Contingent Workforce: Global Privacy Laws Overview
Version: 1

© Cerner Corporation. All rights reserved. This document contains Cerner confidential and/or proprietary information belonging to Cerner Corporation and/or its related affiliates which may not be reproduced or transmitted in any form or by any means without the express written consent of Cerner.
Introduction

Welcome to the Global Privacy WBT. Cerner Corporation’s presence in the worldwide market includes many different countries. As a global company, we must be aware of the privacy laws and regulations specific to each country that impact Cerner's ability to conduct business.

The intent of this course is to provide awareness of international privacy and data protection requirements in preparation for your work on behalf of Cerner and Cerner’s clients. This course summarizes the privacy laws in the countries in which Cerner does business, and your responsibilities for complying.
Why is data protection legislation important?

- Many countries in which Cerner does business have passed data protection laws that protect the privacy and confidentiality of individuals’ data.
- Many data protection laws protect all identifiable personal data about individuals, not just their health-related data.
- The goal of most of the laws is to ensure at least a minimum level of protection for individually identifiable personal data.
- Many countries with stringent privacy laws prohibit transfer of data to countries that do not provide proof of “adequate” privacy protection.
- Many personal data protection laws limit the types of processing that can be done on personal data without the individual’s knowledge and consent.
- Many personal data protection laws apply to all forms of data processing, which can even include simply accessing, viewing or storing the data.
Data Protection – Key Concepts

- Countries in the European Union as well as Canada, Australia and New Zealand all have very stringent privacy laws that protect all personal data.
- Many countries have a privacy commissioner or regulatory agency that oversees compliance with privacy regulations and ensures that data is used only for lawful purposes. Individuals can file complaints with these agencies if they believe their personal data has been misused.
- Some countries, such as Australia and Canada, have territorial and state privacy laws that can be more stringent than those at the federal level.
- Companies that do not comply with data privacy laws may be denied access to do business in a country, or may be subject to penalties for failing to protect the privacy of personal data.
- Cerner clients in countries with stringent privacy laws may stipulate in their contract the types of processing Cerner is allowed to do on personal data and how the data must be protected.

Cerner’s compliance depends on you!
Differences in Country Specific Privacy Laws

The following website contains links to privacy laws currently in force around the world: http://www.informationshield.com/intprivacylaws.html

Most Stringent:
- All EU Countries, such as: France, UK, Spain, Ireland, Germany
- Canada (territorial and state laws can be more stringent)
- Australia
- New Zealand

Medium:
- U.S. (HIPAA) (state laws can be more stringent)

Less Stringent:
- India
- Malaysia
- Singapore

Note: in countries without personal data protection laws, follow Cerner’s policies and instructions (and Cerner client policies when applicable) when accessing or handling personal data.
Accessing and Processing Personal Data (PD)

- Only access PD when authorized by Cerner (or Cerner’s clients).
- Only access PD that is directly related to the scope of work performed for Cerner.
- Abide by Cerner’s instructions and policies for handling personal data related to the work done on behalf of Cerner.
- Abide by any confidentiality agreements signed with Cerner.
- Abide by Cerner’s instructions and policies for accessing our clients’ environments and their data.
- Abide by Cerner clients’ policies or restrictions around accessing their systems and the personal data stored on those systems.
- Contact your monitor with any questions related to handling personal data.
Protecting Personal Data – Dos and Don’ts

Best Practices – Protecting Personal Data (PD):

Dos:
- Do use the minimum amount of PD needed to complete your assigned task
- Do use blinded or de-identified data whenever possible
- Do ensure printed PD is shredded when no longer needed
- Do keep all PD and Cerner client information confidential at all times
- Do report suspected breaches of PD to your monitor

Don’ts:
- Don’t access or use more PD than what is needed
- Don’t disclose PD to those inside or outside of Cerner who don’t have a direct business need to know the information
- Don’t store PD on non-encrypted portable storage media devices, as these devices can be easily lost or stolen
- Don’t leave PD unattended on your screen or workstation
Key Points to Remember

- Many of the countries in which Cerner does business have privacy laws to protect personal data.
- Many of these countries’ laws protect all personal data, not just health data.
- In addition to federal privacy laws, some countries also have privacy laws at the state, provincial and territorial level (which may be more restrictive than those at the federal level).
- Most privacy laws limit how personal data is used and restrict processing to only the purposes for which it was collected.
- Abide by Cerner’s instructions when you are authorized to access or use personal data.
- Client contractual requirements may also place greater restrictions on how data must be accessed, used, and secured.
- Those doing work on Cerner’s behalf are responsible for being aware of the privacy laws for the countries in which they live and work.
- Those doing work on Cerner’s behalf are responsible for handling personal data in a manner that ensures the confidentiality and privacy of the data will be maintained.
For questions, contact contingentworkforce@cerner.com