Filogix Information Practices Code
Introduction
This Information Practices Code (the "Code") is a formal statement of the information practices of Filogix Inc. and its affiliates (collectively, "Filogix" or "we") and describes the manner in which Filogix deals with and protects the personal information it collects from individuals outside of its employ. Filogix is committed to ensuring that the personal information in our custody remains secure and is not used or disclosed in a manner other than for which consent has been provided. We are committed to adhering to the ten interrelated principles set out below, which principles are based on the Personal Information Protection and Electronic Documents Act ("PIPEDA").

The phrase "personal information" as used in this Code shall have the same meaning as in PIPEDA: information about an identifiable individual, but not including the name, title, business address, or telephone number of an employee of an organization, and not any information which has been deemed to be "information that is publicly available" pursuant to the regulations to PIPEDA, namely:

(a.) personal information consisting of the name, address and telephone number of a subscriber that appears in a telephone directory that is available to the public, where the subscriber can refuse to have the personal information appear in the directory;

(b.) personal information including the name, title, address and telephone number of an individual that appears in a professional or business directory, listing or notice, that is available to the public, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the directory, listing or notice;

(c.) personal information that appears in a registry collected under a statutory authority and to which a right of public access is authorized by law, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the registry;

(d.) personal information that appears in a record or document of a judicial or quasi-judicial body, that is available to the public, where the collection, use and disclosure of the personal information relate directly to the purpose for which the information appears in the record or document; and

(e.) personal information that appears in a publication, including a magazine, book or newspaper, in printed or electronic form, that is available to the public, where the individual has provided the information.

The application of this Code is subject to the requirements or provisions of any applicable legislation.

Summary of Principles:

Principle 1 – Accountability

An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with these ten privacy principles.

Principle 2 – Identifying Purposes

The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

Principle 3 – Consent

The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

Principle 4 – Limiting Collection

The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

Principle 5 – Limiting Use, Disclosure, and Retention

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.

Principle 6 – Accuracy

Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

Principle 7 – Safeguards

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

Principle 8 – Openness

An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

Principle 9 – Individual Access

Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Principle 10 – Challenging Compliance

An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.

Principle 1 - Accountability

An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the ten privacy principles.

Filogix is accountable for all personal information in its control. This includes both information under the direct control of Filogix as well as information we have transferred to third parties for data storage. Through the use of contracts or other means, Filogix ensures that such data storage organizations maintain a level of protection comparable to that which applies to information under our direct control.

Even though numerous individuals within Filogix are responsible for the day-to-day collection and processing of personal information, our Privacy Officer is ultimately accountable for the handling of personal information under the control of Filogix and for ensuring that the principles set out in this Code are being complied with. The Privacy Officer is authorized to delegate other individuals within the organization to act on his or her behalf.

Any questions about the manner in which Filogix handles personal information should be directed to our Privacy Officer, who can be reached by e-mail at privacy@Filogix.com, by fax at 416.360.8224 or by mail at 276 King Street West, Suite 400, Toronto, Ontario, M5V 1J2.

Although Filogix refers to the Privacy Officer simply by that person's title in our public documents relating to our information protection practices, the Privacy Officer shall provide his or her name and contact particulars to any person who asks for it.

Filogix has implemented policies and practices to give effect to the ten privacy principles forming the basis of this Code. Relevant policies and practices include:
  • Filogix Information Sensitivity Policy (classifying personal information as requiring more secure treatment and enhanced technological, physical and organizational security measures);
  • Filogix Data Centre Access Restrictions (procedures to limit access to areas containing customers' personal information to specified, pre-authorized personnel);
  • Filogix Acceptable Use Policy (requiring the use of technical and physical security measures to maintain confidentiality of personal information);
  • Filogix Password Policy (imposing technological security measures);
  • Filogix Risk Assessment Policy (to determine areas of vulnerability in Filogix' key information systems and to initiate proper remediation);
  • Filogix Audit Policy (allowing security audits to ensure confidentiality of personal information);
  • Filogix Incident Handling Procedure (providing a procedure to deal with electronic security intrusions);
  • Data Retention Guidelines (detailing the retention periods for personal information and describing the process for destroying or anonymizing such information); and
  • Personal Information Complaints and Inquiries procedures (establishing procedures in relation to principles 9 and 10).

In order to ensure that staff is familiar with this Code and Filogix' obligations relating to the protection of personal information in Filogix' control, Filogix has also implemented an internal training and communication program.

Principle 2 - Identifying Purposes

The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

The purposes for which Filogix collects personal information will be specified to the individual from whom the personal information is collected at or before the time that information is collected. This may be done electronically, orally or in writing.

Whenever Filogix collects personal information, we will disclose the purposes for which we are collecting the information, the manner in which we plan to use the information and the entities to which the information will be disclosed. Upon request, persons collecting personal information shall explain these identified purposes as well as the proposed collection, uses and disclosures; alternatively, they shall refer the individual to a designated person at Filogix who shall explain the identified purposes and the proposed collection, uses and disclosures.

For information that we collect through third parties, we require that that third party has obtained the consent of the person to whom that information relates.

We will not use personal information already in our custody for a purpose which was not identified at the time we initially collected the information, unless such new purpose is required by law. Before using this information for any other purpose, we will first obtain the consent of the affected individuals. For an elaboration on consent, please refer to the Consent principle, below (Principle 3).

Principle 3 - Consent

The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

Filogix makes every reasonable effort to make sure that an individual understands the purposes for which their information will be collected by Filogix and how his or her personal information will be collected, used and disclosed by Filogix. The proposed purposes will be stated in such a manner that the individual giving consent can reasonably understand how the information will be used or disclosed. Filogix will obtain an individual's consent to such collection, use and disclosure of this personal information. In determining the appropriate form of consent, Filogix shall take into account the sensitivity of the personal information and the reasonable expectations of those to whom the information relates.

Filogix does not collect personal information unless it is necessary for the purposes we identify when we collect it. We will not refuse to provide a service to an individual if they choose not to provide us with their personal information, unless we are unable to provide such service without such information.

Subject to legal or contractual restrictions and reasonable notice, individuals may withdraw consent at any time. Upon Filogix being notified that such consent is being withdrawn, the implications of such withdrawal will be explained to the individual.

Note: Notwithstanding the above commentary, in certain circumstances personal information may be collected, used, or disclosed without the knowledge and consent of the individual. The Personal Information Protection and Electronic Documents Act specifically provides for exceptions to this requirement, and any such exceptions shall be deemed to be exceptions to this Code as well. For example, legal, medical, or security reasons may make it impossible or impractical to seek consent. When information is being collected for the detection and prevention of fraud or for law enforcement, seeking the consent of the individual might defeat the purpose of collecting the information. Seeking consent may be impossible or inappropriate when the individual is a minor, seriously ill, or mentally incapacitated.

Principle 4 - Limiting Collection

The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

Filogix does not collect personal information indiscriminately. Both the amount and the type of information collected are limited to that which is necessary to fulfill the identified purposes. Filogix will only collect personal information by fair and lawful means. Filogix receives information from third parties (such as credit bureaus and mortgage brokers) that represent that they have the right to disclose the information to Filogix.

Principle 5 - Limiting Use, Disclosure, and Retention

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.

Personal information in the custody of Filogix shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law.

Filogix does not store information it collects indefinitely. Filogix has developed guidelines and procedures with respect to the retention of personal information (the "Data Retention Guidelines"). These guidelines include minimum and maximum retention periods. Personal information used to make decisions directly affecting an individual is subject to a minimum retention period of one year from the date the decision is made. The Data Retention Guidelines ensure that Filogix retains all information in our custody only as long as necessary or relevant to fulfil our identified purposes or as required by law. Personal information that is no longer required for statutory or regulatory requirements or to fulfill the purposes we identified when we collected the information is destroyed, erased or rendered anonymous in the manner described in the Data Retention Guidelines.

Only those employees of Filogix who require access for business reasons, or whose duties reasonably so require, are granted access to personal information in the control of Filogix.

Principle 6 - Accuracy

Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

Filogix will use its best efforts to ensure that its technology allows personal information that is used on an on-going basis to be kept accurate, complete and up-to-date so as to minimize the possibility that inaccurate information may be used to make a decision about an individual. Filogix does not routinely update personal information unless it is necessary to fulfil the purposes for which the information is collected.

Principle 7 - Safeguards

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

As described under Principle 1 - Accountability, Filogix has instituted numerous policies and procedures to safeguard the personal information in its custody. Each of the Filogix Information Sensitivity Policy, the Filogix Acceptable Use Policy and the Filogix Password Policy imposes security measures (including organizational, technical and physical measures) to protect personal information in our control against loss and theft. These safeguards also protect information from unauthorized access, disclosure, copying, use, or modification. All personal information in Filogix' control is protected, regardless of the format in which it is stored.

All employees of Filogix with access to personal information are required, as a condition of their employment, to respect the confidentiality of personal information.

Principle 8 - Openness

An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

Filogix is open about its privacy practices and its procedures for handling personal information. Any questions about the manner in which Filogix handles personal information can be raised with our Privacy Officer.

Filogix makes specific information about its policies and practices relating to the management of personal information readily available to interested individuals. In addition to having provided copies of our Privacy Statement and this Code to our employees, we provide access to our Privacy Statement and this Code on our corporate website (http://www.Filogix.com/) and provide these documents in written form upon request. This Privacy Statement:
  • discloses that the Privacy Officer is the person who is accountable for Filogix's privacy policies and practices and the person to whom complaints or inquiries can be forwarded;
  • provides the e-mail address, fax number and postal address for the Privacy Officer; and
  • describes the means of gaining access to personal information held by Filogix.

Principle 9 - Individual Access

Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Upon Filogix receiving a written request from an individual (which request shall be assigned to the Privacy Officer for resolution), the Privacy Officer shall inform an individual as to whether or not the organization holds personal information about such individual and, if possible, the source of this information. The Privacy Officer shall require the requesting individual to provide sufficient information to permit Filogix to confirm his or her identity as well as to be able to ascertain the existence, use, and disclosure of personal information. Any information provided by the requesting individual in order to establish identity and ascertain the existence of records shall only be used for this purpose.

If the Privacy Officer determines that there is personal information in relation to the requesting individual, that individual shall be allowed a reasonable opportunity to review the personal information in the custody of Filogix. In addition, Filogix shall provide the requesting individual with an account of the use that has been made or is being made of his or her information and a list of the third parties to which it has been disclosed, attempting to be as specific as reasonably possible. When it is not possible to provide a list of the organizations to which Filogix has actually disclosed information about an individual, Filogix shall provide a list of organizations to which it may have disclosed information about the individual.

The Privacy Officer shall respond to an individual's request within a reasonable time (typically a response will be provided within 30 days of receiving the request) and at minimal or no cost to the individual. Filogix shall provide or make available the requested information in a form that is generally understandable.

If an individual successfully demonstrates the inaccuracy or incompleteness of personal information that is used by Filogix on an on-going basis, upon being advised of such inaccuracy, the Privacy Officer will take steps to ensure that this information is corrected. In this situation, the Privacy Officer will also send the corrected data to those third parties who have previously accessed the personal information in question. If such information was received from a third party, the Privacy Officer will assist the individual in correcting their personal information with that third party.

As Filogix does not routinely update personal information unless it is necessary to fulfil the purposes for which the information is collected, unless the individual demonstrates the inaccuracy or incompleteness of personal information that is not used by Filogix on an on-going basis, such information will not be edited in Filogix' records. For example, although Filogix makes a copy of certain information in relation to mortgage applications, this copy is retained only for archival purposes and Filogix makes no decision based upon this information. The records are designed to reflect a state of facts at a certain point in time and are not intended to be updated. If such information was received from a third party, the Privacy Officer will assist the individual in correcting their personal information with that third party and will keep a record of the request for correction, but the records of Filogix will remain otherwise unchanged.

Note: Notwithstanding the above commentary, in certain circumstances Filogix may not be able to provide access to all the personal information relating to an individual; the Personal Information Protection and Electronic Documents Act specifically provides for exceptions to this requirement, and any such exceptions shall be deemed to be exceptions to this Code as well. For example, exceptions may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security, or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege. If this information cannot be provided to an individual for one of these reasons, the Privacy Officer will report Filogix' inability to provide access to the Privacy Commissioner of Canada.

Principle 10 - Challenging Compliance

An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance.

In the event that an individual wishes to challenge our compliance with any of these principles, they can contact our Privacy Officer using the contact information set out above. Filogix will investigate all written complaints, and if we find a complaint to be justified, we will take all appropriate measures, including, if necessary, amending our policies and practices.

If an individual is not satisfied with the way the Privacy Officer has responded to a question, the Privacy Commissioner of Canada may be contacted by e-mail at info@privcom.gc.ca, by fax at (613) 947-6850 or by mail at 112 Kent Street, Ottawa, Ontario K1A 1H3.