Data protection, IT security and cybercrime
As a healthcare provider, protecting patient data is a top priority for Galenica. Galenica ensures that this information is protected against unauthorised access and unauthorised changes or loss.
GRI 418: Customer data protection
Data protection
GRI 103-1
Explanation of the material topic and its boundary
As the Swiss healthcare system becomes increasingly digitalised, the importance of data protection grows and the legal requirements for data processing become more comprehensive. Data protection concerns the handling of patient and customer data, with the aim of protecting the privacy of patients whose data is processed. Health data is sensitive information that must be protected by law against misuse. Data protection plays a key role in the Service Unit Pharmacies and HCI Solutions in particular. Galenica ensures that patient data is protected against unauthorised access and unauthorised changes or loss.
Targets
Galenica has defined the following objectives:
- We carry out measures to raise employee awareness in the area of data protection twice a year.
You can find an overview of all the sustainability goals here.
GRI 103-2
The management approach and its components
Data Protection Policy and employee training
Galenica is being assisted in this important area by an independent external data protection officer. The Data Protection Policy forms the overarching framework and is supplemented by specific rules and directives for the Group companies. All employment contracts of employees who have access to personal data also contain a data protection clause. All employees are regularly trained and made aware of data protection issues.
Focus on data protection revision
At the end of September 2020, the Swiss parliament passed a complete revision of the Federal Act on Data Protection (nFADP). The revision will bring the Data Protection Act into line with technological and social conditions, which have changed since the act was last revised. In particular, the transparency of data processing will be improved and the autonomy of data subjects will be strengthened. The revised Data Protection Act has been aligned in many areas with the EU General Data Protection Regulation (GDPR). Galenica is following current developments and examining the need for adjustments. In 2021, Galenica launched an internal project to prepare the Galenica Group for the requirements of the nFADP and the new Ordinance to the Federal Act on Data Protection (nOFADP).
The consultation process for the revision of the Ordinance to the Federal Act on Data Protection (OFADP) began in 2021. The Legal Department is assessing where Galenica currently stands with regard to the Data Protection Act and is implementing the statutory provisions. In addition, the Group’s Legal Department continues to follow the EU GDPR practices.
Data Protection Circle
The Data Protection Circle is a committee that offers employees in the Legal Department, IT and operational business sectors a platform for managing and coordinating data protection issues and questions across the Group and implementing preventive measures at an early stage. The committee therefore makes a major contribution to compliance with data protection legislation. The Data Protection Circle is headed by the Secretary General. The committee is part of the Legal Department.
GRI 103-3
Evaluation of the management approach
- Reviews: Galenica keeps up to date with the ongoing amendments to data protection legislation and conducts regular audits, thus ensuring that legal regulations are observed and a high standard is maintained in relation to the handling of personal data.
GRI 418-1
Substantiated complaints concerning breaches of customer privacy and losses of customer data
In the reporting year, there were no substantiated complaints relating to a breach of customer data protection, and there were no identified cases of data theft or loss.
Own material topic
IT security and cybercrime
GRI 103-1
Explanation of the material topic and its boundary
With the increasing digitalisation of the healthcare system, the risk of cyber attacks is growing. This is why IT security is highly important at Galenica. As a healthcare provider, Galenica processes sensitive information and data. Galenica ensures that these are protected against unauthorised access and unauthorised changes or loss. Protecting IT systems is crucial for logistics companies and pharmacies in order to ultimately ensure the security of supply to the population. People are one of the greatest risk factors, as many cyber attacks target employees directly, for example by means of fraudulent e-mails (phishing).
Targets
Galenica has also defined the following objective:
- We make our employees aware of IT security and cybercrime.
Galenica has also defined internal objectives in the area of IT security and cybercrime.
GRI 103-2
The management approach and its components
Responsibilities
At Group level, the topic of IT security is coordinated by the chief information security officer (CISO). Together with the team, the CISO heads the “IT Security Circle” committee, to which the IT security managers of the Galenica Group belong. The committee meets quarterly to provide advice and coordinate information and IT security measures. These are implemented by the members in their respective companies. As part of efforts to pool the IT expertise of all Galenica companies in the Service Unit IT & Digital Services, the IT security strategy was also centralised in 2021. The aim is to achieve reliable and efficient IT security across the Group.
Clear guidelines to govern operations
The IT Security Policy defines the objectives relating to information and IT security, the competencies and responsibilities as well as the IT security principles of the Galenica Group. The Policy applies to all companies of the Galenica Group and forms the basis for all written IT security instructions. In addition, the IT Usage Regulations set out the security-related rules of conduct for using IT work equipment, such as the use of private devices, working on the move and working from home. Finally, the IT Security Manual is aimed at employees in the IT departments and lays down the regulations for secure IT operations.
Raising employee awareness
The cooperation of all employees is required to ensure information and IT security. In addition to technical measures, Galenica also promotes awareness of security among employees by means of specific e-learning modules and intranet news. New employees are made aware of the key elements of the IT Usage Regulations on their induction day. In 2021, Galenica implemented and rolled out a range of e-learning modules for all employees concerning data security and how to handle phishing and cyber attacks. In addition, information on cybercrime was regularly published on the intranet for employees.
GRI 103-3
Evaluation of the management approach
- Security audit: the IT Security Policy and its implementation are regularly reviewed by internal departments or external specialists to ensure they are up to date and effective.
- Monitoring: the security monitoring system monitors all the IT systems and triggers an alarm in the event of anomalies. This is managed by an external Security Operations Centre (SOC).
- E-learning: the participation rate for the e-learning modules on data security and cybersecurity is regularly recorded and evaluated.
Own indicator
Participation in e-learning
In the reporting year, two e-learning courses on the subject of IT security and cybercrime were offered. The average participation rate was 88%.