Global Data Protection

Overview

At Quintiles, given the nature of our work, the protection of personal data, particularly patients’ personal health information, and customer confidential data, is critical for our company and our customers. With regard to personal data and customer confidential data, Quintiles has been widely acknowledged for our long-established and robust global data protection program that follows the “Privacy by Design” concept.

Global Council on Data Protection (CODP)

The Council was chartered by Quintiles to monitor implementation of Quintiles’ corporate policy for the protection of Individually Identifiable Information and to serve as Quintiles’ internal privacy board with respect to standard practices and procedures designed to oversee our global data protection program. The Council’s membership includes worldwide representatives from the varied functions and lines of business as well as consultants and independent participants. The Global Chief Privacy Officer chairs the Council.

Privacy Incident Response Team

The CODP has designated a Privacy Incident Response Team (“PIRT”) to serve as a primary contact point for privacy and confidentiality inquiries and “information incidents”. The PIRT follows the company’s “Information Incident Response Plan”, particularly with respect to compliance with applicable security breach notification laws and to investigating, tracking and providing appropriate notification regarding customer confidentiality.

International Privacy Laws

Quintiles intends that its corporate privacy and confidentiality policies and standard practices and procedures meet or exceed the requirements of all applicable local and international privacy laws and regulations and customer contract provisions.

U.S. HIPAA

Though Quintiles is not a covered entity under HIPAA, the U.S. law that sets privacy and security standards for Protected Health Information, the company has put into place robust technical, organizational and security measures that, in fact, meet or exceed the HIPAA standards.

EU Data Protection Directive

Quintiles follows the requirements of the EU Data Protection Directive for the protection of personal data in the EU. Moreover, to permit the transfer of personal data outside the EU to Quintiles facilities in other countries, Quintiles must meet the “adequate level of protection” requirement of the Directive. Accordingly, for the transfer of data outside of the EU to our United States facilities, Quintiles certified adherence, with annual recertification, to the U.S.-EU Safe Harbor and the U.S.-Swiss Safe Harbor Privacy Principles. For more information about the certification, see http://www.export.gov/safeharbor and also see the link on this website to Quintiles’ privacy policy.

With respect to “adequacy” for the transfer of personal data from the EU to Quintiles sites in countries other than the U.S., Quintiles has executed EU “Model Contracts”, that is, Data Transfer Agreements (DTAs).

Privacy Training

The Council has developed a global “Privacy Awareness Basic Training” course through “Learning Curve” on the company’s privacy and confidentiality policies and procedures; the course is mandated for all Quintiles employees. This course is part of Quintiles’ CORE Compliance Curriculum and is implemented and tracked through the Ethics and Compliance Office.