Close
 
 
 

Data privacy, confidentiality and information security

 
 

Data privacy, confidentiality and information security

We protect confidential information, personal data and IT systems from unauthorized access, use or disclosure.

We consider data privacy laws, maintain the confidentiality of all commercially sensitive information, trade secrets and other confidential information relating to the Group and its business.

 

Data privacy

Personal data is information from which an individual can be identified. As a global company holding a significant volume of information about individuals (such as Employees and consumers), Group Companies and Employees must ensure that they handle personal data fairly, lawfully and reasonably, in accordance with local data protection laws and the Group Data Privacy Policy.

Data privacy laws govern the way in which organizations collect and process personal data, including how we are able to transfer data between companies or countries.

We are committed to handling personal data responsibly and in compliance with applicable data privacy laws worldwide. The Group Data Privacy Procedure provides a global minimum standard of governance on how we process personal data generally, and also more specifically how we must treat employee and consumer personal data.

We must be mindful that in some jurisdictions certain laws may impose additional requirements, and we will handle personal data in accordance with all such applicable laws.

 

Confidential information

Confidential information is any information, material or knowledge not generally available to the public that relates to the Group, our Employees, customers, business partners or others we do business with. Confidential information may prejudice the Group’s interests if disclosed to third parties. The way we obtain, use or otherwise handle confidential information, whether relating to the Group or third parties, can also breach applicable laws or other Group policies. Examples of confidential information include:
  • sales, marketing and other corporate databases
  • pricing and marketing strategies and plans
  • confidential product information and trade secrets
  • research and technical data
  • new product development material
  • business ideas, processes, proposals or strategies
  • unpublished financial data and results
  • company plans
  • personnel data and matters affecting Employees
  • software licensed to or developed by a Group Company
 

Disclosing confidential information

We must not disclose confidential information relating to a Group Company or its business outside the Group without authorization from higher management and only:
  • to agents or representatives of a Group Company owing it a duty of confidentiality and requiring the information to carry out work on its behalf
  • under the terms of a written confidentiality agreement or undertaking
  • under the terms of an order of a competent judicial, governmental, regulatory or supervisory body, having notified and received prior approval from local LEX Counsel

If confidential information is to be transmitted electronically, then technical and procedural standards should be applied, and agreed with the other party where possible.

We should be mindful of the risk of unintentional disclosure of confidential information through discussions or use of documents in public places.

 

Access to and storage of confidential information

Access to confidential information relating to a Group Company or its business should only be provided to Employees requiring it in order to carry out their work.

We must not take home any confidential information relating to a Group Company or its business without making adequate arrangements to secure that information.

For further guidance, please contact LEX.

 

Use of confidential information

We must not use confidential information relating to a Group Company or its business for our own financial advantage or for that of a friend or relative (see ‘Conflicts of interest’).

Particular care must be taken if we have access to ‘Inside Information’, which is confidential information relevant to the price of shares and Securities in public companies. For further details, see ‘Insider dealing and market abuse’.

 

Third party information

We must not request or obtain from any person confidential information belonging to another party. If we inadvertently receive information which we suspect may be confidential information belonging to another party, we should immediately notify our line manager and local LEX Counsel.
 

Cyber security

Failure to take appropriate steps to protect the confidentiality, integrity and availability of personal data, confidential information and Group IT systems could threaten the Group’s continuity of operations, confidentiality obligations, proprietary information, reputation, and may jeopardize our ability to comply with regulatory and legal obligations.
 

Reducing security risk

The Group uses technological measures, processes and policies to reduce cybersecurity risk. All Employees and contractors have an individual and collective responsibility to act in a way that reduces our cybersecurity risk. This includes complying with the IDT Security Procedure at all times and exercising a high level of care, professionalism and good judgment in accordance with applicable laws. Employees and contractors must collect, store, access and transmit personal data and confidential information only as permitted by the Group, including as per the Group Data Privacy Procedure and Acceptable Use Policy.
 

Security awareness

Most security incidents are caused or enabled by human error which includes unintentional actions or failure to take proper action that cause, spread or allow a security incident to take place.
 

Information security incidents

Employees and contractors are required to immediately report any potential or actual loss of, or any attempted or actual unauthorized access to or alteration of, confidential information or personal data to the local IDT Security Team.

If you become aware of any such incident which may involve data that could be considered ‘sensitive’ (e.g. all personal data, financial data, etc.), you must immediately report it to your local IDT Security Team or local LEX (e.g. Data Privacy Counsel and/or Data Protection Officer).

 

We must not request or obtain from any person, confidential information belonging to another party.

 

Who to talk to

  • Your line manager
  • Higher management
  • Your local LEX Counsel
  • Head of Compliance: sobc@bat.com