Safe Harbor Policy

Effective: March 2013

Change synopsis: added St. Jude Medical Cardiology Division, Inc. to the list of SJM companies receiving European Union employee data. 

St. Jude Medical (SJM) respects and protects personally identifiable information that we collect or maintain. As part of our commitment, SJM is certified to the U.S.-European Union Framework and U.S.-Swiss Safe Harbor Framework agreements regarding human resources and patient clinical trial personal information. This page describes the principles we follow with respect to transfers of personal information of our employees, and patients enrolled in clinical trials, whether in electronic, paper or verbal format, between countries in the European Union (EU), Switzerland and the United States.

Safe Harbor

The United States Department of Commerce and the European Commission have agreed on a set of data protection principles and frequently asked questions (the U.S.-EU Safe Harbor Framework) to enable U.S. companies to satisfy EU law requirements for adequate protection of personal information transferred from the EU to the United States. The United States Department of Commerce and the Federal Data Protection and Information Commissioner of Switzerland have agreed on a similar set of data protection principles and frequently asked questions (the U.S.-Swiss Safe Harbor Framework) to enable U.S. companies to satisfy Swiss law requirements for adequate protection of personal information transferred from Switzerland to the United States. Consistent with our commitment to protect personal privacy, we adhere to the U.S.-EU and U.S.-Swiss Safe Harbor Privacy Principles.

Definitions

Agent – Any third party that processes personal information under the instructions of, and solely for, SJM or to which SJM discloses personal information for use on SJM’s behalf.

Personal information – Any information or set of information that identifies or could be used by or on behalf of SJM to identify an employee, or patient enrolled in a clinical trial. Personal information does not include information that is encoded or anonymized and is not subject to re-identification, or publicly available information that has not been combined with non-public personal information.

Sensitive personal information – Personal information that reveals race, ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, or that concerns health or sexual orientation.

Employee – An individual employed by an SJM affiliate located in one of the EU member countries or Switzerland.

Patient – An individual enrolled in a clinical trial in one of the EU member countries or Switzerland sponsored by St. Jude Medical or one of its affiliated companies.

St. Jude Medical or SJM – St. Jude Medical, Inc. For employee data, SJM includes St. Jude Medical, Inc. (Corporate) and St. Jude Medical Cardiology Division, Inc., in the United States and territories. For patient data from clinical trials conducted in the EU or Switzerland, SJM includes St. Jude Medical, Inc. (Corporate), St. Jude Medical Cardiology Division, Inc., Pacesetter, Inc. (Cardiac Rhythm Management division), St. Jude Medical Atrial Fibrillation Division, Inc., Irvine Biomedical, Inc., and Advanced Neuromodulation Systems, Inc. (Neuromodulation division).

Privacy Principles

The following privacy principles are based on the Safe Harbor Privacy Principles.

Notice

Where SJM collects personal information directly from employees, or patients enrolled in clinical trials, we will inform them about the purposes for which we collect and use personal information about the employee or patient, the types of non-agent third parties to which SJM discloses that information, and the choices and means, if any, SJM offers individuals for limiting the use and disclosure of their personal information. Notice will be provided in clear and conspicuous language at the time of collection, or as soon as practicable thereafter, and in any event before SJM uses the information for a purpose other than that for which it was originally collected. Personal data about patients enrolled in clinical trials may be used in a manner consistent with the general research purpose for which the data were originally collected; this includes use in future medical and pharmaceutical research activities that are unanticipated at the time of original collection.

Choice

Where SJM collects personal information directly from employees, or patients enrolled in clinical trials in the EU and Switzerland, we will offer the opportunity to choose (opt-out) whether their personal information is (a) to be disclosed to a non-agent third party or (b) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. SJM will provide individuals with reasonable mechanisms to exercise their choices.

For sensitive personal information, SJM will give employees, or patients enrolled in clinical trials, the opportunity to affirmatively and explicitly consent (opt-in) to the disclosure of the information to a non-agent third-party or the use of the information for a purpose other than the purpose for which it was originally collected or subsequently authorized by the employee or patient.

Onward Transfers to Third Parties

SJM will obtain assurances from third party business partners (agents) that they will safeguard personal information consistent with our policies. Examples of appropriate assurances that may be provided by third party business partners include: a contract obligating the third party to provide at least the same level of protection as is required by the relevant Safe Harbor Privacy Principles, being subject to EU Directive 95/46/EC (the EU Data Protection Directive), Safe Harbor certification by the third party, or being subject to another European Commission adequacy finding. Where SJM has knowledge that a third party business partner is using or disclosing personal information in a manner contrary to the company policy, SJM will take reasonable steps to prevent or stop the use or disclosure.

Security

SJM will take reasonable precautions to protect personal information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction.

Data Integrity

SJM will use personal information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the employee or patient enrolled in a clinical trial. SJM will take reasonable steps to ensure that personal information is relevant to its intended use, accurate, complete, and current.

Access

Upon request, SJM will grant employees, or patients enrolled in a clinical trial, reasonable access to personal information that it holds about them. In addition, SJM will take reasonable steps to permit individuals to correct, amend or delete information that is demonstrated to be inaccurate or incomplete.

Enforcement and Dispute Resolution

SJM will conduct compliance audits of its relevant privacy practices to verify adherence to this policy. Any employee that SJM determines is in violation of this policy will be subject to disciplinary action up to and including termination of employment. Complaints or concerns for employee or patient clinical trial data that cannot be resolved internally will be referred to the Data Protection Panel comprised of EU data protection authorities or the Federal Data Protection and Information Commissioner of Switzerland. SJM commits to following the determination and advice of these bodies.

Limitation on Scope of Principles

Adherence by SJM to this policy may be limited to the extent required to meet legal, governmental or national security obligations, including requirements to cooperate with law enforcement.

Changes to This Policy

This policy may be amended from time to time, consistent with the requirements of the Safe Harbor Privacy Principles. The revisions will take effect on the date of publication of the amended policy, as stated. The change synopsis will notify you of any material changes to the policy.

Contact Information

Questions or comments on SJM’s Safe Harbor Policy, data collection and processing practices? Send your inquiries to:
Chief Privacy Officer
One St. Jude Medical Drive
St. Paul, MN 55117 USA
1-651-756-2000
safeharbor@sjm.com