Rexall Pharmacy Group External Privacy Policy

Purpose

This Privacy Policy (the “Policy”) describes the policies of Rexall Pharmacy Group Ltd. including its Canadian subsidiaries, Rexall/Pharma Plus Pharmacies Ltd., Rexall/Pharma Plus Pharmacies ((B.C.) Ltd. and Rexall/Pharma Plus Pharmacies (Sask.) Ltd. (collectively, “Rexall”) concerning the collection, use and disclosure of personal information by Rexall.

Rexall, a leading drugstore operator, is committed to safeguarding the confidentiality, security and accuracy of personal information, including personal health information, that is collected, used, disclosed and retained by Rexall.

This Policy applies across all Rexall business units and departments and may be supplemented by additional policies and procedures within Rexall business units.

In this Policy, personal information and personal health information are collectively referred to as “Personal Information.”

Privacy Principles

The secure collection use and disclosure of Personal Information is fundamental to Rexall business operations and Rexall strives to provide the best customer service consistent with our privacy obligations under both federal and provincial privacy laws.

Rexall’s methods for collecting, using, disclosing and retaining Personal Information will be compliant with all applicable federal and provincial laws. This includes, as applicable, the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”) and the provincial Personal Information Protection Acts in place in Alberta and British Columbia.

Rexall also complies, where applicable, with laws concerning the collection, use and disclosure of personal health information.

This Policy reflects the 10 key principles/fair information practices of privacy which form part of PIPEDA and Canadian privacy laws. Rexall also complies, and expects all employees to comply, where applicable, with Canada's anti-spam legislation (CASL) dealing with spam, other electronic threats and all electronic messages organizations sent in connection to commercial activity.

The Personal Information that Rexall collects will vary depending on the circumstances, but could include:

  • Name, address, telephone number, email address and other contact information for members of the public who do business with Rexall or who are patients for whom Rexall provides services either directly or through its clients;
  • Credit and other financial information for those individuals who do business with, or obtain services from, Rexall;
  • Insurance information for the provision of health care, or health care related services; and
  • Voice recording information for individuals who contact Rexall and whom Rexall contacts.

1. Accountability:

Rexall is responsible for Personal Information under its control. Rexall is committed to observing high standards of honesty, integrity and ethical conduct in all its operations. This includes respecting the security and privacy of Personal Information that is collected, used, disclosed and retained by Rexall. This commitment is an integral part of Rexall’s cultural foundation and is reflected in the ICARE Principles (i.e., integrity, customer-first, accountability, respect and excellence) which guide our business interactions.

2. Identifying Purposes:

Rexall collects, uses and discloses Personal Information to:

  • provide products and services to individuals or as required under service contracts;
  • administer and manage Rexall’s operations;
  • respond to requests for information and other inquiries from members of the public relating to Rexall products and services;
  • investigate breaches, or potential breaches, of applicable laws;
  • comply with legal and regulatory requirements;
  • enforce or protect our rights;
  • in connection with a commercial transaction including a transaction involving the sale or transfer of all or part of our businesses; and
  • meet or fulfill other purposes permitted or required by law.

3. Consent:

Except as permitted by applicable law, the knowledge and meaningful consent of the individual is required for the collection, use and disclosure of Personal Information and Rexall will ensure that individuals are given an opportunity to provide informed consent at the time of collection whenever required by law and in accordance with this Policy. Individuals who have provided consent can revoke their consent at any time by mailing a signed letter of revocation to: Rexall at 5965 Coopers Avenue, Mississauga, ON L4Z 1R9.

4. Limiting Collection:

Rexall will limit the collection of Personal Information to that which is necessary for the purposes identified above. Information will be collected by fair and lawful means and, where appropriate, will be collected pursuant to contractual arrangements. In some cases, information will be collected from sources other than the individual, for example third parties who represent they have the right to disclose such information to Rexall. Information may also be collected as required or permitted by applicable law.

5. Limiting Use, Disclosure, and Retention:

Rexall recognizes that customers may provide sensitive information to Rexall. Personal Information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required or permitted by law. Personal Information shall be retained only as long as necessary for the fulfilment of those purposes or as required by law.

Rexall limits access to Personal Information by employees, contractors and agents to a “need to know” basis.

Individuals who main-page-dataneed to have access to Personal Information may do so only if such access is necessary and within the scope of that individual’s job responsibility, if contractually or otherwise required or permitted under applicable law and in accordance with this Policy.

Except under the circumstances described above, Rexall employees are not authorized to access or use customers’ Personal Information.

From time to time, Personal Information collected by Rexall may cross provincial or national borders (including but not limited to the United States). That Personal Information would then be subject to legal regulation outside of the organizational restrictions put in place by Rexall.

6. Accuracy:

Personal Information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which the Personal Information was collected. Rexall will update Personal Information only as and when necessary to fulfill the identified purposes or upon notification from the individual or other legally authorized representative.

Individuals wishing to update their Personal Information may make a request to Rexall’s Privacy and Compliance Office by email at privacyofficer@rexall.ca. Rexall will comply with all applicable laws when such a request is made.

7. Safeguards:

Rexall will take appropriate physical, technical and administrative safeguards and precautions to secure Personal Information. Personal Information shall be protected by security safeguards appropriate to the sensitivity of the information and in accordance with McKesson Corporation’s Global IT Security Policy. Rexall is a wholly owned subsidiary of McKesson Corporation.

Suppliers, contractors and agents working for or with Rexall are contractually required to use appropriate physical, technical and administrative safeguards and precautions to secure Personal Information and must have in place privacy policies and practices, including data security policies and practices that are at least as restrictive as this Policy.

Rexall employees and contractors are expected to use secure processes to maintain the integrity of company and customer information including the use of secure encryption whenever Personal Information is transmitted over public networks or is contained on portable or mobile devices used or carried outside Rexall offices.

8. Openness:

Rexall will make its policies and practices surrounding the management of Personal Information, as well as the contact information of its Privacy and Compliance Office, readily available.

9. Individual Access:

Rexall will ensure there are policies and practices in place to ensure individuals can access their Personal Information upon request, subject to certain exceptions under applicable privacy laws.

Exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security, or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege.

Individuals making such a request should be aware that their right to access their Personal Information is not absolute.

Rexall may decline such access requests where required to do so under applicable law or regulatory requirements. It is also possible that the Personal Information may no longer exist, or has been made anonymous, in accordance with Rexall information retention practices.

10. Challenging Compliance:

Individuals who wish to challenge Rexall’s compliance with these principles may address their concerns to Rexall’s Privacy and Compliance Office at privacyofficer@rexall.ca. Rexall will investigate all complaints and, if required, will take appropriate measures to resolve the complaint.

Related Information

Rexall is comprised of multiple business units, each of which may consist of one or more functions that are subject to this Policy. Each such business unit function must restrict the collection, use or disclosure of Personal Information to the activities or services that they perform, either for the individual from whom the information was collected, for the business unit’s customers’ operations, or for the business unit’s own purpose. A Rexall business unit may not disclose Personal Information to another function within its business unit, or to another Rexall business unit in a manner that violates the permitted collection, use and disclosure of Personal Information as set out in this Policy. In all cases business units must ensure that Personal Information is securely safeguarded at all times.

Where appropriate, Rexall may also have in place more detailed policies and procedures governing the collection, use and disclosure of personal information in specific parts of its businesses activities. Where such policies are in place, they will be available on the Rexall website.

Updates to this Policy

Rexall will review this Policy periodically and will update this to address changes in applicable laws and regulations as necessary. When updates are made, an update will be posted on the Rexall website. Please check our website to ensure you have the most up-to-date privacy policy.