Is good privacy good for business, and if so, how do you get there?

1. Is good privacy good for business, and if so, how do you get there? Sandra Kelman Global Lead – Data Privacy, BP Privacy Issues Forum, 27 August 2008

2. About BP One of the largest integrated oil companies in the world, with an estimated global market share of around 3% of oil & gas production and 4% of refining capacity in the major global markets • ~100,00 employees • ~ 100 countries • ~ 24,100 service stations • ~ 1.2 million shareholders • Operations include finding oil & gas (exploration), extracting and moving it, making fuel & products (refining & production), selling them (marketing) and generating alternative energies • Infrastructure (functions) to support these • HQ in UK, but ‘hubs’ in Houston & Singapore • www.bp.com • All of the above activities generate/process personal information

3. Foundation: Doing what you say • In all our activities we seek to display some unchanging, fundamental qualities – integrity, honest dealing, treating everyone with respect and dignity, striving for mutual advantage and contributing to human progress. • We express our group values under four headings: performance; people and capability; health, safety and environment; and external relationships. • Code of Conduct • There should be no gap between what we say and what we do. • Great companies are built on trust. If our company is to thrive and grow, we need the trust of our customers, investors, employees, the communities in which we work and, at a wider level, the societies of which we are part. • Helping BP people to do the right thing • Providing guidance for dealing with cases of harassment or abuse and for protecting privacy and employee confidentiality

4. Respect & Trust - Privacy Notices 1. Identify the owner of the data (legal entity) 2. What do you want the information for (e.g. administration, marketing) 3. Who will have access to the data and for what reason (e.g. any Group company/business unit or third party that may wish to access the data and why) 4. If the data be processed outside the country of origin (state where, if possible) 5. If the collection is authorised or required by any law (and name the law) 6. Whether the supply of information is voluntary or mandatory 7. The consequences of not supplying any/all of the requested information) 8. If you intend to use the information for direct marketing, give the individual the option to refuse (opt in box) 9. State the methods that you will use for marketing (e.g. telephone, email, mail) 10. Consent for email marketing, phone marketing, fax marketing and processing sensitive data (opt in box) 11. How long are you going to keep the data for? 12. How are you going to keep the data accurate and up to date 13. Any other information, to ensure that the processing is as transparent and fair as possible 14. Privacy statement link

5. Employee “Fair Processing” Statements Employee Privacy Statement • Types of personal information held by BP • The purposes for which BP use the personal information • Disclosures of personal information to third parties • Health information • Use of third party service providers • International storage and transfer of data • Security • Monitoring • Information relating to third parties which is provided by you • Your rights • Further information • Attachment 1 - categories of data Personal Details, Job Data, Other • Attachment 2 – List of 3rd party processors/location

6. Web Notices - Guidance Content (10pp) • What is required on your internal or external website? • Why is it important? • What should they contain? • Privacy Statement and Privacy Notice • The BP Privacy Statement • Where the Privacy Statement should be placed • What information is included in the privacy statement? • The Privacy Notice • Which sites need this information? • Data collection principles • What resources are available? • Data Privacy Contacts • Privacy Statement Template (3pp)

7. Walking our talk

8. Short/Layered Notices This privacy statement provides highlights of the BP full privacy statement. Both statements apply to all of BP Group’s online activities. Personal Information When you apply for or request specific BP services, we will collect personal information related to the purpose and use of that activity We do not disclose your personal information to anyone outside the BP Group without your permission Since BP operates globally, this may mean we could transfer your data to countries outside your country of origin, including outside the European Economic Area We sometimes use cookies to track usage patterns and record preferences to personalise your web site visit. For more information click here. site traffic information and cookies Your Choices You have the right to request access to and correction/erasure of your personal information held by us. We will advise you as to how long we intend to retain your personal information for. To help us keep your personal data up to date, we request that you advise us of any changes or inaccuracies You can unsubscribe to or opt out of BP’s direct marketing services at anytime. If we want to use your personal information for another purpose, we will contact you first for permission Important Information We process your information securely and take appropriate security measures to protect your personal information. If you access a link to a non-BP website, we suggest that you refer to its privacy policy as BP’s privacy statement will not apply. Click here for more details relating to hyperlinks BP does not knowingly collect information from children How to contact us Information about our organisation & website or you may want to contact us: by Email write to us at: Insert address Any changes to our full privacy statement will be notified here Click here to access the full BP privacy statement

9. Questions/Comments?