - - - - - - - - - 35

To be as brave as the people we help 2

Information Privacy & Security Awareness Training Annual Update 2011-2012

This training program update is designed to refresh your awareness of Shires Global Privacy Program and steps you can take to maintain Shires commitment to data privacy and security. There are five sections to this training: Global Privacy Laws Shires Privacy Principles Shires External Privacy Statements Information Security Defensive Intelligence Practices

This is a refresher course that builds upon basic training that began in 2009. The basic training slide deck is still available on ORBIT (English language only). Go to Compliance & Risk Management / Privacy Compliance Program to find the original slide deck.

To be as brave as the people we help 3

Why is this training important to you?

Safeguarding Identity: Protecting your identity and the identity of your co-workers, business partners, and the patients we serve.

Every day around the world Shire accesses, collects, stores, analyzes and shares personally identifiable information from multiple sources in order to conduct its business and enable people with life-altering conditions to lead better lives.
Protecting personally identifiable information and respecting privacy are fundamental parts of our commitment to patients, healthcare professionals, our employees, and the community.

To be as brave as the people we help 4

Why is this training important to Shire?

Safeguarding Shire information: Protecting Shire information by keeping it confidential.

Shire employees at all levels have access to information that is confidential or proprietary to the organization. We all share an obligation to protect that information. The loss or theft of Shires confidential information is a risk to the company, and possibly to you, personally.

To be as brave as the people we help 5

Second City Skit Loose Lips

Click on the picture below to watch the video

The Importance of Information Privacy & Security

A message from Shire CEO Angus Russell

This training update is an important part of Shires global compliance program and our efforts to comply with laws and regulations governing data privacy and security. It will help prepare you to represent our team in the positive, ethical manner that has come to define who we are at Shire. Thank you for participating.

To be as brave as the people we help 7

Course Objectives As a result of this training, you should be able to

Understand the framework of Shires Global Privacy Program and some key concepts. Understand that it is your responsibility to apply Shire's Privacy and Security policies in all your business interactions. Locate resources for questions and concerns about information privacy and security.

This training is mandatory on an annual basis for all Shire employees/contractors who have a Shire e-mail account or have access to Shire systems/applications
To be as brave as the people we help 8

The Framework of Shires Global Privacy Program

Practices Security

Defensive Intelligence practices in our day-today operations help us maintain our commitment to privacy and data security. Shires Corporate Information Security Policy provides guidance on protecting Shires electronic information assets. Shires external Privacy Statements (or Policies) that are viewed by the public on our websites communicate the minimum standards that Shire endeavors to maintain regarding the collection and use of personal information on that site. Shires Internal Privacy Principles communicate the key principles guiding our internal data protection activities. Global Privacy Laws are designed to protect the privacy and security of personal information used in commerce.

External Statements

Internal Principles

Global Privacy Laws

To be as brave as the people we help 9

Module 1
Global Privacy Laws

Practices Security

External Statements

Internal Principles

Global Privacy Laws

Our purpose

We enable people with life-altering conditions to lead better lives

Global Privacy Laws are designed to protect the privacy and security of personal information used in commerce.

There are more than 100 countries that have privacy and/or data protection laws protecting Personal Information* - over 150 laws in the aggregate - and the number is increasing.

* Note that the terms personal data, personal information, and personally identifiable information or PII may be used throughout this training and are intended to mean Personal Information as defined in Shires Privacy Principles. Personal Information deemed sensitive may or may not be more specifically defined by law or regulation depending upon the country. Some examples are provided in Shires Privacy Principles.

To be as brave as the people we help 11

Global Privacy Laws Key Concept

International Data Transfer - One of the key privacy and data protection issues we deal with at Shire is the need to transfer data in order to operate globally among our own affiliates or with third parties.
Certain countries do not allow international data transfer of Personal Information! International Data Transfer means moving data from one country to another (trans -border) as well as being able to access or view data in one country from another country. The member states of the EU/EEA, Switzerland, and some other countries, prohibit international data transfer of Personal Information to countries that dont have privacy laws similar to the European standard. The USA is one such country.

Trans-border Data Flows

To be as brave as the people we help 12

Global Privacy Laws Key Concept International Data Transfer Not Permitted - Examples

Trans-border Data Flows

Personal Data of residents of the EU/EEA countries, or Argentina, Australia, Switzerland, Canada, Colombia, Hong Kong, Indonesia, Malaysia, Philippines, Poland, Russia, Thailand

US-located server

EU-located server

Trans-border Data Flows

Load to corporate database in EEA, to be viewed/accessed by a person in the US or some other country where not permitted.

US-located person

To be as brave as the people we help 13

Global Privacy Laws Key Concept International Data Transfer Compliant Options
There are mechanisms available to allow trans-border transfer of PII:
Consent of the Data Subject International Data Transfer Agreements

Binding Corporate Rules

EU-US Safe Harbor Certification (also available Switzerland-US) Other special exceptions may be available under laws or regulations of particular jurisdictions.

Contact the Director of Privacy at PrivacyConnect@Shire.com or your local Legal Department for more information.

To be as brave as the people we help 14

Module 2
Shires Privacy Principles

Practices Security

External Statements

Internal Principles
Global Privacy Laws

Our purpose

We enable people with life-altering conditions to lead better lives

Shires Internal Privacy Principles

The Privacy Principles are statements based on internationally recognized practices(1) relating to the treatment of Personal Information, and are in the spirit of Shires commitment to conducting its business in an ethical and legally compliant manner. The statements set the global minimum standard for safeguarding Personal Information within Shire. Together, the Privacy Principles combined with the Employee Code of Ethics Policy and Corporate Information Security Policy express and support Shires privacy commitment to patients, healthcare professionals and alliance partners, our employees and all other individuals with whom we have business interactions.

(1)E.g. OECD Standards; APEC Privacy Principles

To be as brave as the people we help 16

Shires Internal Privacy Principles

Shires internal Privacy Principles are based on the following seven principles:

1 2 3 4 5 6 7

Notice
Choice Access Data Integrity Disclosure to Third Parties

Security Accountability & Enforcement

To be as brave as the people we help 17

Shires Internal Privacy Principles

Notice
We respect the privacy of Personal Information. We offer privacy notices that explain how and why we handle Personal Information.

Where required by law and according to local requirements, we inform individuals when Personal Information is collected about them.

To be as brave as the people we help 18

Shires Internal Privacy Principles

Choice
Where appropriate, we respect individual choices regarding the collection, use and disclosure of Personal Information. We only collect, use, disclose and retain Personal Information that is relevant and useful to effectively conduct/administer our business.

Where required by law, regulations, or guidelines, we obtain an individuals consent to process (use, maintain, transfer or otherwise handle) their Personal Information.

To be as brave as the people we help 19

Shires Internal Privacy Principles

Access
We strive to provide individuals the opportunity to access the Personal Information relating to them and, where applicable, to comply with requests to correct, amend, or rectify the Personal Information where incomplete, inaccurate or not compliant with the standards and procedures established at Shire.

To be as brave as the people we help 20

Shires Internal Privacy Principles

Data Integrity
We use reasonable efforts to keep Personal Information accurate, complete, up-to-date and reliable for the intended use. We retain Personal Information as needed to fulfill our legal and business obligations.

To be as brave as the people we help 21

Shires Internal Privacy Principles

Disclosure to Third Parties

We limit the access to and disclosure of Personal Information internally and with third parties. Where we share Personal Information, such as permitting access, transmission or publication with third parties (either within or outside Shire) we do so only with a reasonable assurance that the recipient will apply suitable privacy and security protection to the Personal Information. This may include contractual protections and controls. We strive to comply with legal restrictions and requirements that apply to the international transfer of Personal Information.

To be as brave as the people we help 22

Shires Internal Privacy Principles

Security
We use appropriate information security safeguards and records management to protect Personal Information.

Section 4 of this training highlights the Corporate Information Security Policy.

To be as brave as the people we help 23

Shires Internal Privacy Principles

Accountability & Enforcement

We provide individuals with an opportunity to ask questions and register complaints regarding our handling of their Personal Information. All employees, contractors, agents, temporary staff, suppliers and affiliates are expected to comply with these Privacy Principles. Any employee or contractor that violates these principles may be subject to corrective and/or disciplinary action, which may, in serious cases, result in dismissal or removal from office.

To be as brave as the people we help 24

Practical Application of the Privacy Principles Privacy by Design

Consider data protection and privacy as you design or review a new process or application or make any changes to an existing process or application that involves Personal Information. This applies to both manual and electronic processes.
Ensure that data protection and privacy is a requirement in your RFP to a third party. Work with the Director of the global Privacy Program and your local legal counsel to ensure that you are aware of data protection and privacy requirements in your locality and to address potential compliance issues that may arise from the process or application. Contracts for services that involve processing PII require special language about data protection and privacy in most jurisdictions.

To be as brave as the people we help 25

Module 3
Shires External Privacy Statements

Practices Security

External Statements
Internal Principles

Global Privacy Laws

Our purpose

We enable people with life-altering conditions to lead better lives

Shire's External Privacy Statements

Shire uses e-Commerce in many ways including: product brand sites, sponsored therapeutic area information sites, patient assistance/support sites, physician support sites, IST registries, Grant registries, and trial recruitment sites, to name a few.
Any type of e-Commerce site, or any site that registers visitors and collects their information in any way must have a privacy statement. An external Privacy Statement (also known as a Privacy Policy) is a document on a public-facing website that tells visitors how the website will be using their Personal Information. It protects the company and indicates to visitors what they are agreeing to by using the website. The privacy statement should be prominently displayed and clearly disclose whether or not information is collected, the types and means by which information is collected, i.e. cookies, the way that information will be used, whom will be granted access to that information, and most importantly, what options the consumer can exercise in controlling that information. Contact the Director of the global Privacy Program or your local legal counsel to obtain an appropriate privacy statement/policy for a website.

To be as brave as the people we help 27

Shires External Privacy Principles

Similar to the Privacy Principles, Shires external Privacy Statements follow seven principles:
1

Notice
Choice Access Data Integrity Disclosure to Third Parties

Security Accountability & Enforcement

To be as brave as the people we help 28

Shires External Privacy Principles

Notice
Our Statement is designed to tell visitors to the site about our practices regarding collection, use, and disclosure of information they may provide, either actively or passively, via the site.

Our Statement may have special provisions about collecting information from children, where applicable.

To be as brave as the people we help 29

Shires External Privacy Principles

Choice
Our Statement tells the visitor they have a choice whether or not to agree to our policy for the use of the site and may be asked to Opt In or Opt Out of that consent.

To be as brave as the people we help 30

Shires External Privacy Principles

Access
Our Statement provides a means to contact Shire with any questions, comments, or concerns about our information practices or to request that information be corrected or removed.

To be as brave as the people we help 31

Shires External Privacy Principles

Data Integrity
Our Statement says that we will keep personally identifiable information accurate, current, and complete, and we will take reasonable steps to update or correct the information in our possession based on what the visitor has submitted.

To be as brave as the people we help 32

Shires External Privacy Principles

Disclosure to Third Parties

Our Statement indicates that we may disclose personally identifiable information to our affiliates or to third parties in other countries who agree to treat it in accordance with the policy, and we do so only for certain purposes.

To be as brave as the people we help 33

Shires External Privacy Principles

Security
Our Statement says that we take reasonable steps to protect personally identifiable information from loss, misuse, unauthorized access, disclosure, alteration, or destruction. We will retain the information only as long as needed to fulfill the purposes for which it was collected, or until a user requests it to be deleted. We will endeavor to notify the data owner in the event of an incident or breach of personally identifiable information.

To be as brave as the people we help 34

Shires External Privacy Principles

Accountability & Enforcement

Compliance with these principles is the responsibility of every Shire employee.

To be as brave as the people we help 35

Module 4
Information Security

Practices

Security
External Statements

Internal Principles

Global Privacy Laws

Our purpose

We enable people with life-altering conditions to lead better lives

Information Security
Why Information Security Is A Priority The Value of Information
Shire holds sensitive information on patients, providers and employees, trade secrets, research and other information that gives a competitive edge. As more and more of this information is stored and processed electronically and transmitted across company networks or the internet, the risk of unauthorized access increases and we are presented with growing challenges of how best to protect it.

Protecting Information
Steps must be put in place to protect information. If left unprotected, information could fall into the wrong hands, it can wreck lives, bring down businesses and even be used to commit harm. Ensuring that information is appropriately protected is both a business and legal requirement.

Information Breaches
When information is not adequately protected, it may be compromised and this is known as an information or security breach. The consequences of an information breach are potentially severe, and may entail significant financial penalties, expensive law suits, loss of reputation and business that put our ability to serve our patients at risk.

To be as brave as the people we help 37

Information Security
Shires Corporate Information Security Policy

All Employees, Contractors, Third Parties, And Anyone With Access To Shire Information Systems, Are Required To Read, Understand, Acknowledge, And Comply With The Corporate Information Security Policy

The Corporate Information Security Policy defines the minimum information protection requirements for Shire. Certain jurisdictions may have more stringent protection requirements that must be complied with. In addition to general policy guidelines and roles and responsibilities, it provides specific policy statements for:
Access Protection Network and Remote Access Security Appropriate Use of Technology resources Laptops, Desktops, and Mobile Devices Licenses and Copyrights Risk Assessment, Information, Classification, and Risk Acceptance

To be as brave as the people we help 38

Information Security
Shires Corporate Information Security Policy

Everyone is responsible for the protection of the data in their possession (electronic and paper) and must exercise due care against its theft, loss, or damage:
Use only authorized software and do not tamper with security software on your device. Establishing rogue wireless networks, utilizing unauthorized remote access services or using unauthorized internet file sharing/storage technologies are not allowed. Avoid storing important files on your laptops hard drive. Instead use a company file share that is backed up and protected. Do NOT leave your laptop or mobile device unattended.

All Shire assets (electronic files, documents, computers, phones, iPads, etc.) must be returned upon termination of employment.
If you need help with using any devices, contact the Shire Help Desk at Ext. 247247 or 247247@Shire.com.

To be as brave as the people we help 39

Information Security
What is Electronic Communication

For the purposes of the Corporate Information Security Policy, electronic communication, is a method of exchanging digital data across the Internet or other networks. This includes, but is not limited to, email, Instant Messaging, Shiral and other forms of electronic Social Media. Appropriate, professional behavior, as well as compliance with Shire Security and Privacy policies is mandatory regardless of communication method or data type.

To be as brave as the people we help 40

Information Security
No Expectation of Privacy

IMPORTANT NOTICE NO EXPECTATION OF PRIVACY

Shires Corporate Information Security Policy states that:
Employees should not have any expectation of privacy with respect to any electronic communication that they have sent or received using Shire networks or electronic communication services. All communications from Shire provided services are considered property of Shire. Network traffic, including Internet access will be controlled and monitored. In all cases, the right to view and monitor electronic communication is subject to local law and procedure.

The policy applies to all forms of electronic data and devices.

To be as brave as the people we help 41

Information Security
Associated Policies

Employees should make themselves aware of associated Shire Polices that address information handling and ethics:
Employee Code of Ethics Policy Social Media Policy Corporate Responsibility HR Policies regarding standards of employee conduct:
Media, Legal and Government Inquiries Policies regarding harassment and discrimination Policies regarding personal information protection for employees

Record retention policies

Any employment or other agreement you may have signed which contains confidentiality provisions.

To be as brave as the people we help 42

Module 5
Defensive Intelligence Practices

Practices
Security

External Statements

Internal Principles

Global Privacy Laws

Our purpose

We enable people with life-altering conditions to lead better lives

See Shires Keep it Confidential e-Guide on ORBIT for more information and tips on safeguarding Shire Information.

To be as brave as the people we help 44

Shires Information Security & You

The loss or theft of Shire information is a serious risk to the company and may be a risk to you personally. Consider these points regarding your role in safeguarding information at Shire
You have access to information that external groups or companies want: Intelligence about products, the company, external partners, personal data. You are legally responsible for protecting Shire information and must take appropriate steps to minimize the risk of loss to third parties.

Good defensive intelligence is largely common sense. Taking some simple steps can have a dramatic impact

To be as brave as the people we help 45

Third parties will be interested in many different types of information not all of it may be related to Shire brands
All of these can be considered Personal and Confidential Information
Clinical trial data Employee information

Offsite meeting plans

Financial performance data

Organisational structure

Product strategy

Regulatory timelines Budget information

P&R negotiations

Corporate policies

Business Development New market entries

Salary information

Employee benefit schemes

Employment expansion plans

Pipeline information

Launch timelines

Site expansion plans

To be as brave as the people we help 46

Where Is Information At Risk?

Telephone

Workplaces/ Devices

Conferences

Joining / Leaving Shire

Visitors
Hotels & Offsite Meetings

Meeting Rooms

Travel

Transfer to Vendor

To be as brave as the people we help 47

Best Practice: Keeping Your Workspaces/Devices Secure

Make a habit of securing your workstation.

During the work day Set your computer screen to auto lock after a defined period of inactivity. Lock the screen (Ctrl+Alt+Del) when leaving workstations unattended. Never leave laptops, PDAs, cell phones, flash drives, CDs unsecured.

At the end of the day

Log off all systems before leaving. If you work in an open floor plan and have a laptop device, take it with you or log out, turn it off and lock it away in a cabinet. If you work in an office, lock it.

To be as brave as the people we help 48

Best Practice: Handling Personal or Confidential Information

Take these actions when handling confidential information
Retrieve It - When printing Personal or Confidential Information, retrieve it immediately dont leave it lying around for others to access. Keep It - Do not leave Personal or Confidential Information unattended on desks, near copy machines, or in easily accessible public locations. Secure It - Lock Personal or Confidential Information in file cabinets and desk drawers during non-working hours or if office is to be shared. Shred It - When finished with Personal or Confidential Information, immediately shred it or place it in containers provided for that purpose, rather than simply throwing it away. Erase It - Erase/close/cover white boards when not actively in use.

To be as brave as the people we help 49

Best Practice: Traveling & Working In Public

Talking in public Dont discuss confidential business in public areas (e.g. airport lounges). Discussions held in restaurants, airports, on trains and in other public places can be overheard and you never know who is listening. Discussions held on public and cellular telephones can be overheard and can also be tapped or intercepted. Working in public Be aware of shoulder surfers. Use privacy screens on laptops

Dont leave materials/Shire devices lying around

If you must leave a laptop in the car, make sure it is hidden away from site in the boot

Do not pack Shire devices in checked luggage!

To be as brave as the people we help 50

Best Practice: Using Phone/Email

When using the phone/e-mail
Identify the person with whom you are communicating. Dont answer questions unless you are sure of the purpose and identity of the caller/e-mailer. If youre unsure, offer to return the call at a better time. Never give away employee names or contact information to unknown callerstake their details instead and pass these on to your colleague. If an unknown caller says that another employee told them to contact you, check first with the other employee before continuing. Always be skeptical of information requests, including e-mails asking you to participate in surveys. Direct all strange calls/e-mails or rude callers to your local security desk or contact ShireInformationSecurity@Shire.com. You can also forward e-mails to Global Competitive Intelligence: compintel@shire.com.

To be as brave as the people we help 51

Best Practice: Using Meeting Rooms On & Offsite

Meeting planners/hosts
When booking, check the venue will not be hosting other competitor meetings at the same time Dont use Shire name/logo on meeting room signs or banners Take all materials with you; clear the room and erase boards. Ensure any TC/VC is connected to the right meeting. Leader of the meeting should provide a reminder to the group about defensive intelligence at the beginning of the meeting DI rules apply to the evenings as well! Consider privacy when making dinner reservations.

All Participants
Hold discussions in private areas; be aware of your surroundings. Identify everyone attending the meeting.

Ensure room will be secured if materials are to be left unattended during breaks.
Do not leave materials or devices in a meeting room overnight even if the venue assure you it is OK

To be as brave as the people we help 52

Best Practice: Attending Conferences & Travelling

Use discretion and these common sense practices when travelling or attending conferences
Remember: observers can look over your shoulderkeep confidential information stowed during travel and if you must work in public, use a laptop privacy screen. Never discuss Shire business in public venues such as elevators, hotels, trains, planes, airport lounges, exhibit halls or restaurants. No discussion in a public place is private. Remind attendees, including vendors/guests/presenters, of confidentiality obligations. Dont assume everyone is a potential customer! Competitors will have competitive intelligence consultants on site at meetings trying to find information about Shire. When approached, find out whom you are speaking with and ask for more specific information if the first response is vague or seems insincere. Electronically transmit informationminimize hard copy distribution of schedules and other sensitive documents.

To be as brave as the people we help 53

Best Practice: Attending to Visitors & Third Parties

Follow these recommendations with Shire visitors Escort - Visitors on site should be attended by a Shire host at all times. Inform - If your visitors work in competitor-related areas, inform colleagues in and around meeting rooms ahead of time. Ask If you dont recognize a visitor, request their identity. Enter/Exit with Awareness Be conscious of tailgaters when entering or leaving Shire buildings. Everyone should use his or her security cards to gain access (in locations with ID card access control).

To be as brave as the people we help 54

Reporting Privacy & Information Security Incidents

In the event of the loss, disappearance, or theft of Shire Corporate Information, including but not limited to Personal Information, or Information Assets or equipment in any form, you are required to follow this procedure:
Immediately report the incident to the Shire Global IS Service Desk (247247). Immediately report the incident to your line manager/supervisor. Working with the Shire Global IS Service Desk, immediately change all of your Shire passwords and access codes. Complete the Equipment Loss, Damage or Theft Report (available on ORBIT) within 48 hours of discovery of the incident, and send it to the Information Security team via email at

ShireInformationSecurity@shire.com.

To be as brave as the people we help 55

Who Should You Contact With Questions?

For guidance about the appropriate classification and use of Personal Information you collect and handle:
Contact your local legal counsel or email the Privacy Director in Global Compliance & Risk Management at PrivacyConnect@Shire.com.

For guidance about the appropriate use of Shires technology resources:

Contact Shire Information Security at ShireInformationSecurity@Shire.com.

To confidentially report a suspected data security breach:

Contact the Global Compliance Helpline where available. You can find the contact numbers on ORBIT.

To be as brave as the people we help 56

Thank you for taking this Privacy Training!

To be as brave as the people we help 57