ESG Report 2018

INFORMATION SECURITY CONSTRUCTION Information security construction is an important method for the Group to protect its internal information and customer privacy. Leakage of enterprise confidential information or customer information would cause adverse effects and loss to the enterprise itself, customers and other stakeholders. Therefore, the Group has established a sound information management and privacy protection system to enable different parties to maintain confidence in the operation and service of the Group. According to the related regulations of information management of the Group, all the information of the Group is classified into five categories by the level of importance, including Top Secret, Secret, Confidential, Internal and Public. Different approval procedures are needed when accessing different categories of information. The use of different information, such as information for internal use, for advertising and promotion, for medication instruction and for after-sale service, etc., is subject to the relevant regulations regarding the use of product information. The purpose and target of the use of information is subject to strict requirements and limitations under related systems, so as to prevent disclosure of false information. Regarding employees, the employee confidentiality system implemented by the Group requires all the employees to bear confidentiality obligations on our business secrets such as information on technology and operation etc., and not to allow any third parties to know about our business secrets in form of disclosure, release or publishing. In order to further secure the interests of the Group and stakeholders, all employees should bear his/her confidentiality obligations for three years after resignation. On the other hand, when cooperating with suppliers, customers and other partners, the Group shall sign confidentiality agreement with them to ensure that the information of both parties are not disclosed, and the privacy rights are not infringed. In the process of business operation, the Group's employees of various departments are in contact with different personal information such as the information of customers, shareholders, employees and employment candidates. In order to regulate the management process of personal information of the Group, legally obtain and use personal information, protect the legal rights and interests of information providers, as well as prevent the risks incurred from improper management of personal information, we have formulated and strictly implemented relevant systems for personal information protection. The system has regulated the methods on collection, use, transmission and storage of personal information so as to ensure that relevant laws are not violated when handling personal information and negative impacts to the stakeholders involved are avoided. INFORMATION MANAGEMENT PRIVACY PROTECTION 36 Environmental, Social and Governance Report 2018 The United Laboratories International Holdings Limited