 
 
 

Data privacy, confidentiality and information security

 
 


We protect confidential information, personal data and IT systems from unauthorised access, use or disclosure.

We consider data privacy laws and maintain the confidentiality of all commercially sensitive information, trade secrets and other confidential information relating to the Group and its business.

 

Data privacy

Personal data is information from which an individual can be identified. As a global company holding a significant volume of information about individuals (such as Employees and consumers), Group Companies and Employees must ensure that they handle personal data fairly, lawfully and reasonably, in accordance with local data protection laws and the Group Data Privacy Policy.

Data privacy laws govern the way in which organisations collect and process personal data, including how we are able to transfer data between companies or countries.

We are committed to handling personal data responsibly and in compliance with applicable data privacy laws worldwide. The Group Data Privacy Procedure provides a global minimum standard of governance on how we process personal data generally, and also more specifically how we must treat employee and consumer personal data.

We must be mindful that in some jurisdictions certain laws may impose additional requirements, and we will handle personal data in accordance with all such applicable laws.

 

Confidential information

Confidential information is any information, material or knowledge not generally available to the public that relates to the Group, our Employees, customers, business partners or others we do business with. Confidential information may prejudice the Group’s interests if disclosed to third parties. The way we obtain, use or otherwise handle confidential information, whether relating to the Group or third parties, can also breach applicable laws or other Group policies. Examples of confidential information include:
  • sales, marketing and other corporate databases
  • pricing and marketing strategies and plans
  • confidential product information and trade secrets
  • research and technical data
  • new product development material
  • business ideas, processes, proposals or strategies
  • unpublished financial data and results
  • company plans
  • personnel data and matters affecting Employees
  • software licensed to or developed by a Group Company
 

Disclosing confidential information

We must not disclose confidential information relating to a Group company or its business outside the Group without authorisation from higher management and only:
  • to agents or representatives of a Group company owing it a duty of confidentiality and requiring the information to carry out work on its behalf
  • under the terms of a written confidentiality agreement or undertaking
  • under the terms of an order of a competent judicial, governmental, regulatory or supervisory body, having notified and received prior approval from local LEX Counsel

If confidential information is to be transmitted electronically, then technical and procedural standards should be applied, and agreed with the other party where possible.

We should be mindful of the risk of unintentional disclosure of confidential information through discussions or use of documents in public places.

 

Access to and storage of confidential information

Access to confidential information relating to a Group company or its business should only be provided to Employees requiring it in order to carry out their work.

We must not take home any confidential information relating to a Group company or its business without making adequate arrangements to secure that information.

For further guidance, please contact LEX.

 

Use of confidential information

We must not use confidential information relating to a Group Company or its business for our own financial advantage or for that of a friend or relative (see ‘Conflicts of interest’).

Particular care must be taken if we have access to ‘inside information’, which is confidential information relevant to the price of shares and securities in public companies. For further details, see ‘Insider dealing and market abuse’.

 

Third party information

We must not request or obtain from any person confidential information belonging to another party. If we inadvertently receive information which we suspect may be confidential information belonging to another party, we should immediately notify our line manager and local LEX Counsel.
 

Cybersecurity

Failure to take appropriate steps to protect the confidentiality, integrity and availability of personal data, confidential information and Group IT systems could threaten the Group’s continuity of operations, confidentiality obligations, proprietary information and reputation, and may jeopardise our ability to comply with regulatory and legal obligations.
 

Reducing security risk

The Group uses technological measures, processes and policies to reduce cybersecurity risk. All Employees and contractors have an individual and collective responsibility to act in a way that reduces our cybersecurity risk. This includes complying with the IDT Security Procedure at all times and exercising a high level of care, professionalism and good judgement in accordance with applicable laws. Employees and contractors must collect, store, access and transmit personal data and confidential information only as permitted by the Group, including as per the Group Data Privacy Procedure and Acceptable Use Policy.
 

Security awareness

Most security incidents are caused or enabled by human error, which includes unintentional actions or failures to take proper action that cause, spread or allow a security incident to take place.
 

Information security incidents

Employees and contractors are required to immediately report any potential or actual loss of, or any attempted or actual unauthorised access to or alteration of, confidential information or personal data to the local IDT Security Team.

If you become aware of any such incident which may involve data that could be considered ‘sensitive’ (e.g. all personal data, financial data, etc.), you must immediately report it to your local IDT Security Team or local LEX (e.g. Data Privacy Counsel and/or Data Protection Officer).

 


 

Who to talk to

  • Your line manager
  • Higher management
  • Your local LEX Counsel
  • Head of Compliance: sobc@bat.com