The records and documents created, used and stored by TELUS Health, its subsidiaries and its affiliates (“TELUS Health” or the “Company”) are among the Company’s most important assets. This includes all Company documents and records in any format or medium, whether hard copy or electronic, including memos, correspondence, reports, working papers, presentations and emails (“Record” or “Records”).
The purpose of this Records Management Policy (“Policy”) is to define and establish requirements for the creation and management of authentic, reliable, enduring and usable Records in support of the business functions and activities of the Company. The Policy is designed to ensure the Company complies with laws and regulations, meets legal/contractual recordkeeping requirements, operates effectively, preserves Records relating to legal and other proceedings and destroys Records when appropriate to do so.
This Policy applies to all areas of the Company (“Program Area”) and to all Records irrespective of format (e.g., records sent or received by email accounts, electronic records, paper records, etc.). Every director, officer, employee and contractor of the Company (collectively “Company Personnel”) is responsible for ensuring that they understand and comply with this Policy.
Creation, Management and Disposition of Records
Every Program Area must, in accordance with the requirements and guidelines established under this Policy, create, manage, and dispose of Records to ensure program accountability and support the Program Area’s business needs. Every Program Area must also ensure that the integrity, reliability and retrievability of Records for ongoing legal, financial or other business purposes.
Accountability for the creation, management and disposition of Records resides with the business owner in the Program Area.
Classification of Records
Records must be classified according to the business functions and activities of each Program Area in a manner that:
- allows complete Records relating to business decisions or transactions to be readily located and retrieved;
- minimizes duplicate storage of Records;
- enables user permissions and privacy and security protections to be applied consistently and appropriately; and
- permits retention requirements to be applied accurately.
In classifying Records, Company Personnel are required to abide by the Company’s Data & Record Classification Policy and Information Security Policy and Standards.
Storage and Management of Records
Records must be stored in shared repositories and managed by each Program Area in a manner such that:
- they can be efficiently located, identified and retrieved for as long as they are needed;
- consistent and comprehensive application of security rules regarding access, modification and disposal are applied;
- unnecessary duplication is eliminated; and
- efficient disposition, including transfer to archives and storage, in accordance with retention requirements is enabled.
Retention and Disposition of Records
Company Personnel must keep Records within a Program Area for as long as is necessary to meet a legitimate business or legal purpose, taking into account applicable legislative and regulatory requirements, and the terms of any agreements with the Company or between the Company, its partners and its clients.
Business owners must ensure that the Records in their Program Areas are managed, stored and disposed of in accordance with the requirements of the applicable Records Retention Schedule (“Schedule”).
The retention requirements for Records, as stipulated in the applicable Schedule, are determined in consultation with subject matter experts in each Program Areas based on:
- business needs;
- legal and regulatory requirements specific to the Records;
- contractual commitments;
- the need to ensure accountability for the activities and decisions documented by the Records; and
- the rights and interests of other stakeholders in the preservation of the Records’ contents.
Records in the possession of the Company including relevant Program Areas may be subject to the following:
- Legal proceedings; and
- Access requests made pursuant to applicable legislative and regulatory requirements and the terms of any other agreements with the Company or between the Company, its partners and its clients.
When a request is received pursuant to any of the above, Company Personnel must preserve and produce all relevant Records and follow the requirements set out in the Legal Hold section of this Policy.
Records created, sent or received using email accounts, including emails themselves, are subject to this Policy.
Before an email account is disabled or deleted, the Records created, sent or received using the email account must be managed in accordance with the requirements set out above.
These types of Records must not be stored in the hard drive of an individual’s computer, on portal devices or removable media, on an individual’s personal network drive or electronic workspace, in email accounts, or in the case of hardcopy records, in an individual’s physical file storage.
Record Archiving and Storage
Hard copies of Records that no longer require immediate access as an active record, but must still be maintained for the remainder of their designated retention period, should be archived. Company Personnel should contact the Corporate Services Department or regional office management to arrange for Record archiving at a Company-approved offsite storage facility. When making arrangements for off-site storage, Company Personnel will need to identify a Record destruction date for destruction purposes.
Records relating to any pending or anticipated legal proceeding, audit or investigation must be preserved. A “Legal Hold” may be placed on any Record regardless of whether the record is the final, official version of the Record. Company Personnel who receive a notice from the Legal, Risk and Privacy Department or through another source that certain Records are subject to a Legal Hold must immediately ensure that all Records subject to the Legal Hold are secure and retained, as described in the Legal Hold notice. If Company Personnel become aware of a pending or anticipated legal proceeding, audit or investigation, or subpoena, they must secure and retain all Records that might be pertinent, and notify the Legal, Risk and Privacy Department.
Under no circumstances should Company Personnel alter, destroy or conceal any Records related to a pending or anticipated legal proceeding, audit or investigation. Any such action could have a material adverse effect on the legal proceeding, audit or investigation. Unauthorized alteration, destruction or concealment of Records may subject Company Personnel to disciplinary action, up to and including termination, as well as to legal liability.
Annual Records Review
Company Personnel must review all Company Records, including emails, in their possession on a regular basis and at a minimum, once a year. In doing so, Company Personnel should identify for destruction any Records that are beyond their designated retention period but retain those that are subject to a Legal Hold or involve an investigation or audit.
Destruction of Records
Records are to be destroyed upon satisfaction of all of the following criteria:
- the Records have served their intended purpose; and
- the applicable retention period has expired; and
- Company Personnel handling the Records has written confirmation that such Records are not subject to a Legal Hold.
Questions and Compliance
Any questions about the retention of Records that are not addressed in this Policy should be directed to the Legal, Risk and Privacy Department, who will provide direction in consultation with subject matter experts in the Program Area to which the Record relates.
Any questions about the archiving and destruction of hard-copy Records (i.e. paper) should be directed to the Corporate Services Department or regional office management.
This Policy will be reviewed periodically and amended as necessary by the Legal, Risk and Privacy Department to reflect any changes in laws, regulations or business requirements.