Effectively Analysing Information Retention as a Business Risk and Taking the Necessary Steps to Mitigate this Risk
Disclaimer (otherwise known as the exciting stuff)
Issues
I think you just stepped in . . .
Stating the Obvious: Ensuring compliance is not easy
Let’s Run a Programme! All we need is:
What are your risks? Prioritise
Data Capture Sheet Data Stream Sub-Data Stream Data Capture Questions Ref. Number Brief Description Data Capture Sheet Questions
Privacy Questionnaire
Columns: Baseline | Baseline Requirement | Equivalent Local Law | Brief Description of Local Law | Questions

Row 1
  • Baseline: UK DPA Principle 1; UK DPA Principle 2; UK DPA Schedule 2; Dir 95/46/EC Article 6.1a; Dir 95/46/EC Article 6.1b; Dir 95/46/EC Article 7
  • Baseline Requirement: For processing of personal data to be fair and lawful, legitimate reasons for processing the data must be identified. In the UK, these are set out in Schedule 2 of the DP Act (Dir 95/46/EC Article 7)
  • Equivalent Local Law: HKDPO Principle 1 ver 1
  • Brief Description of Local Law: Personal data shall not be collected unless: (a) the data are collected for a lawful purpose directly related to a function or activity of the entity who will be using the data; (b) the collection is necessary for or directly related to that purpose; and (c) the data is not excessive in relation to that purpose. Personal data shall be collected by means which are lawful and fair.
  • Questions: (-) Have you identified on what basis you are able to lawfully process the personal data? (+) When you collect personal data, do you disclose the purpose of use to the data subject?

Row 2
  • Baseline: UK DPA Principle 1; UK DPA Principle 2; UK DPA Schedule 3; Dir 95/46/EC Article 6.1a; Dir 95/46/EC Article 6.1b; Dir 95/46/EC Article 8
  • Baseline Requirement: If sensitive personal data is processed, further conditions must be met to do this, for example obtaining explicit consent for the processing. In the UK a Data Protection Act Schedule 2 and 3 condition is required to process sensitive personal data (Dir 95/46 EC Article 8)
  • Equivalent Local Law: N/A
  • Brief Description of Local Law: Under the HKPO there is no separate concept of "Sensitive Personal Data".
  • Questions: (-) Are you processing sensitive personal data? Defined as personal data relating to: (a) the racial or ethnic origin of the data subject, (b) his political opinions, (c) his religious beliefs or other beliefs of a similar nature, (d) whether he is a member of a trade union, (e) his physical or mental health or condition, (f) his sexual life, (g) the commission or alleged commission by him of any offence, or (h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
US One-Page Summary RR Schedule (Note: Disposal Hold Override**)

Definition of “c” & “t”
The above descriptions of “c” & “t” are not fixed; they are the most common references. More examples below:
  • ‘c’ – period of time ‘c’ until an event closes (e.g., transaction completes, contract/agreement ends) such that auto destruct date can be assigned today (known end date)
  • ‘t’ – period of time ‘t’ until a relationship/event terminates (e.g., employee leaves, customer ends relationship) such that auto destruct date cannot be assigned today (unknown end date)
  • ‘Curr’ – keep as long as record remains current
  • ‘Perm’ – keep record permanently

* All figures denote number of years unless otherwise stated
** Relevant records must be preserved throughout an applicable Disposal Hold independent of any prescribed retention period stated here

Paper vs. Electronic - Where a complete set of Business Records is retained in paper and electronic version, it is recommended to designate the electronic version as the official version if legally possible. Refer to the FAQs at the Records Retention homepage at http://rrhome

NOTE: This is the default Records Retention Schedule and does not apply in cases where there is a litigation disposal hold or other disposal hold.
Revised – Nov 08
Columns: “Bucket” | Examples | Description | Default* | Exceptions to default*

Legal / Regulatory
  • Description: Required reports to regulators, all regulatory inquiries, legal actions
  • Examples: Submitted to regulators in the ordinary course or in response to legal/regulatory inquiry, investigation, external audit, complaints, lawsuits, subpoenas, hearings
  • Default*: t (end of litigation/dispute/regulatory inquiry) + 3
  • Exceptions to default*: 1 ½ (surveillance & activity exception rpts); 5 (rpts re accts firm owns at foreign institutions, FOCUS Parts II / IIA, CFTC, SARS, Customs/Treasury/IRS (currency transactions > $10,000)); c + 6 (customer complaints); Perm (employee charges re discrimination)

Corporate Entity
  • Description: Corporate records of the firm as a business entity
  • Examples: Company Secretarial – Certificate of incorporation/charter; titles; deeds; board of directors/shareholder records; stock certificates. Other – Contracts, agreements, internal/external audit, policies and procedures, real/personal property, intellectual property, IT designs/source code, process flows/user documentation, application/software licenses
  • Default*: Corp Secretarial – Permanent; Other - c (agreement end) + 6
  • Exceptions to default*: c + 3 (internal audit working papers; compliance manuals); 3 (records evidencing internal controls – eg SOX, intersystem recs, snr mgmt MIS, other Audit related); t + 3 (non-RR policies/procedures); Perm (records articles of incorp’n, stock books, Forms BD, records re securities kept in custody, documentation on how to access indices and records)

Employee
  • Description: All records re staff, consultants, temps, contractors as individuals
  • Examples: Job applications, drug tests, fingerprints, work authorizations, background checks, licenses/reviews/examinations, personal dealing, wages/salary, payroll, promotions, job performance, benefits, pensions, injuries/accidents, health & safety
  • Default*: t (last day on payroll) + 4
  • Exceptions to default*: 5 (personal trading records, futures-introducing brokers); 6 (lists of: principals responsible for compliance/who can explain record types, MSRB records, benefit plan records); 18 (accident and injury reports); 30 (OSHA-related records); Perm (exemptions from fingerprint requirements, employee pension/benefits-required documentation)

Accounting / Tax
  • Description: Finances of the firm
  • Examples: Annual/quarterly reports, balance sheets, P&L, cash flow statements, risk reports/models, general ledgers/supporting ledgers and ledger entries (debits, credits, etc.), A/P, A/R, purchase orders, invoices, taxes, audited financial statements
  • Default*: c (financial year end) + 6
  • Exceptions to default*: 7 (Sarbanes-Oxley ‘samples’ selected for testing by auditors (to be held by Internal Audit on behalf of the firm); Sarbanes-Oxley financial attestations)

Transaction
  • Description: Transactions of the firm and clients
  • Examples: Orders, tickets, order tracking, order audit trail systems, price/volume data, execution, offers, allocations, aggregations, confirms, settlement, reconciliation, counterparties, collateral, broker commissions, trade blotters, ledgers, securities lending/borrowing
  • Default*: c (payment obligation ends) + 3 (5 yr min.)
  • Exceptions to default*: 1 (margin calls, margin payments); c + 5 (customer confirms, CFTC transactions, securities/funds borrowed/loaned, funds transfers, bank activity transactions, security futures/index products, clearing agency records, options & options granted/guaranteed records); 6 (order tickets); c + 6 (trade/settlement blotters, securities positions ledgers, municipal securities)

Electronic Communication
  • Description: All Email, IMs, Blackberry messages
  • Default*: 3
  • Exceptions to default*: 5 (CFTC-related communications) [NOTE – 3 & 5 years are minimum periods & apply where an electronic comm isn’t within any of the other buckets or applicable disposal holds/litigation overrides]

Customer
  • Description: Client relationships, accounts, finances; published marketing/sales/research
  • Examples: Accounts, statements, securities held, correspondence, proof of customer identification, signature cards, agreements to deal/execute, safe custody assets, money laundering reports/tests/evidence, prospectuses, investment offerings
  • Default*: t (client relationship ends) + 6
  • Exceptions to default*: 5 (client correspondence; marketing, advertising, sales material; MSRB offerings/disclosures; proxy solicitations; pitch books, road show materials, client presentations); t + 5 (acct guarantees; KYC/OFAC records; investment advisory client records; CFTC-related records; client securities w/ BarCap voting rights; client subscription/redemption records); Perm (published research)
Risks (our risks may not be your risks)
Controls (what works for us may not work for you)
Putting it together (Principle)
Columns: Risk | Control | Risk Owner (Local v. Central) | Overall Risk RAG Rating | Evidence | Remediation Actions | Remediation RAG Rating

Risk: The privacy risk control framework is not adequately defined, embedded, monitored or enforced, nor capable of delivering privacy risk assessments to inform the development of policies and procedures.

Control: Conformance testing is conducted on a regular basis to ensure that personal information is processed in accordance with the Wealth Privacy Policy and all controls are operating effectively.
  • Risk Owner: Boba Fett
  • Overall Risk RAG Rating: Amber
  • Remediation Actions (Remediation RAG Rating): Identify area of testing. (Green) Develop and implement. (Green) Analyse results. (Amber) Remediation plan. (Red)

Control: MI is reported regularly and reviewed and challenged to ensure that it reflects the activity and status of privacy controls and to evaluate privacy risk.
  • Risk Owner: The Emperor
  • Overall Risk RAG Rating: Green
  • Remediation Actions (Remediation RAG Rating): Obtain. (Green) Use Jedi mind trick. (Amber) Receive update. (Green) Execute under-performers. (Green)

Control: RCAs are embedded in the day-to-day risk management process of the business and act as a management self assessment tool to proactively identify and address key control issues.
  • Risk Owner: Darth Vader
  • Overall Risk RAG Rating: Amber
  • Remediation Actions (Remediation RAG Rating): Inspect the stormtroopers. (Amber) Check they are using the RCA to inspire fear. (Amber) Validate results with the locals. (Amber)
Dashboard mock-up Not Real Data
Focus: Records Management – June 2009 (Not Real Data)

Cumulative Achievements
  • Records Management audit report issued in draft with a Satisfactory Rating for Wealth and 2 Medium audit points
  • Phase one of the RM/DP Assessment/Remediation project now complete with all high risk teams action plans QA’d and remediation underway with the assistance of project staff.
  • Current State Assessment action closure increasing following active chasing by IRM – 58% closed at end June.
  • IRM RM SME fully engaged with USA PIM business to embed Wealth RM policies
  • BAU Schedule for RM management activities in place.
  • Management of RM/DP project actions integrated with existing CSA action management system.

Current State Residual Risk Commentary

Exception Commentary
  • 1,217 Current State Assessment actions were given a default due date of end Apr 2009. IRM actively chasing owners for the newly overdue actions to establish expected due dates. Activities to date have reduced the overdue actions with further focus being applied in July.
  • RM/DP Remediation actions are increasing as the project team are completing team reviews - expectation is for a high volume of identified actions as the project progresses.

Major Activities next month
  • Improved BU team refresh process to be proposed and implemented if agreed
  • Continued engagement with RM audit action owners to ensure coherent plans and funding are in place to address.
  • Refresh Retention Schedules in conjunction with Group and Legal.
  • Launch phase two of the assessment programme beginning with Jersey and Guernsey

Risks Identified to Date
  • RM SME resource departed mid June
  • Technology resource for shared drive analysis/remediation no longer exists in Wealth – conversations underway with BarCap to acquire resource.
Lessons we have learned
Awareness Material
The big SECRETS are . . .
It works!
The End

Records Management and ediscovery as Risk

  • 9. Privacy Questionnaire
    Columns: Baseline; Baseline Requirement; Equivalent Local Law; Brief Description of Local Law; Questions

    Baseline: UK DPA Principle 1; UK DPA Principle 2; UK DPA Schedule 2; Dir 95/46/EC Article 6.1a; Dir 95/46/EC Article 6.1b; Dir 95/46/EC Article 7
    Baseline Requirement: For processing of personal data to be fair and lawful, legitimate reasons for processing the data must be identified. In the UK, these are set out in Schedule 2 of the DP Act (Dir 95/46/EC Article 7).
    Equivalent Local Law: HKDPO Principle 1 ver 1
    Brief Description of Local Law: Personal data shall not be collected unless: (a) the data are collected for a lawful purpose directly related to a function or activity of the entity who will be using the data; (b) the collection is necessary for or directly related to that purpose; and (c) the data is not excessive in relation to that purpose. Personal data shall be collected by means which are lawful and fair.
    Questions: (-) Have you identified on what basis you are able to lawfully process the personal data? (+) When you collect personal data, do you disclose the purpose of use to the data subject?

    Baseline: UK DPA Principle 1; UK DPA Principle 2; UK DPA Schedule 3; Dir 95/46/EC Article 6.1a; Dir 95/46/EC Article 6.1b; Dir 95/46/EC Article 8
    Baseline Requirement: If sensitive personal data is processed, further conditions must be met to do this, for example obtaining explicit consent for the processing. In the UK a Data Protection Act Schedule 2 and 3 condition is required to process sensitive personal data (Dir 95/46 EC Article 8).
    Equivalent Local Law: N/A
    Brief Description of Local Law: Under the HKPO there is no separate concept of "Sensitive Personal Data".
    Questions: (-) Are you processing sensitive personal data? Defined as personal data relating to: (a) the racial or ethnic origin of the data subject, (b) his political opinions, (c) his religious beliefs or other beliefs of a similar nature, (d) whether he is a member of a trade union, (e) his physical or mental health or condition, (f) his sexual life, (g) the commission or alleged commission by him of any offence, or (h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
  • 10. US One-Page Summary RR Schedule (Note: Disposal Hold Override**)

    Definition of “c” & “t”
    The above descriptions of “c” & “t” are not fixed; they are the most common references. More examples below:
    ‘c’ – period of time ‘c’ until an event closes (e.g., transaction completes, contract/agreement ends) such that auto destruct date can be assigned today (known end date)
    ‘t’ – period of time ‘t’ until a relationship/event terminates (e.g., employee leaves, customer ends relationship) such that auto destruct date cannot be assigned today (unknown end date)
    ‘Curr’ – keep as long as record remains current
    ‘Perm’ – keep record permanently
    * All figures denote number of years unless otherwise stated
    ** Relevant records must be preserved throughout an applicable Disposal Hold independent of any prescribed retention period stated here
    Paper vs. Electronic - Where a complete set of Business Records is retained in paper and electronic version, it is recommended to designate the electronic version as the official if legally possible. Refer to the FAQ’s at the Records Retention homepage at http://rrhome
    NOTE: This is the default Records Retention Schedule and does not apply in cases where there is a litigation disposal hold or other disposal hold.
    Revised – Nov 08

    Description
    Required reports to regulators, all regulatory inquiries, legal actions
    Corporate records of the firm as a business entity
    All records re staff, consultants, temps, contractors as individuals
    Finances of the firm
    Transactions of the firm and clients
    All Email, IMs, Blackberry messages
    Client relationships, accounts, finances; published marketing/sales/research

    Exceptions to default *
    5 (CFTC-related communications) [NOTE – 3 & 5 years are minimum periods & apply where an electronic comm isn’t within any of the other buckets or applicable disposal holds/litigation overrides]
    1 ½ (surveillance & activity exception rpts)
    5 (rpts re accts firm owns at foreign institutions, FOCUS Parts II / IIA, CFTC, SARS, Customs/Treasury/IRS (currency transactions > $10,000))
    c + 6 (customer complaints)
    Perm (employee charges re discrimination)
    c + 3 (internal audit working papers; compliance manuals)
    3 (records evidencing internal controls – eg SOX, intersystem recs, snr mgmt MIS, other Audit related)
    t + 3 (non-RR policies/procedures)
    Perm (records articles of incorp’n, stock books, Forms BD, records re securities kept in custody, documentation on how to access indices and records)
    5 (personal trading records, futures-introducing brokers)
    6 (lists of: principals responsible for compliance/who can explain record types, MSRB records, benefit plan records)
    18 (accident and injury reports)
    30 (OSHA-related records)
    Perm (exemptions from fingerprint requirements, employee pension/benefits-required documentation)
    7 (Sarbanes-Oxley ‘samples’ selected for testing by auditors (to be held by Internal Audit on behalf of the firm); Sarbanes-Oxley financial attestations)
    1 (margin calls, margin payments)
    c + 5 (customer confirms, CFTC transactions, securities/funds borrowed/loaned, funds transfers, bank activity transactions, security futures/index products, clearing agency records, options & options granted/guaranteed records)
    6 (order tickets)
    c + 6 (trade/settlement blotters, securities positions ledgers, municipal securities)
    5 (client correspondence; marketing, advertising, sales material; MSRB offerings/disclosures; proxy solicitations; pitch books, road show materials, client presentations)
    t + 5 (acct guarantees; KYC/OFAC records; investment advisory client records; CFTC-related records; client securities w/ BarCap voting rights; client subscription/redemption records)
    Perm (published research)

    Default *
    t (end of litigation/dispute/regulatory inquiry) + 3
    Corp Secretarial – Permanent; Other - c (agreement end) + 6
    t (last day on payroll) + 4
    c (financial year end) + 6
    c (payment obligation ends) + 3 (5 yr min.)
    3
    t (client relationship ends) + 6

    Examples, by “Bucket”
    Accounting / Tax: Annual/quarterly reports, balance sheets, P&L, cash flow statements, risk reports/models, general ledgers/supporting ledgers and ledger entries (debits, credits, etc.), A/P, A/R, purchase orders, invoices, taxes, audited financial statements
    Electronic Communication
    Employee: Job applications, drug tests, fingerprints, work authorizations, background checks, licenses/reviews/examinations, personal dealing, wages/salary, payroll, promotions, job performance, benefits, pensions, injuries/accidents, health & safety
    Legal / Regulatory: Submitted to regulators in the ordinary course or in response to legal/regulatory inquiry, investigation, external audit, complaints, lawsuits, subpoenas, hearings
    Corporate Entity: Company Secretarial – Certificate of incorporation/charter; titles; deeds; board of directors/shareholder records; stock certificates. Other – Contracts, agreements, internal/external audit, policies and procedures, real/personal property, intellectual property, IT designs/source code, process flows/user documentation, application/software licenses
    Transaction: Orders, tickets, order tracking, order audit trail systems, price/volume data, execution, offers, allocations, aggregations, confirms, settlement, reconciliation, counterparties, collateral, broker commissions, trade blotters, ledgers, securities lending/borrowing
    Customer: Accounts, statements, securities held, correspondence, proof of customer identification, signature cards, agreements to deal/execute, safe custody assets, money laundering reports/tests/evidence, prospectuses, investment offerings
  • 14. Putting it together
    Columns: (Principle) Risk; Control; Risk Owner (Local v. Central); Overall Risk RAG Rating; Evidence; Remediation Actions; Remediation RAG Rating

    (Principle) Risk: The privacy risk control framework is not adequately defined, embedded, monitored or enforced, nor capable of delivering privacy risk assessments to inform the development of policies and procedures.

    Control: Conformance testing is conducted on a regular basis to ensure that personal information is processed in accordance with the Wealth Privacy Policy and all controls are operating effectively.
    Risk Owner: Boba Fett
    Overall Risk RAG Rating: Amber
    Identify area of testing. Green
    Develop and implement. Green
    Analyse results. Amber
    Remediation plan. Red

    Control: MI is reported regularly and reviewed and challenged to ensure that it reflects the activity and status of privacy controls and to evaluate privacy risk.
    Risk Owner: The Emperor
    Overall Risk RAG Rating: Green
    Obtain. Green
    Use Jedi mind trick. Amber
    Receive update. Green
    Execute under-performers. Green

    Control: RCAs are embedded in the day-to-day risk management process of the business and act as a management self assessment tool to proactively identify and address key control issues.
    Risk Owner: Darth Vader
    Overall Risk RAG Rating: Amber
    Inspect the stormtroopers. Amber
    Check they are using the RCA to inspire fear. Amber
    Validate results with the locals. Amber
  • 16. Focus: Records Management – June 2009
    Not Real Data

    Records Management audit report issued in draft with a Satisfactory Rating for Wealth and 2 Medium audit points
    Phase one of the RM/DP Assessment/Remediation project now complete with all high risk teams action plans QA’d and remediation underway with the assistance of project staff.
    Current State Assessment action closure increasing following active chasing by IRM – 58% closed at end June.
    IRM RM SME fully engaged with USA PIM business to embed Wealth RM policies
    BAU Schedule for RM management activities in place.
    Management of RM/DP project actions integrated with existing CSA action management system.

    Current State Residual Risk Commentary

    1,217 Current State Assessment actions were given a default due date of end Apr 2009. IRM actively chasing owners for the newly overdue actions to establish expected due dates. Activities to date have reduced the overdue actions with further focus being applied in July.
    RM/DP Remediation actions are increasing as the project team are completing team reviews - expectation is for a high volume of identified actions as the project progresses.

    Exception Commentary
    Cumulative Achievements

    Improved BU team refresh process to be proposed and implemented if agreed
    Continued engagement with RM audit action owners to ensure coherent plans and funding are in place to address.
    Refresh Retention Schedules in conjunction with Group and Legal.
    Launch phase two of the assessment programme beginning with Jersey and Guernsey

    Major Activities next month

    RM SME resource departed mid June
    Technology resource for shared drive analysis/remediation no longer exists in Wealth – conversations underway with BarCap to acquire resource.

    Risks Identified to Date

Editor's Notes

  1. Project managers, consultants, internal and external lawyers.
  2. Data Capture sheet- next slide Questionnaire- two slides
  3. Principle ongoing risks identified from the gap analysis
  4. Why questionnaire and then RCA? Because you needed to know where your risks are first!