
Corporate Policy 13.0: Information Management and Protection

What You Need to Know


At Merck and MSD (Merck), information about our company, products and people is one of our most
valuable assets. We are committed to ethical use, management and protection of information. Our
commitment applies not only to Merck's information, but also to information entrusted to us by others.
Our processes and procedures ensure that we appropriately use and safeguard information throughout
its life cycle to prevent unauthorized disclosure.

What You Need to Do At a High Level


Maintain an awareness of the types of information you receive, create, use, manage, store, disclose and
dispose of. Handle and protect it accordingly. Use it only for appropriate purposes that support Merck's
business. Share it only with those who are authorized to see it and need the information in order to
carry out their job responsibilities. Follow Merck Legal Hold and Record Retention requirements for the
appropriate storage and timely destruction of documents.

What You Need to Do In Your Everyday Work


Your job at Merck may expose you to many types of information. This information can take many forms
(e.g., electronic, paper or verbal) and may have special processes designed to protect it. Make sure you
know and follow the processes for the different types of information you handle whether it is
information about our company, people, or others outside of Merck. Follow not only the letter, but the
spirit of laws and policies in the countries where we do business. Seek help anytime you have a
question. Know and adhere to the following key operating principles of this policy:

1. Types of Information.
Information About our Company.
This includes information about our business plans and how we operate, such as product
research, specifications, pricing, business strategies, non-public financial information, trade
secrets, intellectual property, marketing plans, etc.
Requirements for Safeguarding Trade Secrets

Information About People.


This includes personal information about our customers, employees and members of their
families, contractors, patients who participate in our research studies, scientists,
shareholders, government officials and others we interact with, evaluate, or make decisions
about as we manage our business.
Merck Privacy Standards


Information About Others, Outside of Merck.


This includes information about our partners, suppliers, vendors or other third parties that
we have been entrusted to protect. It also includes any confidential information about our
customers, our competitors or any other company (including any of your former employers).
Competitive Intelligence Collection, Use, and Dissemination

2. Classification of Information.
Classify information at the time of creation (or receipt, if not already classified). Label it
using an approved classification label (Sensitive, Confidential, Proprietary or Public).
Maintain that classification throughout its lifecycle and manage it in the manner directed.
Apply Merck Privacy standards to make sure that personal information is classified, labeled
and managed appropriately.
Information Classification, Handling, and Retirement Functional Policy

3. Appropriate Use of Information.


Only use the information you receive or create for Merck in support of Merck's business.
Never use it for your own personal reasons. Be transparent about how you use this
information. If you received it from someone else, respect the intent and reasons it was
provided to you. Don't use it for any other purposes unless you are sure that you are
authorized to do so. In disclosing information, make sure recipients know their
responsibilities to safeguard the information, including requirements related to its
classification, and understand any restrictions related to its use and dissemination. Never
use information in ways that damage the reputation of Merck or cause harm to others.
Follow commitments we have made in any contracts or nondisclosure agreements. If you
come to Merck from another company, honor the promise you made to protect that
company's information. If you leave Merck, do not share our information with your new
employer (or anyone else).
Watch what you say on the phone, at social events and in public places to avoid
inadvertently divulging confidential information about our company. Always apply
discretion and common sense when using social media; you are accountable for your
actions. Keep in mind that online is forever. Don't speak on behalf of Merck unless
specifically authorized to do so.
Professional and Personal Use of Social Media

4. Quality of Information.
Keep information accurate. The value of information depends on its accuracy. As information is
copied or maintained over time, preserve its integrity and amend any inaccurate or outdated
information.
GxP Data Governance and Integrity Standard


5. Storage, Maintenance and Destruction of Information.


Be responsible in the storage, maintenance and destruction of information. Comply with our
record retention requirements. Properly dispose of records that have met their retention
requirements unless they are subject to a document preservation requirement or legal hold.
Records Management Guidelines

6. Technology and Information.


Appropriate Use
Technology assets provided by Merck are company assets and provided for business use.
Make sure your use of company assets, intranet and Internet access never interferes with
the company's business. Don't transmit or provide access to sensitive information unless it
is adequately protected. Take care to prevent theft, loss or unauthorized use of electronic
information and systems.
Acceptable Use and Information Protection Requirements
Information Security Standards & Guidelines

Risk Assessment
If you are responsible for Merck processes and systems that use information about our
company, people or others outside of Merck, you must ensure that the information is
managed and protected. Request an Information Risk Assessment for all new systems and
processes. Request a Privacy Risk and Controls Assessment for all systems and processes
that use personal information. Assessments must also be done before substantive
modifications to any systems or processes that handle or store Merck information.
Request Information Risk Assessment for New System or Process
Request Privacy Risk and Controls Assessment for System or Process Using Personal
Information

Information Systems Development


All employees and third party vendors involved in development of technology solutions and
services, including mobile apps, websites, etc., must know and understand their
responsibility to comply with Merck's System Development Life Cycle. Doing so will help the
organization manage its exposure to business and regulatory risk, improve the reliability of
our systems and ensure the integrity and confidentiality of our data.
Merck Systems Development Lifecycle

7. Speak Up.
You are Merck. Protect the reputation we've earned as a company that operates with integrity
and report any conduct that could put our reputation at risk. If you see or suspect improper,
unethical or illegal activity, talk to your manager, Office of Ethics or other Merck resource (e.g.,
Compliance, Legal, or Human Resources), to discuss your concerns confidentially without fear of
retaliation or, where permitted by law, call the AdviceLine.

To uphold the Company's commitment to ethics, integrity and compliance with laws,
regulations, Company policy and the Company's Code of Conduct (Our Values and Standards),
actions inconsistent with this policy shall be subject to Corporate Policy: Reporting and
Responding to Misconduct.

Questions About this Policy?


Contact: Scott Taylor at staylor@merck.com

Be aware that procedures for applying our policy may vary from location to location. Whenever a local
law, regulation, or industry code is more restrictive, follow the more restrictive standard.

Terms You Need to Know


Information. Any data that is created, processed, transmitted, carried or stored in any form, including
audio, visual, printed, magnetic, digital, electronic or optical formats and oral communications.

Intellectual Property. Our knowledge base, including patents, copyrights and trademarks.

Personal information. Any data about an identified or identifiable individual, including data that
identifies an individual or that could be used to identify, locate, track, or contact an individual. Personal
information includes both directly identifiable information such as a name, identification number or
unique job title, and indirectly identifiable information such as date of birth, unique mobile or wearable
device identifier, telephone number as well as key-coded data.

Trade Secrets. Information, including intellectual property, that Merck keeps secret to give Merck an
advantage over its competitors. The protection of a Trade Secret can last indefinitely, and requires the
owner to actively protect the information. Trade Secrets are not protected by intellectual property
laws, although Business Trade Secrets involving data about customers, patients or other people may be
protected by privacy and data protection laws; protection for Trade Secrets is primarily done by
non-disclosure.

Third Parties. Any non-Merck employee or entity authorized by Merck to carry out some or all of a
business activity.


Revision Number: 2.3


Date Established: January 2015
Date Last Updated/Reviewed: April 2017
Next Compliance Summit Assessment: January 2018
Sponsor: Ashley Watson, SVP & Chief Compliance Officer
Content Owners: Terry Rice, VP Service Delivery; Scott Taylor, AVP, Privacy & GSF Compliance; Ken Deitz,
Director Global Security

Revision History
| Revision Number | Short Description of Revision | Translation Required (Y/N) |
|---|---|---|
| 1.1 | Updated hyperlinks to acceptable use requirements, risk assessment process, and information risk management policy page. | N |
| 2.0 | Updated hyperlink to Merck Privacy Standards, 13.2 Global Privacy & Data Protection; new definition of Personal Information per requirement of regulators. Updated language versions will be forthcoming. | Y |
| 2.1 | Standardization and simplification of Corporate Policy Footers - Footers for language version of policy maintained in English. Revision History log maintained in English Version only. Content Owner and Contact updated to Scott Taylor. Replaced Content Owner Allen Phelps with Ken Deitz. Modified Date Established and Next Compliance Summit Assessment to reflect January 2015 launch of new policy framework. | N |
| 2.2 | Updated the Personal and Professional Use of Social Media and Request Info Risk Assessment for New System or Process links. | N |
| 2.3 | Included hyperlink under section 4.0 for new GxP Data Governance and Integrity standard. | N |
