Data privacy
A commitment to privacy and protection
Roche upholds the highest standards of ethics, ensuring integrity, transparency and respect in all our practices.
Data privacy
At Roche, protecting privacy is fundamental to fostering trust and safeguarding the rights of patients and healthcare professionals. Our comprehensive approach ensures personal health data is processed with the utmost care, transparency and respect for individual privacy.
We adhere to rigorous global standards, embedding privacy measures throughout the entire product lifecycle. By balancing the power of data with respect for privacy, Roche commits to responsible, permission-based and compliant data use. Patients and healthcare professionals can trust that their data is safeguarded at every stage of the healthcare journey.
Privacy by design: Our structured governance model ensures responsible data management practices that align with international regulations. This approach safeguards sensitive information globally while upholding consistent and trusted privacy standards.
Data privacy notice
Roche is committed to transparency and accountability in data privacy. Our Data Privacy Notice outlines our practices for processing, protecting and respecting personal data, ensuring compliance with global standards like GDPR and HIPAA. Roche upholds the highest standards of ethics, ensuring integrity, transparency and respect in all our practices. Our commitment to ethical principles guides every decision we make, fostering trust and accountability.
Privacy as a fundamental right
At Roche, we believe privacy is a fundamental human right. We balance the power and reach of data with a deep respect for individual privacy, ensuring that patient data is used ethically, fairly and transparently.
Ethical data use for innovation
While data is vital for driving healthcare innovation, Roche ensures all data handling is conducted responsibly. By adhering to strict data protection principles, we build and maintain the trust of patients, partners and stakeholders in our commitment to privacy.
Data processing agreements
Roche employs a proactive cybersecurity approach grounded in Zero-Trust and Threat-Based Methodologies:
By embedding these practices early in development Roche enhances the security and resilience of our products ensuring they are prepared for emerging cyber threats.
Commitment to compliance
Roche upholds high standards of accountability in data processing, adhering to stringent privacy regulations such as the GDPR, HIPAA and the Swiss Federal Act on Data Protection. Our data processing agreements not only protect the privacy of patients and users of our products but also enable Roche to deliver medical and clinical value that benefits our customers, patients and society.
To ensure consistent privacy protection, Roche requires all third-party suppliers and vendors to sign robust data processing agreements, aligning them with our commitment to safeguarding sensitive data.
Secure and responsible data handling
All data processing at Roche is conducted with integrity, confidentiality and respect for individual rights. We adhere to principles of permission-based, lawful and purpose-driven data use, ensuring that data is only processed when necessary. Our guidelines include data minimization, storage limitations and robust safeguards to protect sensitive information and maintain trust.
Adhering to global standards
Our adherence to global data protection laws reinforces Roche’s commitment to patient trust and integrity. This ensures that personal data is handled with the highest standards of security and responsibility across every region we operate in.
Privacy-enhancing technologies
Roche protects sensitive personal health data using advanced privacy-enhancing technologies like anonymization, pseudonymization and confidential computing. These measures safeguard data throughout its lifecycle, reducing risks during processing, research and sharing while preserving privacy and enabling innovation.
Importance of protecting personal health data
Roche recognizes the sensitivity of personal health data collected throughout the patient journey. We protect this data through both cybersecurity and privacy-enhancing technologies, reducing risks in legitimate processing, research and data sharing.
Core principles of data protection
Our data protection principles aim to minimize exposure, restrict access and control data processing duration. These measures, supported by advanced technologies, safeguard patient data throughout its lifecycle, even during research or controlled sharing.
Anonymization and pseudonymization
Roche employs anonymization and pseudonymization techniques to protect individual privacy. These methods safeguard personal data, ensuring it remains secure and enabling valuable insights for research while preserving privacy.
Confidential computing
Confidential computing enhances security by protecting data during active processing. This technology ensures sensitive information is kept private, even during complex data analysis and machine learning operations.
Commitment to research and innovation
Roche is dedicated to advancing privacy-enhancing technologies through ongoing research and collaboration with the academic community. Our commitment to pioneering data protection tools reflects our dedication to maintaining high privacy standards in healthcare.
Patient-centered development and privacy
Roche places patients at the core of every innovation, embedding privacy principles into products and partnerships to deliver secure, reliable healthcare solutions. By balancing innovation with respect for patient rights, Roche ensures data is handled ethically and transparently.
Innovation with trust
Roche is dedicated to innovating with integrity. By embedding privacy principles or standards in every product and partnership, we offer patients secure, reliable healthcare solutions. This commitment to privacy and ethical data use forms the foundation of Roche’s digital trust, supporting better healthcare outcomes through responsible innovation.
Putting patients first
At Roche, our products are designed with patients’ needs in mind at every step. From diagnosis to treatment support and remote monitoring, our solutions are developed to enhance patient care while safeguarding privacy. We view data as a vital asset for driving healthcare innovation yet always balance its use with a deep respect for patient rights.
Balancing innovation with privacy
We believe data power comes with responsibility. Roche protects patient information as a fundamental right, ensuring it is used ethically and transparently. Our practices uphold strict standards for lawful, fair and confidential data handling, building trust by respecting privacy in every interaction.
Accountability in data processing
Roche is committed to high standards of data processing compliance. We adhere to global privacy regulations like GDPR and HIPAA and ensure that our employees and partners follow rigorous guidelines to protect personal data. Measures like data minimization and confidentiality safeguards ensure that data use remains secure and purpose-driven.
Global governance for privacy
Our global network of privacy experts works to ensure data protection across all regions, aligning with local laws and global standards. This team collaborates closely with legal and cybersecurity functions to ensure Roche’s solutions are developed with privacy at their core, honoring patient rights in every market we serve.
Certifications and standards
Certifications and standards
Overview of certifications and standards
We adhere to the high industry standards in data management and cybersecurity for our digital solutions, earning certifications and adhering to standards such as:
ISO 27001/27017/27018: International standard for managing information security, including cloud environments
ISO 27701: International standard for privacy management
IEC 81001-5-1:2022: International standard for the safety, security and effectiveness of healthcare software products
HITRUST: Recognized certified framework to ensure adherence to key regulations and industry-defined requirements for safeguarding sensitive information and managing risk effectively
Why we invest in certifications
Patient data protection: These certifications confirm that Roche implements stringent measures to protect sensitive patient information from breaches and cyber threats
Regulatory compliance: Certifications help ensure Roche meets global legal standards, providing consistency and reliability in our data management practices
Risk mitigation: Certified practices reduce risks of data breaches, financial losses and legal liabilities, helping protect Roche’s reputation and assets
Operational efficiency: Compliance with certification standards streamlines security practices, reducing downtime and enhancing operational reliability
Global compliance and legal approach
Roche is committed to upholding the highest standards of compliance and data protection globally. Through legal support, vendor oversight and ongoing compliance efforts, we ensure secure, responsible data practices that build trust and deliver value for patients and healthcare providers.
Global compliance efforts
We take a global approach to compliance, with dedicated teams staying informed on international privacy and security regulations and official guidelines to ensure our products meet stringent security and privacy standards worldwide, including but not limited to:
HIPAA: U.S. regulation to protect patient health information
GDPR: European regulation for data protection and privacy
NIS2 and its local transpositions in EU for critical infrastructures
US FDA guidance for premarket submissions and postmarket management of cybersecurity in medical devices
Legal approach
Dedicated legal support
Roche has legal teams across its corporate and affiliate offices globally, supporting compliance across research, product development and commercial availability, ensuring that data protection is integrated into every stage of product creation and deployment
Staying updated on global privacy laws
Roche’s legal teams frequently monitor changes in privacy laws worldwide, educating product teams to ensure privacy-by-design principles are embedded in product development. Our employees receive regular privacy training to reinforce our commitment to safeguarding data through physical, administrative and technical measures. Certain internal and external audits are conducted regularly to verify adherence to these practices
Contracts and compliance obligations
Roche’s products are supported by detailed contracts with customers, including Data Protection Agreements under GDPR and Business Associate Agreements under HIPAA. Roche also requires third-party vendors and suppliers to adhere to these data protection standards, applying a quality process that includes cybersecurity and data privacy risk assessments
Ensuring ongoing compliance
Our legal and compliance teams work diligently to stay up to date on evolving privacy laws around the globe. They provide guidance to ensure products are developed with security and privacy-by-design principles. Regular training and certain internal audits reinforce our commitment to data protection, embedding privacy into daily operations across the organization.
- Not every digital product is available in all markets. The use of any third-party app is subject to a separate license agreement with the respective third-party app developer. Roche gives no warranties (express or implied) with regard to any third-party app. Third-party apps might not be available in your country. This website and its content may be accessible worldwide, Roche assumes no liability with regard to the access to the information, which may not be compatible with legislations or regulations in force in your country.
- MC--1674