TELUS International: Safe Harbor Policy
TELUS International (U.S.) Inc. (“TELUS”) is a member of the TELUS group of companies and provides outsourcing solutions to business customers based in the United States, including contact centre services. In connection with the provision of services, TELUS may receive, access, store or otherwise process (collectively, “handle”) personal information of its customers, including personal information of individuals resident or located in the European Economic Area (“EEA”).
Personal information of individuals resident or located in the European Union is subject to the European Commission’s Directive on Data Protection (the “Directive”) which prohibits the transfer of personal data to non-European Union nations that fail to meet the European Union’s “adequacy” standard for privacy protection. In order to provide a streamlined and cost-effective means for U.S. organizations to satisfy the adequacy requirement of the Directive, the U.S. Department of Commerce in consultation with the European Commission developed a Safe Harbor Framework, which includes the Safe Harbor Principles.
TELUS adheres to the Safe Harbor Framework, including the Safe Harbor Principles, as agreed upon by the U.S. Department of Commerce and the European Commission (“Safe Harbor Principles”), which can be found at http://www.export.gov/safeharbor. TELUS has adopted this Safe Harbor Policy to evidence its adherence to the Safe Harbor Principles. Where TELUS processes personal information on behalf of, and under the direction of, a business customer (which includes handling personal information in connection with providing contact centre services), such personal information is not subject to the Safe Harbor Principles and is governed by the contract between TELUS and the business customer, as permitted by the Safe Harbor Framework.
Where TELUS collects personal information of an individual (a “client”) in connection with activities other than providing processing services to a business customer, such personal information will be subject to this Safe Harbor Policy.
For the purposes of the following Principles “personal information” means information that: (1) is transferred from the EEA to the U.S.; (2) is recorded in any form; (3) is about, or pertains to, a specific individual; (4) can be linked to that individual; and (5) is collected by TELUS in connection with activities other than providing processing services to a business customer. Personal information does not include data that is de-identified, anonymous or publicly available.
Principle 1 – Accountability
TELUS is responsible for personal information under its control and shall designate one or more persons who are accountable for TELUS’ compliance with the following principles.
1.1 Responsibility for ensuring compliance with the provisions of the TELUS Safe Harbor Policy rests with the senior management of TELUS, which shall designate one or more persons to be accountable for compliance. Other individuals within TELUS may be delegated to act on behalf of the designated person(s) or to take responsibility for the day-to-day collection and processing of personal information.
1.2 The TELUS contact for handling complaints, access requests, and any other issues related to this Safe Harbor Policy is the Director of Security, TELUS International, who can be reached at TIprivacy@telus.com.
1.3 TELUS is responsible for personal information in its possession or control. TELUS shall use appropriate means to provide a comparable level of protection while information is being processed by a third party (see Principle 7).
1.4 TELUS shall implement policies and procedures to give effect to this Safe Harbor Policy, including:
- implementing procedures to protect personal information and to oversee TELUS’ compliance with this Safe Harbor Policy
- establishing procedures to receive and respond to inquiries or complaints
- training and communicating to staff about TELUS’ policies and practices
- developing public information to explain TELUS’ policies and practices
Principle 2 – Notice: Identifying Purposes for Collection of Personal Information
TELUS shall identify the purposes for which personal information is collected at or before the time the information is collected.
2.1 TELUS collects personal information only for the following purposes:
- to establish and maintain responsible commercial relations with clients and to provide ongoing service
- to understand client needs and preferences
- to develop, enhance, market or provide products and services
- to manage and develop TELUS’ business and operations, including personnel and employment matters
- to meet legal and regulatory requirements
Within this Safe Harbor Policy, references to “identified purposes” mean the purposes identified in this Principle.
2.2 TELUS shall specify orally, electronically or in writing the identified purposes to the client at or before the time personal information is collected. Upon request, persons collecting personal information shall explain these identified purposes or refer the individual to a designated person within TELUS who shall explain the purposes.
2.3 Unless required by law, TELUS shall not use or disclose for any new purpose personal information that has been collected without first identifying and documenting the new purpose and obtaining the consent of the client.
2.4 Telephone calls to or from service representatives involving personal information may be monitored or recorded for quality assurance purposes.
Principle 3 – Choice: Obtaining Consent for Collection, Use or Disclosure of Personal Information
The knowledge and consent of a client is required for the collection, use, or disclosure of personal information, except where not required by applicable privacy legislation. In certain circumstances personal information may be collected, used, or disclosed without the knowledge and consent of the individual. For example:
TELUS may collect or use personal information without knowledge or consent if it is clearly in the interests of the individual and consent cannot be obtained in a timely way, such as when the individual is seriously ill or mentally incapacitated.
TELUS may also collect, use or disclose personal information without knowledge or consent if seeking the consent of the individual might defeat the purpose of collecting the information, such as in the investigation of a breach of an agreement or a contravention of a federal or provincial law.
TELUS may also use or disclose personal information without knowledge or consent in the case of an emergency where the life, health or security of an individual is threatened.
TELUS may disclose personal information without knowledge or consent to a lawyer representing TELUS, to collect a debt, to comply with a subpoena, warrant, court order or other legal process, or as may be otherwise required or permitted by law.
3.1 TELUS shall use reasonable efforts to ensure that a client is advised of the identified purposes for which personal information will be used or disclosed. Purposes shall be stated in a manner that can be reasonably understood by the client.
3.2 Generally, TELUS shall seek consent to use and disclose personal information at the same time it collects the information. However, TELUS may seek consent to use and disclose personal information after it has been collected, but before it is used or disclosed for a new purpose.
3.3 TELUS will require clients to consent to the collection, use or disclosure of personal information as a condition of the supply of a product or service only if such collection, use or disclosure is required to fulfill the identified purposes.
3.4 In determining the appropriate form of consent, TELUS shall take into account the sensitivity of the personal information and the reasonable expectations of its clients.
3.5 In general, the use of products and services by a client constitutes implied consent for TELUS to collect, use and disclose personal information for all identified purposes.
3.6 A client may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. Clients may contact the individual referenced in Section 1.2 of this Safe Harbor Policy for more information regarding the implications of withdrawing consent.
Principle 4 – Limiting Collection of Personal Information
TELUS shall limit the collection of personal information to that which is necessary for the purposes identified by TELUS. TELUS shall collect personal information by fair and lawful means.
4.1 TELUS collects personal information primarily from its clients.
4.2 TELUS may also collect personal information from other sources, including credit bureaus, employers or personal references, or other third parties who represent that they have the right to disclose the information.
Principle 5 – Limiting Use, Disclosure, and Retention of Personal Information
TELUS shall not use or disclose personal information for purposes other than those for which it was collected, except with the consent of the individual or as required by law. TELUS shall retain personal information only as long as necessary for the fulfillment of those purposes.
5.1 TELUS may disclose a client’s personal information to:
- a person who in the reasonable judgment of TELUS is seeking the information as an agent of the client
- a company involved in supplying the client with communications or communications related services
- a company or individual employed by TELUS to perform functions on its behalf, such as research or data processing
- another company or individual for the development, enhancement, marketing or provision of any of TELUS' products or services
- an agent used by TELUS to evaluate the client’s creditworthiness or to collect the client’s account
- a credit reporting agency
- a public authority or agent of a public authority, if in the reasonable judgment of TELUS, it appears that there is imminent danger to life or property which could be avoided or minimized by disclosure of the information
- a third party or parties, where the client consents to such disclosure or disclosure is required by law to meet legal or regulatory requirements such as under a court order or to a government institution
- others as required by law
5.2 From time to time TELUS may sell parts of its business, sell or securitize assets, or merge or amalgamate part or all of its business with other entities. Since client and account information will normally be a part of such transactions, TELUS may use or disclose personal information in such context to other parties included in the transaction, as part of due diligence and/or completion of the transaction.
5.3 Only TELUS' employees with a business need to know, or whose duties reasonably so require, are granted access to personal information about clients.
5.4 TELUS shall keep personal information only as long as it remains necessary or relevant for the identified purposes or as required by law. Depending on the circumstances, where personal information has been used to make a decision about a client, TELUS shall retain, for a period of time that is reasonably sufficient to allow for access by the client, either the actual information or the rationale for making the decision.
5.5 TELUS shall maintain reasonable and systematic controls, schedules and practices for information and records retention and destruction which apply to personal information that is no longer necessary or relevant for the identified purposes or required by law to be retained. Such information shall be destroyed, erased or made anonymous.
Principle 6 – Correction: Accuracy of Personal Information
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
6.1 Personal information used by TELUS shall be sufficiently accurate, complete, and up-to-date to minimize the possibility that inappropriate information may be used to make a decision about a client.
6.2 TELUS shall update personal information about clients as and when necessary to fulfill the identified purposes or upon notification by the individual.
Principle 7 – Security Safeguards and Onward Transfer
TELUS shall protect personal information by security safeguards appropriate to the sensitivity of the information.
7.1 TELUS shall protect personal information against such risks as loss or theft, unauthorized access, disclosure, copying, use, modification or destruction, through appropriate security measures. TELUS shall protect the information regardless of the format in which it is held.
7.2 TELUS shall protect personal information disclosed to third parties by contractual agreements stipulating the confidentiality of the information and the purposes for which it is to be used.
7.3 All of TELUS’ employees with access to personal information shall be required to respect the confidentiality of that information.
7.4 Where TELUS transfers personal information to a third party that is acting as an agent or service provider, prior to the transfer TELUS will enter into a written agreement with the third party requiring that the third party provide at least the same level of privacy protection as is required by the Safe Harbor Principles. TELUS will also provide that the third party may not use the information for any purpose other than the delivery of services to TELUS.
Principle 8 – Openness Concerning Policies and Practices
TELUS shall make readily available to clients specific information about its policies and practices relating to the management of personal information.
8.1 TELUS shall make information about its policies and practices easy to understand, including:
- the means of gaining access to personal information held by TELUS
- a description of the type of personal information held by TELUS, including a general account of its use
8.2 TELUS shall make available information to help clients exercise choices regarding the use of their personal information and the privacy-enhancing services available from TELUS.
Principle 9 – Access to Personal Information
TELUS shall inform a client of the existence, use, and disclosure of his or her personal information upon request and shall give the individual access to that information. A client shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
9.1 Upon request, TELUS shall afford clients a reasonable opportunity to review the personal information in the individual’s file. Personal information shall be provided in understandable form within a reasonable time, and at minimal or no cost to the individual.
9.2 In certain situations, TELUS may not be able to provide access to all the personal information that it holds about a client. For example, TELUS may not provide access to information if doing so would likely reveal personal information about a third party or could reasonably be expected to threaten the life or security of another individual. Also, TELUS may not provide access to information if disclosure would reveal confidential commercial information, if the information is protected by solicitor-client privilege, if the information was generated in the course of a formal dispute resolution process, or if the information was collected in relation to the investigation of a breach of an agreement or a contravention of a federal or provincial law. If access to personal information cannot be provided, TELUS shall provide the reasons for denying access upon request.
9.3 Upon request, TELUS shall provide an account of the use and disclosure of personal information and, where reasonably possible, shall state the source of the information.
9.4 In order to safeguard personal information, a client may be required to provide sufficient identification information to permit TELUS to account for the existence, use and disclosure of personal information and to authorize access to the individual’s file. Any such information shall be used only for this purpose.
9.5 TELUS shall promptly correct or complete any personal information found to be inaccurate or incomplete. Any unresolved differences as to accuracy or completeness shall be noted in the individual’s file. Where appropriate, TELUS shall transmit to third parties having access to the personal information in question any amended information or the existence of any unresolved differences.
9.6 Clients can seek access to their personal information by contacting the TELUS contact identified in section 1.2 of this Safe Harbor Policy.
Principle 10 – Challenging Compliance
TELUS uses a self-assessment approach to assure compliance with this Safe Harbor Policy and periodically verifies that the policy is accurate, comprehensive for the information intended to be covered, prominently displayed, implemented and accessible and in conformity with the Safe Harbor Principles. A client may submit any questions, complaints or disputes concerning TELUS’ compliance with the above principles to the TELUS contact identified in section 1.2 of this Safe Harbor Policy. TELUS will investigate and attempt to resolve complaints and disputes regarding use and disclosure of personal information in accordance with the principles contained in this Safe Harbor Policy. With respect to any complaints related to this Safe Harbor Policy that cannot be resolved through TELUS’ internal processes, TELUS shall cooperate in an independent dispute resolution process to resolve such disputes.
10.1 TELUS shall maintain procedures for addressing and responding to all inquiries or complaints from its clients about TELUS’ handling of personal information.
10.2 The person or persons accountable for compliance with this Safe Harbor Policy may seek external advice where appropriate before providing a final response to individual complaints.
10.3 TELUS shall investigate all complaints concerning TELUS’ compliance with this Safe Harbor Policy. If a complaint is found to be justified, TELUS shall take appropriate measures to resolve the complaint including, if necessary, amending its policies and procedures. A client shall be informed of the outcome of the investigation regarding his or her complaint. With respect to any complaints relating to this Safe Harbor Policy that cannot be resolved through TELUS’ internal processes, TELUS has agreed to participate in the independent dispute resolution procedures set forth by the BBB EU Safe Harbor Program, operated by the Council of Better Business Bureaus, Inc. More information on this program, as well as the contact information for filing a complaint, is available at http://www.bbb.org/us/consumer/european-dispute-resolution/complaint-info/. In the event that TELUS or the Council of Better Business Bureaus concludes that TELUS did not comply with this Safe Harbor Policy, TELUS will take appropriate steps to address any adverse effects and assure future compliance.