IPSEN PRIVACY POLICY (CANADA)

General Principles

  1. Ipsen Biopharmaceuticals Canada Inc. is committed to observe the requirements of Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”) and applicable provincial privacy legislation in provinces which have enacted provincial legislation which is substantially similar to PIPEDA. Ipsen respects the privacy of persons and recognizes the need of persons with whom we do business (including our customers, patients who use our products, patients who participate in clinical trials and our employees), for the appropriate management and protection of any personal information that they agree to provide to us.
  2. The following Privacy Policy incorporates the requirements of the privacy principles as set out in PIPEDA and/or applicable provincial legislation, and provides guidelines on the collection, storage, use and retention of personal information.
  3. All Ipsen employees must be familiar with and observe the requirements of this Policy. Any complaints or breaches of this Privacy Policy shall be promptly reported by the relevant employees who receive or become aware of a complaint or breach to the Privacy Officer as outlined below.

Definitions

  1. “Personal Information” means information about an identifiable individual but does not include the name, title or business address or telephone number of an employee of an organization.
  2. “Personal Health Information” means information concerning the physical or mental health of an identifiable individual, or information concerning health services provided to an individual, where that information is derived from a Health Information Custodian. To the extent that any relevant provincial or federal law contains additional definitions, such definitions prevail.
  3. “Privacy Officer” means the individual or individuals who have been designated responsibility under the applicable provincial or federal law to be accountable for Ipsen’s compliance with such laws.
  4. “Health Information Custodian” means a person or organization designated by provincial healthcare privacy law as having particular obligations relating to Personal Health Information (for example, a physician, nurse or hospital).
  5. The objectives of this policy, which applies to all Ipsen personnel and to any contractors who assist Ipsen in collection, use or disclosure of Personal Information or Personal Health Information, are to:
    1. Assist in achieving regulatory compliance by all Ipsen personnel;
    2. Ensure management and protection of Personal Information and Personal Health Information by identifying, assessing, monitoring and mitigating privacy risks in Ipsen programs and activities which involve the collection, retention, use, disclosure and disposal of such information.

Policy Requirements

  1. Ipsen’s Privacy Officer is responsible to:
    1. Ensure this Privacy Policy’s implementation by all relevant Ipsen employees;
    2. Ensure that this Privacy Policy is available to all Ipsen employees who are responsible for overseeing the collection, use and disclosure of Personal Information and Personal Health Information;
    3. Ensure that employees understand their obligations under provincial and/or federal law;
    4. Ensure that employees are aware of the requirements for breach notification (if any) under the law of the relevant province.
  2. Employees are responsible to ensure:
    1. Collection of Personal Information and/or Personal Health Information as may be necessary;
    2. Accuracy of Personal Information and/or Personal Health Information collected on behalf of Ipsen;
    3. Storage of Personal Information and/or Personal Health Information collected on behalf of Ipsen;
    4. Retention of Personal Information and/or Personal Health Information collected on behalf of Ipsen;
    5. Disclosure of Personal Information and/or Personal Health Information collected on behalf of Ipsen;
    6. Access to Personal Information and/or Personal Health Information collected on behalf of Ipsen; and
    7. Response to complaints to Ipsen concerning privacy compliance.
  3. Collection of Information:

    The Privacy Officer is responsible to:

    1. Ensure that Ipsen employees understand their responsibilities under relevant provincial or federal law to obtain the proper consent from individuals when collecting personal information concerning them;
    2. Review agreements with potential Health Information Custodians to ensure that such agreements are in conformity with the applicable health information privacy legislation (if any) and with Ipsen’s responsibilities under relevant provincial or federal laws concerning obtaining proper consent for the collection of Personal Health Information relating to individuals;
    3. Review agreements with potential government information custodians to ensure that such agreements are in conformity with provincial or federal laws relating to public institution disclosure and confidentiality obligations, and with Ipsen’s responsibilities under relevant provincial or federal laws, concerning obtaining of proper consent for the collection of Personal Information or Personal Health Information concerning individuals;
    4. Ensure that agreements with contractors concerning the collection of Personal Information and Personal Health Information contain requirements that the collection of such information be in conformity with the requirements for proper consent under applicable provincial or federal law.
  4. Accuracy of Information:

    The Privacy Officer is responsible to ensure that persons whose Personal Information and Personal Health Information is retained by Ipsen have reasonable opportunities to review and correct their information, subject to the provisions of relevant provincial or federal law.

  5. Storage of Information:

    The Privacy Officer is responsible to:

    1. Review periodically information storage practices by Ipsen employees to ensure that the appropriate level of security is in place in conformity with relevant provincial or federal law and with the level of confidentiality of the information;
    2. In the event that Personal Information or Personal Health Information is accidentally or deliberately lost or security compromised:
      1. Inform Ipsen’s Law Department;
      2. Perform an assessment of the significance of the loss or breach and the risk such loss or breach poses to affected individuals; and
      3. Where required by relevant provincial or federal law and in consultation with Ipsen’s Law Department, inform the relevant Information Privacy Commissioner of the loss or breach.
  6. Retention of Information: The Privacy Officer is responsible to oversee Ipsen’s information retention practices and policies relating to information stored by Ipsen.
  7. Disclosure of Information:

    The Privacy Officer is responsible to:

    1. Review practices by Ipsen employees to ensure that Personal Information and Personal Health Information are only disclosed as authorized by the person to whom it relates and as required by relevant provincial or federal law;
    2. Review agreements with potential Health Information Custodians to ensure that such agreements are in conformity with relevant privacy law and with Ipsen’s responsibilities under relevant provincial or federal laws that prescribe requirements for limiting disclosure of Personal Health Information; and
    3. Review agreements with potential government information custodians to ensure that such agreements are in conformity with relevant provincial or federal privacy legislation relating to public institutions and with Ipsen’s responsibilities under relevant provincial or federal laws that define requirements for limiting disclosure of Personal Health Information.
  8. Access to Information:

    The Privacy Officer is responsible to:

    1. Exercise discretion under the applicable legislation in a fair, reasonable and impartial manner with respect to decisions made in the processing of requests and the resolution of complaints pursuant to the relevant provincial or federal law;
    2. Direct Ipsen employees to provide accurate, timely and complete responses to requests made under the relevant provincial or federal law;
    3. Prepare written procedures and practices for Ipsen employees to ensure that all reasonable efforts are made to assist a person who requests information as set out above;
    4. Establish processes to respond to requests for access to, and the correction of, personal information and to document deliberations and decisions made concerning requests received under the relevant provincial or federal law.
  9. Complaint Handling:

    The Privacy Officer is responsible to:

    1. Promptly acknowledge privacy-related complaints received by Ipsen;
    2. Review and investigate any such complaints promptly, in consultation with the Law Department;
    3. Notify the complainant of the results of any such review and investigation;
    4. Refer a matter to Ipsen’s Law Department should a complainant initiate further procedures with applicable regulatory authorities.

Review of Ipsen Policies and Procedures

  1. In addition to the above specific information policies, the person(s) designated as Privacy Officer(s) shall be responsible for review of other Ipsen activities, policies and procedures to assess the potential effects of these policies and procedures on compliance with this Privacy Policy.