If your inbox looks anything like mine, you have received quite a few notifications over the past few weeks about companies who have updated their guidelines to improve your privacy. These updates are in response to the GDPR (General Data Protection Regulation), the European Union’s new data privacy law, which came into effect as of May 5 2018.
Companies that collect, store or analyze information on EU residents must now be more transparent about the data they hold and who they share it with.
If an EU resident asks a company to delete his or her data, to send a copy of his or her data, or agrees to let a company collect his or her data but not use it in specific circumstances, the company must comply.
If the GDPR is specific to EU residents, why are companies based in other countries required to comply as well?
If a company or online service, regardless of where it is located, holds any data on an EU resident, it must comply. In effect, the GDPR has become a global standard. This is actually good news for non-EU residents, as they now share the same rights as EU residents, except that they have no legal right to complain if any issue related to this topic arises.
Canada Privacy Guidance Online
On May 24th, the day before the GDPR became applicable, the Canadian Privacy Commissioner issued 2 new Canadian privacy guidance documents to steer webpage owners in the right direction when it comes to content challenges on the internet. Here is a summary of the 2 Canadian privacy guidance documents. The information is copied directly from the documents because I did not want to use incorrect wording that would change the meaning of the guidance principles, but please keep in mind that I have only included the excerpts that I deemed most important. If you are a Canadian webpage owner that collects information on its viewers, then I strongly advise that you read both Canadian privacy guidance documents in their entirety.
The first guidance document focuses on meaningful consent and sets out 7 guiding principles.
1. Emphasize key elements
- Emphasizing certain key elements in privacy information and explaining them in a user-friendly way
2. Allow individuals to control the level of detail they get and when
- Information must be provided to individuals in manageable and easily-accessible ways (potentially including layers) and individuals should be able to control how much more detail they wish to obtain, and when.
3. Provide people with clear options to say ‘yes’ or ‘no’
4. Be innovative and creative
- Organizations should design and/or adopt innovative consent processes that can be implemented just-in-time, are specific to the context, and are appropriate to the type of interface used.
5. Consider the consumers’ perspective
- Consent is only valid where the individual can understand that to which they are consenting.
6. Make consent a dynamic and ongoing process
- Informed consent is an ongoing process that changes as circumstances change; organizations should not rely on a static moment in time but rather treat consent as a dynamic and interactive process.
- Organizations should also consider periodically reminding individuals about their privacy options and inviting them to review these.
- Organizations should periodically audit their information management practices to ensure that personal information continues to be handled in the way described to individuals.
7. Be accountable and stand ready to demonstrate compliance
- Organizations, when asked, should be in a position to demonstrate compliance, and in particular that the consent process they have implemented is sufficiently understandable from the general perspective of their target audience(s) as to allow for valid and meaningful consent.
The second guidance document clearly identifies ‘no-go zones’.
The “no-go zones” are:
- Collection, use or disclosure that is otherwise unlawful.
- Profiling or categorization that leads to unfair, unethical or discriminatory treatment contrary to human rights law.
- Collection, use or disclosure for purposes that are known or likely to cause significant harm to the individual.
- Publishing personal information with the intended purpose of charging individuals for its removal.
- Requiring passwords to social media accounts for the purpose of employee screening.
- Surveillance by an organization through audio or video functionality of the individual’s own device.
Pharma companies sometimes hold very personal information that could allow a person’s identity to be determined and perhaps even associate that person with various health issues. Since the social media profiles and blogs of pharmaceutical companies are often managed by the global office yet reach website users from around the world, it makes sense that the majority of pharmaceutical companies probably updated their privacy policies to better reflect the requirements of the GDPR as well, because they certainly get visitors to their sites from various European countries (amongst many other countries).
OK, so this response wasn’t earth shattering, but hey, they took the time to respond, and their response is definitely accurate and to the point.
Privacy disclaimer and community guidelines for Novo Nordisk’s social media accounts
We welcome and encourage your participation and engagement. When you engage with us on social media, you also agree to follow our disclaimer and community guidelines that explain how we use data and the restrictions of our social media pages.
Thank you for your understanding and for ensuring that your comments fit within these guidelines. While we reserve the right to remove any posting at our sole discretion, we are working to foster openness and dialogue and will therefore only remove comments that violate these guidelines.
1. The information we collect
We collect information for statistical purposes that can help us improve our communication. When you follow us on social media or engage with our content (via likes, shares, comments etc.) we automatically collect this information and use it to inform us whether our content is relevant, where our visitors come from, what they look for and act on, and where the most time is spent. The information we gather about impressions and engagement does not include any personally identifiable information.
2. Collection of sensitive data
We do not collect or retain sensitive personal data relating to your health, ethnic origin, religious beliefs or political conviction etc. on social media. In the rare case where we do seek to collect other sensitive data we will do so in strict compliance with local data privacy law.
6. Information provided “as is”
The information on our social media sites is provided “as is” and we make no representations or warranties, expressed or implied, including but not limited to the implied warranties of merchantability, fitness for a particular purpose or noninfringement.
We make no representations or warranties of any kind as to the completeness, accuracy, timeliness, availability, functionality and compliance with applicable laws.
By following our accounts you accept the risk that the information may be incomplete or inaccurate or may not meet your needs or requirements.
1. Product mentions and medical advice
Due to the nature of our industry, we cannot talk about certain topics with you online. If that is the case, we will let you know and provide other means in which to connect.
Our social media accounts are not intended for discussions about products made by Novo Nordisk A/S including the reporting of side effects associated with the use of prescription drugs.
Any questions or comments specific to products should be made to your healthcare professional.
Social media is not a place for us to provide healthcare advice. If you have questions about your health or the medicine you take, your doctor or health care provider is the person to ask. If you have issues with our medicines (an adverse event), or if you have a product inquiry or complaint, please contact Novo Nordisk’s office in the country in which you live.
For other comments or feedback please contact us via content (messages) on our accounts, which are managed by colleagues in Novo Nordisk in Denmark on behalf of our colleagues across the organisation.
2. Tone of voice
We welcome comments and questions and try to join the conversation whenever possible. However, we may remove any comments that: (1) are off-topic; (2) are inappropriate, vulgar or abusive; (3) are intended to spam; (4) reference a product; (5) solicit or offer medical advice; or (6) otherwise violate our community guidelines.
3. Information purposes
The content posted on our accounts is presented solely for informational purposes. The accounts do not provide you with advice or recommendation of any kind and should not be relied on as the basis for any decision or action. You are advised to consult professional advisors in the appropriate field with respect to the applicability of any particular aspect of the contents. In particular, nothing being posted constitutes an invitation or offer to invest or deal in Novo Nordisk securities.
Further, our accounts provide selected information on diseases and their treatment. Such information is not intended as medical advice and cannot substitute for the advice of a health care professional. If you have or suspect having any health problems, you should consult your general practitioner or other qualified health provider.
5. Replies, comments and direct messages
We welcome feedback and ideas from all our followers, and encourage you to join the conversation where possible. We will read all replies, comments and messages and ensure that any emerging themes or helpful suggestions are passed to the relevant people in our organisation.
Thanks for reading and for connecting with us.
*** Leave me a comment below to let me know if this information was helpful and if you like seeing examples of privacy policies and community guidelines by pharma and healthcare organizations.