SHOPPERS DRUG MART – PRIVACY CODE

It is Shoppers Drug Mart’s policy not to give, rent or sell any information that personally identifies an individual to any organization or entity without the individual’s consent.

1. Accountability

The individuals who are accountable for Shoppers’ compliance with the privacy principles are:

• Chief Privacy Officer - Executive Vice President, Legal Affairs, General Counsel & Secretary
• Privacy Officer - Legal Council
• Privacy Officer - Director, Consumer Affairs & Corporate Affairs

In each store the person responsible for that store’s compliance is:

• Associate/Licensee of that store

2. Identifying Purposes

Whenever Shoppers collects personal information about an individual, we will explain how we intend to use it. We will limit the information we collect to what we need for identified purposes and we will only use it for those purposes. We will obtain the individual’s consent if we wish to use the information for another purpose.

3. Consent

We will seek and confirm an individual’s consent to use his/her personal information at the time of collection of that information. We will endeavour to employ clear, understandable language when we obtain the individual’s consent. Consent may be expressed in writing or implied and in some cases, the individual may provide it verbally, in writing, electronically or through an authorized representative. We will imply consent where it is obvious from the information provided that we will be using that information for that purpose: for example, if an individual when presenting a prescription provides the pharmacy with the information of a health plan insurer, we may provide personal information to the health plan insurer in order to process the claim.

The choice to provide us with personal information is always the individual’s. Upon request, we will explain the individual’s options of refusing or withholding consent of the collection, use or release of his/her personal information, and we will record and respect the individual’s written choices. However, an individual’s decision to withhold particular details may limit the services we are able to offer.

4. Limiting Collection

Our collection of personal information shall be limited to that which is necessary for the purposes identified. We will not collect any personal information beyond that which is necessary.

5. Limiting Use, Disclosure & Retention

We will only use personal information for the purposes that were defined when it was collected. We will seek the individual’s consent before using the personal information for purposes beyond the scope of the original consent. Under no circumstances do we sell consumer lists or other personal information to third parties. From time to time, in the process of fulfilling our obligations and/or conducting our business, we provide the information to service providers to allow them to provide specific services to us. All service providers must undertake that they will keep all personal information confidential, only use it for the limited purposes of providing their services to us and return or destroy all personal information once they have provided the services.

We will retain the individual’s information only for the time that it is required for the purposes we described or as required by law. Once an individual’s personal information is no longer required, it will be destroyed or made anonymous.

6. Accuracy

We will make reasonable efforts to keep an individual’s information accurate and up-to-date.

7. Safeguards – Protecting Personal Information

We protect all personal information by security safeguards appropriate to the sensitivity of the information. Our computer security specialists have built security into all our computer systems. Access to personal information is limited to only those employees requiring access in the performance of their duties, to any person granted access by the individual through the consent process and to those otherwise authorized by law. We give service providers only the information necessary to perform their services and we require that they do not store, analyze or use that information for any purposes other than to carry out those services.

8. Openness

If an individual has any additional questions or concerns about privacy, we invite them to contact one of the Privacy Officers who will try to address his/her concerns.

9. Providing Individual Access

We will give an individual access to the information we retain about that individual within a reasonable timeframe, upon written request, satisfactory identification and proof of entitlement. If the individual finds any errors in the information retained by us, we urge the individual to contact us as soon as possible and we will make the appropriate corrections immediately, based on receipt of satisfactory evidence.

If for some reason the request cannot be completed, we will advise the individual in writing of the reason for refusal. The individual may challenge our decision.

10. Challenging Compliance

If an individual has been denied access by the Associate/Licensee of the store then the individual may, in writing, challenge the decision made by the Associate/Licensee to one of the Privacy Officers. An individual may challenge a decision made by one of the Privacy Officers to the Chief Privacy Officer.

Shoppers Drug Mart invites anyone to contact us with any questions or concerns that they may have regarding the privacy of their personal information given to us or this Privacy Code. We will investigate and respond to the individual’s concerns about any aspect of the handling of his/her personal information. In most cases, an issue can be resolved simply by telling us about it and discussing it. If the issue is at store level, please contact the Associate/Licensee of the business. If after contacting the Associate/Licensee individuals feel that their concerns have not been addressed satisfactorily, they may contact one of the Privacy Officers. If the issue is still not resolved satisfactorily, the individual may contact the Chief Privacy Officer.

Shoppers Drug Mart agrees to respect and observe the provisions set forth in the Personal Information Protection and Electronic Documents Act and other relevant legislation.

Any changes to this Privacy Code and our information handling practices will be reflected in this privacy code in a timely manner. We may add, modify or remove portions of this code when we feel it is appropriate to do so.

All references in this document to “Shoppers” or “Shoppers Drug Mart” refer to Shoppers Drug Mart Inc. and Pharmaprix and the businesses owned and operated by the licensees of the stores operated under the Shoppers Drug Mart or Pharmaprix trade marks. All references to “us”, “we”, or “our” refer to Shoppers Drug Mart Inc. and/or its licensees as the context requires.