Courtyard Group Privacy Code

Purpose

Courtyard Group is committed to respecting personal privacy, safeguarding confidential information and ensuring the security of personal health information handled in the course of providing consulting services and personal information it holds about its employees, consultants, sub-contractors and clients. The term “personal information” means information about an identifiable individual, including any confidential information about a Courtyard Group employee, consultant, sub-contractor and client. Personal information does not include contact information, such as the name, title, business address or telephone number of an employee of an organization.

While many of Courtyard Group’s clients are governed by various private, public and/or health sector specific privacy legislation, this Privacy Code also recognizes and assumes responsibility for the protection of any “personal information” or “personal health information” (as these terms are defined in the applicable statute) provided to, or accessed by, Courtyard Group for the sole purpose of providing contracted services to its clients in any country where Courtyard Group conducts business. Such information is considered strictly confidential and may only be accessed on a need-to-know basis. All Courtyard Group activities in relation to personal health information will adhere to the clients’ policies and procedures.

The purpose of the Privacy Code is to establish privacy guidelines for Courtyard Group when it accesses, modifies, transmits, retains or disposes of personal information or personal health information during the course of its business activities. To this end, this Privacy Code fosters transparency, accountability and increased awareness of Courtyard Group’s information practices.

Scope

This Privacy Code applies to Courtyard Group partners, principals, consultants, employees, students and any other individual (collectively “Courtyard Group”) with access to personal information or personal health information. Courtyard Group must comply with this Privacy Code strictly at all times. The Privacy Code shall be interpreted in accordance with the applicable privacy statutes where Courtyard Group accesses, holds or manages personal information as a result of providing services to its clients.

This Privacy Code reflects internationally accepted fair information practices which form the basis for the legislative statutes and regulations in many countries around the world. The Privacy Code will continue to evolve over time to reflect legislative changes and current best practices in privacy and data protection.

Practices for handling personal information in compliance with these principles are summarized below.

1.1 Principle 1 – Accountability for Personal Information

Courtyard Group is responsible for protecting personal information and personal health information it accesses, holds or manages on behalf of or about its employees, consultants, sub-contractors and clients, whether off site or on site. Courtyard Group is also responsible for protecting personal information and personal health information that it transfers to its sub-contractors as a result of or in connection with providing services to its clients.

In the case of sub-contractors, Courtyard Group will use contractual means to ensure a comparable level of data protection while a third party handles such information on its behalf. Such contracts shall include standard privacy clauses dealing with the confidentiality and security of personal information in accordance with applicable privacy legislation and this Privacy Code, which are to form part of the Terms and Conditions of the contract.

Accountability for Courtyard Group’s compliance with this Privacy Code and relevant privacy legislation rests with the Privacy Officer, who reports directly to one of the Managing Partners of the firm. The Privacy Officer is responsible for ensuring compliance with this Privacy Code and relevant legislation as well as receiving privacy complaints and managing privacy breaches. A breach of this Privacy Code may result in suspending the user’s access rights to personal information and personal health information and in disciplinary action, including suspension or dismissal. In the case of sub-contractors, a breach may result in termination of the sub-contract agreement.

Courtyard Group provides a privacy orientation session and on-going privacy training to give effect to this Privacy Code and relevant legislation. In addition, Courtyard Group ensures that every employee, consultant or student with access to personal information or personal health information shall sign a confidentiality agreement that includes an acknowledgement that he or she is bound by this Privacy Code.

1.2 Principle 2 – Identifying Purposes for Collecting Personal Information

Courtyard Group collects personal information from its employees, consultants, sub-contractors and clients. Courtyard Group collects personal information from its clients for the purpose of providing them with business services and products; it also collects personal information about its employees and sub-contractors for general contact and human resources purposes. From time to time, Courtyard Group may also access personal health information in the custody/control of its clients for the purpose of providing contracted services on behalf of its clients.

Upon request, Courtyard Group shall inform its employees, sub-contractors and clients of the purpose for which it collects, uses or discloses personal information as well as the purpose for which it may need to access personal health information. Personal information is collected, wherever possible, directly from employees, consultants or clients, or through referrals where an individual has requested that such information be provided to Courtyard Group. Courtyard Group may also collect personal information from third parties, including government agencies, who have the authority to disclose the information.

1.3 Principle 3 – Consent

Except where the law authorizes collection and use of personal information or personal health information on behalf of its clients without consent, prior to collecting and using such information Courtyard Group shall obtain the consent of the individual who supplied the information or of someone duly authorized to act on that individual’s behalf. Such consent may be withdrawn at any time by contacting the Privacy Officer, subject to any legal or contractual restrictions and upon reasonable notice to Courtyard Group. Where Courtyard Group requires access to personal health information in the course of providing services to its clients, Courtyard Group acknowledges that obtaining consent at the point of collection rests with the client and that additional consent is not required by Courtyard Group for the sole purpose of assisting its clients with work on their behalf and for the purpose consented to by the individual, except as required by law.

1.4 Principle 4 – Limiting Collection

Courtyard Group only collects personal information and/or accesses personal health information as required to fulfill the purposes identified in this Privacy Code. Courtyard Group collects and/or accesses such information by fair and lawful means. Courtyard does not collect personal health information.

1.5 Principle 5 – Limiting Use, Disclosure and Retention

Courtyard Group shall not use or disclose personal information or personal health information in its custody or control, or to which it has access in the course of providing contract services, except as necessary in the course of providing the services. Courtyard Group will only access, use or disclose the minimum amount of personal information or personal health information necessary to fulfill the identified purpose.

For example, Courtyard Group uses personal information to provide business services; for billing, record-keeping, account collection and other client contact and service matters; and to manage and develop its business and operations. Courtyard Group will never disclose personal information or personal health information to a third party without consent unless it is required by law or is necessary to provide client services (e.g. to a sub-contractor), provided that adequate contractual measures are in place to protect the information in accordance with this Privacy Code and applicable legislation.

Courtyard Group shall retain personal information and personal health information no longer than necessary to provide its clients with contracted services. As such, Courtyard Group takes security precautions when disposing of and/or destroying such information. Specifically, upon completion of a contract, all personal information and personal health information it receives or accesses from its clients shall be returned or destroyed. If Courtyard Group is required to destroy the information, it shall ensure that its employees, consultants, sub-contractors or personnel:

a) physically destroy all print and other hard copies by cross-shredding it; and
b) erase, scrub or otherwise remove all electronic, digital or other versions of it from every item of equipment and all media (including disks, tapes, computers, servers, and related peripheral equipment such as disk arrays, tapes or disk backup units) that it has installed, downloaded, or otherwise put onto; or
c) otherwise obliterate it.

Courtyard Group shall also ensure that any partners, principals, consultants, employees, students, sub-contractors or any other individual with access to personal information or personal health information who have been terminated or have resigned immediately return the information as well as any hardware belonging to Courtyard Group. Courtyard Group administrators shall also ensure that pass cards are returned and that usernames and passwords are revoked and changed, so that no access remains to any applications, hardware, software, network or facilities belonging to Courtyard Group or any client.

1.6 Principle 6 – Accuracy

Courtyard Group shall ensure that all personal information it collects and holds is accurate, complete and up-to-date by routinely updating such information and/or making amendments upon request, where appropriate. Courtyard Group personnel must notify the Human Resources Department of any changes or updates that will affect their personnel records.

1.7 Principle 7 – Safeguards

Courtyard Group takes reasonable efforts to protect personal information against loss, theft, unauthorized access, disclosure, copying, use, modification or destruction by using appropriate physical, organizational and technological measures to respect the confidentiality of all personal and/or personal health information it holds or accesses. Methods of protection include but are not limited to:

• Physical Safeguards: locked filing cabinets, restricted access to offices (access keys, pass cards);
• Organizational Safeguards: limited access to personal information on a need-to-know basis, staff privacy orientation and training, confidentiality pledges, random audits;
• Technical Safeguards: usernames and passwords, anti-virus protection, encryption, firewalls, acceptable business disaster recovery plans and data backup.

Courtyard Group will notify its clients and its Privacy Officer at the first reasonable opportunity if personal information or personal health information handled by Courtyard Group and/or its sub-contractors is stolen, lost or accessed by unauthorized persons.

1.8 Principle 8 – Openness about Policies and Practices

Courtyard Group makes available this Privacy Code, including the name, title and contact information of the Privacy Officer who is accountable for Courtyard Group’s Privacy Code and to whom access requests, inquiries and complaints may be directed.

The Privacy Code will be available at www.courtyard-group.com.

Subject to applicable legislation, Courtyard Group reserves the right to monitor any and all aspects of its information systems and infrastructures including, but not limited to, visited internet sites, instant messaging systems, chat groups, news groups and e-mail sent and/or received via Courtyard Group’s business email address.

1.9 Principle 9 – Individual Access

Courtyard Group provides its employees, consultants, sub-contractors and clients with access to their personal information upon request so that they may know what information Courtyard Group holds about them and have an opportunity to verify the accuracy of their information and to correct any inaccuracies.

Courtyard Group reserves the right not to provide access where providing such access would compromise the personal security or commercial confidentiality of Courtyard Group or its clients, or where personal information is protected by professional confidentiality standards or solicitor-client privilege. Courtyard Group does not provide access, nor does it have the authority to provide patients with any access, to the personal health information it accesses on behalf of its clients during the course of providing its contracted services.

1.10 Principle 10 – Challenging Compliance

Any privacy-related questions, concerns or complaints should be made in writing to the designated Privacy Officer at email@example.com. Courtyard Group will inform its staff and clients who make inquiries or lodge complaints of the relevant complaint procedures. Courtyard Group will investigate all complaints and will take appropriate measures, including amending its Privacy Code as necessary.