Effective Revision Date (September 26, 2014)
Change synopsis: expanded definition of human resources information collected, added reference to SJM Employee Safe Harbor Policy and SJM Safe Harbor Notification Policy, changed sensitive personal information definition, added verification enforcement provision, added enforcement by the Federal Trade Commission (FTC).
St. Jude Medical (SJM) respects and protects personally identifiable information that we collect and/or maintain. As part of our commitment, SJM is certified to the U.S.-European Union Framework and U.S. - Swiss Safe Harbor Framework Agreements for the following personal information:
- human resources information regarding SJM EU and Swiss employees
- patient clinical trial
- patients enrolled in the Merlin.net™ Patient Care Network and the personal information of clinic customers using the Merlin.net™ Patient Care Network
This policy describes the principles we follow with respect to transfers of personal information belonging to employees, patients enrolled in clinical trials, and customers and patients enrolled in the Merlin.net™ Patient Care Network, whether in electronic, paper or verbal format, between countries in the European Union (EU), Switzerland and the United States.
The United States Department of Commerce and the European Commission have agreed on a set of data protection principles and frequently asked questions (the Safe Harbor Principles) to enable U.S. companies to satisfy EU and Swiss law requirements for adequate protection of personal information transferred from the EU and Switzerland to the United States. Consistent with our commitment to protect personal privacy, we adhere to the Safe Harbor Principles as stated in this policy, the SJM Employee Safe Harbor Policy for the EU and Switzerland, and the SJM Safe Harbor Notification Policy for EU and Swiss Employees.
To learn more about the Safe Harbor program and to view St. Jude Medical’s certifications, please visit http://www.export.gov/safeharbor/.
Agent - Any third party that processes personal information under the instructions of, and solely for, SJM or to which SJM discloses personal information for use on SJM’s behalf.
Customer - A hospital or clinic that provides treatment using St. Jude Medical devices and the Merlin.net™ Patient Care Network and/or the individual medical personnel (i.e. physicians and nurse) that use the Merlin.net™ Patient Care Network. Customers are data controllers and St. Jude Medical, Inc. is the data processor.
Employee - An individual employed by a SJM affiliate located in one of the EU member countries or Switzerland.
Patient - An individual in one of the EU member countries or Switzerland enrolled in a clinical trial sponsored by St. Jude Medical or one of its affiliated companies, or an individual or customer enrolled in the Merlin.net™ Patient Care Network by their physician or clinic.
Personal information - Any information or set of information that identifies or could be used by or on behalf of SJM to identify an employee, patient enrolled in a clinical trial, or patient and customer in the Merlin.net™ Patient Care Network. Personal information does not include information that is encoded or anonymized and is not subject to re-identification, or publicly available information that has not been combined with non-public personal information.
Sensitive personal information - Personal information that receives heightened protection under various laws of geographies in which St. Jude Medical operates, including but not limited to: race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information that concerns health or sexual orientation.
St. Jude Medical or SJM - St. Jude Medical, Inc. For employee data SJM includes St. Jude Medical, Inc. (Corporate) and St. Jude Medical Cardiology Division, Inc., in the United States and territories. For patient data from clinical trials conducted in the EU or Switzerland, SJM includes St. Jude Medical, Inc. (Corporate), St. Jude Medical Cardiology Division Inc., Pacesetter, Inc., St. Jude Medical Atrial Fibrillation Division, Inc., Irvine Biomedical, Inc., and Advanced Neuromodulation Systems, Inc. For patient data collected in the EU or Switzerland and processed by the Merlin.net™ Patient Care Network, SJM includes St. Jude Medical, Inc. (Corporate) and Pacesetter, Inc.
The following privacy principles are based on the Safe Harbor Principles.
Where SJM collects personal information directly from employees or patients enrolled in clinical trials, we will inform them about the purposes for which we collect, process and use personal information about the employee, customer or patient, the types of non-agent third parties to which SJM discloses that information, and the choices and means, if any, SJM offers individuals for limiting the use and disclosure of their personal information. Notice will be provided in clear and conspicuous language at the time of collection, or as soon as practicable thereafter, and in any event before SJM uses the information for a purpose other than that for which it was originally collected. Personal data about patients enrolled in clinical trials may be used in a manner consistent with the general research purpose for which the data were originally collected; this includes use in future medical and pharmaceutical research activities that are unanticipated at the time of original collection. Where SJM acts as a data processor for the Merlin.net™ Patient Care Network, we will provide information to the data controller (the Customer) about how the system processes personal information, and the data controller will be responsible for informing its patients and staff about the collection, processing and use and will obtain consent from patients and, where necessary, from their staff as part of the enrollment process in the Merlin.net™ Patient Care Network; the personal information of individuals enrolled in the Merlin.net™ Patient Care Network may be used in a manner consistent with the consents obtained or information provided by the Customer at the time of enrollment.
Where SJM collects personal information directly from employees in the EU or Switzerland, or patients enrolled in clinical trials in the EU and Switzerland, we will offer the opportunity to choose (opt-out) whether their personal information is (a) to be disclosed to a non-agent third party or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. SJM will provide individuals with reasonable mechanisms to exercise their choices. Where SJM receives personal information as a data processor for the Merlin.net™ Patient Care Network, SJM will work with the data controller to provide reasonable mechanisms for individuals to exercise their choices and process the data as directed by the data controller.
For sensitive personal information, SJM will give employees, or patients enrolled in clinical trials, the opportunity to affirmatively and explicitly consent (opt-in) to the disclosure of the information to a non-agent third-party or the use of the information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the employee or patient. Where SJM is the data processor for the Merlin.net™ Patient Care Network, SJM will process the data as directed by the data controller.
Onward Transfers to Third Parties
In cases of onward transfers to third parties, SJM will obtain assurances from third party business partners (agents) that they will safeguard personal information consistent with our policies. Examples of appropriate assurances that may be provided by third party business partners include: a contract obligating the third party to provide at least the same level of protection as is required by the relevant Safe Harbor Principles, being subject to EU Directive 95/46/EC (the EU Data Protection Directive), Safe Harbor certification by the third party, or being subject to another European Commission adequacy finding. Where SJM has knowledge that a third party business partner is using or disclosing personal information in a manner contrary to the company policy, SJM will take reasonable steps to prevent or stop the use or disclosure.
SJM will take reasonable precautions to protect personal information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction.
SJM will use personal information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the employee or patient enrolled in a clinical trial. Where SJM is a data processor for patient or customer data in the Merlin.net™ Patient Care Network, SJM will process that data consistent with the direction of the data controller. SJM will take reasonable steps to ensure that personal information is relevant to its intended use, accurate, complete, and current.
Upon request, SJM will grant employees, or patients enrolled in a clinical trial, reasonable access to personal information that it holds about them. In addition, SJM will take reasonable steps to permit individuals to correct, amend or delete information that is demonstrated to be inaccurate or incomplete. Where SJM is a data processor for the Merlin.net™ Patient Care Network, SJM will act at the direction of the data controller.
SJM will use a self-assessment verification approach and conduct compliance audits of its applicable privacy practices to verify adherence to this policy. St. Jude Medical’s employees receive Safe Harbor training annually. Self-assessment verification efforts are enforceable under Article 5 of the Federal Trade Commission (FTC). The FTC can enforce self-regulatory efforts made by SJM. SJM must include an independent recourse enforcement method, and can satisfy this requirement by the commitment to cooperate with the Data Protection Panel in the EU.
Enforcement and Dispute Resolution
Complaints or concerns for employee, patient clinical trial data, customer or patient data in the Merlin.net™ Patient Care Network should be addressed to the Chief Privacy Officer. Any employee that SJM determines is in violation of this policy will be subject to disciplinary action up to and including termination of employment. Any complaints or concerns that cannot be resolved internally will be referred to the Data Protection Panel comprised of EU or Swiss data protection regulators. SJM commits to following the determination and advice of this body.
Limitation on Scope of Principles
Adherence by SJM to this policy may be limited to the extent required to meet legal, governmental or national security obligations, including requirements to cooperate with law enforcement.
Changes to This Policy
This policy may be amended from time to time, consistent with the requirements of the Safe Harbor Principles. The revisions will take effect on the date of publication of the amended policy, as stated. The change synopsis will notify you of any material changes to the policy.
Complaints, questions, or comments on SJM’s Safe Harbor Policy, data collection and processing practices? Send your inquiries to:
Chief Privacy Officer
St. Jude Medical, Inc.
One St. Jude Medical Drive
St. Paul, MN 55117 USA