Global Privacy Policy

A. PURPOSE

In the regular course of business, Baxter International Inc. ("Baxter") acquires Personal Information through interaction and communication with patients, healthcare professionals, employees, and others. Baxter recognizes and respects the privacy rights of individuals with regard to such Personal Information. As evidence of its commitment to privacy, Baxter's management has established this Policy and Baxter's Global Privacy Program to ensure that respect for privacy is a key part of Baxter's company culture and operations.

This Global Privacy Policy is designed to accomplish the following objectives:

  • Increase awareness of regulatory, legal, and corporate requirements for handling and protecting Personal Information;
  • Set forth a clear and comprehensive corporate policy for handling Personal Information;
  • Establish accountability for all individuals who handle Personal Information; and
  • Enable Baxter to meet business, legal, and regulatory responsibilities relating to Personal Information.

B. SCOPE AND APPLICABILITY

This Policy establishes a minimum worldwide standard within Baxter for collecting, using and protecting Personal Information. It covers any Personal Information that is collected, stored, processed, or transferred in electronic or paper form in connection with Baxter’s business operations, such as information from patients, health care professionals (e.g., physicians, pharmacists, and nurses), employees or third party business associates.

This Policy must be implemented and followed in all Baxter businesses, functions, regions, and subsidiary companies, including those located in jurisdictions in which the privacy protections provided by the Policy are not legally required. Since Baxter business entities must always comply with relevant local laws and regulations, such laws and regulations are to be followed even if they conflict with certain aspects of this Policy and related standards. In addition, since Baxter participates in the International Safe Harbor Program, Baxter business units in the U.S. must always follow the Safe Harbor Privacy Principles, which may be more detailed than corresponding provisions of this Policy, in handling Personal Information transferred from the European Union or Switzerland to the United States.

This Policy is to be followed not only internally, but also by all Baxter agents, temporary staff, contractors, service providers and consultants in their handling and processing of Personal Information on behalf of the company. Policy awareness training for such parties is to be managed by the owner of the Third Party relationship.

As of the effective date this Policy replaces and supersedes the former Baxter Global Privacy Statement and Baxter Global Privacy Principles. All Personal Information must be handled and protected according to the requirements set forth in this Policy, subject to the circumstances described under the Exceptions (Section Q) of this Policy.

C. DEFINITIONS

TERM: DEFINITION

Baxter's Global Privacy Program: The global privacy compliance program approved by Baxter's Corporate Responsibility Office.
Confidentiality: Ensuring that information is accessible only to those authorized to have access.
Data Privacy: The legal rights and expectations of individuals to control how their Personal Information is collected and used.
Data Protection Authority: Governmental agencies responsible for the enforcement and interpretation of local privacy laws and regulations.
Data Quality: The accuracy, completeness and relevancy of information.
Explicit Consent: Agreement by an individual, demonstrated by an observable or affirmative act, whether in writing, orally or by some other means.
Global Information Security Officer (GISO): IT Director responsible for Information Security strategy and activities throughout the global Baxter organization.
Global Policy: A set of rules applicable to all business, regional and functional units or domains that must be adhered to by all persons accountable to these domains. Specific policies may be adapted to enable scalability and flexibility.
Global Privacy Officer (GPO): Corporate Counsel responsible for Data Privacy strategy and activities throughout the global Baxter organization.
Implicit Consent: Agreement by an individual, inferred from the context or by the inaction of the individual.
Information Security: The means of ensuring that data and/or information is protected from corruption (Integrity), destruction (Availability), and/or disclosure (Confidentiality).
Personal Information: Any information about an identified or identifiable individual.
Processing: Any operation or set of operations which is performed upon Personal Information.
Sensitive Personal Information: Definitions of sensitive information vary from country to country. European data protection laws treat certain categories of information as especially sensitive: information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life. Other categories of personal data are subject to additional protections under national law in some European countries: information about criminal history, civil judgments, administrative sanctions, government security measures, government-issued ID numbers, biometric data, genetic data, geo-location data, and personality profiling. Personal information subject to legal and regulatory protection in the United States includes information about age, gender, ethnicity, health, disability, sexual orientation, children under 13, credit history, bankruptcy, garnishments, genetics, Social Security Numbers, driver's license numbers, financial account and payment card details (in combination with PINs or other access codes), and other non-public financial and medical data.
Standard: Derived from generally accepted industry standard frameworks, a specific set of rules that are designed to structure and guide implementation of policy and allow an organization to operate uniformly and effectively; a set of auditable minimum requirements that support policy objectives.
Third Party: An entity that is independent and legally distinct from Baxter or any of its businesses or subsidiary companies.

D. POLICY

1.0 Management

To establish a comprehensive privacy program, Baxter has adopted internationally accepted principles of fair information practice as the basis for this Policy. These principles were further aligned with concepts and requirements from the European Union's Data Protection Directive (95/46/EC) and the U.S. Department of Commerce's International Safe Harbor Privacy Principles. They also follow the framework of the American Institute of Certified Public Accountants' (AICPA) Generally Accepted Privacy Principles (GAPP).

2.0 Notice

Baxter must notify individuals about the purposes for which it collects, processes, stores and/or discloses information about them. Notice must be communicated in a clear and easy-to-understand manner.

At a minimum, the Notice statement must contain (unless it is evident from the context):

  • The type of information that is collected;
  • The purpose for which the information is collected;
  • If there is a legal requirement to collect the information, a statement of this fact;
  • How the information will be used or processed;
  • If the information will be collected by or disclosed to third parties, a statement of this fact and the purposes for doing so;
  • How individuals can access their information and correct or delete it if it is inaccurate; and
  • How to contact Baxter with questions, corrections, complaints, and disputes.

Where feasible, Baxter must provide the Notice to an individual at or before the time of the collection of Personal Information.

3.0 Choice and Consent

Baxter must obtain consent from individuals when required or appropriate. Baxter also must clearly communicate any choices available when Personal Information is collected or used by a third party, or disclosed by Baxter to such parties.

Specifically, when consent is required or appropriate, Baxter must:

  • Request the consent of the individual using the type of consent (opt-out or opt-in) that is required or appropriate;
  • Ensure that the choices provided to an individual are complete and clear (e.g., how to "opt-out");
  • Inform individuals of the consequences for failing to consent or to provide their information;
  • Inform individuals regarding how they can change their consent decisions, if this is feasible;
  • Verify that Baxter's use of individual Personal Information is consistent with consent obtained; and
  • Obtain new consent if Personal Information will be used for a purpose other than originally disclosed to the individual.

Consent must be obtained in accordance with local country laws and regulations (e.g., explicit and/or implicit consent). Additional safeguards that may be required, along with the definition of Sensitive Personal Information, may vary from country to country.

4.0 Collection

Baxter must collect or obtain Personal Information only in a fair and lawful manner.

Specifically, Baxter must:

  • Collect only as much Personal Information as is required by law or needed for the purposes about which the individual has been informed;
  • Collect Personal Information in a fair and non-deceptive manner;
  • Clearly indicate to individuals which Personal Information is required and which is optional at the time of collection;
  • Collect Personal Information from individuals consistent with local country and jurisdictional laws;
  • Collect Personal Information directly from the individual, when possible; and
  • Verify that Personal Information collected from third parties is reliable and legally obtained.

5.0 Use and Retention

Baxter must use, process, store, and/or retain Personal Information only for legitimate business purposes or as authorized by the individual.

Specifically, Baxter will use, store, and/or process Personal Information consistent with:

  • Stated purposes for which it was collected;
  • Consent obtained from the individual; and
  • Contractual, regulatory, and local country laws and requirements.

Personal Information must be retained and destroyed according to applicable Baxter data retention policies and procedures.

6.0 Access

Baxter must provide individuals about whom it processes Personal Information an opportunity to access and correct their information.

Specifically, Baxter must provide a:

  • Response to the request for access to Personal Information in a timely manner, in a format convenient for both Baxter and the individual; and
  • Chance to review the Personal Information, challenge its accuracy, and have it corrected, amended or deleted.

Baxter must authenticate individuals before allowing access to or providing Personal Information. Access to Personal Information may be denied if an unreasonable request is made (e.g., requests that do not follow the procedure outlined in the privacy Notice or requests which would provide Personal Information about others besides the requesting individual). However, in cases in which access is denied, Baxter must provide a reason to the individual and a point of contact for further inquiry.

7.0 Disclosure and Onward Transfer

Baxter may share an individual’s Personal Information with Third Parties as required for normal business operations, including providing services and products to patients, health care professionals (e.g., physicians, pharmacists, and nurses) and employees.

When disclosing information Baxter must:

  • Only disclose Personal Information to Third Parties for the purposes identified in the Notice provided to individuals;
  • Verify that Baxter's actions align with the consent provided by the individual, in addition to any legal and/or regulatory requirements;
  • Require Third Parties, through contractual clauses and/or written agreements, to adhere to a baseline of privacy and information security controls, as approved by the respective legal team; and
  • Require Third Parties to process Personal Information in accordance with the individuals' choices and consent.

The Baxter director, officer, employee, or contractor responsible for each Third Party relationship is responsible for ensuring that such Third Party complies with this Policy.

8.0 Security

Baxter takes reasonable precautions, including administrative, technical, personnel, and physical measures, to safeguard Personal Information against loss, misuse and unauthorized access, disclosure, alteration, destruction, and theft.

9.0 Data Integrity and Data Quality

Baxter must employ reasonable processes to keep Personal Information accurate, complete, and up-to-date for the purposes for which it was collected.

Specifically, Baxter must:

  • Implement procedures to keep Personal Information as accurate, complete and up-to-date as needed; and
  • To the extent feasible, allow and encourage individuals to keep their Personal Information accurate, complete and up-to-date.

10.0 Monitoring and Enforcement

Baxter is committed to monitoring and enforcing ongoing compliance with this Policy and with applicable privacy laws, regulations and obligations. The Global Privacy Officer is responsible for working with Baxter's legal staff to ensure such compliance.

Specifically, Baxter must:

  • Inform employees, customers, or patients with questions, concerns, or complaints about Baxter's privacy practices as to how they can contact Baxter. Individuals may:
  • Acknowledge, formally document, investigate, address and respond in a timely manner to formal complaints that are received.
  • Provide a readily available and affordable independent dispute resolution mechanism to handle complaints not resolved to the individual's satisfaction through Baxter's internal procedures, as follows:
    • In jurisdictions with data protection or privacy authorities that assist individuals with complaints, Baxter is committed to working with such authorities to resolve the complaint and to complying with their decisions.
    • In other jurisdictions, Baxter will provide an independent alternative dispute resolution mechanism administered by the CPR Institute for Dispute Resolution (www.cpradr.org) and comply with the outcome of such procedures.
  • Include conformance to provisions of this Policy in certain standard audits of company operations involving Personal Information.
  • Perform periodic privacy compliance assessments of Baxter's internal practices to ensure that they conform to this Policy and related standards, as well as to applicable privacy laws, regulations and obligations.

Any and all potential, apparent or actual violations of this Policy must be immediately reported to the Global Privacy Officer.

11.0 Consequences of Non-Compliance

All Baxter directors, officers, employees, agents and contractors are expected to fully comply with this Policy. Violations of this Policy will be investigated and remediated. Failure to comply with this Policy may result in disciplinary action up to and including termination of employment or contract.

The Global Privacy Officer must approve exemptions from adherence to particular provisions of this Policy. Exemptions to this Policy will only be considered if special circumstances do not allow for the practical implementation of a requirement, if a local or regional law or regulation supports a requested exemption, and if there are compensating controls in place to mitigate the risk.

12.0 Exceptions

Under certain limited or exceptional circumstances, Baxter may, as permitted or required by applicable laws and obligations, process Personal Information without providing notice or seeking consent. Examples of such circumstances include investigation of specific allegations of wrongdoing or criminal activity; protecting employees, the public or Baxter from harm or wrongdoing; cooperating with law enforcement agencies; auditing financial results or compliance activities; responding to legal requirements or process; meeting legal or insurance requirements or defending legal claims or interests; satisfying labor laws or agreements or other legal obligations; collecting debts; protecting Baxter’s information assets; in emergency situations, when vital interests of the individual, such as life or health, are at stake; succession planning; business re-organization; and in cases of business necessity.

In addition, Baxter may, as permitted or required by applicable law and obligations, process Personal Information without providing access, such as in the circumstances described above; when the privacy interests of others would be jeopardized; or where the burden or expense of providing access would be disproportionate to the risks to the individual's privacy.