Protected Information
Laws and regulations restrict the confidentiality, access to and use of individually identifiable health information (referred to as “Protected Health Information” under the Health Insurance Portability and Accountability Act [“HIPAA”]) and Nonpublic Personal Information (as defined under the Gramm-Leach-Bliley Act) of Lawson employees, customers, and employees of customers. Lawson certifies that it complies with European Union Safe Harbor principles established by the United States Department of Commerce with respect to any personal information transmitted from the European Union. Protected Health Information and Nonpublic Personal Information, including all personal information transmitted from the European Union, constitute Protected Information under this Code of Conduct.
The restrictions described below and under the Section entitled “Confidential Information” apply to all Protected Information:
- Protected Information may not be disclosed to others except only to the extent expressly allowed by applicable laws and regulations.
- Sensitive Information (information about medical conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or an individual’s sex life) will not be disclosed to any third party or used for a purpose other than the purpose for which it was originally obtained without the consent of the person who is subject of the information, unless disclosure is required by law.
- Lawson’s employees and other representatives must use appropriate safeguards to prevent the unauthorized use or disclosure of Protected Information.
- Lawson will grant reasonable access to permit individuals to change their Protected Information.
- Subject to local Data Privacy requirements, any Protected Information received by a Lawson employee or other representative, that person must track and retain the following: (a) the date of the disclosure; (b) the name of the entity or person who received the Protected Information and, if known, the address of such entity or person; (c) a brief description of the Protected Information disclosed; and (d) a brief statement of the purpose of such disclosure which includes an explanation of the basis for such disclosure.
- Upon termination of the authorized use, the Lawson employee or representative must return all Protected Information in any form and shall retain no copies of such information, or, if that return is not feasible, the Lawson employee or representative must continue to extend the protections to such information and limit further use of the information to those purposes that make the return or destruction of the information infeasible.
- Lawson’s General Counsel must be notified in writing immediately upon (a) learning of or receiving any subpoenas, orders or other legal mandates regarding the use or disclosure of Protected Information or (b) receiving a request for amendment of an individual’s Personal Information or an accounting of disclosures of Protected Information.
Americas-based Lawson employees should review Lawson’s Policy titled “Use of Protected Information” policy located on the employee portal under the Employee Self Service section. Access ERG Policy 3.03 through the Handbook section. EMEA and APAC-based employees should refer to the applicable section of their employee handbook or contact their HR representative for more information.
For non-Lawson employees, additional information on this topic may be obtained at the HIPAA and Gramm-Leach-Bliley Compliance website located at www.lawson.com in the section entitled “Corporate Governance” in the Investor Relations.
>> Continue reading the next section of the Lawson Code of Conduct
All sections of the Lawson Code of Conduct:
|