In the regular course of business, The Advisory Board Company (which is referred to in this Privacy Policy sometimes as the "Advisory Board," "us," "we" or "our") interacts and communicates directly with health care providers and professionals, higher education institutions, consumers, employees and others. These audiences may share Personal Information with us that we subsequently process electronically and/or manually. The Advisory Board recognizes and respects the privacy interests of individuals. As evidence of our commitment, we have developed this comprehensive Privacy Policy, which includes a set of frequently asked questions.
As a company, the following philosophy helps to guide our privacy protection efforts and serves as a foundation for this Privacy Policy:
The Advisory Board believes that it is a person's right to have their Personal Information kept private. Therefore, we have implemented privacy protections including technical security measures, to keep Personal Information private and secure. To support this philosophy, we will:
The Advisory Board has implemented this Privacy Policy to develop a privacy cultural awareness within the Advisory Board. We have done so also to provide a context for technical requirements and procedures. This Privacy Policy is the driving force the Advisory Board uses to integrate the Privacy Policy in appropriate areas of the company's operations. Our senior management takes an active leadership role in the direction of the Advisory Board's privacy program.
The Advisory Board demonstrates its sensitivity and responsiveness to potential concerns regarding processing of Personal Information by applying this Privacy Policy in the following ways:
The Privacy Policy applies to all of the Private Information about any person that we collect or receive as part of our business operations - whether from an individual person or from a health care provider, higher education institution, or other organization that provides Protected Information to us in connection with the provision of our services. The relevant portions of the Privacy Policy also apply to third parties which handle and process Private Information about individuals on our behalf.
Private Information means any information relating to an individual that identifies that individual or could reasonably be used to identify the individual regardless of the medium involved (e.g., paper, electronic, video, audio). Private Information also can constitute "protected health information" under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA").
All Private Information handled by the Advisory Board in connection with the Advisory Board's business operations, such as information from an individual person or from a health care provider, higher education institution, or other organization that provides Protected Information to us in connection with the provision of our services, is covered by the Privacy Policy.
The Advisory Board seeks to collect and use Private Information it acquires as a business from individuals and third parties only in a lawful manner.
From what types of sources does the Advisory Board collect Private Information?
General. We collect Private Information directly from the individual, or through third parties. In those cases where the Advisory Board collects Private Information about an individual from someone other than that individual, we take measures to respect the privacy preferences of individuals. Examples of when the Advisory Board collects Private Information from others include, without limitation, and where appropriate, from a health care provider, higher education institution, or other organization that provides Protected Information to us in connection with the provision of our services, from job applicants, and from users of certain features made available to members of an Advisory Board program in the members-only area of the Advisory Board's website. Some of the health care providers from whom we collect or otherwise receive Private Information may be a "covered entity" for purposes of HIPAA.
Members. If you or your organization is a member of an Advisory Board program and access the restricted, members-only area of an Advisory Board website, we may collect additional information relating to your participation in Advisory Board programs. The Advisory Board also may obtain information about your access and use of Advisory Board research materials, decision-support tools, and other online and offline offerings. Please note that we also collect Personal Information relating to you at the time you or your organization enrolled in an Advisory Board program or programs, as well as in the course of allocating and issuing to you your unique ID and password to access the members-only areas of Advisory Board websites. Please be aware also that others could view some of your Private Information when you post a message to one of our online blogs in a members-only area of an Advisory Board website.
Information collected automatically. When you visit an Advisory Board website, we automatically collect and analyze certain information about your computer. This information includes, but may not be limited to, the IP address used to connect your computer to the Internet, information about your browser type and language, the date and time you are accessing the website, the content of any undeleted cookies that your browser previously accepted from us, and the referring website address.
Use of cookies and other technologies. We use various technologies to collect information about your and your organization's activities on an Advisory Board website.
Information Collected by Third Parties. Third parties, such as vendors, advertising entities, and business partners, may use cookies and other technologies (such as Web beacons) to collect information about your online activities. The purposes for collecting this information includes: to measure usage of Advisory Board sites; to analyze, modify, and personalize advertising content on Advisory Board websites; and to provide ads about goods and services we hope will be of interest to you. We do not have access to or control over cookies or other features these third parties may use, and the information practices of these third parties are not covered by this Privacy Policy. Some of these third parties may be third-party network advertisers that offer you the option of not having this information collected. For more information about these some of these third parties, you may wish to visit http://www.networkadvertising.org.
Does the Advisory Board receive, collect or use Private Information from sources outside of the United States?
Yes. All of the Advisory Board's websites, including customized websites provided to members of our programs, products, and services, are operated in the United States. Depending on an individual's or a member's country of residence, the submission of Private Information to us may involve some transfer of Private Information to the United States. You should be aware that privacy laws in the United States might not provide protections equivalent to those of your country of residence. We have taken steps to help ensure that appropriate levels of protection necessary to maintain the security and quality of your Personal Information are in place and that any transferred data is processed only in accordance with the Privacy Policy. In addition, we have self-certified our privacy practices as consistent with U.S.—E.U. Safe Harbor principles: Notice, Choice, Onward Transfer, Access and Accuracy, Security, and Oversight/Enforcement. More information about the U.S. Department of Commerce Safe Harbor Program can be found at http://www.export.gov/safeharbor/, as well as at under "Advisory Board and the E.U.-U.S. Safe Harbor for Privacy" below.
Advisory Board members also should be aware that, by participating in our online and offline networks and services, such as retreats, blogs, and other conferences, Private Information about them and/or their individual employees might be made available or visible to other Advisory Board members throughout the world to facilitate intelligence sharing across our membership. If you are uncomfortable with this transfer of your or your individual employees' Private Information, you should not use those services.
Why does the Advisory Board collect and use Private Information?
Our collection and use of Private Information is essential to the conduct of many of the Advisory Board's business functions. Examples of the purposes for which the Advisory Board collects and uses Private Information include:
In those cases where we obtain Private Information about an individual from the individual directly, we inform that individual of (or make available to that individual information relating to) the type of data we collect, the purposes for which we collect it, how to contact us with any inquiries or complaints, the types of parties to whom we might disclose the Private Information, the privacy and information safeguards we employ, and that person's right to access and, if necessary, correct the Private Information. We will provide or make available this notice when individuals are first asked to provide Private Information to the Advisory Board, or as soon thereafter as is practicable.
The Advisory Board recognizes the importance of respecting individuals' privacy preferences.
We may share individuals' Private Information with our corporate affiliates, divisions, or subsidiaries, or with third parties who are acting on our behalf to enable us to provide the individuals with certain employee-related benefits and services or to provide services to the Advisory Board member that provided us with the Private Information. In addition, where consent of individuals or their representatives (such as a member of an Advisory Board program) for the collection, use, or disclosure of Private Information is required by law, contract or agreement, we will obtain such consent or seek assurance that the Advisory Board member obtained such consent.
Are there cases when the Advisory Board may disclose Private Information without consent?
Yes. In certain limited or exceptional circumstances, and in accordance with legal requirements, we disclose an individual's Private Information without the individual's consent, such as (a) when we are required to disclose the information by law or legal process, (b) when the vital interests of the individual, such as life or health, are at stake, or (c) when we believe it is appropriate to investigate, prevent, or take action regarding illegal or suspected illegal activities; to protect and defend the rights, property or safety of the Advisory Board, our members, customers or others. If an individual's Private Information is provided to us by a third party (such as a member of an Advisory Board program), we may share the individual's Private Information with such member.
Please note that, when an individual or an individual's organization becomes an Advisory Board member, we may make information about the individual (including contact and institutional information) available to other members through online and offline services. We may share aggregate or anonymous information with third parties, including advertisers, investors and partners. This information does not contain any Private Information and is used to develop content and services that we hope the individual and our member will find of interest.
Under what circumstances does the Advisory Board disclose Private Information to agents and contractors, and what steps does the Advisory Board take to safeguard that information?
As a part of our normal business operations, we hire agents and contractors to carry out certain functions that require use of Private Information. We bind such parties through written agreements to observe the relevant portions of the Privacy Policy, restrict the use and retention of the information to the purposes and timeframe of such outsourcing, and take other measures to require the observance of the relevant portions of the Privacy Policy.
What happens if Individuals object to the collection, use, and disclosure of their Private Information?
We will make reasonable efforts to address the concerns of any individual who objects to providing us his or her Private Information. See also the complaint resolution procedures set forth below.
The Advisory Board provides individuals about whom it maintains Private Information with a reasonable opportunity to examine their information, to challenge its accuracy, and to have it corrected, amended or deleted as appropriate, subject to certain exceptions.
How do Individuals exercise their rights under the Access Principle?
Upon request, individuals will be given reasonable access to the Private Information that the Advisory Board holds about them. Reasonable access applies to both the process of accessing Private Information and the types of Private Information to be accessed. In terms of the process, reasonable access means, for example, that requests for access are made during normal business hours, following standard procedures, and that the frequency of access requests is not excessive. In terms of the types of Private Information to be accessed, reasonable access means recognizing certain exceptions discussed in frequently asked question #2 that follows. If we deny an individual access, however, we will provide such individual with the reason(s) for denying access and a contact point for further inquiries.
If we are notified that Private Information maintained by us is incorrect, where requested and provided with appropriate supporting documentation, we will either correct the information or direct the individual to the source of the information for correction. If, upon review, we believe that the existing information is correct, we will inform the individual. If the individual continues to dispute the accuracy of the information, the Advisory Board will note that dispute in the individual´s record upon request.
Is there any Private Information of an Individual maintained by the Advisory Board that such Individual would not be permitted to access?
Yes, there are some exceptions to the obligation to provide access. These may include access to confidential or proprietary information, such as physician notes, or situations in which granting access might have to be balanced against the privacy interests of others. In addition, access may be denied when the information requested relates to an ongoing investigation of the individual, litigation or potential litigation or where the burden or expense of providing access would be disproportionate to the risks to the individual´s privacy. In cases of sensitive medical information, it may be more appropriate to provide such information to the individual´s health care provider who in turn can provide such information to the individual and be available to interpret properly the meaning of the information collected.
The Advisory Board employs reasonable steps to keep Private Information accurate, complete and up-to-date.
Yes. Keeping Private Information as accurate, complete and up-to date as required for the purposes for which it is used is in the best interests of both individuals and the Advisory Board. We expect all individuals to assist it in keeping the Private Information we hold about them accurate, complete and up-to-date, and facilitates cooperation by individuals in doing so.
The Advisory Board has implemented technical and organizational security measures to help protect against unauthorized access to or unauthorized alteration, disclosure or destruction of Private Information. We review our systems regularly to help ensure that the security and integrity of Personal Information in our possession is not compromised. Unfortunately, no data transmission over the Internet can be guaranteed to be entirely secure, and we do not assume any liability for any damage suffered by you caused by the interception, alteration, or misuse of information during transmission that is outside of our reasonable control.
Within the Advisory Board, we restrict access to Private Information to employees, contractors, and agents who need to know that information in order to operate, develop, or improve our programs and services. We subject our third party contractors and agents to contractual controls to help ensure that they apply suitable protections to any Personal Information they access or receive from us.
Is there a role for Individuals to play in maintaining the security of Private Information?
Individuals play a vital role in maintaining security by, for examples, protecting passwords used to access a system, keeping their own paper records under lock and key when not in use, and disposing of records and reports no longer needed in a secure manner. Effective security with respect to Advisory Board websites depends, in part, on Advisory Board members and their employees ensuring that any IDs and passwords that they have been issued by us are kept confidential and secure and that members adhere to the restrictions on password and ID-sharing.
How are decisions reached about who has access to Private Information about individuals?
Access to Private Information about individuals is given only to those employees, vendors, Advisory Board members or other persons with a legitimate need to know the information to carry out their responsibilities.
What is to prevent a person who has access to some of an individual´s Private Information from browsing through other parts of it for other reasons?
It is the Advisory Board's policy to grant employees, agents and contractors access only to the amount of information necessary to carry out their responsibilities.
Advisory Board websites contain business-related content and are specifically aimed at and designed for use by adults. We do not knowingly solicit or collect Private Information from or about individuals under the age of 18 years other than from Advisory Board members that provide such information to us as part of an Advisory Board program. If we discover that we have received Private Information from an individual whom we believe to be under the age of 18 in some other manner, we will delete such information from our systems.
The U.S. Department of Commerce and the European Commission have developed a "safe harbor" framework of data protection principles ("Safe Harbor"). This Safe Harbor is designed to provide U.S. organizations with a means to satisfy the European Union's legal requirement that adequate data protections be afforded to personally-identifiable information transferred from the European Union to the United States. The Advisory Board's Privacy Policy is consistent with the safe harbor principles, and the Advisory Board has specifically certified that its transfers of manual and electronic data from the European Union to the United States adhere to the Safe Harbor principles.
For more information on Safe Harbor, please see http://www.export.gov/safeharbor/.
The Advisory Board maintains active processes to help ensure compliance with the Privacy Policy, as well as with legal requirements, contractual agreements, and other commitments in the handling of Private Information. The Advisory Board's Compliance Officer is responsible for implementing and overseeing the administration of the Privacy Policy. To contact the Advisory Board´s Compliance Officer, you may send an e-mail message to compliance@advisory.com, leave a voicemail message at 1-800-523-3391, or send a fax to 202-266-6633, Attention: Compliance Officer. You may also send a letter to Compliance Officer, The Advisory Board Company, 2445 M Street, N.W., Washington, DC 20037.
What are the responsibilities of the Advisory Board Compliance Officer?
Responsibilities of the Advisory Board Compliance Officer include:
What steps are taken to promote compliance with the Privacy Policy?
Compliance measures may include:
The Advisory Board recognizes the importance of having mechanisms in place to address and resolve complaints by individuals about the processing of Private Information. Therefore, in addition to any legal remedies that may be available, if an individual covered by the Privacy Policy makes a complaint about the processing of the individual´s Private Information, and the complaint is not resolved to the individual satisfaction through our internal procedures, we will use a readily available and affordable independent dispute resolution mechanism to resolve the complaint.
What are the procedures for filing a complaint about the handling of Private Information?
All individuals having questions or complaints concerning the Advisory Board´s privacy practices can send an e-mail message to compliance@advisory.com, leave a voicemail message at 1-800-523-3391, or send a fax to 202-266-6633, Attention: Compliance Officer. You may also send a letter to Compliance Officer, The Advisory Board Company, 2445 M Street, N.W., Washington, DC 20037.
What types of independent dispute resolution mechanisms are available?
Some jurisdictions have established data protection authorities overseeing the processing of Private Information that are willing to assist in the resolution of complaints. The Advisory Board is committed to working with these authorities to resolve any complaint and to complying with their decisions in such cases.
Alternatively, in jurisdictions where there is no data protection authority available to provide dispute resolution, we identified and will utilize an independent alternative dispute resolution mechanism administered by the CPR Institute for Dispute Resolution (www.cpradr.org).
The Advisory Board Compliance Officer will be able to provide additional information about the use of independent dispute resolution mechanisms.
If the Advisory Board changes the Privacy Policy, we will post the revised Privacy Policy here, with an updated revision date. If the Advisory Board makes significant changes to the Privacy Policy, we may also notify you by other means, such as sending an email or posting a notice on the Advisory Board's external website.
