Our purpose
Table of Contents
Annual Update
Why is this training important to you?
Second City Skit
Message from Angus Russell
Course Objectives
Framework of Shire's Global Privacy Program
Module 1 Global Privacy Laws
Key Concepts
Module 2 Internal Privacy Principles
Notice
Choice
Access
Data Integrity
Disclosure to Third Parties
Security
Accountability & Enforcement
Privacy by Design
Module 4 Information Security
Why Information Security is a Priority
Shire's Corporate Information Security Policy
What is Electronic Communication
No Expectation of Privacy
Associated Policies
Module 5 Defensive Intelligence Practices
Information Security & You
Personal & Confidential Information
Where is Information at Risk?
Best Practice Workspaces/Devices
Handling Personal or Confidential Info
Traveling & Working in Public
Phone/Email
Meeting Rooms & Offsites
Conferences & Traveling
Visitors & 3rd Parties
Reporting Privacy & Information Security Incidents
Who Should you Contact
This training program update is designed to refresh your awareness of Shire's Global Privacy Program and steps you can take to maintain Shire's commitment to data privacy and security. There are five sections to this training:
Global Privacy Laws
Shire's Privacy Principles
Shire's External Privacy Statements
Information Security
Defensive Intelligence Practices
This is a refresher course that builds upon basic training that began in 2009. The basic training slide deck is still available on ORBIT (English language only). Go to Compliance & Risk Management / Privacy Compliance Program to find the original slide deck.
Every day around the world Shire accesses, collects, stores, analyzes and shares personally identifiable information from multiple sources in order to conduct its business and enable people with life-altering conditions to lead better lives.
Protecting personally identifiable information and respecting privacy are fundamental parts of our commitment to patients, healthcare professionals, our employees, and the community.
Shire employees at all levels have access to information that is confidential or proprietary to the organization. We all share an obligation to protect that information. The loss or theft of Shire's confidential information is a risk to the company, and possibly to you, personally.
This training update is an important part of Shire's global compliance program and our efforts to comply with laws and regulations governing data privacy and security. It will help prepare you to represent our team in the positive, ethical manner that has come to define who we are at Shire. Thank you for participating.
Understand the framework of Shire's Global Privacy Program and some key concepts.
Understand that it is your responsibility to apply Shire's Privacy and Security policies in all your business interactions.
Locate resources for questions and concerns about information privacy and security.
This training is mandatory on an annual basis for all Shire employees/contractors who have a Shire e-mail account or have access to Shire systems/applications.
To be as brave as the people we help
Defensive Intelligence practices in our day-to-day operations help us maintain our commitment to privacy and data security.
Shire's Corporate Information Security Policy provides guidance on protecting Shire's electronic information assets.
Shire's external Privacy Statements (or Policies) that are viewed by the public on our websites communicate the minimum standards that Shire endeavors to maintain regarding the collection and use of personal information on that site.
Shire's Internal Privacy Principles communicate the key principles guiding our internal data protection activities.
Global Privacy Laws are designed to protect the privacy and security of personal information used in commerce.
Module 1
Global Privacy Laws
Global Privacy Laws are designed to protect the privacy and security of personal information used in commerce.
There are more than 100 countries that have privacy and/or data protection laws protecting Personal Information* - over 150 laws in the aggregate - and the number is increasing.
* Note that the terms personal data, personal information, and personally identifiable information or PII may be used throughout this training and are intended to mean Personal Information as defined in Shire's Privacy Principles. Personal Information deemed sensitive may or may not be more specifically defined by law or regulation depending upon the country. Some examples are provided in Shire's Privacy Principles.
International Data Transfer - One of the key privacy and data protection issues we deal with at Shire is the need to transfer data in order to operate globally among our own affiliates or with third parties.
Certain countries do not allow international data transfer of Personal Information! International Data Transfer means moving data from one country to another (trans-border) as well as being able to access or view data in one country from another country. The member states of the EU/EEA, Switzerland, and some other countries prohibit international data transfer of Personal Information to countries that don't have privacy laws similar to the European standard. The USA is one such country.
Global Privacy Laws Key Concept International Data Transfer Not Permitted - Examples
US-located server
EU-located server
Load to corporate database in EEA, to be viewed/accessed by a person in the US or some other country where not permitted.
US-located person
Global Privacy Laws Key Concept International Data Transfer Compliant Options
There are mechanisms available to allow trans-border transfer of PII:
Consent of the Data Subject
International Data Transfer Agreements
Contact the Director of Privacy at PrivacyConnect@Shire.com or your local Legal Department for more information.
Module 2
Shire's Privacy Principles
Notice
Choice
Access
Data Integrity
Disclosure to Third Parties
Notice
We respect the privacy of Personal Information. We offer privacy notices that explain how and why we handle Personal Information.
Where required by law and according to local requirements, we inform individuals when Personal Information is collected about them.
Choice
Where appropriate, we respect individual choices regarding the collection, use and disclosure of Personal Information. We only collect, use, disclose and retain Personal Information that is relevant and useful to effectively conduct/administer our business.
Where required by law, regulations, or guidelines, we obtain an individual's consent to process (use, maintain, transfer or otherwise handle) their Personal Information.
Access
We strive to provide individuals the opportunity to access the Personal Information relating to them and, where applicable, to comply with requests to correct, amend, or rectify the Personal Information where incomplete, inaccurate or not compliant with the standards and procedures established at Shire.
Data Integrity
We use reasonable efforts to keep Personal Information accurate, complete, up-to-date and reliable for the intended use. We retain Personal Information as needed to fulfill our legal and business obligations.
Security
We use appropriate information security safeguards and records management to protect Personal Information.
Module 3
Shire's External Privacy Statements
Notice
Choice
Access
Data Integrity
Disclosure to Third Parties
Notice
Our Statement is designed to tell visitors to the site about our practices regarding collection, use, and disclosure of information they may provide, either actively or passively, via the site.
Our Statement may have special provisions about collecting information from children, where applicable.
Choice
Our Statement tells the visitor they have a choice whether or not to agree to our policy for the use of the site and may be asked to Opt In or Opt Out of that consent.
Access
Our Statement provides a means to contact Shire with any questions, comments, or concerns about our information practices or to request that information be corrected or removed.
Data Integrity
Our Statement says that we will keep personally identifiable information accurate, current, and complete, and we will take reasonable steps to update or correct the information in our possession based on what the visitor has submitted.
Security
Our Statement says that we take reasonable steps to protect personally identifiable information from loss, misuse, unauthorized access, disclosure, alteration, or destruction. We will retain the information only as long as needed to fulfill the purposes for which it was collected, or until a user requests it to be deleted. We will endeavor to notify the data owner in the event of an incident or breach of personally identifiable information.
Module 4
Information Security
Why Information Security Is A Priority
The Value of Information
Shire holds sensitive information on patients, providers and employees, trade secrets, research and other information that gives a competitive edge. As more and more of this information is stored and processed electronically and transmitted across company networks or the internet, the risk of unauthorized access increases and we are presented with growing challenges of how best to protect it.
Protecting Information
Steps must be put in place to protect information. If left unprotected, information could fall into the wrong hands, where it can wreck lives, bring down businesses and even be used to commit harm. Ensuring that information is appropriately protected is both a business and legal requirement.
Information Breaches
When information is not adequately protected, it may be compromised; this is known as an information or security breach. The consequences of an information breach are potentially severe, and may entail significant financial penalties, expensive lawsuits, and loss of reputation and business that put our ability to serve our patients at risk.
Shire's Corporate Information Security Policy
All employees, contractors, third parties, and anyone with access to Shire information systems are required to read, understand, acknowledge, and comply with the Corporate Information Security Policy.
The Corporate Information Security Policy defines the minimum information protection requirements for Shire. Certain jurisdictions may have more stringent protection requirements that must be complied with. In addition to general policy guidelines and roles and responsibilities, it provides specific policy statements for:
Access Protection
Network and Remote Access Security
Appropriate Use of Technology resources
Laptops, Desktops, and Mobile Devices
Licenses and Copyrights
Risk Assessment, Information, Classification, and Risk Acceptance
Shire's Corporate Information Security Policy
Everyone is responsible for the protection of the data in their possession (electronic and paper) and must exercise due care against its theft, loss, or damage:
Use only authorized software and do not tamper with security software on your device.
Establishing rogue wireless networks, utilizing unauthorized remote access services or using unauthorized internet file sharing/storage technologies are not allowed.
Avoid storing important files on your laptop's hard drive. Instead use a company file share that is backed up and protected.
Do NOT leave your laptop or mobile device unattended.
All Shire assets (electronic files, documents, computers, phones, iPads, etc.) must be returned upon termination of employment.
If you need help with using any devices, contact the Shire Help Desk at Ext. 247247 or 247247@Shire.com.
What is Electronic Communication
For the purposes of the Corporate Information Security Policy, electronic communication is a method of exchanging digital data across the Internet or other networks. This includes, but is not limited to, email, Instant Messaging, Shiral and other forms of electronic Social Media. Appropriate, professional behavior, as well as compliance with Shire Security and Privacy policies, is mandatory regardless of communication method or data type.
No Expectation of Privacy
Associated Policies
Employees should make themselves aware of associated Shire Policies that address information handling and ethics:
Employee Code of Ethics Policy
Social Media Policy
Corporate Responsibility
HR Policies regarding standards of employee conduct:
Media, Legal and Government Inquiries
Policies regarding harassment and discrimination
Policies regarding personal information protection for employees
Any employment or other agreement you may have signed which contains confidentiality provisions.
Module 5
Defensive Intelligence Practices
See Shire's Keep it Confidential e-Guide on ORBIT for more information and tips on safeguarding Shire Information.
Good defensive intelligence is largely common sense. Taking some simple steps can have a dramatic impact.
Third parties will be interested in many different types of information; not all of it may be related to Shire brands.
All of these can be considered Personal and Confidential Information:
Clinical trial data
Employee information
Organisational structure
Product strategy
P&R negotiations
Corporate policies
Salary information
Pipeline information
Launch timelines
Telephone
Workplaces/Devices
Conferences
Visitors
Hotels & Offsite Meetings
Meeting Rooms
Travel
Transfer to Vendor
All Participants
Hold discussions in private areas; be aware of your surroundings.
Identify everyone attending the meeting.
Ensure room will be secured if materials are to be left unattended during breaks.
Do not leave materials or devices in a meeting room overnight, even if the venue assures you it is OK.
ShireInformationSecurity@shire.com.