Cybersecurity, Confidentiality and Information Security
We protect confidential information and IT systems from unauthorized access, use or disclosure, and we maintain the confidentiality of all commercially sensitive information, trade secrets and other confidential information relating to the Group and its business.
Managing Cybersecurity and Reducing Security Risk
The Group uses technological measures, processes and policies to reduce cybersecurity risk, and all Group Employees and contractors have an individual and collective responsibility to act in a way that reduces our cybersecurity risk. This includes:
- complying with the IDT Security Procedure at all times;
- exercising a high level of care, professionalism and good judgment in accordance with applicable laws; and
- collecting, storing, accessing, and transmitting personal data and confidential information only as permitted by the Group, including as per the Group Data Privacy Procedure and Acceptable Use of Technology Procedure.
Failure to take appropriate steps to protect the confidentiality, integrity and availability of personal data, confidential information and Group IT systems could threaten the Group’s continuity of operations, confidentiality obligations, proprietary information and reputation, and may jeopardize our ability to comply with regulatory and legal obligations.
Security Awareness
Most security incidents are caused or enabled by human error, which includes unintentional actions or failures to take proper action that cause, spread, or allow a security incident to take place.
Confidential Information
Confidential information is any information, material or knowledge not generally available to the public that relates to the Group, our Employees, customers, business partners or others we do business with. Confidential information may prejudice the Group’s interests if disclosed to third parties.
The way we obtain, use or otherwise handle confidential information, whether relating to the Group or third parties, can also breach applicable laws or other Group policies.
Examples of confidential information include:
- sales, marketing, and other corporate databases;
- pricing and marketing strategies and plans;
- confidential product information and trade secrets;
- research and technical data;
- new product development material;
- business ideas, processes, proposals, or strategies;
- unpublished financial data and results;
- company plans;
- personnel data and matters affecting Employees; and
- software licensed to or developed by a Group Company.
Disclosing Confidential Information
We must not disclose confidential information relating to a Group Company or its business outside the Group without authorization from higher management and only:
- to agents or representatives of a Group Company owing it a duty of confidentiality and requiring the information to carry out work on its behalf;
- under the terms of a written confidentiality agreement or undertaking; and
- under the terms of an order or request of a competent judicial, governmental, regulatory, or supervisory body, having notified and received prior approval from your local Legal Counsel.
If confidential information is to be transmitted electronically, then technical and procedural standards should be applied, and agreed with the other party where possible.
We should be mindful of the risk of unintentional disclosure of confidential information through discussions or use of documents in public places.
Access to and Storage of Confidential Information
Access to confidential information relating to a Group Company or its business should only be provided to Employees requiring it in order to carry out their work.
We must not take home any confidential information relating to a Group Company or its business without making adequate arrangements to secure that information.
For further guidance, please contact Legal Affairs.
Use of Confidential Information
We must not use confidential information relating to a Group Company or its business for our own financial advantage or for that of a friend or relative (see ‘Conflicts of interest’).
Particular care must be taken if we have access to ‘Inside Information’, which is confidential information relevant to the price of shares and Securities in public companies. For further details, see ‘Insider Dealing and Market Abuse’.
Third-party Information
We must not request or obtain from any person confidential information belonging to another party. If we inadvertently receive information which we suspect may be confidential information belonging to another party, we should immediately notify our line manager and local Legal Counsel.
Information Security Incidents
Employees and contractors are required to immediately report any potential or actual loss of, or any attempted or actual unauthorized access to or alteration of, confidential information or personal data to the local IDT Security Team.
If you become aware of any such incident which may involve data that could be considered ‘sensitive’ (e.g. all personal data, financial data, etc.), you must immediately report it to your local IDT Security or Legal Affairs team (e.g. Data Privacy Counsel and/or Data Protection Officer). Confidential business information should not be shared on public platforms, applications, or other unapproved technology solutions.
Who to Talk to
Your line manager
Higher management
Your local Legal Counsel
Head of Corporate Compliance: [email protected]
Speak Up Portal: bat.com/speakup
Speak Up Hotlines: bat.com/speakuphotlines