8. Privacy Questionnaire Baseline Baseline Requirement Equivalent Local Law Brief Description of Local Law Questions UK DPA Principle 1UK DPA Principle 2UK DPA Schedule 2Dir 95/46/EC Article 6.1aDir 95/46/EC Article 6.1bDir 95/46/EC Article 7 For processing of personal data to be fair and lawful, legitimate reasons for processing the data must be identified. In the UK, these are set out in Schedule 2 of the DP Act (Dir 95/46/EC Article 7) HKDPO Principle 1 ver 1 Personal data shall not be collected unless: (a) the data are collected for a lawful directly related to a function or activity of the entity who will be using the data; (b) the collection is necessary for or directly related to that purpose; and (c) the data is not excessive in relation to that purpose. Personal data shall be collected by means which are lawful and fair. (-) Have you identified on what basis you are able to lawfully process the personal data? (+) When you collect personal data, do you disclose the purpose of use to the data subject? UK DPA Principle 1 UK DPA Principle 2 UK DPA Schedule 3 Dir 95/46/EC Article 6.1a Dir 95/46/EC Article 6.1b Dir 95/46/EC Article 8 If sensitive personal data is processed, further conditions must be met to do this, for example obtaining explicit consent for the processing In the UK a Data Protection Act Schedule 2 and 3 condition is required to process sensitive personal data (Dir 95/46 EC Article 8) N/A Under the HKPO there is no separate concept of "Sensitive Personal Data". (-) Are you processing sensitive personal data? Defined as personal data relating to: (a) the racial or ethnic origin of the data subject, (b) his political opinions, (c) his religious beliefs or other beliefs of a similar nature, (d) whether he is a member of a trade union, (e) his physical or mental health or condition, (f) his sexual life, (g) the commission or alleged commission by him of any offence, or (h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

11. Putting it together (Principle) Risk Control Risk Owner (Local v. Central) Overall Risk RAG Rating Evidence Remediation Actions Remediation RAG Rating The privacy risk control framework is not adequately defined, embedded, monitored or enforced, nor capable of delivering privacy risk assessments to inform the development of policies and procedures. Conformance testing is conducted on a regular basis to ensure that personal information is processed in accordance with the Wealth Privacy Policy and all controls are operating effectively. Boba Fett Amber Identify area of testing. Green Develop and implement. Green Analyse results. Amber Remediation plan. Red MI is reported regularly and reviewed and challenged to ensure that it reflects the activity and status of privacy controls and to evaluate privacy risk. The Emperor Green Obtain. Green Use Jedi mind trick. Amber Receive update. Green Execute under-performers. Green RCAs are embedded in the day-to-day risk management process of the business and act as a management self assessment tool to proactively identify and address key control issues. Darth Vader Amber Inspect the stormtroopers. Amber Check they are using the RCA to inspire fear. Amber Validate results with the locals. Amber

12. Dashboard mock-up Not Real Data

13. Focus: Records Management – June 2009 Not Real Data Records Management audit report issued in draft with a Satisfactory Rating for Wealth and 2 Medium audit points Phase one of the RM/DP Assessment/Remediation project now complete with all high risk teams action plans QA’d and remediation underway with the assistance of project staff. Current State Assessment action closure increasing following active chasing by IRM – 58% closed at end June. IRM RM SME fully engaged with USA PIM business to embed Wealth RM policies BAU Schedule for RM management activities in place. Management of RM/DP project actions integrated with existing CSA action management system. Current State Residual Risk Commentary 1,217 Current State Assessment actions were given a default due date of end Apr 2009. IRM actively chasing owners for the newly overdue actions to establish expected due dates. Activities to date have reduced the overdue actions with further focus being applied in July. RM/DP Remediation actions are increasing as the project team are completing team reviews - expectation is for a high volume of identified actions as the project progresses. Exception Commentary Cumulative Achievements Improved BU team refresh process to be proposed and implemented if agreed Continued engagement with RM audit action owners to ensure coherent plans and funding are in place to address. Refresh Retention Schedules in conjunction with Group and Legal. Launch phase two of the assessment programme beginning with Jersey and Guernsey Major Activities next month RM SME resource departed mid June Technology resource for shared drive analysis/remediation no longer exists in Wealth – conversations underway with BarCap to acquire resource. Risks Identified to Date

15. Awareness Material

16. Awareness Material

17. Awareness Material

18. Awareness Material