PERSONAL AND PERSONAL HEALTH INFORMATION PRIVACY POLICY STATEMENT

SCOPE AND PURPOSE

This policy applies to LifeMark Health and its subsidiaries operating in Canada (collectively “LifeMark Health” or “Company”). References in this document to “LifeMark Health Personnel” include directors, officers, employees, contract workers, consultants and agents of LifeMark Health and its subsidiaries. LifeMark Health Personnel will comply with the requirements of this Policy.

LifeMark Health is committed to protecting the privacy and security of the personal and personal health information of individuals with whom we interact, such as our employees, clients, customers, suppliers, neighbors, and contractors.

This document has been prepared to provide a more detailed understanding of LifeMark Health’s obligations under the law regarding protection of personal and personal health information, as well as how to interpret and implement practices that support LifeMark Health’s Personal and Personal Health Information Privacy Policy Statement. (“Privacy Policy Statement”). Failure to comply with privacy practices could expose LifeMark Health to legal risk, including penalties, and may result in disciplinary action for LifeMark Health Personnel.

All LifeMark Health Personnel who collect, hold or use personal and personal health information must be thoroughly familiar with these standards. More information about individual accountabilities is outlined in the document. Please note that this Policy may be updated frequently in response to changes in the applicable legislation.

The legislation means that privacy principles will be reflected in our processes and our behavior, both as an organization and as individuals within the scope of our roles within the organization. To summarize:

• We need to get informed consent from individuals before we collect their information. This means open communication and understanding of our information management practices.
• We need to be sensitive and rigorous in how we handle files, correspondence and other records containing information about individuals.
• We must have information retention standards, and we must follow them.

The legislation sets out time limits for responding to individuals who want copies of the information we have about them, and dictate what information we give them and what we withhold from them.

INDEX

1. Legal Requirements
2. Personal and Personal Health Information - Definition
3. Accountability
4. Identifying Purpose & Obtaining Consent
5. Collecting and Using Personal Information
6. Disclosure of Personal Information
7. Retention & Disposal of Personal Information
8. Accuracy – Updating Personal Information
9. Protection of Personal Information
10. Open and Transparent Practices
11. An Individual’s Access to Their Personal Information
12. Complaint Process
13. Third Party Service Providers
14. Contacts

A. LEGAL REQUIREMENTS

In Canada, the Personal Information Protection and Electronic Documents Act [PIPEDA], governs the legal requirements for the protection of personal information. Provincial privacy laws apply in lieu of PIPEDA, if such laws are deemed to be substantially similar or in addition to PIPEDA where they are not substantially similar. LifeMark Health cooperates with its customers and clients as a supplier by complying with their standards to the level of Privacy legislation that they require. LifeMark Health has taken the position that processes will be designed to meet the most rigorous legislation.

LifeMark Health’s policies and practices adhere to privacy principles for privacy management, as follows:

Accountability: LifeMark Health is responsible for personal and personal health information under its control and has designated a Chief Privacy Officer who, along with the Clinic Directors, is accountable for ensuring LifeMark Health has processes, procedures and practices in place for the organization's compliance with the following principles:

• Identifying Purposes: The purposes for which personal and personal health information are collected shall be identified by the organization at or before the time the information is collected.
• Consent: The knowledge and consent of the individual are required for the collection, use or disclosure of personal and personal health information, unless specific exceptions apply.
• Limiting Collection: The collection of personal and personal health information shall be limited to that which is necessary for the purposes identified by LifeMark Health. Information shall be collected by fair and lawful means.
• Limiting Use, Disclosure, and Retention: Personal and personal health information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by the law. Personal and personal health information shall be retained only as long as necessary for fulfillment of those purposes.
• Accuracy: Personal and personal health information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
• Safeguards: security safeguards appropriate to the sensitivity of the information shall protect personal and personal health information.
• Openness: LifeMark Health shall make available to individuals specific information about its policies and practices relating to the management of personal and personal health information.
• Individual Access: Upon request, an individual shall be informed of the existence, use and disclosure of his or her personal and personal health information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
• Challenging Compliance: An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals.

B. PERSONAL AND PERSONAL HEALTH INFORMATION - DefinitionS

Personal information refers to any information concerning an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.

Some examples of personal information are:

• Race, national or ethnic origin, colour, religion, age or marital status;
• Medical, educational, financial, employment and criminal history;
• Current and prognosis information of a medical/dental/injury nature;
• Fingerprints and identifying numbers assigned to the individual;
• Correspondence with LifeMark Health that is explicitly or implicitly of a private nature;
• Views or opinions concerning an employee’s or individual’s performance evaluation;
• Banking, income, tax and investment information;
• Views, opinions, or political affiliations held by an individual
• A person’s image [e.g. photographs, videos]

Personal information is not restricted to the above examples. Personal information may be stored on paper, electronically, digitally, and includes videos, photographs or tape recordings.

Personal health information is any information concerning an identifiable individual’s physical or mental health; the provision of their health care; the eligibility of payment for their health care; the identity of the provider of their health care; and, where required for an authorized purpose, their health care number. Personal health information also includes information about an identifiable individual that is not personal health information but is contained in the same record or file as personal health information about the individual.

LifeMark Health collects and generates personal and personal health information about identifiable individuals in the course of providing services.

C. ACCOUNTABILITY

Clinic Directors are ultimately accountable for ensuring that this Policy is adhered to within their respective Centres.

The Chief Privacy Officer (“CPO”) is responsible for monitoring Company-wide application of the Privacy Policy Statement, compliance with applicable privacy laws, and acting as a liaison with the Federal Privacy Commission and any provincial agencies as required. The Chief Privacy Officer also serves as a resource for the Clinic Directors, and may coordinate and support the efforts of the Clinic Directors in training and awareness. The CPO will assist in the development of business processes and procedures for the Clinic Directors and their Centres. The CPO also manages all complaints and is responsible for responding on behalf of LifeMark Health to internal and external requests for personal and personal health information and inquiries about LifeMark Health’s Privacy Policy Statement or personal and personal health information management.

Corporate Management and Clinic Directors are the custodians of the personal and personal health information collected, retained and used within their respective Centres and as such are responsible for ensuring that:

1. consent has been obtained prior to collection of information, and processes to manage exceptions are in place; [see section D for further details]
2. only personal and personal health information necessary for the purpose is collected, retained and used;
3. appropriate controls are in place to physically secure both hard copy (including external computer readable media) and electronically stored personal and personal health information;
4. appropriate system access controls, including “business-related need to know” restrictions, are in place and kept up-to-date;
5. personal and personal health information is appropriately updated and accurate, having regard to the purpose of such information;
6. personal and personal health information is destroyed or made anonymous when it is reasonable to conclude that it is no longer required for any of the purposes for which it was collected. This means having Centre record retention standards and following them;
7. contracts with third parties for processing, using or storing personal and personal health information contain appropriate clauses guaranteeing that the third party will comply with privacy legislation, safeguard the information, and will only use the information provided for the contractual purposes. Similar privacy clauses should also be included in any agreement that the third party has with sub-contractors they may engage to conduct work on their behalf for LifeMark Health;
8. contracts with third parties who provide us with personal and personal health information include appropriate clauses asserting that they have obtained the required consents from their staff;
9. appropriate resources have been assigned to retrieve information requested by an individual.

Corporate management and Clinic Directors are also responsible for ensuring all LifeMark Health Personnel within their centres have received appropriate training and support to understand and comply with LifeMark Health’s Privacy Policy Statement and applicable privacy laws.

Each LifeMark Health Centre is responsible for ensuring that appropriate safeguards are in place for physical security of personal and personal health information stored in offsite archive facilities and for ensuring that such personal and personal health information is appropriately destroyed within a reasonable time following the destruction date established by the document owner.

Information Services is responsible for ensuring that appropriate safeguards are in place to protect the personal and personal health information stored electronically, and for ensuring that all LifeMark Health Personnel are sufficiently familiar with the availability and application of such safeguards to make appropriate use of them in complying with the Privacy Policy Statement.

If required, LifeMark Health will engage legal counsel to provide legal advice and support in relation to matters arising out of LifeMark Health’s Privacy Policy Statement or privacy legislation.

All LifeMark Health Personnel are individually responsible for the personal and personal health information about others that they collect, use, retain or disclose, in the course of performing their duties for LifeMark Health, and ensuring that their activities with respect to that information are carried out only in accordance with LifeMark Health’s Privacy Policy Statement.

D. IDENTIFYING PURPOSE, OBTAINING CONSENT AND WITHDRAWING CONSENT

Before collecting information about individuals, we must explain the purpose for collection. In other words, what we intend to do with it – how we intend to use it. Consent forms or verbal explanations should contain sufficient information about the use of such information. ‘Sufficient’ means that an ordinary person should be able to make the link between the data requested and its relationship with the process.

Where an individual’s consent is required, it must constitute informed consent. This means that the individual must understand why the information is being collected, and how we intend to use the information. Therefore, the person collecting consent must be sufficiently knowledgeable to explain the processes.

The consent may be either implicit (for example, if we ask for information for a specific purpose, and the information is then provided, that would generally constitute implied consent) or explicit, depending on the circumstances. Explicit consent may be obtained either in writing or verbally. Where verbal consent is obtained, however, the verbal consent must be recorded by those who collected it, and retained in a relevant file for future reference, along with a summary of the information provided to the individual to ensure the individual’s verbal consent was given on an informed basis

Where the collection, use and/or disclosure of sensitive personal or personal health information are concerned (for example, medical information, or personal financial information such as salary), the consent must be explicit. Guidance on the classification of data by level of sensitivity can be obtained from a Clinic Director or from the Chief Privacy Officer.

In some cases, consent is not required [see exceptions section below].

Explicit Consent Collection Processes

LifeMark Health Personnel who are responsible for obtaining consent need to be familiar with the type of information collected and how it is used, in order to be able to explain and answer questions from the individual. The following are some examples of some of the more common situations requiring consent.

Employee consent

• HR gathers a broad range of consent from employees when they start at the company.
• Appropriate Company representatives obtain consent for publication of photographs in company publications and on the web site.
• Medical professionals obtain written consent for medical information gathering.

Independent Consultants, Consulting Firms and Third Party Contractors

• LifeMark Health obtains consent from consultants and contractors pertaining to the collection, use and disclosure of personal and personal health information where appropriate. Standard contract clauses requiring compliance with privacy legislation must be included in contracts and professional service agreements to ensure that this requirement is met. In the case of contractors employed by a third party, such as a temporary agency, LifeMark Health requires the contractor’s employer to obtain consent.

Implied Consent Collection Processes

Resumes

• Individuals providing their resumes are deemed to consent for the Company to use it for employment and contracting purposes. This statement is present on LifeMark Health’s web site. LifeMark Health’s practice is to retain and possibly use resumes for 6 months after receipt. In order to circulate or use the resume information of an unsuccessful candidate, their consent is required. LifeMark Health implements practices to ensure this obligation is met.

External Web Site Users

• LifeMark Health provides information on its external web site about the information collected when a user accesses a LifeMark Health web page. Users of LifeMark Health’s web site are deemed to consent to the collection and use of such information for the purpose of monitoring web site activity.

Exceptions

Some external parties, such as law enforcement agencies, have a lawful or investigative need to collect, use and disclose personal information without having to obtain the consent of the concerned individuals. For these reasons, certain exemptions to the consent standard are allowed, if:

• the collection is clearly in the interests of the individual and consent cannot be obtained in a timely way;
• it is reasonable to expect that the collection, with the knowledge or consent of the individual, would compromise the availability or accuracy of the information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province; or
• the information is publicly available.

LifeMark Health should not make consent a condition for supplying a product or service, unless the information requested is required to fulfill an explicitly specified and legitimate purpose. For example:

• you may refuse to sell a product on credit if the customer refuses to allow you to collect information about their credit worthiness, but you cannot refuse to sell to them on credit if they refuse to provide their driver’s license number.
• In the same example, if your consent form indicates that you will use their information to evaluate credit-worthiness, invoice and collect sales, provide customer services, and send marketing and promotional material, the individual may choose to withhold consent on the marketing and promotional functions, since it is not specifically related to the sales transaction. The Clinic Director will then need to have processes to separate those who did not consent from those who did.

Withdrawing consent

Individuals have the right to withdraw their consent to the collection, use or disclosure of personal or personal health information in whole or in part, at any time upon providing reasonable written notice to the Clinic Director of the Centre they are attending. The Clinic Director is responsible for informing the individual of any potential consequences that may result from the withdrawal of their consent, prior to making such a decision (for example it may limit the ability of LifeMark Health to provide the individual with assessment, treatment or other services).

If an individual withdraws their consent it is not retroactive and does not apply to personal and personal health information already collected, used or disclosed by LifeMark Health.

Clinic Directors are required to notify the Chief Privacy Officer if individuals withdraw their consent, in whole or in part, so that any files related to the individuals and held at another location or centrally can be flagged to indicate withdrawal of their consent.

E.COLLECTING AND USING PERSONAL AND PERSONAL HEALTH INFORMATION

Personal and personal health information may only be collected if it relates to LifeMark Health programs or business activities, if the information is reasonably necessary for the carrying out of such programs or activities, and if appropriate consent has been obtained [see above].

Personal and personal health information may only be used for the purpose for which it was collected and access to such information must be restricted to those who have a need for access in order to administer LifeMark Health programs or business activities. The only exceptions will be where the individual consents otherwise or where it is required by law [see list below]. All individuals authorized to access personal and personal health information are required to maintain confidentiality of the information in accordance with the Privacy Policy Statement.

The Company may use personal and personal health information without the knowledge and consent of an individual only:

• if we have reasonable grounds to believe the information could be useful when investigating a contravention of a federal, provincial or foreign law and the information is used for that investigation;
• for an emergency that threatens an individual’s life, health or security; or
• if it is publicly available.

F. DISCLOSURE OF PERSONAL AND PERSONAL HELATH INFORMATION

Personal and personal health information concerning an individual may only be disclosed to others when the purpose for the disclosure is consistent with the purpose for which the information was collected. This means disclosed internally when there is a business-related need to know, and externally if it is given to our third party service providers to assist us in carrying out LifeMark Health programs or business activities or a third party representing the individual client providing that third party provides evidence of consent by the individual client.

Exceptions

1. For the purposes of a business transaction between two or more organizations [mergers and acquisitions or joint ventures for example], the parties to the transaction may collect, use or disclose employee information without the consent of the individual, under certain circumstances. LifeMark Health ensures that standard clauses are created to ensure LifeMark Health practices are compliant with the law.
2. The law allows LifeMark Health to disclose personal information without the individual’s knowledge and consent only:
   • To a lawyer representing LifeMark Health
   • To collect a debt the individual owes to LifeMark Health
   • To comply with a subpoena, warrant or an order made by a court or other body with appropriate jurisdiction
   • To a government institution that has requested the information, identified its lawful authority and indicates that disclosure is for the purpose of enforcing, carrying out an investigation, or gathering intelligence relating to any federal, provincial or foreign law, or suspects that the information relates to national security or the conduct of international affairs, or is for the purpose of administering any federal or provincial law. [For example – when a regulatory agency requires information in the filings or permit process.]
   • In an emergency threatening an individual’s life, health or security [the Company must then inform the individual of the disclosure]
   • 20 years after the individual’s death or 100 years after the record was created
   • if it is publicly available
   • if required by law.

Other exceptions require the approval of the CPO.

Transmission / Sharing of Personal and Personal Health Information

Extreme care must be taken when transmitting personal and personal health information internally or externally to ensure that

• the persons who have requested the information and those to whom you are sending it have been authenticated, and
• the method of transmission (whether by telephone, mail, fax, electronically or otherwise) is appropriate to protect the confidentiality of the information in light of its sensitivity.

If mailed, the information should be enclosed in a securely sealed envelope and stamped “Private and Confidential”. In all instances, the name of the intended recipient must be clearly identified. There are also email flags that can be used to denote personal or confidential information in email communications. Because of the ease with which email is transmitted, and issues relating to control over storage of multiple copies of email, the use of email to transmit personal and personal health information is discouraged where a reasonable alternative method is available.

G. RETENTION AND DISPOSAL OF PERSONAL AND PERSONAL HEALTH INFORMATION

Retention and disposal of personal and personal health information will be in accordance with LifeMark Health’s Records Management Policy and any related retention schedules established by each LifeMark Health Centre. In keeping with these schedules, personal and personal health information no longer required to fulfill the purposes for which it was collected should be destroyed, erased, or made anonymous.

To support more secure and easier access to personal and personal health information, more centralized filing systems will be developed internally as managers evaluate their processes in response to the privacy principles. Employee information is one example.

Care must be used in the disposal or destruction of personal and personal health information to prevent unauthorized parties from gaining access to the information. When disposal of hard copy information is authorized, shredding must be used to maintain confidentiality.

H. ACCURACY – UPDATING PERSONAL AND PERSONAL HEALTH INFORMATION

Personal and personal health information must be updated as required to fulfill the purposes for which it was collected. The Company minimizes the possibility of using incorrect information when making a decision about the individual, or when disclosing information to third parties.

I. PROTECTION OF PERSONAL AND PERSONAL HEALTH INFORMATION

LifeMark Health relies on protection principles outlined in standard practices to protect electronically stored personal and personal health information. Physical security should be managed through facility security, records management practices and individual discretion, based on the sensitivity of the information. When developing safeguards for personal and personal health information, consider loss, theft, alteration, unauthorized access, copying, or use.

If an incident occurs where personal or personal health information is inadvertently disclosed, lost, corrupted, or transmitted contrary to company standards, LifeMark Health Personnel are required to contact the Chief Privacy Officer immediately to report the incident.

J. OPEN AND TRANSPARENT PRACTICES

LifeMark Health will inform customers, employees and other individuals about the Privacy Policy Statement and practices on LifeMark Health’s public web sites and intranet sites. LifeMark Health will also publish the contact information of the Chief Privacy Officer. Various brochures, standards and other documents have been prepared to support information sharing and access, with internal and external stakeholders.

K. AN INDIVIDUAL’S ACCESS TO THEIR PERSONAL AND PERSONAL HEALTH INFORMATION

Any individual has the right to request access to their information, and under federal law we must provide that access within 30 days [see exceptions below]. The CPO may request an extension for an additional 30 days. Access to the specified information is given by allowing an individual to view LifeMark Health’s documentation, or by providing them with a reproduced copy of the information. Under no circumstances will documents that are the property of LifeMark Health be given to the individual requesting access.

Requests for access may be made verbally or may be written. Both must be honored.

Sometimes, a request is made for a specific document(s) that is relatively simple to provide. In cases where a centre or department is already responsible for managing relations with that individual and for handling correspondence, management may choose to undertake the task, but must call the CPO to log the request.

Documents or files provided to an individual must be reviewed first to ensure that no personal or personal health information about another individual is disclosed in the documents. If so, that information must be masked, or made anonymous before the person making the request views the document. Personal or personal health information that an individual has requested access to cannot be removed or destroyed under any circumstances.

LifeMark Health has the right to charge an individual a reasonable amount to recover the cost of producing and delivering documents requested by an individual. The Clinic Directors in cooperation with the CPO will be responsible for assessing related costs based on compliance with relevant Privacy legislation and determining the reasonability of charging the individual. If the Company plans to charge, the individual must be informed, and the individual must accept the charge, before the documents are produced.

If an individual has a complaint about LifeMark Health’s collection, use, disclosure and destruction processes, or LifeMark Health’s response to a request for access, they should follow the process in the Complaint Process section of this document.

Exceptions

Access shall be subject to any prohibitions, exceptions or exemptions in applicable privacy laws. If access is denied, then the requesting individual shall be informed in writing of the reason for the denial.

LifeMark Health must refuse access to personal and personal health information the Company has disclosed to a government institution for law enforcement or national security reasons. For example: investigation files. In some cases, the fact that such information was disclosed must also be withheld. Please consult the Chief Privacy Officer if in doubt.

It is also LifeMark Health's policy to refuse access, as permitted under applicable law, if:

• the information falls under solicitor/client privilege
• the information contains confidential commercial information
• disclosure could harm an individual’s life, health or security
• it was collected to investigate a breach of an agreement or contravention of a law
• it was generated in the course of a formal dispute resolution process,

unless the Chief Privacy Officer specifically authorizes access to any of the foregoing.

L. COMPLAINT PROCESS

Individuals whose personal and personal health information has been collected, used, disclosed and/or disposed of by LifeMark Health may make complaints about LifeMark Health’s policies or practices relating to the handling of their personal and personal health information. A complaint may be made in writing to the Chief Privacy Officer, specifying the nature of the complaint.

In the case of a complaint, the CPO will undertake an investigation. The CPO shall provide a written response to the complainant outlining the results of the investigation and the actions, if any, taken or to be taken by LifeMark Health in respect of the complaint.

Individuals may also make a complaint to the Federal Privacy Commissioner or applicable provincial counterpart. LifeMark Health Personnel receiving notice of such a complaint must immediately inform the CPO, who will handle the complaint process and the relationship with the Privacy Commissioner’s Office. LifeMark Health will cooperate fully with any audit or investigation initiated by the Commissioner.

LifeMark Health will not penalize, sanction nor discriminate against any individual who has made a complaint or inquiry.

M. THIRD PARTY SERVICE PROVIDERS

From time to time, LifeMark Health retains third party service providers to assist LifeMark Health in administering its programs or conducting its business. For example: service providers that keep records relating to our employee insurance and benefit plans. In some cases, in order to perform the services, LifeMark Health must disclose personal and personal health information about our employees or customers. LifeMark Health Personnel entering into these contracts with third party service providers shall ensure that:

• use of the personal and personal health information by the third party service provider is limited to the purposes specified to fulfill the contract;
• all use of the personal and personal health information shall be in accordance with the Privacy Policy and applicable privacy laws;
• the third party service provider refers to any individuals looking for access to their personal and personal health information to LifeMark Health;
• the third party service provider uses appropriate safeguards to protect the personal and personal health information
• the personal and personal health information is destroyed or returned to LifeMark Health upon termination or completion of the contract; and
• LifeMark Health has the right to audit the third party service provider’s compliance with the contract.

N. CONTACTS