Protecting Sensitive Data

Click the forward arrow to begin.

At Abbott, we rely on data to make decisions - often that data contains sensitive information.

For us to fulfill our mission of helping people live their best lives through good health, it is essential that we keep this data secure and comply with the laws and ethical standards that Abbott upholds. This course is designed to give you the skills needed to support this task.

After completing this course, you will have a better understanding of:

• What sensitive data is,
• How we protect this data at Abbott,
• Your role in protecting sensitive data, and
• What to do if you think sensitive data may have been improperly disclosed or compromised.

1 | Personal Information

Here you will learn how governments, consumers, and the public have become increasingly concerned about the privacy and security of personal information.

12 Minutes

Section 1 | Personal Information

Recognizing Personal Information

Legal, Regulatory and Contractual Requirements

Abbott’s Privacy by Design Principles

Review

2 | Confidential Business Information

Here you will learn how most of the business information we use in our day-to-day work activities is considered confidential.

5 Minutes

Section 2 | Confidential Business Information

Recognizing Confidential Business Information

Cost of Not Protecting Confidential Business Information

Insider Information

Review

3 | Protecting Sensitive Data

Here you will learn what you can do to help protect sensitive data.

8 Minutes

Section 3 | Your Role in Protecting Sensitive Data

Accessing and Using Sensitive Data

Sharing Sensitive Data

Retaining and Disposing of Sensitive Data

Responding to Improper Disclosures

Review

4 | Knowledge Check

Assess your understanding of the key concepts and principles of this course.

5 Minutes

Section 4 | Knowledge Check

Assessment

Click the panel to get started.

Click the yellow play button to begin.

This content is not yet available. You must complete Section{a} {b}.

At Abbott, one common type of sensitive data we use is personal information.

In recent years, governments, consumers, and the general public have become increasingly concerned about the privacy and security of personal information.

Personal information is any information that can be used to contact, locate, or otherwise identify an individual.

Kandice | Marketing Manager

Can you give me some examples of personal information?

Personal information can include biographical information, such as name, date of birth, email address and phone number.

It can include information relating to an individual’s appearance, such as hair color or weight.

It can also include information relating to an individual’s personal life, such as photos, browser cookies or location tracking information.

Jerry | Sales Representative

Does personal information also include protected health information?

Yes, it does.

Protected health information (PHI) is a particularly sensitive type of personal information used in the healthcare industry. It includes any personally identifiable information in medical records, including conversations between medical professionals about treatment.

In most countries in which Abbott conducts business, there are laws and regulations in place designed to protect personal information, including protected health information.

Laws relating to privacy and protection of personal information differ from one country to the next, but often embrace the same core principles.

CLICK EACH OF THE HIGHLIGHTED AREAS ONSCREEN TO LEARN ABOUT THE DIFFERENT TYPES OF PRIVACY LAWS AND REQUIREMENTS IN PLACE AROUND THE WORLD.

Europe

In Europe, the General Data Protection Regulation (GDPR) is one of the most comprehensive privacy laws globally, and since its implementation in 2018, it has set the standard for privacy protection that other countries are trying to emulate. GDPR applies to organizations located within Europe, as well as organizations located outside of Europe that offer goods and services to or monitor the behavior of any individual residing in Europe.

One of the key concepts of GDPR is the right to erasure, also known as the right to be forgotten. This right gives individuals the ability to request that their personal data be erased from an organization's records. If an individual makes such a request, the organization must take steps to erase the data from its systems and prevent its further use or disclosure. There may be exceptions to data subject requests. Nonetheless, Abbott will inform each validated data subject of what action is taken for each request. Violations of GDPR can result in heavy fines for companies, up to 4% of their annual global turnover, or 20 million euros (whichever is greater), for the most serious offenses.

United States

In the United States, there is no single law that protects all personal information. Instead, there are privacy laws and regulations that apply to specific industries and types of data. For example, HIPAA protects the privacy of healthcare data, while the Fair Credit Reporting Act protects credit information.

However, some states have begun enacting their own comprehensive data privacy laws. For instance, California has the California Consumer Privacy Act (CCPA), which gives Californians certain rights to their data, such as the right to know what personal information is being collected about them and the right to delete any personal information collected. The CCPA will be amended by the California Privacy Rights Act (CPRA) in 2023, which will give people even more rights to their data.

Other states that have passed their own data privacy laws include Virginia, Colorado, Utah, and Connecticut. While each state's law is different, they all generally give people rights to their data and require companies to provide certain disclosures about their data processing activities.

Fines for violating state privacy laws can be significant. For example, California can fine companies up to $7,500 USD per violation of the CCPA.

Canada

There are laws at both the federal and provincial levels in Canada that are designed to protect an individual's personal information. For example, the Personal Information Protection and Electronic Documents Act (PIPEDA) is a federal law that applies to private sector organizations and is enforced by the Office of the Privacy Commissioner of Canada.

At the provincial level, Quebec, Alberta, and British Columbia have enacted privacy laws that are similar to PIPEDA. Some other provinces also have rules in place that provide similar protections for personal information, including the provinces of Ontario, New Brunswick, Newfoundland and Labrador, and Nova Scotia, which have enacted health information privacy laws.

These laws are in place to help prevent personal information from being mishandled or collected without the individual's knowledge, and give people the right to access their own information and correct any errors.

Violating these laws can result in significant fines. For example, violating PIPEDA can lead to a fine of up to $100,000. In Alberta, the Personal Information Protection Act (PIPA) allows for fines of up to $10,000 for individuals and $500,000 for organizations.

Asia Pacific

The privacy laws in the Asia Pacific region are constantly expanding and becoming more comprehensive. Some countries, such as China, have implemented data localization measures which require companies to store some personal data on servers within their borders. Additionally, China has privacy and security impact assessment requirements for the cross-border transfer of personal information.

Others, like Australia and Singapore, have adopted a more consumer-focused approach to privacy that gives individuals greater control over their information, including the right to know how companies are using it and the ability to access and correct it if necessary.

The penalties for companies who violate data privacy laws also differ widely across the region. In China, for example, companies can be fined up to 500,000 RMB (about $72,000 USD) for violating data privacy laws.

However, in Singapore, companies can be fined up to 1 million (Singapore) dollars (about $737,000 USD) for violating the country’s privacy law.

Russia

Russia also has laws to protect its citizens' data, including a data localization law, which requires companies to store the personal data of Russian citizens on servers located in Russia.

The law applies to companies that process the data of Russia's citizens, regardless of whether those companies are based in Russia or not. So, for example, a U.S.-based company that processes the data of Russian citizens would need to comply with the law.

Like many countries, the law also requires companies to take steps to protect the personal data they process. For example, companies must ensure that the data is accurate and up-to-date and take steps to prevent it from being mishandled, lost, or stolen.

The fines for violating the law can range from $12,000 to $72,000 USD for the first offense and up to $216,000 USD for the second offense.

Latin America

Most Latin American countries have laws in place that protect the privacy of individuals. However, many countries in the region, such as Ecuador, Argentina and Brazil, have recently revised their existing privacy regulations to stay current with international standards.

Ecuador, for example, recently passed the Organic Law on the Protection of Personal Data (LPPD), which will go into effect in 2023. This law applies to any company around the world that processes the personal data of individuals in Ecuador.

Like others in the region, the LPPD requires companies to provide notice and collect consent from individuals before using their data, destroy it when it is no longer needed, and meet certain restrictions before data is shared with other countries. These measures help protect the privacy of individuals across Latin America and ensure that companies are handling personal data responsibly.

Violations of the LPPD can result in significant fines, ranging from 3% to 17% of an organization’s annual revenue from the previous year, providing a strong incentive for companies to comply with the law.

In addition to laws and regulations governing how Abbott conducts business, there may be additional obligations in specific contracts we have with customers.

For example, the U.S. government is a customer of Abbott. Under the terms of such an agreement, we are required to meet the obligations set out in the U.S. Privacy Act of 1974.

CLICK THE ‘PRIVACY ACT’ BUTTON TO LEARN MORE.

Privacy Act

The Privacy Act of 1974 (5 U.S.C. 552a) is an important Federal regulation. It establishes a Code of Fair Information Practice that governs the collection, maintenance, use, and dissemination of personally identifiable information about individuals maintained in systems of records by federal agencies. For certain transactions, Abbott may be granted access to government agency records. In such cases, Abbott must meet several obligations, including the need to demonstrate that privacy training on protecting personally identifiable information has been conducted.

Employees should contact Legal before entering into any agreements with customers that have privacy obligations.

The laws, regulations, and contractual requirements we have just reviewed are often complex and can change rapidly.

Abbott has policies and procedures in place to ensure employees comply with these laws and regulations. If you have any questions or want to learn more, contact OEC or a member of the Global Privacy team.

For contacts and additional information, click the Resources icon.

Collection

• Notice
• Consent

MANAGEMENT

• Data Integrity
• Access and Correction

Usage

• Disclosure and Use

Disposition

• Retention and Disposal

Abbott’s data privacy and protection policies and procedures are organized around a simple set of principles. We call this Privacy by Design.

These principles are designed to help employees protect sensitive data at each stage of the data lifecycle. To illustrate, let’s look specifically at personal information.

The first stage of the data lifecycle is collection.

During this stage, Abbott uses a variety of methods to collect personal information. For example, we may request consumers to provide contact details at an Abbott website, or we may capture personal data generated from one of our devices.

In order to protect the privacy rights of the individuals during this stage, we maintain processes to ensure we adhere to the Privacy by Design principles of Notice and Consent.

Notice is about letting people know what personal information is being collected and explaining in clear, precise, and unambiguous language how we plan to use that information.

For example, when submitting an inquiry at abbott.com, the personal information we collect is used for the sole purpose of responding to the inquiry.

Consent is about providing individuals with the opportunity to agree to the collection and use of their personal information.

Generally, when we seek consent, we ensure it is:

• Freely given. The individual is never coerced or told that consent is a requirement.
• Informed. The individual is given sufficient information to make a reasonable decision to which they are consenting.
• Affirmative. The individual must affirmatively provide consent. We never assign consent, for example, through an individual’s silence, nor do we require the individual to take some action, such as unchecking a box, to opt out of something.
• Revocable. The individual is provided with a clear explanation of how to revoke consent.

For example, a consumer registering with the Abbott Nutrition Similac© Strong Moms© Rewards program can consent to the collection and use of their Personal Information by opting in (e.g., checking a box) to receive additional promotional information.

The second stage of the data lifecycle is management.

During this stage, information is processed and stored.

In order to protect personal information during this stage, we maintain processes that ensure we adhere to the principles of:

• Data Integrity, and
• Access and Correction.

Data Integrity is about taking reasonable measures to ensure that the personal information we retain is accurate, complete, and current.

One way we do this is by tracking and recording all activities that process personal information. This ensures we can identify the source of the data, the specific purposes for which the data has been processed, and where it is stored.

Access and Correction is about providing individuals with reasonable access to their data and the opportunity to exercise their rights in connection with this data.

This includes responding to an individual’s request to access, delete, transfer, or amend the stored records of personal information.

The third stage of the lifecycle is usage.

During this stage, personal information is used to support activities across the organization.

In order to protect personal information during this stage, we maintain processes that ensure we adhere to the principle of Disclosure and Use.

Disclosure and Use is about controlling who has access to personal information and limiting use to specific purposes.

We manage this through access controls and other processes. These controls and processes limit access to individuals in specific job functions as well as limiting use to the specific purposes set out in the notice for which consent was provided.

The final stage of the lifecycle is disposition.

Disposition refers to what happens to data once it is no longer actively being used. Activities may include deletion, archiving, or retaining for legal hold purposes.

In order to protect personal information during this stage, we maintain policies and processes that ensure we adhere to the principle of Retention and Disposal.

Retention and Disposal of personal information is about retaining personal information for only the time necessary to achieve the purposes for which it was needed and processed.

Once personal information is no longer required in an active production environment, Abbott has put in place processes to either archive or dispose of it in a manner consistent with Abbott’s data management, retention, and disposal requirements. Our retention and disposal requirements are also subject to any legal hold requirements relating to legal matters.

For additional information related to retention or disposal requirements, see Abbott’s Global Records and Information Policy (l1-02) or contact Information Governance and Records. Details can be found in the Resources section of this training.

For contacts and additional information, click the Resources icon.

As we have just seen, our policies and procedures are designed to protect personal information throughout its lifecycle.

We do this by adhering to the principles of:

• Notice,
• Consent,
• Data Integrity,
• Access and Correction,
• Disclosure and Use, and
• Retention and Disposal.

COLLECTION

Notice

Consent

MANAGEMENT

Data Integrity

Access and Correction

USAGE

Disclosure and Use

DISPOSITION

Retention and Disposal

Click the arrow to begin your review.

Review

Take a moment to review some of the key concepts covered in this section.

Personal Information (PI)

PI is any information that can be used to

• Contact
• Locate, or
• Identify an individual.

Protected Health Information (PHI)

PHI is a particularly sensitive type of personal information used in the healthcare industry.

Privacy Laws

Privacy laws differ from one country to the next, but often embrace the same core principles.

Abbott’s Privacy by Design Principles

Abbott’s data privacy and protection policies and procedures are organized around a set of principles, called Privacy by Design.

Notice and Consent

Notice and Consent is about letting people know what PI is being collected and providing them the opportunity to agree to that collection.

Data Integrity

Data Integrity is about taking reasonable measures to ensure that PI is accurate, complete, and current.

Access and Correction

Access and Correction is about providing individuals the right to access and correct their data.

Disclosure and Use

Disclosure and Use is about controlling who has access to PI.

Retention and Disposal

Retention and Disposal of PI is about retaining personal information for only the time necessary to achieve the purposes for which it was needed and processed.

To check your progress, click the Menu button

Great job!

You have completed section 1 of 4

Click the forward arrow to continue learning

Another type of sensitive data that we may frequently use is confidential business information.

Confidential business information is a broad category. It includes much of the business information we use and come in contact with on a daily basis. Confidential Information is information that is not publicly available that might be of use to Abbott’s competitors or harmful to Abbott if disclosed.

Kandice | Marketing Manager

Can you give me some examples of confidential business information?

Confidential business information can include, but is not limited to: product designs and processes, compositions, organisms, computer software, research and development data, clinical and pharmacological data, patient data, technical data, customer and prospective customer lists, business practices, marketing plans and strategies, financial and operational data, and personnel data.

It can also include purchasing information, such as bids for contracts, supplier lists, and costing information.

Jerry | Sales Representative

Are there certain types of confidential business information that are more sensitive than others?

Yes. Certain types of confidential business information require greater care than normal because improper disclosure or use of this information can cause serious harm to the company.

Examples include:

• Trade secrets, manufacturing formulas and processes;
• Clinical and regulatory data, regulatory submissions, or pre-approval information; and
• Financial data that has not been released to the public.

As you can see, most of the business information we use in our day-to-day work activities is considered confidential.

A good way to confirm whether the business information you are using is confidential is to ask yourself a simple question:

Is this information publicly available?

If the answer is no, then the information should be considered confidential and appropriate steps must be taken to protect it.

It is also important to remember that any confidential business information created as part of your job function at Abbott is Abbott’s property.

As a result, you must protect this information and cannot keep it if your Abbott employment ends.

Protecting confidential business information is crucial.

Not surprisingly, the improper use or disclosure of this information can result in significant harm to Abbott.

The improper use or disclosure of confidential information can significantly harm Abbott’s relationship with its customers and clients, lead to embarrassing press and media coverage, and result in the loss of competitive advantages for Abbott. It can also result in civil lawsuits and criminal penalties, including against current and former employees.

CLICK THE ‘RECENT CASES’ BUTTON FOR MORE INFORMATION.

RECENT CASES

In recent years, companies have received large jury verdicts and awards against former employees for improperly taking company information. For example, one company received $240 million award against a former employee who improperly disclosed the company’s confidential information to a competitor. Another company received an $854 million jury award against a former employee and his new employer when the former employee misappropriated the company’s confidential information and then used the company’s confidential information on behalf of the new employer.

Studies indicate that the theft of confidential information causes losses between $209 and $625 billion to publicly traded companies.

It should come as no surprise that authorities take the theft of confidential information very seriously.

For example, under federal criminal statutes, an individual can face up to ten years in prison and a $5 million fine for stealing confidential information. In addition, if a company is found guilty of stealing confidential information, it can be fined $10 million or three times the value of the confidential information.

CLICK THE ‘FINES AND PENALTIES’ BUTTON FOR MORE INFORMATION.

FINES AND PENALTIES

In recent years, several people and companies have been fined or sentenced to prison for stealing confidential information. For example:

• A competitor was fined $60 Million for stealing another company’s confidential information;
• A former IT employee was sentenced to 97 months in prison for stealing confidential information;
• A former salesman was sentenced to 12 months in prison for stealing confidential information;
• A senior executive was sentenced to 24 months in prison for stealing confidential information; and
• A research scientist was sentenced to 18 months in prison for stealing confidential information.

Another type of confidential business information that is important to recognize and protect is insider information.

Insider information is any non-public, material information that, if publicly disclosed, could reasonably be expected to affect the market value of a company’s securities, or influence investors’ decisions on whether to buy or sell securities.

Examples of insider information include:

• News of a potential acquisition,
• A delay in a product launch,
• News of a breach of internal IT systems,
• Unanticipated changes in earnings or dividend rates,
• Proposed tender offers or stock splits,
• Information about major new products,
• Contract awards,
• Expansion plans,
• Significant litigation or regulatory proceedings, etc.

If you are aware or in possession of insider information, it is illegal to trade in, or recommend others to trade in, Abbott securities.

This also applies to the buying and selling of securities of other companies, including those currently doing or expected to do business with Abbott.

To learn more about Abbott’s expectations with regard to the use and protection of unpublicized information, review Abbott’s policy on Insider Trading. Details can be found in the Resources section of this training.

Click the arrow to begin your review.

Review

Take a moment to review some of the key concepts covered in this section.

Confidential Business Information

Any business information that is not publicly available should be considered confidential. This includes much of the business information we use in our day-to-day work activities.

Improper Use of Confidential Business Information

The improper use or disclosure of confidential business information can result in significant harm to the Company, our customers and employees.

Insider Information

Insider information is any non-public, material information that, if publicly disclosed, could reasonably be expected to affect the market value of a company’s securities, or influence investors’ decisions on whether to buy or sell securities.

To check your progress, click the Menu button

Great job!

You have completed section 2 of 4

Click the forward arrow to continue learning

Now that you have a good understanding of the different kinds of data you are likely to encounter during your workday, here is what you can do to help protect it.

Before accessing any sensitive data, make sure your role and responsibilities require you to access the data.

If you have a question about whether you should access the data, especially with respect to personal information, contact your manager, the OEC or a member of the Global Privacy team.

CLICK THE ‘DID YOU KNOW’ BUTTON FOR MORE INFORMATION.

DID YOU KNOW

Abbott engages in various forms of lawful monitoring to reduce the risk of improper data usage.

This include monitoring the downloading of data or the sending of data to non-Abbott email addresses.

If you have permission to access sensitive data, only use it for the specific purpose for which you have been granted access.

In the case of personal information, only use the data according to the consent given or notice provided.

Before sharing sensitive data, make sure the person you plan to share with has proper authorization.

If you have a question about whether you should access the data, especially with respect to personal information, talk to your manager or a member of Abbott’s Privacy team.

Requests from Your Own Country

If an Abbott employee located in your same country requests sensitive data, always:

• Confirm the identity of the person making the request;
• Confirm the person’s need to access the information;
• Check to make sure the person is authorized to receive the information;
• Verify that the information can be used for the requested purpose; and
• Share only the amount of information required to meet the need, not more.

If in doubt, contact OEC or Global Privacy prior to sharing sensitive data.

Requests from Other Countries

Many countries and regions have laws designed to protect the rights of their citizens, and place restrictions on the transference of personal information across national borders.

If you receive a request for information containing sensitive data from a colleague in a different country than your own, check your division or function’s data privacy policies, or consult OEC or Global Privacy before proceeding. Then, follow the same steps you would if responding to a request from a colleague in your own country.

Requests from Third Parties

If the request for sensitive data is from a third party, ensure there is a valid and appropriate contractual agreement in place. If you are unsure, contact OEC, Global Privacy, or Legal prior to sharing.

Always archive or dispose of sensitive data in a manner consistent with Abbott’s data management, retention, and disposal requirements.

If you receive a legal hold order, you are prohibited from discarding, destroying, or deleting any information covered by the hold.

If you have questions related to legal hold orders or retention and disposal, contact the attorney/paralegal listed in the Legal Hold notification, or call the Litigation Department at (224) 667-5701.

Always take special care with sensitive data when someone leaves Abbott.

Managers must ensure the departing employee is terminated in the appropriate system (e.g., Workday for Employees or Fieldglass for Contingent Workers) as soon as they are notified the employee is leaving. This will ensure access to Abbott data, physical access to buildings, and final pay will be properly managed.

Ensure no sensitive data leaves with the departing employee. Transition all files to the Abbott employee who will be assuming the departing person’s role or responsibilities.

Remind the departing employee of the obligation not to keep or disclose sensitive information. Employees may not take their work product or any other Abbott property (e.g. mobile devices) with them when they leave Abbott. If you have questions about your local termination process, contact Human Resources.

Inadvertent disclosures of PHI can happen at any time.

For example, you may overhear a nurse discussing details of a patient’s health status or you may accidentally be copied on an email containing details of a patient’s record.

In response to any inadvertent or improper disclosure of a patient’s protected health information (PHI), you should immediately report the incident to OEC or a member of the Global Privacy team.

If you become aware of the improper or inadvertent disclosure of Confidential Business Information, you should immediately report the disclosure to both:

• Your direct supervisor, and
• OEC or a member of the Global Privacy team.

Your immediate reporting of the disclosure will help Abbott immediately retrieve the information, prevent additional improper or misuse of the information and if appropriate, assist the company with pursuing civil or criminal action.

You should never disclose Abbott sensitive data to anyone not authorized to receive the sensitive data.

Similarly, you should only use Abbott sensitive data on behalf of Abbott and while performing your Abbott business function.

If you improperly disclose sensitive data, you may face disciplinary action, up to and including termination of employment.

You are not permitted, both during and after your Abbott employment, to share Abbott data with any Abbott competitor.

Failure to return sensitive data to Abbott, transmitting sensitive data to an unapproved device, storage, account or server, or providing sensitive data to any person or entity not authorized to possess the information can lead to Abbott pursuing legal action against you.

CLICK THE ‘LEGAL ACTION’ BUTTON FOR MORE INFORMATION.

LEGAL ACTION

Legal action could include Abbott filing a civil lawsuit against you that would:

• Prevent you from working for a new employer until Abbott sensitive data has been returned and protected;
• Require you to turn over all electronic devices to Abbott for review and inspection;
• Cause you to pay monetary damages for illegally retaining and/or using Abbott sensitive data, and violating the duties and obligations you owe Abbott under your Abbott Employment Agreement; and
• Obligate you to pay the legal fees Abbott incurs as a result of filing a lawsuit to protect its sensitive data.

If necessary, Abbott will also work with local, state and federal authorities to protect and retain Abbott sensitive data. In this scenario, you could also face criminal penalties.

Any event involving a potential compromise of information security, including a lost or stolen mobile device, should be reported immediately to your local Global Service Desk.

If you have any concerns about a potential violation or want to report a potential privacy incident, contact Global Privacy.

Click the arrow to begin your review.

Review

Take a moment to review some of the key concepts covered in this section.

Accessing and Using Sensitive Data

Only access and use sensitive data for the specific purpose for which you have been granted access.

Sharing Sensitive Data

Before sharing sensitive data:

• Confirm the identity of the requestor;
• Confirm their need to access the information;
• Verify the information can be used for the purpose(s) requested; and
• Share only the amount required to meet the need.

Retianing and Disposing of Sensitive Data

Always archive or dispose of sensitive data in a manner consistent with Abbott’s data management, retention, and disposal requirements.

Responding to Inadvertent Disclosure of PHI

In response to any inadvertent or improper disclosure of a patient’s PHI, immediately report the disclosure to OEC or a member of the Global Privacy team.

Reporting a Privacy Incident

Contact the Global Privacy team to report a potential privacy incident.

To check your progress, click the Menu button

Great job!

You have completed section 3 of 4

Click the forward arrow to continue learning

Where to Get Help

Office of Ethics and Compliance (OEC)

Global Privacy – Contact Global Privacy via email at privacy@abbott.com. You can find additional contact details and important information about privacy on the Global Privacy Portal here on Abbott World.

OEC Contacts – You are encouraged to contact the OEC at any time with any ethics and compliance questions, or to discuss concerns about possible violations of our written standards, laws, or regulations.

• Visit the Contact OEC page on the OEC website on Abbott World or OEC@abbott.com.

ENTERPRISE CYBERSECURITY

Visit the Enterprise Cybersecurity site here on Abbott World.

Visit the Simply Digital site to learn about secure ways to share information.

Legal Division

Contact the Legal Division with questions or concerns about third-party contractual obligations regarding privacy and data protection.

Contact the Information Governance team at information.governance@abbott.com with questions or concerns regarding retention requirements or for guidance on acceptable use of technology solutions.

REFERENCE POLICIES:

• Click here to review the Confidential Information Policy
• Click here to review Abbott’s policy on Insider Trading
• Click here to review the Acceptable Technology Use Policy.
• Click here to review the Records and Information Policy on M-Files.

OEC Policies and Procedures

For our company’s global and country-specific OEC policies and procedures:

• Abbott employees should visit iComply.

Human Resources Service Center

• Click here for a list of HR support contact numbers.

Course Resources

Transcript

Click here for a full transcript of the course.

The Knowledge Check consists of 10 questions. You must score 80% or higher to successfully complete this course.

When you are ready, click the Knowledge Check button.

Question 1: Scenario

Assuming you have worked for Abbott for several years and have recently accepted an offer to work for another company, which of the following would you be legally allowed to take with you when you leave?

Question 1: Options

[1] Personal Patient Information from clinical studies

[2] Abbott customers lists and presentation information that you created while working for Abbott

[3] Sales projections and financial data for your Abbott Division or Business Unit

[4] Personal photos and mementos

Question 1: Feedback

The correct answer is 4. Personal information, confidential business information, and Protected Health Information are all considered sensitive data that you cannot take with you or use after leaving Abbott. Additionally, all Abbott electronic devices and other Abbott property must be returned prior to leaving.

For more information, see  Section 3.4, Responding to Improper Disclosures.

Question 2: Scenario

A Marketing Manager is working on a new product launch and must create a consent form for potential customers. The form will allow for the collection and use of personal information. To align with Abbott’s practices for consent, which of the following must be true for the consent form?

Check all that apply.

Question 2: Options

[1] The form must not pressure customers into giving their consent.

[2] The form must provide customers with all the information about how their personal information will be used.

[3] The form must require customers to actively agree to the collection and use of their personal information.

[4] The form must not allow customers to withdraw their consent once they have given it.

Question 2: Feedback

Abbott's practices for consent require that the form:

• Be clear and concise.
• Not pressure people into giving their consent.
• Provide all information about how personal information will be used.
• Require people to actively agree to the collection and use of their personal information.
• Allow withdrawal of consent if desired.

For more information, see  Section 1.3, Abbott’s Privacy by Design Principles .

Question 3: Scenario

Disclosure and Use of sensitive data such as personal information is managed at Abbott through:

Question 3: Options

[1] De-identification of all data.

[2] Access controls.

[3] Both 1 and 2.

Question 3: Feedback

Disclosure and Use of personal information are managed through access controls and other processes that limit access and use to individuals in specific job functions and for the specific purposes set out in the notice for which consent was given.

For more information, see  Section 1.3, Abbott’s Privacy by Design Principles.

Question 4: Scenario

Which of the following is true in relation to the retention and disposal of personal information?

Check all that apply.

Question 4: Options

[1] Personal information is only retained for the time necessary to achieve the purposes for which it was collected and processed.

[2] Once data is no longer required in an active production environment, it should always be disposed of.

[3] Retention and disposal of personal information is subject to any holds relating to legal matters.

Question 4: Feedback

Generally, Abbott should only retain personal information for the time necessary to achieve the purposes for which it was collected and processed. Once data is no longer required in an active production environment, it should be either archived or disposed of, in a manner consistent with Abbott’s data management, retention, and disposal requirements. Retention and disposal requirements are also subject to any holds relating to legal matters.

For more information about the correct answer, Section 1.3, Abbott’s Privacy by Design Principles.

Question 5: Scenario

An Engineer is working on developing a new product. Which of the following would be considered confidential business information that must be kept secure?

Check all that apply.

Question 5: Options

[1] Sales projections and forecasts for the new product.

[2] Financial reporting data from Abbott’s Annual Report.

[3] Purchasing information, such as bids for contracts for the new product.

[4] Competitive information about similar products.

[5] Proposals from third-party suppliers related to the new product.

Question 5: Feedback

Confidential Business Information is a broad category. It includes much of the business information we use and come in contact with on a daily basis. A good way to confirm whether something is confidential is to ask yourself a simple question:

Is this information publicly available?

If the answer is no, then the information is most certainly confidential, and you should take appropriate steps to protect it.

For more information, see Section 2.1, Recognizing Confidential Business Information.

Question 6: Scenario

The Global Data Protection Regulation (GDPR) is one of the most comprehensive privacy laws in the world. Implemented in 2018, it is the standard for privacy protection. This regulation was designed in:

Question 6: Options

[1] Canada

[2] Asia

[3] Europe

[4] Russia

[5] United States

[6] Latin America

Question 6: Feedback

The correct answer is Europe. In Europe, the General Data Protection Regulation (GDPR) is one of the most comprehensive privacy laws globally, and since its implementation in 2018, it has set the standard for privacy protection that other countries are trying to emulate.

For more information, see Section 1.2, Legal, Regulatory and Contractual Agreements.

Question 7: Scenario

Your colleague just completed a project that involved collecting and using personal data. He's since received a request from another department to access that data. You advise your colleague to:

Question 7: Options

[1] Confirm the requester's identity and their need to access the information.

[2] Verify that the requester is authorized to have a copy of the information.

[3] Make sure that the data can be used for the requested purposes.

[4] All of the above.

Question 7: Feedback

One of the most common causes of data incidents within an organization is the improper sharing of data with unauthorized personnel. Before sharing any document or file containing sensitive data, always:

• Confirm the identity of the person making the request and the person’s need to access the information.
• Check to make sure the person is authorized to have a copy of the information.
• Verify that the information can be used for the purposes they are requesting to use it for.
• Share only the amount of information required to meet the need, not more.

For more information, see Section 3.2, Sharing Sensitive Data.

Question 8: Scenario

You are a Sales Representative visiting a clinic in your area. While waiting in the reception area, you accidentally misplace sensitive documents containing a patient's protected health information. What do you do?

Question 8: Options

[1] Notify the clinic's privacy officer.

[2] Contact your supervisor.

[3] Report the incident to OEC or a member of the Global Privacy team.

Question 8: Feedback

In response to any inadvertent disclosure of a patient’s protected health information, you should immediately report the incident to:

• OEC or a member of the Global Privacy team.

For more information, see Section 3.4, Responding to Improper Disclosures.

Question 9: Scenario

While traveling to work on the train, you accidentally leave your laptop containing sensitive work documents at your seat and exit the train. You realize your mistake when you reach your office and frantically search for your laptop, but it is nowhere to be found. What should you do first?

Question 9: Options

[1] Call the train company and ask if someone turned in your laptop.

[2] Go back to the train station and search for your laptop.

[3] Contact your local Global Service Desk.

Question 9: Feedback

If you believe that sensitive information may have been compromised, such as through a lost or stolen laptop, please contact your local Global Service Desk immediately.

For more information, see Section 3.4, Reporting a Data Incident.

Question 10: Scenario

You should only use personal information:

Check all that apply.

Question 10: Options

[1] For the specific purpose for which you have been granted access.

[2] According to the notice provided to the data subject.

[3] According to the consent granted by the data subject.

Question 10: Feedback

If you have permission to access personal information, only use it:

• For the specific purpose for which you have been granted access.
• According to the notice provided to the data subject.
• According to the consent granted by the data subject.

For more information, see Section 3.1 Accessing and Using Sensitive Data.

All questions remain unanswered

No results are available, as you have not completed the Knowledge Check.

Congratulations! You have successfully passed the Knowledge Check and completed the course.

Please review your results below by clicking on each question.

Once you are done, you must click the EXIT [X] icon in the course title bar before closing your browser window or browser tab.

Sorry, you did not pass the Knowledge Check. Take a few minutes to review your results below by clicking on each question.

When you are done, click the Retake Knowledge Check button.

Introduction

Welcome

Objectives

Menu

Personal Information

Recognizing Personal Information

Legal, Regulatory and Contractual Requirements

Abbott’s Privacy by Design Principles

Review

Confidential Business Information

Recognizing Confidential Business Information

Cost of Not Protecting Confidential Business Information

Insider Information

Review

Your Role in Protecting Sensitive Data

Accessing and Using Sensitive Data

Sharing Sensitive Data

Retaining and Disposing of Sensitive Data

Responding to Improper Disclosures

Review

Knowledge Check

Introduction

Assessment

Question 1

Question 2

Question 3

Question 4

Question 5

Question 6

Question 7

Question 8

Question 9

Question 10

Feedback

The Course cannot contact the LMS. Click 'OK' to continue and review the course. Note, Course Certification may not be available. Click 'Cancel' to exit

All questions remain unanswered

Questions

Question

not answered

That's correct!

That's not correct!

Feedback:

PROTECTING SENSITIVE DATA

Knowledge Check

Submit

Retake Knowledge Check

Course Description: At Abbott, we frequently use sensitive data to make important business decisions. Because many of our stakeholders have concerns about how this data is collected and used, Abbott has policies and procedures in place to ensure this data is protected. This course explains what sensitive data is, why it is vital to our business, and what steps we can take to ensure we process and handle this information safely and securely. This course will take approximately 30-35 minutes to complete.

Menu

Resources

Reference Material

Audio

Exit

Record My Results