Data and privacy protection

Data privacy is an increasingly important issue in our industry. All individuals, including patients, employees, consumers or investors, expect - and are entitled to - protection of their personal data. Personally identifiable information can include the health, employment or financial details that individuals share with the companies with which they choose to do business.

Novartis has an infrastructure in place to address privacy and data protection issues throughout the organization. A Data Privacy Network - including Country Data Protection Officers, Divisional Privacy Experts and representatives of global functions - has been established under the lead of the Corporate Privacy Officer. The network enables and ensures local compliance with privacy laws under a uniform approach facilitating the detection and mitigation of risks as well as the dissemination of best practices and development of tools and trainings to support the business.

Our Data Privacy Compliance Program aims to achieve compliance in respect to the collection, use, disclosure, transfer and processing of personal data throughout Novartis. Further, it is meant to create a corporate privacy culture that respects privacy and fosters trust both within the company and with regard to our external customers and vendors.

The Executive Committee of Novartis and the Board of Directors approved a new Policy on the Protection of Personal Information (effective January 2008). Supportive guidelines, manuals and standard operating procedures will facilitate its implementation across operations worldwide.

We adhere to the many privacy laws and regulations around the world which apply to areas of our business that collect and otherwise process personal data. Novartis fully supports the protection of confidential medical information, including genetic information. The company condemns the disclosure of individually identifiable genetic data without the individual's informed consent and explicit authorization, or any use or disclosure of such information which could lead to discrimination.

In its capacity as an employer, Novartis adheres to the UN Global Compact, firmly embraces principles of social justice and does not select or discriminate against its associates on the basis of their genetic profile. The company does not perform any genetic tests in any pre-placement or employment-related examinations.

Particular challenges include ensuring appropriate security, keeping up with the continuous addition of new laws and requirements and evaluating how to handle conflicts between privacy laws and other legal requirements, such as drug safety adverse event reporting laws. We also engage in some outreach efforts with regulators and stakeholders to assist them in understanding why we need certain types of data and how consumers benefit from our programs.

In 2006, Novartis Pharmaceuticals Corporation in the US became certified to the Safe Harbor Program, which enables transfer of personal data between Switzerland, EU and the US, based on a commitment to adhering to certain privacy standards. We expect to be in a position to certify the remaining US divisions during 2008.