TELUS Business Customer Privacy Policy
Version #2 - May 9, 2024
Introduction
This TELUS Business Customer Privacy Policy (this “Privacy Policy”) outlines how TELUS protects the Personal Information entrusted to TELUS by our Customers. TELUS Health Business Customers are covered by a separate Business Privacy Policy. See the TELUS Health and Payment Solutions Business Privacy Policy.
TELUS Communications Inc. (“TELUS”) is in the business of providing a wide range of communications products and services, including wireless, data, internet protocol, voice, television, entertainment, video and business security. We have a direct relationship with many individual consumers, and we are also a service provider to our Customers. We recognize that an important part of our Customers’ operations is to ensure that their End-users’ privacy is protected. Core to our commitment to “putting customers first” is ensuring that the Personal Information our Customers entrust to TELUS is safeguarded and that the privacy of our Customers’ End-users is respected.
TELUS’ privacy management practices are developed in accordance with applicable Canadian privacy legislation (including, but not limited to, the Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar Canadian provincial privacy legislation), as well as with our contractual commitments. TELUS’ privacy practices are also designed to assist our Customers with their own privacy compliance requirements, including with the European Union’s General Data Protection Regulation (GDPR). While TELUS relies on our Customers to ensure that they have obtained all necessary consents or otherwise have all necessary authority for the processing of Customer and End-user Personal Information, our commitment to TELUS Customers is that we will work with them to protect privacy in all relevant service offerings.
This Privacy Policy should be read alongside any contract that a Customer enters into with TELUS. In the event of a conflict between this Privacy Policy and any contract, the contract will take precedence.
Definitions
For the purpose of this Privacy Policy:
Personal Information means information about an identifiable individual in any format but excludes Business Contact Information (except where such information is regulated by applicable privacy legislation). For greater certainty, personal information does not include anonymized, de-identified or aggregated information that cannot reasonably be associated with a specific individual.
Business Contact Information means the name, title, business address (including business email address), business telephone or fax numbers of an employee of an organization that is collected, used or disclosed for the purpose of communicating with the individual in relation to their employment, business or profession.
Customer means a customer of TELUS who is a business, enterprise, or other organization but is not an individual consumer contracting directly with TELUS.
Customer Personal Information means Personal Information provided to TELUS by, or collected by TELUS on behalf of, the Customer in order to provide services to the Customer and may include Personal Information of Customer’s End-users.
End-user means a customer, client, contractor or employee of a Customer where the use of TELUS services is not being provided under an individual consumer agreement with TELUS.
Scope and application
This Privacy Policy applies to any Customer of TELUS that is a business, enterprise, or other organization but is not an individual consumer contracting directly with TELUS. Our commitments to TELUS’ individual consumers are set out in the TELUS Privacy Commitment.
This Privacy Policy applies to Customer Personal Information in TELUS’ possession or custody for the purposes of providing services on behalf of any Customer. It includes Customer Personal Information that is in the possession of service providers who have been contracted to provide services on TELUS’ behalf.
All TELUS employees, contractors and agents with access to Customer Personal Information are required to treat Customer Personal Information in accordance with this Privacy Policy.
Accountability
Our Accountability Commitment
As a service provider, TELUS is responsible for Customer Personal Information in TELUS’ possession or custody, including information that has been transferred for processing by TELUS to our service providers or a third party in the course of providing services to our Customers.
Executive Responsibility
Protecting privacy is an integral part of our services. All members of TELUS’ Executive team have a responsibility to enable and oversee operational compliance with TELUS’ privacy policies and procedures within their own areas of responsibility, ensuring all business units are properly aware of, and are resourced to meet our privacy obligations.
Employee Accountability
As a core commitment of TELUS, all members of the TELUS team undergo mandatory annual privacy training to ensure their continued awareness of and compliance with applicable laws and our policies, including this Privacy Policy. We recognize that all employees play a role in earning and maintaining Customer trust and we undertake ongoing privacy awareness activities to create a culture of privacy at TELUS.
Our Data & Trust Office
TELUS has appointed a Chief Data & Trust Officer to oversee the TELUS Data & Trust Office. The Office is responsible for maintaining an accountable privacy management program specifically designed to protect the privacy of our Customers’ End-users, and for setting policies and procedures to earn and maintain our Customers’ trust in our data handling practices.
The key components of TELUS’ privacy program are set out in our Privacy Management Program Framework. The Framework sets out our commitments to protecting privacy in a manner consistent with this Privacy Policy. The Framework also sets out some of the ways in which we have operationalized those commitments and the organizational structure we have implemented to do so. Finally, we have embraced the seven foundational principles of Privacy by Design, striving to embed these privacy enhancing principles into our product and service development processes.
Consent
As TELUS does not have a direct relationship with the End-users of our Customers, TELUS relies on and requires Customers to ensure that they have obtained all necessary consents from such End-users, provided all necessary notices to End-Users, and otherwise have all necessary authority to permit the collection, use or disclosure of Customer Personal Information by and between the Customer and TELUS.
Collection and use
We are transparent with our Customers about the purposes for which we collect and use Customer Personal Information. TELUS receives Customer Personal Information from our Customers and collects Customer Personal Information from other entities or individuals on behalf of those Customers. We limit the collection of Customer Personal Information to that which is necessary to fulfil the purposes identified herein or in the contract with the Customer. TELUS requires Customers to restrict their sharing of Customer Personal Information with TELUS to solely information that is lawfully obtained and necessary and sufficient for the purposes identified in this Privacy Policy and any contract entered into between TELUS and the Customer.
Subject to this Privacy Policy and the terms and conditions of the contract with the Customer, TELUS collects and uses Customer Personal Information for the following purposes:
- To establish and maintain a responsible commercial relationship with Customers and to provide ongoing service;
- To understand Customer and End-user needs and preferences;
- To develop, enhance, promote or provide products and services to our Customers;
- To manage and develop our business and operations, including the diagnosis of technical problems or for improved functionality, and to maintain and enhance safety and security for our Customers;
- To meet contractual, legal, and regulatory requirements;
- To investigate and resolve incidents, and End-user and Customer complaints or disputes; and
- For the provision of products and services on behalf of Customers (in compliance with contractual obligations), including for billing purposes.
If you use a TELUS mobile application (app), we collect information that is reasonably necessary to authenticate you and provide the service.
If a feature in a TELUS app, such as the TELUS Smart Building or TELUS Secure Business, requires access to your location, camera, image and audio information, calendar, contacts, device ID including phone number, app interactions or other information from your device to provide the services you have requested such as building management or arming / disarming building alarm systems, you will be prompted with a notice to enable and/or disable the access to and sharing of this information. Data, such as location data, may be continuously collected in the background once you enable the app to provide the service you requested. By authorizing access to this data or continuing to use the app you agree to the use of your personal information as described in the notice.
TELUS does not use Customer Personal Information for purposes other than as set out in this Privacy Policy and in the terms and conditions of the contract with the Customer, except as may otherwise be required or permitted by applicable law.
Disclosures and transfers for processing
TELUS discloses Customer Personal Information only as required or permitted pursuant to the terms and conditions of the contract with the Customer or as otherwise required or permitted by applicable law. TELUS may transfer Customer Personal Information for processing to a service provider who has been contracted to provide services on TELUS’ behalf.
Unless otherwise set out in the Customer contract, Customer Personal Information may be stored, transferred, viewed, accessed, processed, handled or otherwise used from outside Canada by TELUS or our service providers. Such information is protected with appropriate security safeguards, but may be available to foreign government agencies under applicable law. In particular, Customer Personal Information may be stored in the cloud, which may include transfers of data outside of Canada.
When roaming outside of Canada, the storage, treatment and transfer of Customer Personal Information and data may be subject to laws or regulations different from those in Canada.
Retention
TELUS has a policy respecting records retention and an associated retention schedule and will keep Customer Personal Information only as long as it remains necessary or relevant for the identified purposes and in order for TELUS to perform the services or in accordance with the terms and conditions of the contract with the Customer, unless otherwise required to meet legal or regulatory requirements. After such time, TELUS will return or destroy Customer Personal Information in accordance with the terms and conditions of the contract with the Customer.
Accuracy
TELUS relies on our Customers to ensure the initial and ongoing accuracy and completeness of the Customer Personal Information that has been provided to TELUS for the identified purposes and in order for TELUS to perform the services.
Safeguards
TELUS maintains an information security governance program to protect Customer Personal Information.
TELUS, in compliance with our security policy and data centre security standard, employs security measures appropriate to the sensitivity of the information in an effort to protect Customer Personal Information against such risks as loss or theft, unauthorized access, disclosure, copying, use, modification or destruction.
To the extent practical and applicable in the context of the services, TELUS implements, maintains, updates and monitors the following technical, administrative and organizational measures to help protect the security, integrity, availability and confidentiality of Personal Information:
Technical Safeguards:
- Implementing a Secure by Design methodology in our work processes, where applicable.
- Restricting and securing access to TELUS’ applications, operating systems and network platforms through the use of access controls, unique username and passwords and two factor authentication, thereby ensuring access only to authorized TELUS representatives.
- Protecting data through networking and web application firewalls, as well as intrusion detection and intrusion prevention systems.
- Employing technologies such as tokenization, de-identification, industry-standard encryption for data at rest and in transit and other mechanisms to protect Personal Information, as applicable.
- Utilizing endpoint security software that scans sensitive application files and file systems for malware and taking appropriate action in response.
- Monitoring networks and applications for security incidents and regularly testing incident response plans.
- Maintaining a business continuity and contingency plan applicable to our operations, reviewed and updated annually to address any material deficiencies.
- Regularly testing our safeguards and our overall security program.
Administrative Safeguards:
- Developing a governance structure that promotes and values privacy and that enables TELUS team members to make the right decisions about how to respect privacy when handling Customer Personal Information.
- Requiring secure disposal of any media containing Customer Personal Information.
- Prohibiting the use of Customer Personal Information in non-production or demonstration environments except with the express consent of the Customer or as otherwise required or permitted by law.
- Limiting access to Customer Personal Information to a need-to-know basis and applying the principles of least privilege and role-based access control.
- Identifying and assessing reasonably foreseeable risks to the integrity, confidentiality or availability of Customer Personal Information that we hold and taking reasonable steps to mitigate those risks through the implementation of safeguards.
- Collecting, using and disclosing Customer Personal Information to fulfill the Services purchased by the Customer and as requested or instructed by the Customer.
- Requiring all TELUS employees and subcontractors to:
  - put privacy first when handling Customer Personal Information;
  - receive mandatory training that outlines their obligations to protect Customer privacy;
  - learn about TELUS’ Privacy Management Program, which documents TELUS’ key commitments to protecting the privacy of TELUS customers, and sets out some of the ways that TELUS has operationalized those commitments and the organizational structure TELUS has implemented in order to do so;
  - comply with TELUS’ corporate security policies that address authorization, access control, privileges, monitoring, terminating and revoking access to TELUS’ applications and associated IT infrastructure and network platforms; and
  - sign employment agreements that include contractual provisions for the safeguarding and proper usage of confidential information (including Customer Personal Information) accessible to our employees in the course of their employment, and taking appropriate disciplinary measures where necessary.
- Protecting Customer Personal Information shared with service providers by employing contractual or other means in an effort to ensure that any such service provider will provide a comparable level of protection while Customer Personal Information is being processed by that service provider.
Physical Safeguards:
- TELUS’ facilities are secured and meet industry standards and certifications.
- Access to high-security areas is restricted and TELUS representatives wear badges and must either scan the badge or enter access codes for entry.
- Visitors must register prior to entry and/or be escorted at all times when at TELUS production data centres and facilities.
- These data centres are housed in non-descript facilities with access strictly controlled both at the perimeter and at building ingress points by professional security staff using video surveillance, intrusion detection systems, and other electronic means.
- TELUS data centres employ automatic fire detection and suppression equipment that utilizes smoke detection sensors in all data centre environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms.
- The data centre electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week.
- Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centres use generators to provide back-up power for the entire facility.
- Data centres are conditioned to maintain atmospheric conditions at optimal levels. TELUS representatives and systems monitor and control temperature and humidity at appropriate levels.
Openness concerning policies and practices
TELUS strives to make information about our policies and practices accessible and easy to understand. This Privacy Policy is available on our privacy page at https://www.telus.com/en/about/privacy.
Individual access
Unless we specifically contract to do so as part of the provision of services to a Customer, TELUS will not generally respond directly to access or correction requests or inquiries of our Customers’ End-users. We will instead make reasonable efforts to direct inquiries and requests made by End-users to the appropriate Customer.
Incident management
TELUS has established practices and procedures for incident readiness and response designed to identify the cause, extent and nature of an incident involving Customer Personal Information and to allow timely reporting to the Customer in accordance with our contractual terms. Except as described below, the Customer is generally responsible for managing security incidents with its End Users. TELUS will provide reasonable and timely assistance to our Customers to investigate and assist Customers with respect to their obligations, if any, to notify affected individuals (including End Users) and/or report the incident to regulatory authorities or other parties.
In the case of an incident resulting from a breach of TELUS’ security safeguards that affects the data of a Customer’s End-user to whom the service is provided directly by TELUS, TELUS will have sole responsibility for any obligation to notify affected End Users and/or report the incident to regulatory authorities or other parties. We will rely on the Customer to provide reasonable and timely assistance to TELUS with respect to investigation and fulfilling its obligations.
Contacting us
Inquiries or complaints about the manner in which TELUS or our service providers treat Customer Personal Information can be forwarded on a confidential basis to our Chief Data & Trust Officer.
TELUS maintains procedures for addressing and responding to all inquiries or complaints about TELUS’ handling of Personal Information.
TELUS will investigate all complaints concerning compliance with this Privacy Policy. If a complaint is found to be justified, TELUS will take appropriate measures to resolve the complaint including, if necessary, amending our policies and procedures.