Privacy protection philosophy
The Advisory Board believes that it is a person’s right to have their Personal Information kept private. Therefore, we have implemented privacy protections, including technical security measures, to keep Personal Information private and secure. To support this philosophy, we will:
- determine the potential benefit of processing Personal Information and seek to identify and minimize the effects of potential risks by implementing privacy protection measures;
- listen to and consider feedback from internal and external audiences that have specific privacy concerns; and
- adhere to external privacy protection requirements that we are required to implement for processing of Personal Information.
Framework for implementing privacy protections
Applying Privacy Protections
- We implemented training, awareness and compliance processes to address the privacy of data of, among others, those who receive health care or higher education services from a member of one of our programs, those who access internal and external Advisory Board websites, and its employees;
- We developed methodologies to identify business systems and processes, electronic and/or manual, that process Personal Information to minimize the effects of any potential risks;
- We instituted privacy and security standards that support the appropriate confidentiality of Personal Information, including medical information, and the Advisory Board will continue to monitor new technical security measures for possible implementation;
- We implemented privacy processes and practices related to security, enforcement, access, disclosure and third party due diligence; and
- We developed mechanisms to respond to privacy concerns in a timely fashion.
1. What is “Private Information”?
Private Information means any information relating to an individual that identifies that individual or could reasonably be used to identify the individual regardless of the medium involved (e.g., paper, electronic, video, audio). Private Information also can constitute “protected health information” under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).
2. Whose Private Information is covered?
Notice—Collection and Use; Informing the Individual
A. Collection and Use
The Advisory Board seeks to collect and use Private Information it acquires as a business from individuals and third parties only in a lawful manner.
1. From what types of sources does the Advisory Board collect Private Information?
General. We collect Private Information directly from the individual, or through third parties. In those cases where the Advisory Board collects Private Information about an individual from someone other than that individual, we take measures to respect the privacy preferences of individuals. Examples of when the Advisory Board collects Private Information from others include, without limitation, and where appropriate, from a health care provider, higher education institution, or other organization that provides Protected Information to us in connection with the provision of our services, from job applicants, and from users of certain features made available to members of an Advisory Board program in the members-only area of the Advisory Board’s website. Some of the health care providers from whom we collect or otherwise receive Private Information may be a “covered entity” for purposes of HIPAA.
Members. If you or your organization is a member of an Advisory Board program and access the restricted, members-only area of an Advisory Board website, we may collect additional information relating to your participation in Advisory Board programs. The Advisory Board also may obtain information about your access and use of Advisory Board research materials, decision-support tools, and other online and offline offerings. Please note that we also collect Personal Information relating to you at the time you or your organization enrolled in an Advisory Board program or programs, as well as in the course of allocating and issuing to you your unique ID and password to access the members-only areas of Advisory Board websites. Please be aware also that others could view some of your Private Information when you post a message to one of our online blogs in a members-only area of an Advisory Board website.
Information collected automatically. When you visit an Advisory Board website, we automatically collect and analyze certain information about your computer. This information includes, but may not be limited to, the IP address used to connect your computer to the Internet, information about your browser type and language, the date and time you are accessing the website, the content of any undeleted cookies that your browser previously accepted from us, and the referring website address.
- Cookies. When you visit an Advisory Board website, we may assign your computer one or more “cookies.” A cookie is a small text file that contains information that can later be read by us to facilitate your access to the site and personalize your online experience. For example, when you sign into an Advisory Board site, we may record your user ID in a cookie file on your computer. In addition, through the use of a cookie, we may automatically collect information about your online activity on the Advisory Board site, such as the web pages you visit, the links you click, and the searches you conduct. Most browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies by visiting the Help portion of your browser’s toolbar. If you choose to decline cookies, please note that you may not be able to sign in or use some of the interactive features offered on the Advisory Board websites.
- Other technologies. We may use standard Internet technology, such as Web beacons (also called clear GIFs or pixel tags) and other similar technologies, to deliver or communicate with cookies and track your use of Advisory Board sites. We also may include web beacons in e-mail messages or newsletters to determine whether messages have been opened and acted upon. The information we obtain in this manner enables us to customize the services we offer and measure the overall effectiveness of our online content, advertising campaigns, and the products and services offered through the site.
2. Does the Advisory Board receive, collect or use Private Information from sources outside of the United States?
Advisory Board members also should be aware that, by participating in our online and offline networks and services, such as retreats, blogs, and other conferences, Private Information about them and/or their individual employees might be made available or visible to other Advisory Board members throughout the world to facilitate intelligence sharing across our membership. If you are uncomfortable with this transfer of your or your individual employees’ Private Information, you should not use those services.
3. Why does the Advisory Board collect and use Private Information?
Our collection and use of Private Information is essential to the conduct of many of the Advisory Board's business functions. Examples of the purposes for which the Advisory Board collects and uses Private Information include:
- to respond to inquiries that you submit to us about Advisory Board membership via the online “contact us” feature and determine which Advisory Board programs and services will help you achieve your goals;
- to send you membership details and information about Advisory Board programs and services that you have requested from us;
- to administer your membership and facilitate your access to and provide you with the Advisory Board resources, decision-support tools, and other materials available to you through your program membership;
- to communicate with you about surveys, marketing, promotions, executive-oriented events, educational forums, and other exclusive opportunities offered by us, including information about other Advisory Board programs in which you may be interested;
- to engage in research and analysis in order to maintain, protect and improve Advisory Board programs and services, as well as develop new services;
- to enhance the Advisory Board network and our products and services; and
- to help ensure the technical functioning of the Advisory Board websites.
Informing the Individual
In those cases where we obtain Private Information about an individual from the individual directly, we inform that individual of (or make available to that individual information relating to) the type of data we collect, the purposes for which we collect it, how to contact us with any inquiries or complaints, the types of parties to whom we might disclose the Private Information, the privacy and information safeguards we employ, and that person’s right to access and, if necessary, correct the Private Information. We will provide or make available this notice when individuals are first asked to provide Private Information to the Advisory Board, or as soon thereafter as is practicable.
The Advisory Board recognizes the importance of respecting individuals' privacy preferences.
We may share individuals' Private Information with our corporate affiliates, divisions, or subsidiaries, or with third parties who are acting on our behalf to enable us to provide the individuals with certain employee-related benefits and services or to provide services to the Advisory Board member that provided us with the Private Information. In addition, where consent of individuals or their representatives (such as a member of an Advisory Board program) for the collection, use, or disclosure of Private Information is required by law, contract or agreement, we will obtain such consent or seek assurance that the Advisory Board member obtained such consent.
1. Are there cases when the Advisory Board may disclose Private Information without consent?
Yes. In certain limited or exceptional circumstances, and in accordance with legal requirements, we disclose an individual's Private Information without the individual's consent, such as (a) when we are required to disclose the information by law or legal process, (b) when the vital interests of the individual, such as life or health, are at stake, or (c) when we believe it is appropriate to investigate, prevent, or take action regarding illegal or suspected illegal activities; to protect and defend the rights, property or safety of the Advisory Board, our members, customers or others. If an individual’s Private Information is provided to us by a third party (such as a member of an Advisory Board program), we may share the individual’s Private Information with such member.
Please note that, when an individual or an individual’s organization becomes an Advisory Board member, we may make information about the individual (including contact and institutional information) available to other members through online and offline services. We may share aggregate or anonymous information with third parties, including advertisers, investors and partners. This information does not contain any Private Information and is used to develop content and services that we hope the individual and our member will find of interest.
2. Under what circumstances does the Advisory Board disclose Private Information to agents and contractors, and what steps does the Advisory Board take to safeguard that information?
3. What happens if Individuals object to the collection, use, and disclosure of their Private Information?
We will make reasonable efforts to address the concerns of any individual who objects to providing us his or her Private Information. See also the complaint resolution procedures set forth below.
The Advisory Board provides individuals about whom it maintains Private Information with a reasonable opportunity to examine their information, to challenge its accuracy, and to have it corrected, amended or deleted as appropriate, subject to certain exceptions.
1. How do Individuals exercise their rights under the Access Principle?
Upon request, individuals will be given reasonable access to the Private Information that the Advisory Board holds about them. Reasonable access applies to both the process of accessing Private Information and the types of Private Information to be accessed. In terms of the process, reasonable access means, for example, that requests for access are made during normal business hours, following standard procedures, and that the frequency of access requests is not excessive. In terms of the types of Private Information to be accessed, reasonable access means recognizing certain exceptions discussed in frequently asked question #2 that follows. If we deny an individual access, however, we will provide such individual with the reason(s) for denying access and a contact point for further inquiries.
If we are notified that Private Information maintained by us is incorrect, where requested and provided with appropriate supporting documentation, we will either correct the information or direct the individual to the source of the information for correction. If, upon review, we believe that the existing information is correct, we will inform the individual. If the individual continues to dispute the accuracy of the information, the Advisory Board will note that dispute in the individual’s record upon request.
2. Is there any Private Information of an Individual maintained by the Advisory Board that such Individual would not be permitted to access?
Yes, there are some exceptions to the obligation to provide access. These may include access to confidential or proprietary information, such as physician notes, or situations in which granting access might have to be balanced against the privacy interests of others. In addition, access may be denied when the information requested relates to an ongoing investigation of the individual, litigation or potential litigation or where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy. In cases of sensitive medical information, it may be more appropriate to provide such information to the individual’s health care provider who in turn can provide such information to the individual and be available to interpret properly the meaning of the information collected.
The Advisory Board employs reasonable steps to keep Private Information accurate, complete and up-to-date.
Is there a role for Individuals to play in maintaining the accuracy of Private Information?
Yes. Keeping Private Information as accurate, complete and up-to-date as required for the purposes for which it is used is in the best interests of both individuals and the Advisory Board. We expect all individuals to assist us in keeping the Private Information we hold about them accurate, complete and up-to-date, and we facilitate cooperation by individuals in doing so.
The Advisory Board has implemented technical and organizational security measures to help protect against unauthorized access to or unauthorized alteration, disclosure or destruction of Private Information. We review our systems regularly to help ensure that the security and integrity of Personal Information in our possession is not compromised. Unfortunately, no data transmission over the Internet can be guaranteed to be entirely secure, and we do not assume any liability for any damage suffered by you caused by the interception, alteration, or misuse of information during transmission that is outside of our reasonable control.
Within the Advisory Board, we restrict access to Private Information to employees, contractors, and agents who need to know that information in order to operate, develop, or improve our programs and services. We subject our third party contractors and agents to contractual controls to help ensure that they apply suitable protections to any Personal Information they access or receive from us.
1. Is there a role for Individuals to play in maintaining the security of Private Information?
Individuals play a vital role in maintaining security by, for example, protecting passwords used to access a system, keeping their own paper records under lock and key when not in use, and disposing of records and reports no longer needed in a secure manner. Effective security with respect to Advisory Board websites depends, in part, on Advisory Board members and their employees ensuring that any IDs and passwords that they have been issued by us are kept confidential and secure and that members adhere to the restrictions on password and ID-sharing.
2. How are decisions reached about who has access to Private Information about individuals?
Access to Private Information about individuals is given only to those employees, vendors, Advisory Board members or other persons with a legitimate need to know the information to carry out their responsibilities.
3. What is to prevent a person who has access to some of an individual’s Private Information from browsing through other parts of it for other reasons?
It is the Advisory Board’s policy to grant employees, agents and contractors access only to the amount of information necessary to carry out their responsibilities.
Advisory Board websites contain business-related content and are specifically aimed at and designed for use by adults. We do not knowingly solicit or collect Private Information from or about individuals under the age of 18 years other than from Advisory Board members that provide such information to us as part of an Advisory Board program. If we discover that we have received Private Information from an individual whom we believe to be under the age of 18 in some other manner, we will delete such information from our systems.
The Advisory Board and the E.U.—U.S. Safe Harbor for Privacy
For more information on Safe Harbor, please see http://www.export.gov/safeharbor/.
Enforcement—Compliance and Complaint Resolution
1. What are the responsibilities of the Advisory Board Compliance Officer?
Responsibilities of the Advisory Board Compliance Officer include:
- Overseeing responses to inquiries, and resolution of complaints, relating to privacy; and
Compliance measures may include:
- Training those individuals with access to Private Information on privacy policies and procedures; and
B. Complaint Resolution
1. What are the procedures for filing a complaint about the handling of Private Information?
All individuals having questions or complaints concerning the Advisory Board’s privacy practices can send an e-mail message to firstname.lastname@example.org, leave a voicemail message at 1-800-523-3391, or send a fax to 202-266-6633, Attention: Compliance Officer. You may also send a letter to Compliance Officer, The Advisory Board Company, 2445 M Street, N.W., Washington, DC 20037.
2. What types of independent dispute resolution mechanisms are available?
Some jurisdictions have established data protection authorities overseeing the processing of Private Information that are willing to assist in the resolution of complaints. The Advisory Board is committed to working with these authorities to resolve any complaint and to complying with their decisions in such cases.
Alternatively, in jurisdictions where there is no data protection authority available to provide dispute resolution, we identified and will utilize an independent alternative dispute resolution mechanism administered by the CPR Institute for Dispute Resolution (www.cpradr.org).
The Advisory Board Compliance Officer will be able to provide additional information about the use of independent dispute resolution mechanisms.
Changes to This Policy