Responsible Associates:
All Associates
Reference:
Source References, 01LT012200
General:
Cerner Corporation and its wholly owned subsidiaries ("Cerner") are committed to protecting the privacy and security of its clients, partners, and associates and therefore operate under a set of strict privacy principles.
Cerner adheres to the Safe Harbor Agreement concerning the transfer of personal data from the European Economic Area (“EEA”) and/or Switzerland to the United States of America. Accordingly, Cerner follows the Safe Harbor Principles published by the U.S. Department of Commerce. If there is any conflict between the policies in these EEA and Swiss Safe Harbor Privacy Guidelines (these “Privacy Guidelines”) and the principles published by the U.S. Department of Commerce, the latter principles shall govern.
These Privacy Guidelines set forth the privacy principles Cerner follows with respect to any transfer of personal data from the EEA and/or Switzerland to the United States. These Privacy Guidelines apply to all personal data received from the EEA and Switzerland by Cerner whether in electronic or paper format.
Please note that Cerner provides its clients with services that involve it processing personal data on its client’s behalf, such as where it provides remote hosting, system monitoring, system trouble-shooting, data warehousing and application management services. In this capacity, Cerner does not own or control the personal data it processes, but rather its client does. In this capacity, Cerner receives and processes personal data merely as a “data processor” on behalf of its client. In such situations, Cerner often has no contact with the individuals to whom such personal data relates and so is dependent upon its client to comply with applicable EEA and/or Swiss data protection law at the time that the personal data is originally collected or received by its client. As a data processor acting on behalf of a Cerner client, Cerner is not required to comply with these principles but is required to perform its services in accordance with its contract with the client concerned and any data privacy protections incorporated therein. These Privacy Guidelines are to be read subject to this distinction.
Notice:
In the event Cerner is collecting personal data from individuals in the EEA and/or Switzerland and is transferring such information to the U.S., Cerner will inform the individuals concerned about the purpose for which Cerner collects and uses their personal data. If Cerner in the U.S. receives personal data of individuals from its subsidiaries or affiliates or other entities in the EEA or Switzerland it will only use such information in accordance with the notices such entities have provided to the individuals concerned and any consents that such individuals have provided.
Cerner in the U.S. particularly receives, holds and processes the following personal data from the EEA and/or Switzerland:
As a manufacturer of clinical and management information systems, Cerner assists its clients worldwide in the implementation and support of Cerner solutions in their healthcare institution(s). Since Cerner provides implementation and support for different healthcare institutions, Cerner may receive, hold, and process personal data from clients within the EEA and/or Switzerland, including patient data provided by clients for the purpose of troubleshooting specific computer system hardware and software problems and issues in accordance with business and/or service agreements. In addition, Cerner also provides managed services such as remote hosting, remote system monitoring, disaster recovery, data warehousing and application management services, in which it may act as the custodian of patient health information for certain clients. With these offerings, Cerner not only has access to provider-based personal health information, but also performs many of a provider’s custodial duties as well.
In addition, Cerner’s goal is to provide its clients, partners and associates with a personalized Internet experience and an Internet-based online information and communication service that delivers the information, resources and services that are most relevant and helpful to its users. In order to achieve these goals, Cerner may collect information and process personal data during users’ visits to its Web sites and, in particular, during a user’s visits to cerner.com and/or ucern.com Web sites. As a consequence, Cerner may receive, hold, and process personal data from clients, partners and associates within the EEA and/or Switzerland while providing website services such as an Internet-based communication platform for professionals to connect to each other. Cerner’s collection and use of personal data varies based on the website services requested by the users and the user’s choice of privacy options within the relevant website services.
Further, Cerner receives, holds, and processes personal data from employees of Cerner’s wholly owned European subsidiaries, which are transferred to Cerner Corporation in the U.S. for purposes of human resource administration. Any such personal data is purely collected and processed for job related purposes, for other legitimate purposes reasonably related to an individual’s employment, their performance of job responsibilities and Cerner’s ability to make employment services and benefits available to them. Cerner particularly collects and uses personal data for the proper management of global operations, including for payroll management, headcount, promotions and performance review measures, vacation, tax and social security withholding, enrollment in company benefit programs, stock purchase and stock option programs, relocation or immigration assistance, and the mandatory compliance with all applicable labor, employment and tax laws.
Choice:
Cerner will offer individuals the opportunity to choose (through an ‘opt out’ choice) whether their personal data is (1) to be disclosed to a third party (unless permitted or required by contract or law) or (2) to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual.
For sensitive personal data (that is, personal data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual, or other personal data that Cerner receives from a third party which the third party identifies as sensitive personal data), Cerner will give individuals the opportunity to affirmatively or explicitly consent (through an ‘opt in’ choice) if the personal data is to be disclosed to a third party (unless permitted or required by contract or law) or if it is to be used for a purpose other than its original purpose or a purpose authorized subsequently by the individual.
Onward Transfer:
Cerner only transfers personal data to third parties as necessary to carry out the purposes individuals have been notified about. Further, Cerner only transfers personal data to third parties that are acting as an agent to perform task(s) on behalf of and under the instructions of Cerner. Cerner will not transfer personal data to any third parties unless this third party is subscribed to the Safe Harbor principles, or enters into a written agreement with Cerner requiring that the third party provide at least the same level of privacy protection as is required by the relevant Safe Harbor Principles. If Cerner learns that an agent is using or disclosing personal data in a manner contrary to these Privacy Guidelines, Cerner will take all reasonable steps to prevent or stop the use or disclosure. Cerner limits the data transferred to a third party agent to data that is necessary to carry out the function Cerner has contracted with the agent to perform.
Data Security:
Cerner takes all reasonable measures to protect the personal data from loss, misuse, unauthorized access, disclosure, alteration and/or destruction. Cerner accordingly has put in place appropriate physical, electronic and managerial security measures to safeguard and secure any personal data under Cerner’s control from loss, misuse, unauthorized access or disclosure, alteration or destruction. However, Cerner cannot guarantee the security of personal data on or transmitted via the Internet.
Data Integrity:
Cerner will only process personal data in a way that is compatible with and relevant for the purpose for which it was collected or authorized by the individual. To the extent necessary for those purposes, Cerner will take reasonable steps to ensure that personal data is accurate, complete, current and reliable for its intended use.
Access:
Subject to any statutory exceptions, Cerner will allow an individual access to their personal data upon request and will provide reasonable measures to allow the correction, amendment or deletion of inaccurate information, except where the burden or expense of providing access would be disproportionate to the risks to the privacy of the individual in the case in question or where the rights of persons other than the individual would be violated.
Enforcement and Dispute Resolution:
Cerner uses a self-assessment approach to assure compliance with these Privacy Guidelines and periodically verifies that these Privacy Guidelines are accurate, comprehensive for the information intended to be covered, prominently displayed, completely implemented and accessible and in conformity with the most current Safe Harbor principles.
Cerner encourages interested persons to raise any concerns using the contact information provided below and it will investigate and attempt to resolve any complaints and disputes regarding use and disclosure of personal data in accordance with the Safe Harbor principles.
If a complaint or dispute cannot be resolved through our internal process, Cerner agrees to dispute resolution using BBBOnline (contact BBBOnline EU Safe Harbor at www.bbb.org/us/safe-harbor) as an independent third party resolution provider.
Contact Information:
Questions, comments or complaints regarding these Privacy Guidelines or data collection and processing practices can be mailed or emailed to:
Cerner Corporation
Brian Dahlin, Director, Corporate Security
2800 Rockcreek Parkway, Kansas City, Missouri 64117-2551
Phone: (816)201-2441
Email: bdahlin@cerner.com
Amendments:
These Privacy Guidelines may be amended from time to time consistent with the requirements of the Safe Harbor. We will post any revised policy on this website.
Effective Date:
November 2009