business ethics conduct guide best practices guide in ... thales - best practices guide in...

Business Ethics Conduct Guide

Best Practices Guide in information management

www.thalesgroup.com

2

Thales - Best Practices Guide in information management

Contents

PrEfacE ......................................................3

ProtEction and disclosurE of information .........................................5

Thales classification ............................................... 7

acquiring information ............................9

toolbox ....................................................12

The legal framework ............................................. 12

France ........................................................... 12

United States of America .................................. 13

Germany ......................................................... 13

United Kingdom ............................................... 13

The Netherlands .............................................. 14 Italy................................................................ 14

Best practices ..................................................... 15

furthEr information .............................17

contact ....................................................19

3

CHORUS - 87207345-GOV-GRP-EN-01 – creation October 2013

Preface

« The information handled by Thales is covered by a

series of internal procedures and regulations.

Looking beyond tools and processes, however, every

Thales employee needs, first and foremost, to

behave in a responsible manner when handling

information. Information processing and management

lie right at the heart of the Company’s business and

are key to its performance.

The aim of this Business Ethics Conduct Guide is to

provide a reminder of a few simple rules, and above all

to encourage reflection on the ethical issues associated

with responsible information management. »

dominique lamoureux, VP, Ethics & Corporate Responsibility

This guide has been developed by the Ethics and Corporate Responsibility Department in collaboration with the Corporate Communications, Business Intelligence, Human Resources, Security and Information Systems Departments.

4


Information management is of vital strategic importance to Thales. In a world that is increasingly mobile, interconnected and interdependent, the ability to manage information effectively can help the Company make the right decisions and thereby achieve its objectives.

Employees need comprehensive, transparent and relevant information to help them make the right choices and achieve their own targets. Such information ultimately helps build the collective intelligence that is so vital to the long-term development of the Company.

In their day-to-day activities, all Group employees are continuously required to process and manage information, which is omnipresent in today’s work environment, both electronically and physically (in the form of paper documents, CD-ROMs, memory sticks, etc.).

The aim of this guide is to help employees to manage information in accordance with the legal and ethical requirements with which Thales complies. It does not aim to set out rules of conduct to be followed in all circumstances, but is intended for use by everybody who has to handle information in their work.

5


5

Employees’ knowledge of information is often limited to their immediate work environment and/or the areas specifically covered by their activities.

The intrinsic value of such partial information held by an employee grows as that information is transmitted and exchanged. Information, when it is shared, supports the decision-making process. It thus helps to build up the collective intelligence that is so vital to Thales’s long-term development.

Sharing information, in accordance with the Code of Ethics, is thus part of a collaborative process in which individual knowledge is leveraged to boost the knowledge available at Corporate level.

It is vital for employees to know how to disseminate information discreetly, starting with an assessment of the sensitivity of information.

Pr

oTE

CTI

on

a

nd

dIS

Clo

Su

rE


Classified information in France

Because of Thales’s activities in critical markets such as defence and security, some employees are specially authorised to handle “classified” information (as defined by articles R2311-2 and R2311-3 of the French Defence Code). According to French Government regulations (1), classified information is defined as information of a political, military, diplomatic, scientific, economic or industrial nature, the disclosure of which presents a major threat to defence and national security.

Due to its extremely sensitive nature, such information has a very high level of legal and physical protection throughout its lifecycle, from creation to destruction.

access to, and dissemination of, such information are restricted for security reasons.

any person attempting to breach the security of classified information is liable to severe sanctions in accordance with articles 413-10 and 413-11 of the French Penal Code.

regulations for handling classified information can vary from country to country. contact your country/unit security officer to find out which rules apply – and make sure you comply with them.

Some information – while not falling within the “classified” category outlined above – constitutes a competitive asset for Thales. This includes data for internal use (for the strategic plan, for example), intellectual property (patents, know-how, licences, etc.), and commercially confidential information.

Just like conventional physical assets, such information is the property of Thales, and is an important component of the firm’s intangible assets.

It therefore has to be protected.

(1) French General Interministerial Instruction on the protection of national defence secrets: Légifrance Reference JORFTEXT000024892134

6P

ro

TEC

TIo

n

an

d d

ISC

loSu

rE

http://www.legifrance.gouv.fr/affichTexte.do?cidTexte=JORFTEXT000024892134&fastPos=1&fastReqId=275001272&categorieLien=cid&oldAction=rechTexte

7


thales classification All employees disseminate information, both internally and externally, as part of their work.

To assess the appropriate level of protection for information, Thales has defined an information protection policy at Corporate level, which is set out in an instruction available to all personnel on Chorus 2.0.

The policy applies to all internal information within the Company, regardless of medium or context (emails, memos, minutes of meetings, team reports, CD-ROMs, memory sticks, etc.). It classifies information on four levels, according to its sensitivity:

open non-sensitive information. Can be freely accessed by people both inside and outside Thales.

thales group internal non-sensitive and non-public information which must only be disclosed to others on a “need-to-know” basis. This type of information is intended primarily for internal use. It may however be disclosed outside Thales to any person who needs this information within the context of their relationship with the Company.

thales group confidential Sensitive information. Unauthorised disclosure of such information could significantly compromise the normal execution of a project and/or cause serious harm to Thales. This type of information may only be disclosed to others on a need-to-know basis within the context of their work, in accordance with the principles described above.

thales group secret Information that is so sensitive that its disclosure could compromise the success of a key project and/or cause serious harm to Thales (to its finances, image, strategy, technologies, etc.). This type of information may only be disclosed to others formally authorized by the author.

Pr

oTE

CTI

on

a

nd

dIS

Clo

Su

rE

7


Pr

oTE

CTI

on

a

nd

dIS

Clo

Su

rE

8

find out more:

Protection of Group information InstructionChorus Reference 87201725-GOV-GRP

If these categories are not adequate in specific circumstances, the employee holding the information is responsible for assessing its sensitivity, and taking appropriate action based on:

the type of document,

and/or the recipient’s “need to know”.

Information that appears to be trivial may in fact turn out to be strategically important when utilised in a different context, or when combined with other data.

In all cases, responsibility for protection and disclosure, whether internal or external, rests with the individual holding the information.

Particular vigilance is required regarding information disclosed on social networking websites. Although such information may appear to be completely separate from the work environment, it can potentially be damaging to the employee, their friends and family, and Thales.

Employees are requested not to disclose information related to Thales’s activities on social networking websites.

if in doubt, ask your line manager for advice, or, depending on the nature of the information, contact the appropriate department within your unit (security, legal, communications, etc.).

http://chorus2-mod.corp.thales/modulo/webservice?database=chorus2p&servicename=fileget&number=GRP/ORGA/01053


The acquisition of information is an intrinsic part of Thales’s business activities. It is vital that it takes place in accordance with the legal and ethical requirements with which the Company complies.

Information can be obtained through legal channels such as intelligence tools, note-taking, brochures, meetings at trade shows, conferences, websites, free or subscription databases, etc.

Business intelligence Business intelligence involves gathering, analysing, disseminating and protecting strategic information to support planning and decision-making.

Within Thales, it plays a key role in improving our understanding of markets and customer expectations, as well as providing in-depth information on our competitors and the economic challenges facing the Company.

A key driver of competitiveness, business intelligence helps Thales to understand and relate to its environment more effectively.

9

aC

qu

IrIn

G In

For

maTI

on


However, Thales adopts a zero-tolerance stance on any attempt to acquire information fraudulently by theft or hacking.

Thales is liable for such actions. They are subject to strict sanctions in the Company’s countries of operation.

Moreover, they seriously harm Thales’s image.

Computer hackers violate software, computer or network security systems for malicious purposes, such as theft of confidential information. In addition to being strictly against the law in Thales’s countries of operation, computer hacking is completely at odds with the Company’s ethical principles. Thales adopts a policy of zero tolerance on any attempt to acquire information by such means.

If information is acquired by chance (for example if an employee finds a RFP pack left on a train or plane, overhears an informal conversation between competitors, or receives documents by mistake), the following actions should be taken:

do not make use of the information.

If possible, and where applicable, return it to its owner.

If this is not possible, destroy it.

report the incident to your line manager and Security officer.

10a

Cq

uIr

InG

In

For

maTI

on

11


Global Principles of Business Ethics for the aerospace and defence IndustryThe Global Principles of Business Ethics for the Aerospace and Defence Industry, which arose out of an agreement signed in 2009 by the AeroSpace and Defence Industries Association of Europe (ASD) and the Aerospace Industries Association of America (AIA), define a set of ethical standards to be applied by companies in the sector.

One of the principles concerns “respect for proprietary information”.

The relevant text states that companies will not solicit or accept a third party’s proprietary information. In addition, companies who receive a third party’s proprietary information without authorisation shall promptly cease dissemination and review of such information, promptly destroy or return it, and should inform the third party of the incident and their response.

as a founder of the Global Principles initiative, Thales is committed to a policy of responsible adherence, including adherence to the principles concerning proprietary information.

Thales expects all of its employees to ensure that this commitment is met.

if in doubt, ask your line manager for advice, or, depending on the nature of the information, contact the appropriate department within your unit (security, legal, communications, etc.).

11

aC

qu

IrIn

G In

For

maTI

on


the legal framework

france

In France, protection of information is not based on a specific piece of legislation, but on a series of different judicial regimes governing civil liability, criminal liability and unfair competition.

Theft is an offence under articles 311-1 and following of the French Penal Code. Persons committing theft are liable to up to three years imprisonment and a fine of € 45,000. Information can be considered to have been the subject of theft if the medium on which it is held is stolen or fraudulently copied.

Hacking is prohibited by articles 323-1 and following of the French Penal Code. Article 323-3-1 prescribes sanctions for anyone who “without lawful authority, imports, possesses, offers, transfers or makes available any equipment, instrument, computer program or information created or specially adapted for the purpose of committing [hacking].”

Too

lBo

x12

13


Too

lBo

x

13

united states of america

In the United States, theft of commercially confidential information is a federal crime punishable under Title 18, sections 1832 and following of the US Code by a fine and up to ten years imprisonment for a natural person, and a fine of up to $ 5,000,000 for a legal person. In addition, the “Economic Espionage Act” (1996) or the “Cohen Act” (1996), recently supplemented by the “Theft of Trade Secrets Clarification Act” (2012), extend the scope of interpretation of what constitutes commercially confidential information.

germany

Commercially confidential information has benefited from significant protection in Germany since the passing of the “German Unfair Competition Act” of 2004. disclosure and theft of commercially or industrial confidential information, and documents or manuals of a technical nature, are prohibited under Chapter 4. These provisions also form the basis for the civil liability of the offender.

united KingdomThe United Kingdom has no specific legislation on the protection of information, except for the rules of equity, and more specifically the principle of “breakdown of trust”, under which the fraudulent acquisition of confidential information is liable to sanctions, and engages the civil or criminal liability of the offender.


the netherlandsIn the Netherlands, confidential information and trade secrets are protected under articles 272 and 273 of the Dutch Penal Code, which set out the sanctions applicable to acts aimed at fraudulently acquiring information. Offenders are liable to 6 to 12 months imprisonment and a fine of up to € 11,250.

In addition, despite the absence of specific civil legislation, case law has extended common civil liability law to cover breaches of trade secrets.

Finally, damages can be awarded, and certain practices banned, on grounds of unfair competition.

italy Italy has no specific legislation governing the protection of confidential information. However, protection is provided by various measures under the country’s Intellectual Property Code and Code of Civil Procedure, which provide for the payment of damages and the imposition of provisional bans, interim measures and temporary orders. In addition, breaches involving fraudulent activity (theft, hacking, etc.) are liable to prosecution.

other regulations

regulations can vary from country to country.Contact your Country/unit Security officer to find out which rules apply – and make sure you comply with them.

Too

lBo

x14


best practices

a non-exhaustive list of best practices in information processing is given below, the intention being to help employees manage information at a day-to-day level.

marking of documents and files

Before any information is exchanged, files should be marked using the appropriate marking system, according to the sensitivity of the information they contain, and the application (office, collaborative, etc.).

use of information technology

When processing and handling information, employees must use IT resources (hardware, software, information systems and applications) provided and/or approved by Thales, and qualified for the level of sensitivity of the information concerned.

In addition, employees are advised to make responsible use of the communications systems and equipment made available to them.

Using computers (especially laptops) or smartphones, particularly outside the company, can lead to a risk of leakage of confidential information.

Too

lBo

x

15


Being vigilant

Files, documents or information whose disclosure and/or loss would cause serious harm to Thales should never be left unattended in any circumstances.

This applies in particular when travelling outside the Company, and to visits by third parties to Thales premises.

Conservation of documents

Thales is required to comply with legal procedures and deadlines regarding the conservation and destruction of documents.

These obligations vary from country to country, and are applicable to physical documents as well as information in digital format.

Too

lBo

x16


useful links

corporate security intranet site http://intranet.corp.thales/dsg/

chorus 2.0 reference system: Process “support operational Processes”

“Ensure people, property, operations and information security” http://chorus2.corp.thales

“manage information systems / manage is security and risks” http://chorus2.corp.thales

Ethics and corporate responsibility intranet site http://intranet.corp.thales/ethics/

17

Fur

THEr

In

For

maTI

on

http://intranet.corp.thales/dsg/pub/index_en.cfm?intralang=en

http://chorus2.corp.thales/group/guest/process?id=ObjDef.gi----cj----p--&parentId=ObjDef.5hz7--a6----p--

http://chorus2.corp.thales/group/guest/process?id=ObjDef.4dy---h7----p--&previousId=ObjDef.6z----c0----p--&keepCO=true

http://intranet.corp.thales/ethics/pub/index_en.cfm


reference documents

thales code of Ethics http://intranet.corp.thales/ethics/

“Protection of group information” instruction Chorus Reference 87201725-GOV-GRP

charter relating to the correct use of information technology and communications resources (information technology charter) Chorus Reference 87205824-GOV-GRP

global Principles of business Ethics for the aerospace and defence industry www.ifbec.info

Fur

THEr

In

For

maTI

on

18

http://intranet.corp.thales/ethics/pub/codethales_en.cfm



http://www.ifbec.info


Contact:

do not hesitate to appeal to the Ethics and corporate responsibility department:

[email protected]

☎ + 33 (0)1 57 77 82 07

19

Co

nTa

CT

mailto:[email protected]

RéféRence cHORUS – 87205444-GOV-GRP-fR-001 - création octobre 2012

Réa

lisat

ion:

Zao

+S

trat

écré

a -

Shu

tter

stoc

k

Ethics and Corporate responsibility department

45 rue de Villiers92526 Neuilly-sur-Seine Cedex

France

www.thalesgroup.com

This document is printed on recycled paper

business ethics conduct guide best practices guide in ... thales - best practices guide in...

Documents