Confidential Information Management

Confidential Information Management Rules
Creation date: December 1, 2015
Revised date:
1 GENERAL PROVISIONS
Article 1. Objective
This document is written in order to prevent confidential information leak, falsification, loss and unauthorized use by defining how to protect and handle confidential information owned by Thai Kyowa Biotechnologies Co., Ltd. (hereinafter referred to as [TK]),.
Article 2. Compliance obligation and scope of application
1) The rules shall apply to those who are engaged in the business of TK such as directors, employees, contract employees and part-time staff, etc. (hereinafter referred to as [employees, etc.]).
2) The employees, etc. are obliged to follow the defined rules in a conscientious manner.
3) When outsourcing part of the business, a contract implemented in relation to the rules on this document shall be exchanged so that the outsourced company will comply with the rules on this document.
Article 3. Definition of Confidential Information
1) [Confidential Information] on this document indicates the information or knowledge which has not become public knowledge and include any information related to management, technology, sales, personal, contracts, policies, ideas, know-how, quality, standards and facilities as well as tangible entities such as equipment, instruments, microbes, cells and chemical compounds.
2) Confidential information includes not only literal but also audio, video and photographic information. The literal information includes not only information written in paper, but also email messages, electronic files recorded in external storage (such as optical disks) and their draft versions.
Article 4. Classification of Confidential Information
Classification of confidential information (hereinafter referred to as [information category]).
1) Confidential
By disclosing or leaking to other parties outside TK, this will or may bring loss or damage to TK. The information can be subject to the protection under confidentiality law in Thailand as a trade secret.
2) Strictly Confidential
By disclosing or leaking to other parties outside TK, this will or may bring significant loss to TK or penalized. The information shall be disclosed to the limited group of people only (e.g. Top level management information).
3) Other confidential information
Confidential information other than [Confidential] or [Strictly confidential] criteria. The information shall be internal use only and should not be disclosed to external people.
Article 5. General rules for information sharing
Employees shall not store any confidential information under their personal management without any apparent reason. They shall endeavor to share information in accordance with the rules on this document as well as other internal rules and standards.
Article 6. Handling confidential information
1) Confidential information shall not be disclosed or passed without prior consent from TK. This also applies after leaving office or retiring from work.
2) Even within the office, confidential information shall not be disclosed outside the related parties.
3) Confidential information shall not be used outside the business in charge or intended business purpose.
4) Confidential information shall not be disclosed or passed by means of audio, video or photography.
5) A group of information that include any [Confidential] or [Strictly Confidential] information is considered as [Confidential] or [Strictly Confidential] as a whole.
6) Confidential information written in Article 4 3) shall be regarded as [Internal Use Only] whenever possible. Any confidential information not classified specifically shall be treated as [Internal Use Only].

Article 7. Handling information from external companies
All information received with obligation of confidentiality in an appropriate manner shall be treated as confidential information and follow the rules on this document. However, if the information is outside the scope of application of this document and specified separately, the appropriate agreement/contract shall be prioritized.
2 INFORMATION SECURITY MANAGER
Article 8. Information Security Manager
1) The person responsible of information security throughout TK is the President.
2) In principle, assign Information Security Manager.
3) Information Security Managers can assign deputy managers. In principle, deputy managers are the head of each department.
Article 9. Roles and responsibilities of Information Security Managers
1) The President and Information Security Managers shall manage and promote all aspects of information security in an appropriate manner.
2) President and Information Security Managers shall make sure that appropriate confidential information will be protected in accordance with the rules as well as give appropriate training to the employees in order for them to understand and follow the rules.
3 HANDLING [CONFIDENTIAL] AND [STRICTLY CONFIDENTIAL] INFORMATION
Article 10. Information category and specifying scope of disclosure target (hereinafter referred to as [scope of disclosure])
1) Information to be specified as [Confidential] and [Strictly Confidential] should be kept to the minimum.
2) Specifying [Confidential] or [Strictly Confidential] shall be carried out in the following manner; the creator of the information (hereinafter referred to as [the creator] applies for the classification, then the Information Security Manager of his/her department approves it.
3) When specifying as [Confidential] or [Strictly Confidential], it is also required to define the scope of disclosure.
4) In the case of [Strictly Confidential] information, it should be registered to the appropriate book and managed with a unique registration number.
Article 11. Change/cancellation of information category and scope of disclosure
1) For [Confidential] and [Strictly Confidential] information, change/cancellation shall be completed by the approval of the Information Security Manager of an appropriate department.
2) In the case of [Strictly Confidential] information, enter the detail of the revision (for change) and the reason (for change or cancellation) in the appropriate book.
Article 12. Specifying information category and scope of disclosure
The creator shall clearly specify the information category and scope of disclosure after gaining an approval from his/her Information Security Manager.
Article 13. Setting a step to restrict viewing/access to the information
The creator shall take necessary steps to prevent the information from being accessed easily by people outside the scope of disclosure.
Article 14. Viewing/access restriction
1) [Confidential] and [Strictly Confidential] information shall not be viewed or accessed by those people outside the scope of disclosure. In case anyone outside the scope of disclosure view/access the information, he/she needs to acquire prior approval from the specified department of the information or from the Information Security Manager of his/her own department.
Article 15. Restriction on replication, copying and printing (hereinafter referred to as [copies, etc.])
1) When making copies, etc. of [Confidential] information, keep it to the minimum. [Confidential] information is, in principle, not allowed to be copied by people outside the scope of disclosure.
2) [Strictly Confidential] information is, in principle, not allowed to be copied. When anyone is making copies, etc. due to inevitable reasons, he/she shall acquire prior approval from the Information Security Manager of the appropriate department.
Article 16. Restriction on forwarding, sending and distribution (hereinafter referred to as [forwarding, etc.]
1) [Confidential] information is, in principle, not allowed to do forwarding, etc. to people outside the scope of disclosure. Those people who have received such information, should not forward to anyone else. However, Article 19 [Return] shall not apply to this clause.
2) [Strictly Confidential] information is, in principle, not allowed to do forwarding, etc.. When anyone is forwarding, etc. due to inevitable reasons, he/she shall acquire prior approval from the President. However, Article 19 [Return] shall not apply to this clause.
3)
Article 17. Restriction on taking out
1) [Taking out] means anyone who belongs to the scope of disclosure is taking out the confidential information by means of paper or electronic copy on the encrypted personal computer or electronic medium such as an encrypted USB memory stick or CD/DVD. The information handled internally by email, by post or in-house mail within a company does not apply to this clause.
2) [Confidential] and [Strictly Confidential] information should be internal use only in principle. In the case if anyone needs to take out such information outside the company due to inevitable reasons, he/she shall acquire prior approval from the President or from the Information Security Manager. Whenever [Strictly Confidential] information is taken outside TK, record it on the appropriate book.
3) If any [Confidential] or [Strictly Confidential] information is recorded on electronic devices such as personal computers or electronic media and when the appropriate electronic devices or electronic media is taken outside the company, the users of the electronic devices or electronic media shall take responsibility of the hardware and information ensuring to prevent loss, theft and information leak.
Article 18. Storage
1) [Confidential] or [Strictly Confidential] information should be stored under the management of Information Security Managers.
2) Information Security Managers and deputy managers should check the status of storage condition appropriately and give training to their own department staff for how to store information properly.
3) Information Security Managers and deputy managers shall make constant effort to maintain and enhance security of the storage location and storing method by checking locking status, restricting access, alarm syst