Questar's European Union Privacy of Information Policy

In conjunction with its business activities, Questar processes data originating from certain European countries that are members of the European community.

The European parliament and the Council of the European Union has set forth in a Directive certain policies and procedures that must be adhered to by a "Processor" or "Controller" of such information.

One of the primary purposes of this Directive is to protect the privacy of identified or identifiable persons whose data is processed by persons or entities located in non-European countries.

By virtue of its business activities, Questar is considered to be a data "Processor" as defined in the subject Directive. The company is, therefore, bound by this Directive and has certified that it will comply with the requirements contained therein. As such, we conform with the EU/U.S. Safe Harbor Principles.

• So as to protect the privacy of this information and to comply with the various Directive requirements, Questar has established the following policies and procedures which it and all of its employees are expected to follow.
• Prior to the processing of any data originating from an EU country, the explicit consent of the data subject, i.e., survey respondent, must be obtained.
• The data subject must be apprised as to the reason that such data is being collected and/or processed.
• A data subject is entitled to obtain access to that data relating to him/her should such individual want to verify the accuracy of such data.
• Unauthorized attempts to upload or change information, or otherwise cause damage to our websites are strictly prohibited and a person or entity attempting to do so may be punishable under federal and/or state law and subject to civil action.
• Absent an exception as provided for in the Directive, Questar will not process personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or data regarding a data subject's health or sex life.

Questar considers maintaining the confidentiality and security of all client data to be extremely important. This is especially true since the company often possess information and data that identifies, or which makes the identification of survey respondents possible. To achieve the goal of maintaining the confidentiality and privacy of such information the following policies must be strictly adhered to.

It is a serious breach of company policy for any employee to discuss with or disclose to any individual or entity any information regarding a Questar client or survey respondent other than in the performance of work for Questar. This includes the prohibition of distributing or making available to any unauthorized party any client or Questar documents, materials, records, or information of any type. Under no circumstances may a Questar employee utilize for his/her own benefit any such information.

Any request from a non-Questar employee to release, disclose, discuss or distribute any Questar or client information must be directed to a corporate officer. All visitors to Questar must sign in at the reception desk and be provided with a visitors badge. Visitors are not allowed within any Questar production facility unless accompanied by Questar supervisory personnel.

Questar maintains and will continue to maintain firewalls and other network-level access controls so as to ensure the integrity and privacy of all data and information stored in its computer systems. These systems are routinely tested in order to verify that all firewalls and control systems are working properly.

Information contained in Questar's computer systems is password protected. Access to such information is made available to only those employees having a "need to know" in order to perform their duties. All employees are expected to protect their individual password from disclosure to other employees and non-employees.

Rigorous authentication procedures for users, administrators and remote users are employed to ensure that outsiders do not gain unauthorized access to the company's network. Questar's computer systems reside in a secure area so as to protect against unauthorized access.

Questar has identified certain of its employees with expertise in security to be involved in all security related discussions and decisions. The company identifies what it needs to protect based upon the value of the asset as well as the level of the security needed to protect it. The company has designated a Security Officer who is in charge of these activities. The company has established a security awareness program. All employees are expected to participate in security awareness training.

It is the responsibility of every Questar employee to immediately notify his/her immediate supervisor in the event they become aware of any activity that would lead them to believe that a party is attempting to gain unauthorized access to Questar's computer systems or otherwise misuse any data or information stored therein.

Questar is committed to minimizing the amount of time that client data is stored in its systems. Project Managers are expected to discuss with, and ascertain from their client(s) the point at which such information is no longer needed by the client. Information no longer needed is either deleted from the Questar computer system, or if in paper format, shredded by contracted document destruction company.

No materials containing either company or client information may be removed from Questar's offices except in the course of Questar's business activities and then only by approved couriers and/or employees having permission to do so in fulfillment of Questar's business activities.

Please direct any questions regarding these policies the company's General Counsel.