TELUS Communications Inc. (“TELUS”) is in the business of providing a wide range of communications products and services, including wireless, data, internet protocol, voice, television, entertainment, video and business security. We have a direct relationship with many individual consumers, and we are also a service provider to our Customers. We recognize that an important part of our Customers’ operations is to ensure that their End-user’s privacy is protected. Core to our commitment to “putting customers first” is ensuring that the Personal Information our Customers entrust to TELUS is safeguarded and that the privacy of our Customers’ End-users is respected.
TELUS’ privacy management practices are developed in accordance with applicable Canadian privacy legislation, (including, but not limited to the Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar Canadian provincial privacy legislation), as well as with our contractual commitments. TELUS’ privacy practices are also designed to assist our Customers with their own privacy compliance requirements, including with the European Union’s General Data Protection Regulation (GDPR). While TELUS relies on our Customers to ensure that they have obtained all necessary consents or otherwise have all necessary authority for the processing of Customer and End-user Personal Information, our commitment to TELUS Customers is that we will work with them to protect privacy in all relevant service offerings.
Personal Information means information about an identifiable individual in any format but excludes Business Contact Information (except where such information is regulated by applicable privacy legislation). For greater certainty, personal information does not include anonymized, de-identified or aggregated information that cannot reasonably be associated with a specific individual.
Business Contact Information means the name, title, business address (including business email address), business telephone or fax numbers of an employee of an organization that is collected, used or disclosed for the purpose of communicating with the individual in relation to their employment, business or profession.
Customer means a customer of TELUS who is a business, enterprise, or other organization but is not an individual consumer contracting directly with TELUS.
Customer Personal Information means Personal Information provided to TELUS by, or collected by TELUS on behalf of, the Customer in order to provide services to the Customer and may include Personal Information of Customer’s End-users.
End-user means a customer, client, contractor or employee of a Customer where the use of TELUS services is not being provided under an individual consumer agreement with TELUS.
Scope and application
Our Accountability Commitment
As a service provider, TELUS is responsible for Customer Personal Information in TELUS’ possession or custody, including information that has been transferred for processing by TELUS to our service providers or a third party in the course of providing services to our Customers.
Protecting privacy is an integral part of our services. All members of TELUS’ Executive team have a responsibility to enable and oversee operational compliance with TELUS’ privacy policies and procedures within their own areas of responsibility, ensuring all business units are properly aware of, and are resourced to meet our privacy obligations
Our Data & Trust Office
TELUS has appointed a Chief Data & Trust Officer to oversee the TELUS Data & Trust Office. The Office is responsible for maintaining an accountable privacy management program specifically designed to protect the privacy of our Customers’ End-users, and for setting policies and procedures to earn and maintain our Customers’ trust in our data handling practices.
Finally, we have embraced the seven foundational principles of Privacy by Design, striving to embed these privacy enhancing principles into our product and service development processes.
As TELUS does not have a direct relationship with the End-users of our Customers, TELUS relies on and requires Customers to ensure that they have obtained all necessary consents from such End-users, provided all necessary notices to End-Users, and otherwise have all necessary authority to permit the collection, use or disclosure of Customer Personal Information by and between the Customer and TELUS.
Collection and use
To establish and maintain a responsible commercial relationship with Customers and to provide ongoing service;
To understand Customer and End-user needs and preferences;
To develop, enhance, promote or provide products and services to our Customers;
To manage and develop our business and operations, including the diagnosis of technical problems or for improved functionality, and to maintain and enhance safety and security for our Customers;
To meet contractual, legal, and regulatory requirements;
To investigate and resolve incidents, and End-user and Customer complaints or disputes; and
For the provision of products and services on behalf of Customers (in compliance with contractual obligations), including for billing purposes.
Disclosures and transfers for processing
TELUS discloses Customer Personal Information only as required or permitted pursuant to the terms and conditions of the contract with the Customer or as otherwise required or permitted by applicable law. TELUS may transfer Customer Personal Information for processing to a service provider who has been contracted to provide services on TELUS’ behalf.
Unless otherwise set out in the Customer contract, Customer Personal Information may be stored, transferred, viewed, accessed, processed, handled or otherwise used from outside Canada by TELUS or our service providers. Such information is protected with appropriate security safeguards, but may be available to foreign government agencies under applicable law. In particular, Customer Personal Information may be stored in the cloud, which may include transfers of data outside of Canada.
When roaming outside of Canada, the storage, treatment and transfer of Customer Personal Information and data may be subject to laws or regulations different from those in Canada.
TELUS has a policy respecting records retention and an associated retention schedule and will keep Customer Personal Information only as long as it remains necessary or relevant for the identified purposes and in order for TELUS to perform the services or in accordance with the terms and conditions of the contract with the Customer, unless otherwise required to meet legal or regulatory requirements. After such time, TELUS will return or destroy Customer Personal Information in accordance with the terms and conditions of the contract with the Customer.
TELUS relies on our Customers to ensure the initial and ongoing accuracy and completeness of the Customer Personal Information that has been provided to TELUS for the identified purposes and in order for TELUS to perform the services.
TELUS maintains an information security governance program to protect Customer Personal Information.
TELUS, in compliance with our security policy and data centre security standard, employs security measures appropriate to the sensitivity of the information in an effort to protect Customer Personal Information against such risks as loss or theft, unauthorized access, disclosure, copying, use, modification or destruction.
To the extent practical and applicable in the context of the services, TELUS implements, maintains, updates and monitors the following technical, administrative and organizational measures to help protect the security, integrity, availability and confidentiality of Personal Information:
Implementing a Secure by Design methodology in our work processes, where applicable.
Restricting and securing access to TELUS’ applications, operating systems and network platforms through the use of access controls, unique username and passwords and two factor authentication, thereby ensuring access only to authorized TELUS representatives.
Protecting data through networking and web application firewalls, as well as intrusion detection and intrusion prevention systems.
Employing technologies such as tokenization, de-identification, industry-standard encryption for data at rest and in transit and other mechanisms to protect Personal Information, as applicable.
Utilizing endpoint security software that scans sensitive application files and file systems for malware and taking appropriate action in response.
Monitoring networks and applications for security incidents and regularly testing incident response plans.
Maintaining a business continuity and contingency plan applicable to our operations, reviewed and updated annually to address any material deficiencies.
Regularly testing our safeguards and our overall security program.
Developing a governance structure that promotes and values privacy and that enables TELUS team members to make the right decisions about how to respect privacy when handling Customer Personal Information.
Requiring secure disposal of any media containing Customer Personal Information.
Prohibiting the use of Customer Personal Information in non-production or demonstration environments except with the express consent of the Customer or as otherwise required or permitted by law.
Limiting access to Customer Personal Information to a need-to-know basis and applying the principles of least privilege and role-based access control.
Identifying and assessing reasonably foreseeable risks to the integrity, confidentiality or availability of Customer Personal Information that we hold and taking reasonable steps to mitigate those risks through the implementation of safeguards.
Collecting, using and disclosing Customer Personal Information to fulfill the Services purchased by the Customer and as requested or instructed by the Customer.
Requiring all TELUS employees and subcontractors to:
put privacy first when handling Customer Personal Information;
receive mandatory training that outlines their obligations to protect Customer privacy;
learn about TELUS’ Privacy Management Program, which documents TELUS’ key commitments to protecting the privacy of TELUS customers, and sets out some of the ways that TELUS has operationalized those commitments and the organizational structure TELUS has implemented in order to do so;
comply with TELUS’ corporate security policies that address authorization, access control, privileges, monitoring, terminating and revoking access to TELUS’ applications and associated IT infrastructure and network platforms; and
sign employment agreements that include contractual provisions for the safeguarding and proper usage of confidential information (including Customer Personal Information) accessible to our employees in the course of their employment, and taking appropriate disciplinary measures where necessary.
Protecting Customer Personal Information shared with service providers by employing contractual or other means in an effort to ensure that any such service provider will provide a comparable level of protection while Customer Personal Information is being processed by that service provider.
TELUS’ facilities are secured and meet industry standards and certifications.
Access to high-security areas is restricted and TELUS representatives wear badges and must either scan the badge or enter access codes for entry.
Visitors must register prior to entry and/or be escorted at all times when at TELUS production data centres and facilities.
These data centres are housed in non-descript facilities with access strictly controlled both at the perimeter and at building ingress points by professional security staff using video surveillance, intrusion detection systems, and other electronic means.
TELUS data centres employ automatic fire detection and suppression equipment that utilizes smoke detection sensors in all data centre environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms.
The data centre electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week.
Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centres use generators to provide back-up power for the entire facility.
Data centres are conditioned to maintain atmospheric conditions at optimal levels. TELUS representatives and systems monitor and control temperature and humidity at appropriate levels.
Unless we specifically contract to do so as part of the provision of services to a Customer, TELUS will not generally respond directly to access or correction requests or inquiries of our Customers’ End-users. We will instead make reasonable efforts to direct inquiries and requests made by End-users to the appropriate Customer.
TELUS has established practices and procedures for incident readiness and response designed to identify the cause, extent and nature of an incident involving Customer Personal Information and to allow timely reporting to the Customer in accordance with our contractual terms. Except as described below, the Customer is generally responsible for managing security incidents with its End Users. TELUS will provide reasonable and timely assistance to our Customers to investigate and assist Customers with respect to their obligations, if any, to notify affected individuals (including End Users) and/or report the incident to regulatory authorities or other parties.
In the case of an incident resulting from a breach of TELUS’ security safeguards that affects the data of a Customer End-user’s to whom the service is provided directly by TELUS, TELUS will have sole responsibility for any obligation to notify affected End Users and/or report the incident to regulatory authorities or other parties. We will rely on the Customer to provide reasonable and timely assistance to TELUS with respect to investigation and fulfilling its obligations.
Inquiries or complaints about the manner in which TELUS or our service providers treat Customer Personal Information can be forwarded on a confidential basis to our Chief Data & Trust Officer.
TELUS maintains procedures for addressing and responding to all inquiries or complaints about TELUS’ handling of Personal Information.