
Global Data Privacy Policy


M-I SWACO is strongly committed to protecting the privacy of those who entrust us with their personal data. We will maintain this trust by protecting the privacy of personal data of our employees, their families, and our customers whether disclosed directly to us by the individual or received from other sources regarding the individual.

This Policy applies to M-I SWACO L.L.C. and the M-I SWACO group of companies including all affiliated companies, divisions, branches, offices, subsidiaries and controlled affiliates (all of which are collectively referred to as “M-I”, “we”, or “our”) and to all employees, independent contractors, and vendors of any M-I entity.

As part of this commitment, M-I will comply with:

  • the Safe Harbor Privacy Principles agreed between the United States of America and the European Union in connection with the European Privacy Directive (the “Safe Harbor Principles”);
  • the European Union Privacy Directive (directive 95/46/EC) and implementing legislation enacted by the member states of the European Union (the “Directive”) with respect to M-I operations in, and data originating from, those member states;
  • the Health Insurance Portability and Accountability Act of 1996, as amended from time to time (“HIPAA”), with respect to M-I operations in the United States; and
  • all other privacy laws, rules and regulations that apply to M-I in each location in which M-I has operations.

This policy describes:

  • the personal data that M-I typically collects and the sources that provide that data such as the employee, a family member or dependent, or a third-party;
  • how M-I typically uses or discloses personal data M-I collects;
  • the employees and other business organizations that typically have access to the personal data that M-I collects;
  • how M-I protects the personal data it collects;
  • rights to review and correct personal data;
  • how to notify M-I about improper disclosure or use of personal data and the action M-I may take after determining that personal data has been improperly disclosed or used; and
  • the circumstances under which employees will be given a choice to “opt out” or decline M-I’s collection, use, or disclosure of personal data.

Nothing in this policy is intended to imply, nor will anything in this policy be deemed to create, any ownership interest or privacy right in any voice or data transmission over M-I voice or data networks. M-I retains ownership of, and, where consistent with applicable laws and regulations, the right to inspect, copy, retain, and intercept all electronic mail, voice mail, telephone conversations and other electronic communications created using or transmitted over M-I’s voice or data networks. For further information on the use of M-I networks, please refer to M-I’s Email Policy and Internet/Intranet Policy.

I. Definitions

A. “Business Contact Personal Data” (“BCD”) means personal data that it is reasonably necessary to disclose for an employee to be contacted by those who have legitimate business needs to do so. BCD includes: name, job title, job function, office address, office telephone and fax numbers, business e-mail address and, where M-I pays for such services devices either directly or through reimbursement, pager number and cellular telephone number. For Employees who are in leadership positions or who have on-call responsibilities, a home telephone number may be treated as BCD only if M-I does not provide a pager or cellular telephone to the Employee.

B. “Business Personal Data” (“BPD”) means data relating to any identified or identifiable individual that is reasonably necessary to be disclosed or used (1) for an employee to perform his or her job functions effectively and efficiently; (2) for management to manage the work of the individual or to manage the individual’s training, development or performance; (3) for the Company to administer compensation and benefit programs; or (4) that the Company is legally required to collect and disclose to governmental agencies (e.g. tax authorities or immigration authorities) in compliance with applicable laws and regulations. Examples of BPD include, but are not limited to, name, home address, home telephone number, national identification numbers such as social security or social insurance numbers, performance history, work assignment history, immigration data, health data required to administer benefit programs, date of birth, pre-employment background investigation information, pay rate or salary, etc.

C. “Sensitive Personal Data” (“SPD”) means all identified or identifiable personal data of a particularly sensitive nature, and usually, but not always, recognized as such in legislation or government regulation. SPD can include: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health and medical information, and sexual orientation. Sensitive personal data includes protected health information as such term is defined in HIPAA. M-I collects, stores, uses, and discloses SPD only in order to carry out M-I’s legal obligations as an employer including its role as a sponsor or provider of employee benefits.

II. Privacy Officers

A. Corporate Privacy Officer. M-I’s Senior Vice President, Human Resources and Executive Compensation is our Corporate Privacy Officer. The Corporate Privacy Officer will conduct an assessment of M-I’s compliance with this Employee Personal Data Privacy Policy at least annually. Upon completion of each assessment and implementation of any required changes to M-I’s privacy practices, the Corporate Privacy Officer will certify the self-assessment report and verify M-I’s compliance with this Policy in writing.

B. Appointed Privacy Officers. M-I may appoint Privacy Officers in some organizations or jurisdictions in order to effectively implement this Policy or where required to comply with applicable law. The documents appointing those Privacy Officers will set out the duties and accountabilities of each such position.

III. Notice of Personal Data Collected and Sources of Data Collection

A. Data Collection. Personal data is collected from individuals when they apply for employment with M-I, when they accept an offer of employment with M-I, or during the course of their employment with M-I. Employees may disclose personal data to M-I by updating their personal data through automated systems such as eCampus, Active Directory, on-line benefit administration tools or sites, etc. Employees may also disclose personal data in non-automated systems through communications with supervisors and managers, with individuals in Human Resources, and with third-parties such as benefit vendors. M-I does receive personal data in connection with (i) pre-employment and other background checks in countries where these checks are conducted, (ii) pre-employment and other drug tests in countries where these tests are conducted, (iii) enrollment for medical and other insurance benefits, and (iv) in certain cases, when employees or their dependents seek medical insurance or other M-I benefits.

B. Specific Data Examples. M-I will collect personal data in a specific jurisdiction only as allowed by the laws and regulations applicable to that specific jurisdiction. In accordance with those local laws, personal data collected may include, but is not limited to, the following:

  • personal identification information such as name, date of birth, gender, national identification numbers (e.g. social insurance, social security, or tax payer numbers), driver’s license number, passport number, etc.;
  • employment-related personal background information such as education (including schools attended, and dates of attendance, degrees or diplomas granted), training, work history (including names of employers, dates of employment, and compensation information), military and veteran status, and criminal history;
  • contact information such as home and office address, home, office and cellular telephone numbers, home and office e-mail address, etc.;
  • compensation information, such as wages or salary, commissions, bonuses, stock program information, pension and 401(k) plan account information, etc.;
  • health and medical information, such as results of pre- and post-employment drug tests, or as collected in the administration of health or other benefits including information regarding employees, family members or dependents and related individuals, etc.; and
  • job-related information such as work history, experience, training courses, performance information, job or functional assignments, account or territory assignments, etc.

C. Data Sources. Personal data is received or collected from (i) employees and their family members when employees apply for employment or benefits, (ii) service providers in connection with pre-employment and other drug tests and background checks, and (iii) health, medical and other benefit providers in connection with the administration of M-I’s benefits programs.

IV. Notice of Disclosure and Use of Personal Data

A. Business Contact Data, Business Personal Data, and Sensitive Personal Data

M-I discloses BCD, BPD, and SPD in the following circumstances: (i) to M-I Employees who reasonably need to receive such personal data to perform their duties for M-I; (ii) to M-I’s benefits providers who reasonably need to receive such personal data to administer benefit programs covering M-I employees; (iii) to M-I clients and prospective clients regarding employees who are providing, or are proposed to provide, services (except that sensitive personal data is not disclosed to clients or prospective clients other than in connection with transitions of employment where disclosure of such sensitive personal data is necessary to accomplish benefits transitions and for similar employment-related business purposes); (iv) to potential buyers and sellers of business units in which employees are providing, or are proposed to provide, services (except that sensitive personal data is not disclosed to such buyers or sellers other than in connection with transitions of employment where disclosure of such sensitive personal data is necessary to accomplish benefits transitions and for similar employment-related business purposes); and (v) under applicable law to governmental entities or in response to valid legal processes.

B. Specific Examples.

Specific examples of M-I’s use or disclosures include: An employee’s supervisor and management have a business need to know the employee’s personal, background, contact, compensation, work history, experience, training, and performance information in connection with managing his or her duties for M-I.

Employees in finance, human resources and legal may also need to receive personal information to prepare budgets, administer compensation or benefit programs, or to advise M-I on compliance with its legal obligations. Employees given access to personal data for these purposes will receive training on data protection as a condition of being provided data access.

M-I may disclose Business Contact Personal Data to M-I employees and other individuals and organizations without any restriction on its further use or restriction by the recipient.

Our policy is not to disclose employee home addresses or telephone numbers to M-I employees or other individuals or organizations without the employee’s prior approval, except that M-I may disclose your home address and telephone number (i) to M-I supervisors and managers who have a business need to know, and (ii) in emergency and critical business situations to other M-I employees and emergency assistance vendors who need to contact employees. Personal data of employee family members or dependents may also be provided to M-I employees and emergency service vendors in similar circumstances.

Disclosure to Third-Parties.

Consistent with the Safe Harbor Principles, M-I may disclose BCD and BPD to M-I’s agents that are outside firms and consultants (who will, in turn, disclose your personal data to their employees and consultants) who advise M-I on organizational effectiveness, compensation matters, or benefits programs or who administer such programs for M-I. M-I requires each of these agents, outside firms and consultants (other than licensed professionals, such as lawyers and doctors, who are subject to legally enforceable client confidentiality obligations) to sign a written confidentiality agreement that requires them to adequately protect data provided to them and prohibits them (and their employees and consultants) from disclosing or using your personal data in any way that is not necessary to perform the services they have been engaged to provide. This confidentiality agreement must be signed before M-I will disclose Business Personal Data.

M-I may also disclose Business Contact Data and Business Personal Data of employees to customers and prospective customers and to possible merger and acquisition parties where the employees whose data are disclosed are providing, or are proposed to provide, services to the third-party but only for purposes consistent with this Policy and subject to agreements requiring adequate protection and prohibiting further disclosure. Sensitive personal data is not routinely disclosed to customers or prospective customers or to merger and acquisition parties, and will not be disclosed without your prior written consent. M-I requires all of its customers to whom personal data is disclosed to sign a confidentiality agreement that requires them to adequately protect the data and that prohibits them (and their employees and consultants) from disclosing the data to any person or using the personal data in any way that is not directly related to the business relationship between M-I and the customer. This confidentiality agreement must be signed before M-I discloses personal data to these customers or prospective customers.

M-I may be required to disclose Business Contact Data, Business Personal Data or Sensitive Personal Data under applicable law or in response to valid legal process. These disclosures would include responses to valid search warrants, subpoenas, court orders, or other official requests from a government or regulatory authority or agency. M-I reserves the right to disclose information in order to satisfy its legal obligations. Furthermore, M-I may disclose Business Personal Data or Sensitive Personal Data to government or regulatory authorities or agencies if M-I has reason to believe that disclosure is required under applicable law (for example, if M-I discovers evidence of a crime or attempted crime).

Disclosures may also be appropriate to protect M-I’s legal rights (e.g. theft of trade secret case), when physical safety is believed to be at risk, or to notify family members or public or private disaster relief agencies of your location or condition.

M-I may disclose Business Personal Data or Sensitive Personal Data about an employee or his or her family to a group health plan where M-I is the sponsor of, or performs plan administration functions for, that group health plan, as specified in the relevant plan documents.

M-I does not disclose or sell Employees’ personal data to any company or person for marketing purposes. However, in limited circumstances M-I may allow a vendor who has legitimate access to Business Personal Data or Business Contact Data to communicate with M-I employees to offer them services closely aligned to the function the vendor performs for M-I. For example, a retirement plan administrative vendor might be allowed to make employees aware of other retirement planning services the vendor provides but only upon receiving specific approval from M-I for that offer of services and only if they have provided the individuals to whom the data relate with notice and the opportunity to opt out of receiving such communications.

V. Choice

M-I will adhere to the Choice Principle of the Safe Harbor. M-I internally discloses and uses employee Business Personal Data in connection with the management of day-to-day operations, in business planning, in the management of legal proceedings, and for emergency response. Except in limited circumstances, such as those involving Sensitive Personal Data, an employee’s consent to the disclosures and uses of that employee’s personal data for the purposes described in this Policy will not be requested. M-I’s Corporate Privacy Officer will make the ultimate determination whether or not a particular disclosure or use is described in this policy.

If M-I develops a potential use or disclosure of personal data that is not described in this Policy, then M-I will notify employees of this new purpose for use or disclosure. M-I will offer employees a choice whether or not to allow M-I to use or disclose their personal data for that new purpose. In this situation, employee consent must be received in writing (or a legally equivalent electronic form) before M-I uses or discloses personal data for this new purpose.

VI. Onward Transfer

M-I will comply with the Onward Transfer Principle of the Safe Harbor including adherence to the Notice and Choice Principles for disclosure to non-agent third parties. M-I will ensure all data transfers comply with the data privacy requirements of the employee’s home country and those of the country in which the data is stored or processed. M-I will ensure that transferred data is adequately protected from accidental disclosure and from theft or intentional disclosure or misuse. Where appropriate or when required by applicable laws, M-I will implement data transfer agreements to specify the applicable standards of protection for transferred data.

VII. Security

M-I applies physical, electronic, and procedural safeguards that we believe provide adequate protection of data and comply with applicable laws to guard personal data against loss, unauthorized access, destruction, misuse, modification, or improper disclosure. Business Contact Data, Business Personal Data, and Sensitive Personal Data are retained in M-I’s “Global People System” (“GPS”) human resources database (or a similar system), other systems or records (for example, Information Technology provisioning systems or directory servers) or in physical form. The GPS database and other M-I automated systems are maintained on computer equipment located in restricted access environments. In addition to physical security measures, M-I uses electronic security safeguards that protect against unauthorized access and restrict system access to a limited number of employees whose duties require access to the information. Physical files are retained in restricted access environments or locked storage containers when not being used.

All employees whose job duties require access to Business Personal Data or Sensitive Personal Data are trained on their data protection obligations and on protective measures as a condition of being provided access to the data.

VIII. Data Access and Integrity

M-I recognizes the need for accuracy and completeness of all personal data it collects or receives. M-I will allow employees to review personal data that it has retained in personnel files or other reasonably available files during regular business hours after employees give reasonable notice of the desire to see that personal data. Each of an employee’s family members will also be allowed to see his or her personal data (but not the employee’s personal data) during regular business hours after giving reasonable notice of his or her desire to see that personal data. In addition, certain personal data may be reviewed and modified by employees themselves in the GPS human resources system. If an employee or a family member believes any personal data in M-I’s possession or under its control is incorrect or incomplete, they will be allowed to update the information. If the information the employee believes to be incorrect or incomplete is subject to interpretation or different viewpoints, as it could be in the case of, for example, a performance review, the employee is allowed to submit written information to be included as part of M-I records. Employees may contact their respective Human Resources department for assistance in requesting access to personal data as described above.

IX. Enforcement

M-I’s Corporate Privacy Officer or his or her designee will promptly review and investigate every allegation that this Policy has been violated by any employee, customer, outside firm, consultant, or other unauthorized party. As part of this review and investigation, the Corporate Privacy Officer will review any relevant processes and procedures to determine whether changes are necessary to prevent a recurrence of any substantiated violation of this policy.

M-I will, at its sole discretion and in accordance with all applicable laws, take disciplinary action against any employee who violates this policy. The severity of the disciplinary action taken will vary based on factors considered relevant by the Privacy Officer including:

  • the sensitivity of the personal data disclosed or used in violation of this policy;
  • the number of employees impacted by the violation of this policy;
  • the duration of the improper disclosure or use;
  • prior improper disclosure or use of personal data by that employee; and
  • whether the violation was inadvertent, foreseeable, the result of negligence, or arose from a deliberate or reckless act.

Except where (i) the improper disclosure or use of personal data was inadvertent or the result of inadequate training, or (ii) the Corporate Privacy Officer or his or her designee determines that the circumstances do not warrant such action for other reasons, appropriate disciplinary action will be taken in accordance with M-I’s corrective action or disciplinary policies. Among other forms of action available, violations of this Policy may result in suspension without pay (to the extent permitted by applicable law) or termination of employment. In all cases, the Corporate Privacy Officer or his or her designee shall determine whether additional training or process modifications are also required.

The Corporate Privacy Officer or his or her designee will review any violation of this Policy by a customer, client, outside firm or consultant with a senior manager of such client, outside firm, or consultant to determine the appropriate corrective action. Unless the Corporate Privacy Officer or his or her designee determines otherwise, appropriate disciplinary action with respect to an employee or consultant of a client, outside firm or consultant who violates this Policy should include actions similar to those that would occur if the employee or consultant were an M-I employee. In addition, the Corporate Privacy Officer or his or her designee may recommend whether the business relationship between M-I and the customer, client, outside firm or consultant should be terminated as a result of the violation.

The results of each investigation, including any disciplinary action recommended or taken, will be reported to the Compliance Officer and the Audit Committee of M-I’s Board of Directors per established reporting procedures. Where M-I believes that the conduct may constitute a violation of any applicable law, rule or regulation, the conduct may be disclosed to appropriate law enforcement and regulatory authorities.

In addition to its internal investigative and resolution efforts, M-I will cooperate with the European Union Data Protection Authorities (“DPAs”) in their efforts to investigate and resolve complaints brought under the Safe Harbor. M-I will comply with advice given by the DPAs, including remedial or compensatory measures for the benefit of individuals affected by any non-compliance with the Safe Harbor Principles.

X. Country / Geographic Exceptions & Modifications

Any M-I business unit at the country, geography, or location level may modify this policy to provide greater protections than contained herein where legally required to do so. However, no M-I business unit may modify this Policy to provide less protection than contained herein.

M-I reserves the right to change this Privacy Policy from time to time.

How to Contact Us: Should you have any questions or suggestions about our privacy practices, or wish to update or correct any personally identifiable information that you have chosen to provide to us, please contact your organization’s human resources professionals. Should you wish to report a violation or suspected violation, you can contact any member of M-I management, any member of M-I human resources, any one of M-I’s legal professionals, or you can use M-I’s Ethics reporting tools at www.reportlineweb.com/Smith or call +1 (877) 571-9753 (toll free within the US and Canada); +1 (678) 250-7591 (collect if you are outside the US or Canada).

You may also mail a report to:

Corporate Privacy Officer
C/O Human Resources
M-I SWACO
PO Box 42842
Houston, Texas 77242
USA

This Privacy Policy was last updated on 29 April 2008.

Copyright 2007 M-I LLC | All rights reserved | All trademarks are the property of their respective owners