•  

Privacy Code

GlaxoSmithKline Inc. (“GSK”) is committed to the protection of the personal information of individuals with whom it comes into contact. Accordingly, GSK adheres to the principles set out below (the “Privacy Principles”). The Privacy Principles are based on the principles set out in Schedule 1 of the Personal Information Protection and Electronic Documents Act (Canada). “Personal Information”, as used in this Code, means information about an identifiable individual, but does not include the name, title or business address or telephone of an employee of an organization.

  1. PRINCIPLE 1 - ACCOUNTABILITY

    GSK is responsible for the personal information under its control and has designated an individual as its Privacy Officer who shall be accountable for the organization's compliance with the following principles

  2. 1.1

    Accountability rests with the Legal Counsel, Compliance and Chief Privacy Officer of GSK, even though other individuals with the organization may be responsible for the day-to-day collection and processing of personal information. In addition, other individuals may be delegated to act on behalf of the designated individual.

    1.2

    GSK shall make known, upon request, the identity, title and contact information of the person designated to oversee GSK's compliance with its policy.

    1.3

    GSK is responsible for personal information in its possession or control. As such, GSK will use appropriate means to ensure that all existing and future contracts ensure a level of privacy protection equal to GSK's policies when information is being processed by third parties.

    1.4

    GSK shall implement policies and practices to give effect to these principles, including:

    (a)

    the implementation of procedures to protect personal information;

    (b)

    the establishment of procedures to quickly receive and respond to complaints and inquiries;

    (c)

    training and communicating to staff about GSK's policies and practices; and

    (d)

    developing information to explain GSK's policies and practices.

  3. PRINCIPLE 2 - IDENTIFYING PURPOSES
  4. GSK shall identify the purposes for which personal information is collected at or before the time the information is collected.
    2.1

    Accountability rests with the Legal Counsel, Compliance and Chief Privacy Officer of GSK, even though other individuals with the organization may be responsible for the day-to-day collection and processing of personal information. In addition, other individuals may be delegated to act on behalf of the designated individual.

    • Maintaining a record of medical queries, requests for information, complaints and adverse event reports relating to GSK products and reporting these to relevant regulatory bodies, related companies or other companies which market the same product as may be required or prudent;
    • Administering disease awareness/management programs or other similar programs organized by GSK;
    • Notifying you of matters that GSK may be required by law to notify you of (eg., product recalls);
    • Developing, implementing, marketing and managing GSK's products;
    • In the case of Healthcare Professionals:
      • Sending you material on and contacting you regarding GSK's activities and products or developments in pharmaceutical treatments which may be of interest to you and tailoring marketing services to suit your needs;
      • Supplying you with clinical evaluation packages of GSK products;
      • Administering clinical trials or other research organized by GSK and which you agree to participate in or be involved with;
      • Identifying, developing and administering continuing education programs, conferences, symposia, expert panels, seminars or other meetings or events organized by GSK;
      • Establishing and maintaining customer relationships, including: managing, planning and arranging meetings between you and GSK sales representatives;
    • Monitoring and reviewing GSK's compliance with relevant codes of conduct in its dealings with you.
    2.2

    If we plan to use Personal Information we have collected for a purpose not previously identified, we will identify and document this purpose before such use.

    2.3

    GSK will make reasonable efforts to specify the identified purpose, orally or in writing, to the individual from whom the information is collected either at the time of collection or after collection but before use.

  5. PRINCIPLE 3 - CONSENT
  6. The knowledge and consent of the individual are required for the collection, use and disclosure of personal information, except where inappropriate.
    3.1

    The way in which we seek consent, including whether it is express or implied consent, may vary depending on the sensitivity of the information and the reasonable expectations of the individual. An individual may withdraw consent at any time, subject to legal and contractual restrictions and reasonable notice.

    3.2

    GSK will typically seek consent for the use or disclosure of personal information at the time of collection, but in certain circumstances consent may be sought after collection but before use.

    3.3

    GSK will only ask individuals to consent to the collection, use or disclosure of personal information as a condition of the supply or purchase of a product, if such use, collection or disclosure is required to fulfil an identified purpose.

    3.4

    In certain circumstances, as permitted or required by law, we may collect, use or disclose personal information without the knowledge and consent of the individual. These circumstances include: Personal Information which is subject to solicitor-client privilege or is publicly available as defined by regulation; where collection or use is clearly in the interests of the individual and consent cannot be obtained in a time way; to investigate a breach of agreement of a contravention of the law; to act in respect to an emergency that threatens the life, health or security of an individual; for debt collection; or to comply with a subpoena, warrant or court order.

  7. PRINCIPLE 4 - LIMITING COLLECTION
  8. GSK will limit the amount and type of Personal Information collected to that which is necessary for the purposes identified by GSK. We will only collection Personal Information by fair and lawful means.
  9. PRINCIPLE 5 - LIMITING USE, DISCLOSURE AND RETENTION
  10. GSK shall not use or disclose personal information for purposes other than those for which it was collected, except with consent of the individual or as required by law. Personal information shall be retained only as long as is necessary for the fulfilment of those purposes.
    5.1

    GSK will not disclose personal information about you to any person except in the following circumstances, and then only that information which is necessary.

    • Third parties we use in the ordinary course of our business, such as for conference organizing, marketing, data processing and associated printing and mailing;
    • Companies related to GSK for the same kinds of purposes as listed above;
    • Such third parties as otherwise permitted or required by law.
    5.2

    GSK shall retain personal information only as long as it remains necessary or relevant for the identified purposes or as required by law. In some circumstances where personal information has been utilized to make a decision about an individual, GSK shall retain that personal information for a period of time that is reasonably sufficient to allow for access by the individual.

    5.3

    Personal information that is no longer required to fulfil an identified purpose shall be erased, destroyed or made anonymous.

  11. PRINCIPLE 6 - ACCURACY OF PERSONAL INFORMATION
  12. GSK will use its best effort to ensure that Personal information is as accurate, complete and up-to-date as is necessary for the purposes for which it is to be used.
    6.1

    Personal information used by GSK shall be sufficiently accurate, complete and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about an individual.

    6.2

    GSK shall not routinely update personal information about individuals, but only as and when necessary to fulfil identified purposes.

  13. PRINCIPLE 7 - SAFEGUARDS
  14. GSK will protect personal information by security safeguards appropriate to the sensitivity of the information.
    7.1

    GSK shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification. GSK shall protect personal information regardless of the format in which it was held.

    7.2

    Nature of the safeguards taken:

    (a)

    physical measures - building security, lock boxes, etc.;

    (b)

    organizational measures - “need to know” basis; and

    (c)

    technological measures - use of encryption and passwords

    7.3

    GSK shall make its employees aware of the importance of maintaining the confidentiality of personal information by signing a Secrecy Document as a precondition of employment.

  15. PRINCIPLE 8 - OPENNESS
  16. GSK will make readily available to individuals specific information about its policies and practices relating to the management of personal information.
    8.1

    GSK shall make information regarding its policies and practices available in a form that is generally understandable, including:

    (a)

    how to gain access to personal information held by GSK;

    (b)

    the type of personal information held by GSK, including a general account of its use;

    (c)

    personal information available to related organizations (affiliates).; and

    (d)

    how to contact our Privacy Officer.

  17. PRINCIPLE 9 - INDIVIDUAL ACCESS
  18. Upon written request, GSK will inform an individual of the existence, use and disclosure of his or her personal information and we will give the individual access to that information. An individual can challenge the accuracy and completeness of the information and have it amended as appropriate.
    9.1

    GSK will respond to an individual's written request for information within a reasonable period of time. We may require an individual to provide sufficient information to permit us to provide an account of the existence, use and disclosure of Personal Information. This information shall be provided in an understandable, timely and low-cost manner from the perspective of the individual.

    9.2

    Should an individual successfully demonstrate any inaccuracy or incompleteness in the records, GSK will make the appropriate amendments to the information. When a challenge is not resolved to the satisfaction of the individual, a statement of disagreement shall be attached to the individual's records. When appropriate, the existence of the unresolved challenge shall be transmitted to third parties having access to the information in question.

    9.3

    In certain situations, GSK may not be able to provide access to all the personal information it holds about an individual. Exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security, or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege. The reasons for denying access shall be provided by GSK upon request.

  19. PRINCIPLE 10 - CHALLENGING COMPLIANCE
  20. An individual can address a challenge concerning compliance with the above principles to the designated person accountable for GSK's compliance with the policy.
    10.1

    GSK will investigate all complaints. If a complaint is found to be justified, GSK will take appropriate measures, including, if necessary, amending its policies and practices.

How to contact the Privacy Officer:

Access request, inquiries or complaints should be addressed in writing to:

Privacy Officer

GlaxoSmithKline Inc.

7333 Mississauga Road

Mississauga, Ontario

L5N 6L4