Introduction
Apotex Inc. (“Apotex”) is committed to protecting the privacy of
personal information where this type of information is collected, used
or distributed in the course of conducting commercial activities. As a
Canadian organization Apotex will be bound by both Federal and
Provincial legislation with regard to the protection of personal
information. As a global organization Apotex is also sensitive to, and
will adhere to where applicable, International laws pertaining to the
protection of personal information. This policy applies to individuals
such as: Customers, Consumers, Patients, Subjects involved in Research
Studies and employees with respect to business activities associated
with Apotex.
The definition of ‘Personal Information’ may vary, to some degree, from
one legislation to another. For the purposes of this policy, ‘personal
information’ will mean information about an identifiable individual, but
does not include the name, title or business address or telephone number
of an employee of an organization. An individual is identifiable for the
purpose of this policy if:
a) information includes his or her name;
b) information makes his or her identity obvious;
c) the information does not itself include the name of the individual or
make his or her identity obvious but is likely under the circumstances to be
combined with other information that does.
Personal information will include personal health information, comments,
opinions or employment related information.
Apotex will apply Federal and Provincial privacy laws as applicable for each
jurisdiction where Apotex operates. Only where the provincial legislation is
substantially similar to the Federal privacy laws, will the provincial laws take
precedence, or where specific concerns are not included in the Federal laws.
Apotex will take into consideration any foreign laws which apply to protecting
personal information when operating in a foreign jurisdiction. In general terms,
information collected in a foreign jurisdiction will be managed local to that
jurisdiction and accountable to the local laws which apply.
Scope
The scope of this document applies to all companies operating as part of Apotex
Inc. around the world, and to all employees who collect, use or disclose personal
information as defined by privacy legislation.
Responsibility
Each and every employee (both permanent and contract) of Apotex is responsible
for maintaining the confidentiality of all personal information to which they
have access. As a condition of employment, Apotex employees are required to
comply with all Apotex policies and to sign an employment agreement and a
confidentiality agreement binding them to this responsibility which governs
their actions.
Apotex keeps employees informed about its policies and procedures for protecting
personal information and reinforces the importance of complying with them
through ongoing communication.
The Chief Privacy Officer oversees privacy governance including policy, dispute
resolution, education, communication activities and reporting to the Executive
Committee. The Chief Privacy Officer can be contacted at Apotex Inc., 150 Signet
Drive, Weston, Ontario, M9L 1T9.
Policy
This policy applies to personal information that Apotex collects, uses or
discloses in the course of its commercial activities or in connection with its
employees.
This policy does not, however, apply with respect to the collection, use or
disclosure of the following information by Apotex:
Information that is publicly available, such as a customer’s or employee’s name,
title, address, telephone number and electronic address, when listed in a
directory or made available through directory assistance; and personal
information that Apotex collects, uses or discloses for journalistic, artistic
or literary purposes.
The application of this policy is subject to the requirements or
provisions of any applicable legislation, regulations, tariffs or agreements
or the order of any court or other lawful authority within Canada. Various
legal criteria independent of this Privacy Policy will determine whether
federal or provincial privacy legislation or case law applies to the
personal information that Apotex collects, uses or discloses in respect of
its customers or employees. This Privacy Policy does not replace those
criteria.
This policy has been modeled after the ‘Canadian Standards Association Model
Code for the Protection of Personal Information’, CAN/CSA-Q830-96 (the ‘CSA
Code’). Accordingly, the ten principles of fair information practices, as
identified by the Canadian Standards Association, have been adopted by Apotex
and represent a formal statement of the minimum requirements to be adhered to
for the protection of personal information under applicable legislation.
Key Requirements
1.0 Principle 1 - Accountability
The Chief Privacy Officer for Apotex is responsible for the personal information
under the control of Apotex and is accountable for the company’s compliance with
the procedures and principles set out in this policy.
1.1 Accountability for compliance with the policies and procedures
set out in this policy rests with the Chief Privacy Officer for Apotex Inc.,
even though other individuals within Apotex may be responsible for the
day-to-day collection and processing of personal information. The Chief
Privacy Officer may, from time to time, designate one or more individuals to
act on his or her behalf.
1.2 The contact information of the Chief Privacy Officer for
Apotex Inc. shall be made available on the Apotex Inc. website at
www.apotex.ca, and the Apotex Inc. intranet site and shall also be made
available upon request by contacting our offices at (416)-749-9300.
1.3 Apotex shall be responsible for the personal information in
its possession or custody, including personal information that has been
transferred to a third party for processing. Apotex shall use contractual or
other appropriate means to ensure a comparable level of protection while the
information is being processed by a third party.
1.4 Apotex has implemented policies and practices to give effect
to the principles and procedures set out in this policy, including:
1.4.1 Implementing procedures to protect personal information
such as the adoption of physical, organizational and technological
security measures;
1.4.2 Establishing procedures to receive and respond to
complaints and inquiries through the establishment of a confidential
e-mail address and dedicated phone line;
1.4.3 Training and communicating to staff information about the
Apotex policies and practices; and
1.4.4 Developing public information to explain the Apotex
policies and procedures.
2.0 Principle 2 Identifying Purpose
Apotex will identify the purpose for which personal information is collected at
or before the time the information is collected. The purposes for which
information is collected, used or disclosed must be those purposes for which
consent has been received from the individual whose personal information is
being collected, used or disclosed. Consent must be either expressed or implied.
In limited circumstances, consent may be implied if a reasonable person would
consider the collection, use or disclosure of personal information appropriate
in the circumstances.
2.1 Apotex will document the purposes for which personal
information is collected in order to comply with the Openness principle (See
Principle 8) and the Individual Access principle (See Principle 9).
2.2 Identifying the purposes for which personal information is
collected at or before the time of collection allows for each Apotex company
to determine the information it needs to collect to fulfill these purposes.
The Limiting Collection principle (Principle 4) requires each Apotex company
to collect only that information necessary for the purposes that have been
identified.
2.3 The identified purposes for which personal information is
collected shall be specified at or before the time of collection to the
individual from whom the personal information is collected. Depending upon
the way in which the information is collected or the nature of this
information, this shall be done orally or in writing.
2.4 When Apotex proposes to use personal information that has been
collected for a purpose not previously identified, it will identify the new
purpose before using such personal information. Unless the new purpose is
required by law, or consent is otherwise not required pursuant to privacy
legislation or common law, the consent of the individual shall be obtained
before the personal information is used for the new purpose.
2.5 Apotex employees as well as third parties responsible for
collecting personal information on behalf of Apotex will be required to
disclose to all individuals the purposes for which the personal information
is being collected from the individuals. All third parties will be required
to implement appropriate measures and privacy policies to comply with
applicable privacy laws.
2.6 The purposes for which the personal information of Apotex
employees is collected may include, but are not limited to:
a) Administering payroll and employee benefit programs;
b) Administering travel and entertainment expenses;
c) Conducting performance evaluations and discipline;
d) Providing employee training and education;
e) Conducting internal reviews, investigations and complaint resolution
processes;
f) Complying with legal and regulatory obligations.
2.7 The purposes for which the personal information of customers
is collected may include, but are not limited to:
a) Processing of commercial transactions;
b) Communicating with customers;
c) Establishing and maintaining commercial relations;
d) Developing, marketing or providing products and services;
e) Monitoring, improving or recalling products;
f) Managing and developing business opportunities;
g) Conducting investigations and complaint resolution processes;
h) Complying with legal and regulatory obligations.
Anonymous or “non-personal” information gathered by Apotex through its
web site may be used for technical, research and analytical purposes.
Information collected through surveys, existing files and public archives
may be used by Apotex to analyze its markets and to develop, enhance or
recall product and/or service offerings.
3.0 Principle 3 Consent
The knowledge and consent of the individual are required for the collection, use
or disclosure of personal information, except where consent is not required by
privacy legislation as, for example, where the collection, use or disclosure of
personal information is solely for journalistic, artistic or literary purposes.
3.1 Consent is required for the collection of personal information
and the subsequent use or disclosure of this information. Apotex will seek
consent for the use or disclosure of the information at the time of
collection. In certain circumstances, consent with respect to the use or
disclosure of personal information may be sought after the information has
been collected but before the personal information is used (for example,
when Apotex wants to use information for a purpose not previously
identified). In obtaining consent, the Apotex companies shall use reasonable
efforts to ensure that the individual is advised of the identified purposes
for which personal information will be collected, used or disclosed.
Purposes shall be stated in a manner that can be understood by a reasonable
individual.
3.2 In certain circumstances, personal information may be
collected, used or disclosed without the knowledge and consent of the
individual. These circumstances shall be in accordance with the provisions
identified in the applicable privacy laws.
3.3 Apotex will not, as a condition of the supply of a product or
service, require an individual to consent to the collection, use or
disclosure of information beyond that required to fulfill the explicitly
specified and legitimate purposes.
3.4 In obtaining consent, Apotex will take into account the
sensitivity of the personal information and the reasonable expectations of
the individual. For example:
An individual filing an application for employment with Apotex would
reasonably expect that his or her age and marital status would be used
for the purposes of administering benefit plans.
3.5 Apotex may seek consent in a variety of ways depending on the
circumstances and the type of information collected. Apotex will generally
seek express consent when the information ought reasonably to be considered
sensitive. It will rely on implied consent only where collection and use of
the personal information is directly related to a transaction or exchange of
information in which the individual is directly participating. Consent may
also be given by an authorized representative of the individual, such as a
legal guardian or a person having power of attorney.
3.6 Consent may be obtained in any one of the following ways:
a) An application form may be used to seek consent, collect
information and inform the individual of the use that will be made of
the information. By completing and signing the form in writing or
electronically, the individual is giving consent to the collection and
the specified uses.
b) Consent may be given orally when information is collected over the
telephone; or
c) Consent may be given at the time that individuals use a product or
service.
3.7 Generally, the application for or the acceptance of employment
or benefits by an employee, constitutes implied consent for Apotex to
collect, use and disclose personal information for the relevant purposes.
An individual may withdraw consent at any time, subject to legal or
contractual restrictions and reasonable notice. Apotex will inform
individuals of the implications of withdrawing consent. Customers and
employees may contact the Chief Privacy Officer for more information
regarding the implications of withdrawing consent.
4.0 Principle 4 Limiting Collection
Apotex shall limit the collection of personal information to that which is
necessary for the purposes identified by the company. Personal information shall
be collected by fair and lawful means.
4.1 Apotex will not collect personal information indiscriminately.
Both the amount and the type of information shall be limited to that which is
necessary to fulfill the purposes identified. Apotex shall specify the type
of information collected as part of its information handling policies and
practices, in accordance with the Openness principle (Principle 8).
4.2 The requirement that personal information be collected by fair
and lawful means is intended to prevent Apotex from collecting information
by misleading or deceiving individuals about the purpose for which the
information is being collected. Consent to the collection of personal
information must not be obtained through deception.
5.0 Principle 5 Limiting Use, Disclosure and Retention
Personal information shall not be used or disclosed for purposes other than
those for which it was collected, except with the consent of the individual or
as required by law. Personal information shall be retained only as long as
necessary for the fulfillment of the purposes for which it was collected.
5.1 Where Apotex intends to use personal information for a purpose
not previously identified, Apotex shall document the new purpose and shall
obtain the consent of the individual prior to using the information for the
new purpose.
5.2 Apotex may disclose the personal information of its employees:
a) To human resources, payroll, benefits, information management,
medical and security personnel;
b) To third party service providers for the purposes of administering
payroll and benefits programs or other outsourced Apotex programs;
c) To Apotex Inc. affiliates and subsidiaries;
d) To internal or external legal counsel and auditors;
e) To the management personnel of each Apotex company;
f) In the context of providing references regarding current or former
employees in response to requests from prospective employers and/or
financial institutions or credit providers;
g) To prospective parties in the context of transactional due diligence
review;
h) Where disclosure is required by law.
5.3 Apotex may disclose personal information of its customers:
a) To internal or external legal counsel and auditors;
b) To Apotex Inc. affiliates and subsidiaries;
c) To the management personnel of Apotex companies;
d) To third parties for the development, enhancement or marketing of
Apotex products or services;
e) To third parties that supply products or provide services to Apotex
customers on behalf of Apotex;
f) To an agent retained by Apotex in connection with the collection of
a customer’s account;
g) To a third party or parties, where the customer consents to such
disclosure;
h) To prospective parties in the context of a transactional due
diligence review; and
i) Where disclosure is required by law.
5.4 Except as required or permitted by law, when disclosure is
made to a party other than an Apotex company or a third party provider of
products or services, the consent of the individual shall be obtained. In
all cases, reasonable steps shall be taken by Apotex to contractually
require any such third party to implement personal information privacy
procedures and policies in compliance with applicable privacy laws.
5.5 Unless authorized by the individual, Apotex will not sell,
lease or trade the personal information of its employees or customers to
third parties.
5.6 Personal information shall be kept only as long as it remains
necessary or relevant for the purposes for which it was collected or as
required by law.
5.7 Apotex has adopted guidelines and procedures with respect to
the retention of personal information. Personal information that is no
longer necessary or relevant for the purposes for which it was collected or
required by law to be retained, shall be destroyed, erased or made anonymous
in accordance with the Apotex Document Retention and Destruction Policy.
6.0 Principle 6 Accuracy
Personal information shall be as accurate, complete and up-to-date as is
reasonably necessary for the purposes for which it is to be used.
6.1 The extent to which personal information shall be accurate,
complete and up-to-date will depend upon the use of the information, taking
into account the interests of the individual and Apotex. Personal
information used by Apotex shall be sufficiently accurate, complete, and
up-to-date to minimize the possibility that inaccurate information may be
used to make decisions about the individual.
6.2 Apotex will not, however, be obligated to routinely update
personal information, unless such a process is necessary to fulfill the
purposes for which the information was collected.
6.3 Personal information that is used on an ongoing basis, including
information that is disclosed to third parties, will generally be accurate
and up-to-date, unless limits to the requirement for accuracy are clearly
set out.
7.0 Principle 7 Safeguards
Personal information shall be protected by security safeguards appropriate to
the sensitivity of the information.
7.1 Apotex shall implement security safeguards to protect personal
information against unauthorized disclosure to third parties, loss or theft
as well as unauthorized access, disclosure, copying, use or modification,
regardless of the format in which the information is held.
7.2 The nature of the safeguards will vary depending on (i) the
sensitivity of the information that has been collected, (ii) the amount,
distribution and format of the information, and (iii) the method of storage.
7.3 Apotex has adopted measures such as locked filing cabinets and
restricted access to offices, organizational measures such as security
clearances and limiting access on a “need-to-know” basis, and technological
measures such as the use of passwords and encryption in accordance with the
Apotex Document Retention and Destruction Policy.
7.4 Apotex shall regularly communicate to all employees, identifying
among other matters the importance of maintaining personal information in
accordance with this policy.
7.5 Personal information disclosed to third parties shall be
protected by contractual agreement stipulating the confidentiality of the
information and the purposes for which it is to be used.
The disposal or destruction of personal information shall be carried out in
accordance with current Apotex policies to prevent unauthorized access to
personal information.
8.0 Principle 8 Openness
Apotex shall make readily available to its customers and employees specific
information about its policies and practices relating to the management of
personal information.
Apotex will be open about its policies and practices with respect to the
management of personal information. Customers and employees shall be able to
acquire information about the Apotex policies and practices with respect to the
management of personal information without unreasonable effort. Apotex will make
such information available through the external website and through the Apotex
intranet sites and shall include:
8.1 The name or title, and address of the Chief Privacy Officer;
8.2 The means of gaining access to one’s own personal information held
by Apotex;
8.3 A description of the type of personal information held by Apotex
including a general account of its use;
8.4 Copies of any brochures or other information that explain the
Apotex policies, standards or codes; and
8.5 A description of what personal information is made available to
Apotex Inc. affiliates and subsidiaries.
9.0 Principle 9 Individual Access
Upon request, an individual shall be informed of the existence, use and
disclosure of his or her personal information and shall be given access to that
information except where Apotex is permitted or required by law not to disclose
personal information to the individual customer or employee. An individual
customer or employee shall be able to challenge the accuracy and completeness of
the information disclosed to him or her and request to have it amended as
appropriate.
9.1 Upon request, Apotex shall inform an individual customer or
employee whether it holds personal information about that individual (except
where permitted or required by law not to disclose personal information) and
shall afford the individual a reasonable opportunity to review the personal
information in his or her file at minimal or no cost to the individual.
Apotex shall provide an account of the use that has been made or is being
made of the personal information and an account of the third parties to
which the personal information has been disclosed. Where reasonably
possible, Apotex shall indicate the source of the personal information.
9.2 In order to safeguard personal information, a customer or
employee may be required to provide sufficient identification information to
permit Apotex to account for the existence, use and disclosure of personal
information and to authorize access to the individual’s file. Any such
information shall be used only for this purpose.
9.3 Apotex will endeavor to provide a list of third parties to which
it has disclosed personal information about an individual. If this is not
possible, Apotex will provide the individual with a list of third parties to
which it may have disclosed personal information about the individual.
9.4 Apotex shall respond to an individual’s request within a
reasonable time and at minimal or no cost to the individual. The requested
information shall be provided or made available in a form that is generally
understandable. For example, if the organization uses abbreviations or codes
to record information, an explanation shall be provided.
9.5 If an individual successfully demonstrates the inaccuracy or
incompleteness of personal information, Apotex shall amend the information
as required. Depending on the nature of the information challenged,
amendment involves the correction, deletion or addition of information.
Apotex will, where appropriate, disclose the amended information to third
parties having access to the information in question in accordance with this
policy.
10.0 Principle 10 Challenging Compliance
An individual customer or employee shall be entitled to challenge compliance
with the principles in this policy in respect of his or her personal
information.
10.1 Apotex shall maintain a procedure for addressing and
responding to all inquiries or complaints from its customers and employees
about Apotex’s handling of personal information.
10.2 Apotex will post on its Intranet and relevant web sites the
existence of these procedures as well as the availability of complaint
procedures.
10.3 Apotex shall investigate all complaints concerning compliance
with this policy. If a complaint is found to be justified, Apotex shall take
appropriate measures to resolve the complaint including, if necessary,
amending its policies and procedures. A customer or employee shall be
informed of the outcome of the investigation regarding his or her complaint.
10.4 If an individual is not satisfied with the response to his or
her complaint, he or she shall contact the Chief Privacy Officer of Apotex
directly at 150 Signet Drive, Weston, Ontario, M9L 1T9 or at 416.749.9300.
Failing a satisfactory response from the Chief Privacy Officer, the
individual may have recourse to additional remedies under applicable privacy
legislation. For further information, contact the Privacy Commissioner at
www.privcom.gc.ca or call 1-800-282-1376.