
TELUS Health and Payment Solutions Business Customer Privacy Policy
Last updated: November 2017
Introduction
TELUS Health and Payment Solutions is in the business of delivering solutions that enable our customers to interact and conduct business electronically. We recognize that an important part of our customers’ operations is to ensure that the privacy of their own end-users’ data is respected. Core to our commitment to putting customers first is to ensure that personal information that our customers entrust to us, including sensitive personal information, is safeguarded and that the privacy of our business customers’ end-users is respected.
TELUS Health and Payment Solutions’ privacy practices are developed in accordance with applicable privacy legislation, including the Protection of Personal Information. Applicable privacy legislation may include, but is not limited to the Personal Information Protection and Electronic Documents Act (PIPEDA), along with substantially similar provincial legislation, and the various applicable provincial health privacy acts.
TELUS Health and Payment Solutions is committed to ensuring that our privacy management practices comply with applicable privacy legislation as well as with our contractual commitments, which commitments may include assisting our customers with their own privacy compliance requirements. Our commitment to TELUS Health and Payment Solutions customers is that we will work with them to protect privacy in all our service offerings.
This TELUS Health and Payment Solutions Business Customer Privacy Policy (this “Privacy Policy”) outlines the responsibilities of TELUS Health Solutions Inc. and its subsidiaries (collectively “THPS”) concerning the protection of Personal Information entrusted to THPS by our business customers.
Definitions
For the purpose of this Privacy Policy:
Personal Information means information about an identifiable individual (which includes personal health information such as diagnostic information, biometrics, health history, treatment and care information, medical imaging, payment or eligibility for health care information) and patient contact information in any format but excludes Business Contact Information and de-identified or aggregated information that cannot reasonably be associated with a specific individual.
Business Contact Information means the name, title, business address (including business email address), business telephone or fax numbers of an employee of an organization that is collected, used or disclosed for the purpose of communicating with the individual in relation to their employment, business or profession.
Customer means a customer of THPS who is a business, enterprise, or other organization but is not an individual consumer or a patient.
Individual/Patient means end-users, clients, customers or patients of Customers.
Scope & Application
This Privacy Policy applies to any Customer of THPS that is a business, enterprise, or other organization but is not an individual consumer contracting directly with THPS. Our commitments to the privacy of those individual consumers are covered in the TELUS Health Privacy Commitment.
This Privacy Policy applies to Individual/Patient Personal Information in THPS’s custody for the purposes of providing services to the Customer. It includes Individual/Patient Personal Information that is in the possession of service providers who have been contracted to provide services on THPS’s behalf.
The application of this Privacy Policy is subject to the requirements or provisions of any applicable legislation, regulations, agreements or the ruling of any court or other lawful authority.
All THPS employees, contractors and agents with access to Individual/Patient Personal Information are required to comply with this Privacy Policy.
Accountability
Our Accountability Commitment
At THPS we are responsible to our Customers for Individual/Patient Personal Information in THPS’s possession or custody, including information that has been transferred for processing by THPS to a service provider or a third party in the course of conducting THPS’s business.
Executive Responsibility
Protecting privacy is an integral part of our services and all members of THPS’s Executive team have a responsibility to enable and oversee operational compliance with THPS’s privacy policies and procedures within their own areas of responsibility, ensuring all business units are properly aware of and resourced to meet our privacy obligations.
Employee Accountability
As a core commitment of THPS, all members of the THPS team undergo mandatory annual privacy training to ensure their continued awareness of and compliance with applicable laws and our policies, including this Privacy Policy; we recognize that all employees play a role in earning and maintaining customer trust and we undertake ongoing privacy awareness activities to create a culture of privacy at THPS.
Our Data & Trust Office
THPS has appointed a Chief Data & Trust Officer to lead and support the THPS Data & Trust Office. The Office is responsible for maintaining an accountable privacy management program specifically designed to protect the privacy of our customers, and for setting policies and procedures to earn and maintain our customers’ trust in our data handling practices.
The key components of THPS’s privacy program are set out in our Privacy Management Program Framework; the Framework documents our core program commitments to protecting privacy in a manner consistent with the principles set out in this Privacy Policy. The Framework also sets out some of the ways in which we have operationalized those commitments and the organizational structure we have implemented to do so.
Finally, we have embraced the seven foundational principles of Privacy by Design, striving to embed these privacy enhancing principles into our product and service development processes.
Consent
As THPS does not have a direct relationship with the Individual/Patients of its Customers, THPS relies on and requires its Customers to ensure that they have obtained the necessary consent of the Customer’s Individual/Patients or other authority for THPS to collect, use and disclose Individual/Patient Personal Information on behalf of the Customer.
Collection and Use
We want to be transparent with our customers about the purposes for which we collect and use Individual/Patient Personal Information. THPS receives Individual/Patient Personal Information from its Customers and collects Individual/Patient Personal Information from other entities or individuals on behalf of its Customers. We limit the collection of Individual/Patient Personal Information to that which is necessary to fulfil the purposes identified herein or in the contractual agreement with the Customer. THPS requires its Customers to share Individual/Patient Personal Information with THPS only to the extent that such information is lawfully obtained and necessary and sufficient for the purposes identified in this Privacy Policy and any contractual agreement.
THPS does not use Individual/Patient Personal Information for purposes other than as set out in this policy and in the terms and conditions of the contractual agreement with the Customer, except as otherwise required or permitted by applicable law.
Subject to the terms and conditions of the contractual agreement with the Customer, THPS collects and uses Individual/Patient Personal Information for the following purposes:
For the provision of products and services on behalf of its Customers (in compliance with contractual obligations), including for billing purposes;
To meet contractual, legal, regulatory requirements;
To manage and develop its business and operations, including the diagnosis of technical problems or for improved functionality;
To investigate and resolve incidents and to resolve Individual/Patient and Customer complaints;
To understand Customer and Individual/Patient needs and preferences; and
To develop, enhance, promote or provide products and services to our customers.
THPS also uses cookies to understand how a customer interacts with our websites, communications, services and selected third party websites, primarily with the aim of improving the user experience. We use cookies in a limited manner and only for purposes consistent with this Privacy Policy. For more information, please refer to our Cookies Notice.
Disclosure
THPS discloses Individual/Patient Personal Information as required or permitted pursuant to the terms and conditions of the contractual agreement with the Customer or as otherwise required or permitted by applicable law.
For example, THPS may disclose Individual/Patient Personal Information for emergency purposes as defined in applicable law.
Unless otherwise set out in the Customer contract, Individual/Patient Personal Information may be transferred to or accessed from outside Canada by THPS or our service providers; such information is protected with appropriate security safeguards, but may be available to foreign government agencies under applicable law.
Retention
THPS has a policy respecting records retention and an associated retention schedule and will keep Individual/Patient Personal Information only as long as it remains necessary or relevant for the identified purposes or in accordance with the terms and conditions of the contractual agreement with the Customer, unless otherwise required to meet legal or regulatory requirements.
Accuracy
THPS does not verify the accuracy of Individual/Patient Personal Information when it is received from a Customer. THPS relies on its Customers to ensure the accuracy and completeness of the Individual/Patient Personal Information that has been supplied to THPS for the identified purposes and in order for THPS to perform the services.
THPS will take commercially reasonable steps to maintain the integrity of the Individual/Patient Personal Information.
Safeguards
THPS maintains an information security governance program to protect Individual/Patient Personal Information. THPS, in compliance with its security policy and data centre security standard, employs security measures appropriate to the sensitivity of the information in an effort to protect Individual/Patient Personal Information against such risks as loss or theft, unauthorized access, disclosure, copying, use, modification or destruction.
Security measures include but are not limited to the following:
Using appropriate administrative, physical and technical security controls designed to prevent and detect unauthorized access to Individual/Patient Personal Information;
Employing encryption for data at rest and in transit, tokenization, de-identification and other mechanisms to protect personal information as appropriate;
Limiting access to the data to a need-to-know basis and applying the principles of least privilege and role-based access control;
Requiring secure disposal of any media containing Individual/Patient Personal Information;
Prohibiting the use of Individual/Patient Personal Information in non-production or demonstration environments except with the express consent of the Customer;
Implementing a Secure by Design methodology in our work processes;
Identifying and assessing reasonably foreseeable risks to the integrity, confidentiality or availability of Individual/Patient Personal Information that we hold and taking reasonable steps to mitigate those risks through the implementation of safeguards;
Regular testing of our safeguards and our overall security program.
THPS protects Individual/Patient Personal Information shared with service providers by employing contractual or other means in an effort to ensure that any such service provider will provide a comparable level of protection while Individual/Patient Personal Information is being processed by that service provider.
THPS employment agreements include contractual provisions for the safeguarding and proper usage of confidential information (including Individual/Patient Personal Information) accessible to our employees in the course of their employment. THPS will take appropriate disciplinary measures where necessary to enforce this Privacy Policy.
Openness concerning policies and practices
THPS strives to make information about its policies and practices accessible and easy to understand; this Privacy Policy is available on our privacy page at telus.com/en/qc/support/privacy-policy.
Individual Access
Unless we specifically contract to do so as part of the provision of services to a Customer, THPS will not generally respond directly to access requests or inquiries of our Customers’ Individual/Patients. We will instead make reasonable efforts to direct inquiries and access requests made by Individual/Patients to the appropriate Customer.
Incident Management
THPS has developed a comprehensive incident readiness and response plan designed to identify the cause, extent and nature of an incident involving Individual/Patient Personal Information and to allow timely reporting to the Customer in accordance with our contractual terms. THPS will provide reasonable assistance to our Customers to investigate and assist in the reporting of the incident to regulatory authorities or other required parties to prevent or minimise any loss or harm arising from such incident.
Contacting us
Inquiries or complaints about the manner in which THPS or its service providers treat Individual/Patient Personal Information can be forwarded on a confidential basis to our Chief Data & Trust Officer at privacyhealth@telus.com
THPS maintains procedures for addressing and responding to all inquiries or complaints about THPS’s handling of Personal Information.