Data Protection and Privacy
Pictured: CSL Employees in Melbourne, Australia
CSL collects and holds personal information about its employees and key stakeholders, such as plasma donors, healthcare professionals and patients. Unauthorised access to or use of this information presents a risk to its operations and to CSL’s place as a leader in the biotherapies marketplace.
Data Protection/Cybersecurity
CSL’s cybersecurity program is an integral part of its broader enterprise risk management strategy. CSL’s Global Leadership Group (GLG) and Board of Directors provide governance of the program and provide support to ensure cybersecurity risks are appropriately managed and CSL complies with the laws and regulations of the regions in which CSL operates. CSL’s Chief Information Security Officer provides quarterly reports to the Audit & Risk Committee of the Board of Directors, ensuring top-level oversight and strategic alignment.
CSL takes a risk-based approach to cybersecurity and has constructed its program around industry frameworks designed to build resilience against a dynamic spectrum of cyber threats. The system consists of cybersecurity policies, standards, processes, and practices throughout CSL’s operations that are designed to detect, prevent, contain, and respond to cybersecurity threats and incidents in a prompt and effective manner with the goal of minimising business disruptions. The program also includes monitoring, identification, assessment, and management processes, coupled with communication and escalation protocols that keep the Global Leadership Group team well-informed of potential risks.
CSL partners with third parties to assess the effectiveness of its cybersecurity program and extends its cybersecurity standards and expectations to applicable third-party vendors and service providers – this includes assessing our external providers based on defined cybersecurity criteria.
During 2023/24, strategic investments in cybersecurity have been made to improve CSL’s threat management capabilities, proactive defence posture and rapid response to cybersecurity events.
Privacy
CSL maintains a strong commitment to the responsible use of personal data entrusted to us by patients, donors, employees and other stakeholders.
We comply with relevant privacy and health regulations in all jurisdictions in which we operate and are committed to safeguarding the privacy of personal information that we process. Dedicated personnel operating across major jurisdictions provide oversight and governance of privacy risk, enabling operational compliance with data privacy laws, such as China’s Personal Information Protection Law (effective as of November 2021) and the European General Data Protection Regulation (effective as of 25 May 2018), through a robust data privacy framework and appropriate controls.
CSL maintains an enterprise-wide data privacy policy, as well as standards and procedures, that guide the collection, maintenance and use of personal data and take account of global legal and regulatory requirements. CSL has improved its digital data privacy processes to help ensure that we are respecting the right to privacy of individuals and responsibly collecting and managing the data we collect.
CSL follows a robust Privacy Incident and Data Breach Response Procedure in dealing with possible data privacy incidents. Privacy incidents are reported to an enterprise-wide data privacy team for triage and assessment.