Data protection, IT security and cybercrime
As a healthcare provider, Galenica treats the protection of patient data as a top priority and ensures that this information is protected against unauthorised access, unauthorised changes and loss.
GRI 418: Customer privacy
Data protection
GRI 3-3
Management of material topics
As the Swiss healthcare system becomes increasingly digitalised, the importance of data protection grows and the legal requirements for data processing become more comprehensive. Data protection covers the handling of patient and customer data with the aim of safeguarding the privacy of the data subjects whenever their data is processed. Health data is sensitive information that the law requires to be protected against misuse. Data protection plays a key role in the Service Unit Pharmacies and at HCI Solutions in particular. Galenica ensures that patient data is protected against unauthorised access, unauthorised changes and loss. Data protection is also an important basis for a peaceful and inclusive society and for strong institutions.
Objectives
Galenica has defined the following objectives:
- We carry out employee awareness measures on data protection twice a year.
You can find an overview of all sustainability goals and the progress made here.
Data Protection Policy and employee training
Galenica is being assisted in this important area by an independent external data protection officer. The Data Protection Policy forms the overarching framework and is supplemented by specific rules and directives for the Group companies. All employment contracts of employees who have access to personal data also contain a data protection clause. All employees are regularly trained and made aware of data protection issues. In the reporting year, the Legal Department developed a new e-learning course on the topic of data protection, which will be launched in 2023.
Focus on data protection revision
At the end of September 2020, the Swiss parliament passed a complete revision of the Federal Act on Data Protection (nFADP). The nFADP and the new Ordinance to the Federal Act on Data Protection (nOFADP) will enter into force on 1 September 2023. The revision brings the Data Protection Act into line with the technological and social conditions that have changed since the act was last revised. In particular, it improves the transparency of data processing and strengthens the autonomy of data subjects. The revised act has been aligned in many areas with the EU General Data Protection Regulation (GDPR) and entails new obligations for companies. Galenica is working on implementing these new requirements, one of which is the duty to provide information. Against this backdrop, Galenica published a Privacy Policy for employees in 2022 and developed a new process for exercising the right of access, which gives data subjects control over their own personal data. In addition, the Group's Legal Department continues to follow developments in EU GDPR practice.
Data Protection Circle
The Data Protection Circle is a committee that offers employees of the Legal Department, IT and operational business sectors a platform for managing and coordinating data protection issues and questions across the Group and implementing preventive measures at an early stage. The committee therefore makes a major contribution to compliance with data protection legislation. The Data Protection Circle is headed by the General Secretary. The committee is part of the Legal Department.
Evaluation of the management approach and measures
Reviews: Galenica keeps up to date with the ongoing amendments to data protection legislation and conducts regular audits, thus ensuring that legal regulations are observed and a high standard is maintained in relation to the handling of personal data.
GRI 418-1
Substantiated complaints concerning breaches of customer privacy and losses of customer data
In the reporting year, there were no substantiated complaints relating to a breach of customer data protection, and there was no statutory investigation of data theft or loss.
Own material topic
IT security and cybercrime
GRI 3-3
Management of material topics
With the increasing digitalisation of the healthcare system, the risk of cyber attacks is growing, which is why IT security is highly important at Galenica. As a healthcare provider, Galenica processes sensitive information and ensures that it is protected against unauthorised access, unauthorised changes and loss. Protecting IT systems is crucial for logistics companies and pharmacies in order to ultimately ensure the security of supply to the population. People are one of the greatest risk factors in connection with cyber attacks, as many attacks target employees directly, for example by means of fraudulent e-mails (phishing).
Objectives
Galenica has defined the following objective:
- We will make our employees aware of IT security and cybercrime.
In addition, Galenica has defined internal objectives in the area of IT security and cybercrime.
You can find an overview of all sustainability goals and the progress made here.
Responsibilities
At Group level, the topic of IT security is coordinated by the Head of Information Security & Quality Assurance. In 2022, Galenica restructured the responsibilities and organisation of IT security. The newly formed IT Security Board balances the interests of IT and the individual Business Units and coordinates IT security-relevant topics and measures, which are then implemented by its members in their respective areas. The Board is responsible for the IT security strategy and ensures its implementation; the aim of the strategy is to achieve reliable and efficient IT security across the Group. The Board meets quarterly, or more often as required, and takes up its work in 2023.
Clear guidelines to govern operations
The IT Security Policy defines the objectives relating to information and IT security, the competencies and responsibilities as well as the IT security principles of the Galenica Group. The Policy applies to all companies of the Galenica Group and forms the basis for all written IT security instructions. In addition, the IT Usage Regulations set out the security-related rules of conduct for using IT work equipment, such as the use of private devices, working on the move and working from home. Finally, the IT Security Manual is aimed at employees in the IT departments and lays down the regulations for secure IT operations.
Raising employee awareness
The cooperation of all employees is required to ensure information and IT security. In addition to technical measures, Galenica also promotes awareness of security among employees by means of specific e-learning modules and intranet news. New employees are made aware of the key elements of the IT user regulations on their induction day. Galenica regularly runs e-learning courses on data security and dealing with phishing and cyber attacks. In addition, information on cybercrime is regularly published on the intranet for employees.
Evaluation of the management approach and measures
- Security audit: the IT Security Policy and its implementation are regularly reviewed by internal departments or external specialists to ensure they are up to date and effective.
- Monitoring: all IT systems are covered by security monitoring, which raises an alarm in the event of anomalies. This monitoring is performed by an external Security Operations Center (SOC).
- e-learning: the participation rate for the e-learning modules on data security and cybersecurity is regularly recorded and evaluated.
Own indicator
Participation in e-learning
In the reporting year, two e-learning courses were offered in the area of IT security and cybercrime. The average participation rate was 88%.