Common use of Protection of Personal Information Clause in Contracts

Protection of Personal Information. TELUS agrees that: (a) in providing the Services, it shall comply with Privacy Laws; (b) as between TI and TELUS, all Personal Information (excluding any information that has been disclosed by TELUS to TI or a TI Affiliate or subcontractor in the course of obtaining services from TI under an Amended and Restated Master Services Agreement between the Parties dated January 1, 2021) is, and shall remain, the exclusive property of TI as the Data controller; (c) TELUS as the Services provider will only Process Personal Information for the purposes of rendering the Services in accordance with the Agreement and as otherwise instructed by TI in writing from time to time; (d) TELUS shall treat all Personal Information as confidential and shall limit access to Personal Information to those Representatives or authorized subcontractors who have a need to access such information in order to deliver the Services; (e) TELUS shall advise its Representatives receiving Personal Information of the obligations of TELUS respecting confidentiality that are contained in this Article 16 and in Article 15 (Confidential Information); (f) except as may be otherwise expressly provided for in the body of this Agreement or the Schedules, TELUS shall not disclose or transfer Personal Information and shall implement the obligations respecting confidentiality [***] contained in this Agreement, the Schedules or under applicable Laws that are intended to prevent TELUS Representatives or subcontractors from disclosing or transferring any Personal Information, to any third party, including any agent or subcontractor of TELUS, unless: (i) TI has consented in writing to such disclosure or transfer, which consent TI may withhold in its absolute discretion; and (ii) TELUS has obtained the written agreement of the third party to comply with all of the terms of this Article 16 with respect to Personal Information disclosed or transferred to it or otherwise collected or compiled by it; (g) TELUS shall take all agreed steps to implement [***], including measures required under applicable Privacy Laws, to [***] Personal Information against [***], including in the event of a disruption, disaster or failure of TELUS’ primary systems or operational controls; (h) TELUS shall establish, implement, maintain and fully comply with privacy policies (including privacy breach response) and practices designed to protect Personal Information from unauthorized access, use or disclosure or processing more generally, which will be specific to TELUS locations and operations; (i) TELUS shall permit Representatives of TI to review the privacy policies and documented practices of TELUS at any time during the Term, including the training of relevant personnel, as those policies and documented practices relate to Personal Information, and to request TELUS to make any changes, in accordance with the Change Management Procedures, that TI, acting reasonably, considers necessary in order to ensure compliance with TI privacy and [***] policies; (j) TELUS shall establish, implement, maintain and comply with the [***] to protect [***] of Personal Information, including those [***] set out elsewhere in this Agreement or the Schedules, which the Parties agree are adequate; (k) TELUS shall permit Representatives of TI to review [***] and to request TELUS, in accordance with the Change Management Procedures, to implement [***] as TI, acting reasonably, considers necessary in order to ensure compliance with [***]; (l) unless otherwise agreed by the Parties in writing, TELUS shall not transfer or otherwise Process any Personal Information, either physically or electronically outside of the TELUS location(s) from which the Services are delivered, and shall implement the obligations respecting confidentiality or [***] contained in this Agreement, the Schedules or under applicable Laws that are intended to prevent TELUS Representatives or subcontractors from accessing Personal Information from outside of, the TELUS location(s) from which the Services are delivered and pursuant to which Services the Personal Information is being disclosed or accessed; (m) TELUS shall immediately forward to the TI Privacy Office: (i) any enquiry by any individual relating to, among other things, access to, or the amendment of, any Personal Information, or (ii) any complaint received by TELUS relating to the Processing of Personal Information, and TELUS shall promptly comply and fully cooperate with all instructions of TI, as it may reasonably require, in responding to such enquiry or complaint; (n) unless expressly prohibited by Law, TELUS shall immediately notify TI of any inquiries, complaints, or notices of investigation or non-compliance received from any Canadian or foreign Governmental Authorities related to the Processing of Personal Information, and it shall promptly comply and fully cooperate with all instructions of TI, as it may reasonably require, in responding to such enquiries, complaints or notices, and any action taken in connection therewith; (o) if TELUS is required or becomes compelled by a Law or a judicial, regulator or administrative order to disclose any Personal Information, TELUS shall, unless expressly prohibited by Law, promptly (and in any event before complying with any such requirement) notify TI in writing and shall comply and fully cooperate with all instructions of TI with respect to all related , including taking legally available steps to resist or limit the disclosure and to maintain confidentiality by the court or regulatory or administrative body; (p) if TELUS becomes aware of, or has reason to suspect, a security breach related to Personal Information, any unauthorized access to, or Processing of, any Personal Information, or a breach of any of its obligations in this Article 16, TELUS shall immediately notify TI and TI’s Privacy Officer in writing, take all reasonable measures to rectify such breach and prevent any further breaches, and comply with all reasonable instructions of TI in investigating and remedying the breach or otherwise and, upon request by TI, provide commercially reasonable assistance, including records or information, to enable TI to comply with obligations imposed on TI by applicable Law; and (q) upon the expiry or termination of this Agreement, TELUS shall cease any and all use of Personal Information and shall, at the written request of TI, either securely return all Personal Information to TI, including any copies in every media, or securely and permanently destroy it using appropriate means and certify in writing such return/destruction within a timeframe requested by TI, acting reasonably. In the event applicable Law does not permit TELUS to comply with the return or destruction of the Personal Information, TELUS warrants that it shall ensure the strict confidentiality of the Personal Information and that it shall not Process any Personal Information by or on behalf of TI, or otherwise, after termination of the Agreement.

Protection of Personal Information. TELUS 23.1 This clause applies only where the Grantee deals with Personal Information when, and for the purpose of, performing the Grant Activity under this Agreement. 23.2 In this clause, the terms 'agency', 'approved privacy code' (APC), 'contracted services provided', 'Australian Privacy Principle' (APP), 'health service' and 'health information' have the same meaning as they have in section 6 of the Privacy Act 1988 (Cth) (Privacy Act) and subcontract and other grammatical forms of that word have the meaning given in section 95B(4) of the Privacy Act. 23.3 The Grantee acknowledges that it may be treated as a contracted services provider and agrees thatin respect of performing this Agreement: 23.3.1 to use or disclose Personal Information obtained during the course of performing the Grant Activity under this Agreement, only for the purposes of this Agreement; 23.3.2 not to do any act or engage in any practice that would breach an APP contained in section 14 of the Privacy Act, which if done or engaged in by an agency, would be a breach of that APP; 23.3.3 to carry out and discharge the obligations contained in the APPs as if it were an agency; 23.3.4 to notify individuals whose Personal Information the Grantee holds, that complaints about acts or practices of the Grantee may be investigated by the Privacy Commissioner who has power to award compensation against APIDTT in appropriate circumstances; 23.3.5 not to use or disclose Personal Information or engage in an act or practice that would breach section 16F (direct marketing) of the Privacy Act, any APP or an APC where that section, APP or APC is applicable to the Grantee, unless: (a) in providing the Servicescase of section 16F, it shall comply with Privacy Laws;the use or disclosure is necessary, directly or indirectly, in the performance of the Grant Activity under this Agreement; or (b) as between TI and TELUS, all Personal Information (excluding any information that has been disclosed by TELUS to TI or a TI Affiliate or subcontractor in the course case of obtaining services from TI under an Amended and Restated Master Services Agreement between the Parties dated January 1, 2021) is, and shall remainAPP or an APC, the exclusive property activity or practice is authorised by this Agreement and engaged in for the purpose of TI as performing the Data controllerGrant Activity under this Agreement and the activity or practice is inconsistent with the APP or APC; 23.3.6 to comply with any request under section 95C of the Privacy Act relating to disclosure of any provisions of this Agreement (cif any) TELUS as that are inconsistent with an APP or an APC binding on a party to this Agreement; 23.3.7 to notify XXXXXX immediately if the Services provider will only Process Grantee becomes aware of a breach or possible breach of any of the obligations contained in, or referred to in this clause, whether by the Grantee or any subcontractor; 23.3.8 to comply with any directions, guidelines, determinations or recommendations of the Privacy Commissioner to the extent that they are consistent with the requirements of this clause; and 23.3.9 to ensure that any officer, employee or agent of the Grantee who is required to deal with Personal Information for the purposes of rendering the Services in accordance with the this Agreement and as otherwise instructed by TI in writing from time to time; (d) TELUS shall treat all Personal Information as confidential and shall limit access to Personal Information to those Representatives or authorized subcontractors who have a need to access such information in order to deliver the Services; (e) TELUS shall advise its Representatives receiving Personal Information is made aware of the obligations of TELUS respecting confidentiality that are contained the Grantee set out in this Article 16 and in Article 15 (Confidential Information);clause. (f) except as may be otherwise expressly provided 23.4 The Grantee agrees to ensure that each subcontract entered into for in the body purpose of fulfilling its obligations under this Agreement or imposes on the Schedules, TELUS shall not disclose or transfer Personal Information and shall implement subcontractor the same obligations respecting confidentiality [***] contained in as the Grantee has under this Agreement, the Schedules or under applicable Laws that are intended to prevent TELUS Representatives or subcontractors from disclosing or transferring any Personal Information, to any third partyclause, including the requirement in relation to subcontracts. 23.5 APIDTT may, at any agent or subcontractor of TELUS, unless: (i) TI has consented time by notice in writing to such disclosure or transferthe Grantee, which consent TI may withhold in its absolute discretion; and (ii) TELUS has obtained require the written agreement of the third party Grantee to comply with all of the terms of this Article 16 with respect to Personal Information disclosed or transferred to it or otherwise collected or compiled by it; (g) TELUS shall take all agreed steps to implement [***], including measures required under applicable Privacy Laws, to [***] Personal Information against [***], including in the event of a disruption, disaster or failure of TELUS’ primary systems or operational controls; (h) TELUS shall establish, implement, maintain and fully comply with privacy policies (including privacy breach response) and practices designed to protect Personal Information from unauthorized access, use or disclosure or processing more generally, which will be specific to TELUS locations and operations; (i) TELUS shall permit Representatives of TI to review the privacy policies and documented practices of TELUS at any time during the Term, including the training of relevant personnel, as those policies and documented practices relate to Personal Informationgive, and to request TELUS arrange for the Personnel to make any changesgive, undertakings in writing, in accordance with a form required by XXXXXX, relating to the Change Management Procedures, that TI, acting reasonably, considers necessary in order to ensure compliance with TI privacy and [***] policies; (j) TELUS shall establish, implement, maintain and comply with the [***] to protect [***] non-disclosure of Personal Information. 23.6 If the Grantee receives a request under clause 23.5, including those [***] set out elsewhere it agrees to promptly arrange for all such undertakings to be given. 23.7 The Grantee agrees to indemnify APIDTT in this Agreement or the Schedules, which the Parties agree are adequate; (k) TELUS shall permit Representatives of TI to review [***] and to request TELUS, in accordance with the Change Management Procedures, to implement [***] as TI, acting reasonably, considers necessary in order to ensure compliance with [***]; (l) unless otherwise agreed by the Parties in writing, TELUS shall not transfer or otherwise Process any Personal Information, either physically or electronically outside of the TELUS location(s) from which the Services are delivered, and shall implement the obligations respecting confidentiality or [***] contained in this Agreement, the Schedules or under applicable Laws that are intended to prevent TELUS Representatives or subcontractors from accessing Personal Information from outside of, the TELUS location(s) from which the Services are delivered and pursuant to which Services the Personal Information is being disclosed or accessed; (m) TELUS shall immediately forward to the TI Privacy Office: (i) any enquiry by any individual relating to, among other things, access to, or the amendment of, any Personal Information, or (ii) any complaint received by TELUS relating to the Processing of Personal Information, and TELUS shall promptly comply and fully cooperate with all instructions of TI, as it may reasonably require, in responding to such enquiry or complaint; (n) unless expressly prohibited by Law, TELUS shall immediately notify TI respect of any inquiriesloss, complaints, liability or notices of investigation expense suffered or non-compliance received incurred by APIDTT which arises directly or indirectly from any Canadian or foreign Governmental Authorities related to the Processing of Personal Information, and it shall promptly comply and fully cooperate with all instructions of TI, as it may reasonably require, in responding to such enquiries, complaints or notices, and any action taken in connection therewith; (o) if TELUS is required or becomes compelled by a Law or a judicial, regulator or administrative order to disclose any Personal Information, TELUS shall, unless expressly prohibited by Law, promptly (and in any event before complying with any such requirement) notify TI in writing and shall comply and fully cooperate with all instructions of TI with respect to all related , including taking legally available steps to resist or limit the disclosure and to maintain confidentiality by the court or regulatory or administrative body; (p) if TELUS becomes aware of, or has reason to suspect, a security breach related to Personal Information, any unauthorized access to, or Processing of, any Personal Information, or a breach of any of its the Grantee's obligations under this clause, or a subcontractor under the subcontract provisions referred to in clause 23.4. 23.8 The Grantee's obligations under this clause are in addition to, and do not restrict, any obligations it may have under the Privacy Act or any privacy codes or privacy principles contained in, authorised by or registered under any Law including any such privacy codes or principles that would apply to the Grantee but for the application of this clause. 23.9 Notwithstanding any other provision in this Article 16clause, TELUS shall immediately notify TI and TI’s Privacy Officer in writing, take all reasonable measures where the Grantee provides a health service to rectify such breach and prevent any further breaches, and an individual it will: 23.9.1 comply with all reasonable instructions the APPs in relation to the use and disclosure of TI in investigating and remedying health information about the breach or otherwise and, upon request by TI, provide commercially reasonable assistance, including records or information, to enable TI to comply with obligations imposed on TI by applicable Lawindividual; and (q) upon the expiry 23.9.2 transfer health information to another health service provider when directed to do so by XXXXXX. 23.10 This clause 23 survives expiration or early termination of this Agreement, TELUS shall cease any and all use of Personal Information and shall, at the written request of TI, either securely return all Personal Information to TI, including any copies in every media, or securely and permanently destroy it using appropriate means and certify in writing such return/destruction within a timeframe requested by TI, acting reasonably. In the event applicable Law does not permit TELUS to comply with the return or destruction of the Personal Information, TELUS warrants that it shall ensure the strict confidentiality of the Personal Information and that it shall not Process any Personal Information by or on behalf of TI, or otherwise, after termination of the Agreement.

Protection of Personal Information. TELUS 15.1 This clause 15 applies only where the Service Provider deals with Personal Information when, and for the purpose of, providing Services under this Deed. 15.2 The Service Provider acknowledges that it is a ‘contracted service provider’ within the meaning of section 6 of the Privacy Act 1988 (‘the Privacy Act’), and agrees thatin respect of the provision of Services under this Deed: (a) in to use Personal Information obtained during the course of providing the Services, Services only for the purposes for which it shall comply with Privacy Lawsis collected and for fulfilling its obligations under this Deed; (b) as between TI and TELUSnot to do any act or engage in any practice that would breach an Information Privacy Principle (IPP) contained in section 14 of the Privacy Act, all Personal Information (excluding any information which if done or engaged in by an agency, would be a breach of that has been disclosed by TELUS to TI or a TI Affiliate or subcontractor in the course of obtaining services from TI under an Amended and Restated Master Services Agreement between the Parties dated January 1, 2021) is, and shall remain, the exclusive property of TI as the Data controllerIPP; (c) TELUS to carry out and discharge the obligations contained in the IPPs as if it were an agency under the Services provider will only Process Personal Information for the purposes of rendering the Services in accordance with the Agreement and as otherwise instructed by TI in writing from time to timePrivacy Act; (d) TELUS shall treat all to notify individuals whose Personal Information as confidential and shall limit access the Service Provider holds, that complaints about acts or practices of the Service Provider may be investigated by the Privacy Commissioner who has power to Personal Information to those Representatives or authorized subcontractors who have a need to access such information award compensation against the Service Provider in order to deliver the Servicesappropriate circumstances; (e) TELUS shall advise its Representatives receiving not to use or disclose Personal Information or engage in an act or practice that would breach section 16F (direct marketing) or a National Privacy Principle (NPP) (particularly NPPs 7 to 10) of the obligations of TELUS respecting confidentiality Privacy Act or an Approved Privacy Code (APC) under the Privacy Act, where that are contained in this Article 16 and in Article 15 (Confidential Information); (f) except as may be otherwise expressly provided for in section, NPP or APC is applicable to the body of this Agreement or the Schedules, TELUS shall not disclose or transfer Personal Information and shall implement the obligations respecting confidentiality [***] contained in this Agreement, the Schedules or under applicable Laws that are intended to prevent TELUS Representatives or subcontractors from disclosing or transferring any Personal Information, to any third party, including any agent or subcontractor of TELUSService Provider, unless: (i) TI has consented in writing the case of section 16F - the use or disclosure is necessary, directly or indirectly, to such disclosure or transfer, which consent TI may withhold in its absolute discretiondischarge an obligation under this Deed; andor (ii) TELUS has obtained in the written agreement case of an NPP or an APC - where the activity or practice is engaged in for the purpose of discharging, directly or indirectly, an obligation under this Deed, and the activity or practice which is authorised by this Deed is inconsistent with the NPP or APC; (f) to disclose in writing to any person who asks, the content of the third provisions of this Deed (if any) that are inconsistent with an NPP or an APC binding a party to comply with all of the terms of this Article 16 with respect to Personal Information disclosed or transferred to it or otherwise collected or compiled by itDeed; (g) TELUS shall take all agreed steps to implement [***], including measures required under applicable Privacy Laws, to [***] Personal Information against [***], including in immediately notify the event agency if the Service Provider becomes aware of a disruptionbreach or possible breach of any of the obligations contained in, disaster or failure of TELUS’ primary systems or operational controlsreferred to in, this clause 15; (h) TELUS shall establish, implement, maintain and fully to comply with privacy policies (including privacy breach response) and practices designed any directions, guidelines, determinations or recommendations of the Privacy Commissioner to protect Personal Information from unauthorized access, use or disclosure or processing more generally, which will be specific to TELUS locations and operations;the extent that they are not inconsistent with the requirements of this clause 15; and (i) TELUS shall permit Representatives of TI to review the privacy policies and documented practices of TELUS at any time during the Term, including the training of relevant personnel, as those policies and documented practices relate to Personal Information, and to request TELUS to make any changes, in accordance with the Change Management Procedures, that TI, acting reasonably, considers necessary in order to ensure compliance that any employee of the Service Provider who is required to deal with TI privacy and [***] policies; (j) TELUS shall establish, implement, maintain and comply with Personal Information for the [***] to protect [***] purposes of Personal Information, including those [***] this Deed is made aware of the obligations of the Service Provider set out elsewhere in this Agreement or the Schedules, which the Parties agree are adequate;clause 15. (k) TELUS shall permit Representatives of TI 15.3 The Service Provider agrees to review [***] and to request TELUS, indemnify AMSA in accordance with the Change Management Procedures, to implement [***] as TI, acting reasonably, considers necessary in order to ensure compliance with [***]; (l) unless otherwise agreed by the Parties in writing, TELUS shall not transfer or otherwise Process any Personal Information, either physically or electronically outside of the TELUS location(s) from which the Services are delivered, and shall implement the obligations respecting confidentiality or [***] contained in this Agreement, the Schedules or under applicable Laws that are intended to prevent TELUS Representatives or subcontractors from accessing Personal Information from outside of, the TELUS location(s) from which the Services are delivered and pursuant to which Services the Personal Information is being disclosed or accessed; (m) TELUS shall immediately forward to the TI Privacy Office: (i) any enquiry by any individual relating to, among other things, access to, or the amendment of, any Personal Information, or (ii) any complaint received by TELUS relating to the Processing of Personal Information, and TELUS shall promptly comply and fully cooperate with all instructions of TI, as it may reasonably require, in responding to such enquiry or complaint; (n) unless expressly prohibited by Law, TELUS shall immediately notify TI respect of any inquiriesloss, complaints, liability or notices of investigation expense suffered or non-compliance received incurred by AMSA which arises directly or indirectly from any Canadian or foreign Governmental Authorities related to the Processing of Personal Information, and it shall promptly comply and fully cooperate with all instructions of TI, as it may reasonably require, in responding to such enquiries, complaints or notices, and any action taken in connection therewith; (o) if TELUS is required or becomes compelled by a Law or a judicial, regulator or administrative order to disclose any Personal Information, TELUS shall, unless expressly prohibited by Law, promptly (and in any event before complying with any such requirement) notify TI in writing and shall comply and fully cooperate with all instructions of TI with respect to all related , including taking legally available steps to resist or limit the disclosure and to maintain confidentiality by the court or regulatory or administrative body; (p) if TELUS becomes aware of, or has reason to suspect, a security breach related to Personal Information, any unauthorized access to, or Processing of, any Personal Information, or a breach of any of its the obligations in of the Service Provider under this Article 16clause 15. 15.4 In this clause 15, TELUS shall immediately notify TI and TI’s the terms ‘agency’, ‘approved privacy code’ (APC), ‘Information Privacy Officer in writing, take all reasonable measures to rectify such breach and prevent any further breachesPrinciple’ (IPP), and comply with all reasonable instructions ‘National Privacy Principle’ (NPP) have the same meaning as they have in section 6 of TI in investigating and remedying the breach or otherwise and, upon request by TI, provide commercially reasonable assistance, including records or information, to enable TI to comply with obligations imposed on TI by applicable Law; andPrivacy Act. (q) upon 15.5 The provisions of this clause 15 survive the expiry expiration or termination of this Agreement, TELUS shall cease any and all use of Personal Information and shall, at the written request of TI, either securely return all Personal Information to TI, including any copies in every media, or securely and permanently destroy it using appropriate means and certify in writing such return/destruction within a timeframe requested by TI, acting reasonably. In the event applicable Law does not permit TELUS to comply with the return or destruction of the Personal Information, TELUS warrants that it shall ensure the strict confidentiality of the Personal Information and that it shall not Process any Personal Information by or on behalf of TI, or otherwise, after termination of the Agreement.Deed

Protection of Personal Information. TELUS 28.1 This clause applies only where the Administering Institution deals with Personal Information when, and for the purpose of, conducting the Award Activity under this Agreement. 28.2 The Administering Institution agrees thatto be treated as a contracted service provider and agrees to: (1) use Personal Information held in connection with the performance of the Award Activity under this Agreement only for the purposes of fulfilling its obligations under this Agreement; (2) not to do any act or engage in any practice which if done or engaged in by an agency, would be a breach of an Australian Privacy Principle (APP); (3) carry out and discharge the obligations contained in the APPs as if the Administering Institution were an agency; (4) notify individuals whose Personal Information the Administering Institution holds, that complaints about the Administering Institution’s acts or practices may be investigated by the Australian Information Commissioner who has power to award compensation against the Administering Institution in appropriate circumstances; (5) not to use or disclose Personal Information or engage in an act or practice that would breach section 16F of the Privacy Act (direct marketing), an APP, or an Approved Privacy Code (APC), unless: (a) in providing the Services, it shall comply with Privacy Laws;case of section 16F - the use or disclosure is explicitly required under this Agreement; or (b) as between TI and TELUS, all Personal Information (excluding any information that has been disclosed by TELUS to TI or a TI Affiliate or subcontractor in the course case of obtaining services from TI an APP or an APC - where the act or practice is explicitly required under an Amended and Restated Master Services Agreement between the Parties dated January 1, 2021) is, and shall remain, the exclusive property of TI as the Data controllerthis Agreement; (c6) TELUS as comply with any request under section 95C of the Services provider will only Process Privacy Act (relating to disclosure of any provisions of this Agreement (if any) that are inconsistent with an APP or an APC binding on a party); (7) immediately notify the Children’s Hospital Foundation if the Administering Institution becomes aware of a breach or possible breach of any of the obligations contained in, or referred to in, this clause 28 whether by the Administering Institution or its officers, employees, agents or any sub-contractor; (8) comply with the Privacy Act (to the extent that Act applies to the Administering Institution), including any guidelines issued by the Australian Privacy Commissioner and approved for the purposes of that Act; (9) comply with any relevant privacy law of a State or Territory (to the extent that such law applies to the Administering Institution); (10) comply with any directions, guidelines, determinations or recommendations of the Privacy Commissioner to the extent that they are consistent with the requirements of this clause 28; (11) ensure that any of the Administering Institution’s employees, agents, officers or volunteers who are required to deal with Personal Information for the purposes of rendering this Agreement are made aware of the Services Administering Institution’s obligations set out in accordance with the Agreement and as otherwise instructed by TI in writing from time to time;this clause 28; and (d12) TELUS shall treat all Personal Information indemnify the Children’s Hospital Foundation as confidential and shall limit access to Personal Information to those Representatives the circumstances require, in respect of any loss, liability or authorized subcontractors who have expense suffered or incurred by the Children’s Hospital Foundation, arising out of or in connection with a need to access such information in order to deliver the Services; (e) TELUS shall advise its Representatives receiving Personal Information breach of the obligations of TELUS respecting confidentiality the Administering Institution under this clause 28 or any misuse of Personal Information by the Administering Institution or any disclosure by the Administering Institution in breach of an obligation or confidence, whether arising under the Privacy Act or otherwise. 28.3 The Administering Institution agrees to ensure that are contained in this Article 16 and in Article 15 (Confidential Information); (f) except as may be otherwise expressly provided any sub-contract entered into for in the body purpose of fulfilling the Administering Institution’s obligations under this Agreement or imposes on the Schedules, TELUS shall not disclose or transfer Personal Information and shall implement subcontractor the same obligations respecting confidentiality [***] contained in as the Administering Institution has under this Agreement, the Schedules or under applicable Laws that are intended to prevent TELUS Representatives or subcontractors from disclosing or transferring any Personal Information, to any third party, including any agent or subcontractor of TELUS, unless: (i) TI has consented in writing to such disclosure or transfer, which consent TI may withhold in its absolute discretion; and (ii) TELUS has obtained the written agreement of the third party to comply with all of the terms of this Article 16 with respect to Personal Information disclosed or transferred to it or otherwise collected or compiled by it; (g) TELUS shall take all agreed steps to implement [***], including measures required under applicable Privacy Laws, to [***] Personal Information against [***], including in the event of a disruption, disaster or failure of TELUS’ primary systems or operational controls; (h) TELUS shall establish, implement, maintain and fully comply with privacy policies (including privacy breach response) and practices designed to protect Personal Information from unauthorized access, use or disclosure or processing more generally, which will be specific to TELUS locations and operations; (i) TELUS shall permit Representatives of TI to review the privacy policies and documented practices of TELUS at any time during the Termclause 28, including the training of relevant personnelrequirement in relation to subcontracts. 28.4 In this clause 28, as those policies and documented practices relate to Personal Informationthe terms 'agency', 'Approved Privacy Code' (APC), ‘contracted service provider’, and to request TELUS to make any changes, ‘Australian Privacy Principles' (APPs) have the same meaning as they have in accordance with the Change Management Procedures, that TI, acting reasonably, considers necessary in order to ensure compliance with TI privacy and [***] policies; (j) TELUS shall establish, implement, maintain and comply with the [***] to protect [***] of Personal Information, including those [***] set out elsewhere in this Agreement or the Schedules, which the Parties agree are adequate; (k) TELUS shall permit Representatives of TI to review [***] and to request TELUS, in accordance with the Change Management Procedures, to implement [***] as TI, acting reasonably, considers necessary in order to ensure compliance with [***]; (l) unless otherwise agreed by the Parties in writing, TELUS shall not transfer or otherwise Process any Personal Information, either physically or electronically outside section 6 of the TELUS location(s) from which the Services are deliveredPrivacy Act, and shall implement ‘sub-contract’ and other grammatical forms of that word has the obligations respecting confidentiality or [***] contained meaning given in this Agreement, the Schedules or under applicable Laws that are intended to prevent TELUS Representatives or subcontractors from accessing Personal Information from outside of, the TELUS location(ssection 95B(4) from which the Services are delivered and pursuant to which Services the Personal Information is being disclosed or accessed; (m) TELUS shall immediately forward to the TI Privacy Office: (i) any enquiry by any individual relating to, among other things, access to, or the amendment of, any Personal Information, or (ii) any complaint received by TELUS relating to the Processing of Personal Information, and TELUS shall promptly comply and fully cooperate with all instructions of TI, as it may reasonably require, in responding to such enquiry or complaint; (n) unless expressly prohibited by Law, TELUS shall immediately notify TI of any inquiries, complaints, or notices of investigation or non-compliance received from any Canadian or foreign Governmental Authorities related to the Processing of Personal Information, and it shall promptly comply and fully cooperate with all instructions of TI, as it may reasonably require, in responding to such enquiries, complaints or notices, and any action taken in connection therewith; (o) if TELUS is required or becomes compelled by a Law or a judicial, regulator or administrative order to disclose any Personal Information, TELUS shall, unless expressly prohibited by Law, promptly (and in any event before complying with any such requirement) notify TI in writing and shall comply and fully cooperate with all instructions of TI with respect to all related , including taking legally available steps to resist or limit the disclosure and to maintain confidentiality by the court or regulatory or administrative body; (p) if TELUS becomes aware of, or has reason to suspect, a security breach related to Personal Information, any unauthorized access to, or Processing of, any Personal Information, or a breach of any of its obligations in this Article 16, TELUS shall immediately notify TI and TI’s Privacy Officer in writing, take all reasonable measures to rectify such breach and prevent any further breaches, and comply with all reasonable instructions of TI in investigating and remedying the breach or otherwise and, upon request by TI, provide commercially reasonable assistance, including records or information, to enable TI to comply with obligations imposed on TI by applicable Law; and (q) upon the expiry or termination of this Agreement, TELUS shall cease any and all use of Personal Information and shall, at the written request of TI, either securely return all Personal Information to TI, including any copies in every media, or securely and permanently destroy it using appropriate means and certify in writing such return/destruction within a timeframe requested by TI, acting reasonably. In the event applicable Law does not permit TELUS to comply with the return or destruction of the Personal Information, TELUS warrants that it shall ensure the strict confidentiality of the Personal Information and that it shall not Process any Personal Information by or on behalf of TI, or otherwise, after termination of the AgreementPrivacy Act.

Protection of Personal Information. TELUS agrees that: (a) in providing the Services, it shall comply with Privacy Laws; (b) as between TI and TELUS, all Personal Information (excluding any information that has been disclosed by TELUS to TI or a TI Affiliate or subcontractor in the course of obtaining services from TI under an Amended and Restated Master Services Agreement between the Parties dated January 1, 2021) is, and shall remain, the exclusive property of TI as the Data controller; (c) TELUS as the Services provider will only Process Personal Information for the purposes of rendering the Services in accordance with the Agreement and as otherwise instructed by TI in writing from time to time; (d) TELUS shall treat all Personal Information as confidential and shall limit access to Personal Information to those Representatives or authorized subcontractors who have a need to access such information in order to deliver the Services; (e) TELUS shall advise its Representatives receiving Personal Information of the obligations of TELUS respecting confidentiality that are contained in this Article 16 15 and in Article 15 14 (Confidential Information); (f) except as may be otherwise expressly provided for in the body of this Agreement or the Schedules, TELUS shall not disclose or transfer Personal Information and shall implement the obligations respecting confidentiality [***] contained in this Agreement, the Schedules or under applicable Laws that are intended to prevent TELUS Representatives or subcontractors from disclosing or transferring any Personal Information, to any third party, including any agent or subcontractor of TELUS, unless: (i) TI has consented in writing to such disclosure or transfer, which consent TI may withhold in its absolute discretion; and (ii) TELUS has obtained the written agreement of the third party to comply with all of the terms of this Article 16 15 with respect to Personal Information disclosed or transferred to it or otherwise collected or compiled by it; (g) TELUS shall take all agreed steps to implement [***], including measures required under applicable Privacy Laws, to [***] Personal Information against [***], including in the event of a disruption, disaster or failure of TELUS’ primary systems or operational controls; (h) TELUS shall establish, implement, maintain and fully comply with privacy policies (including privacy breach response) and practices designed to protect Personal Information from unauthorized access, use or disclosure or processing more generally, which will be specific to TELUS locations and operations; (i) TELUS shall permit Representatives of TI to review the privacy policies and documented practices of TELUS at any time during the Term, including the training of relevant personnel, as those policies and documented practices relate to Personal Information, and to request TELUS to make any changes, in accordance with the Change Management Procedures, that TI, acting reasonably, considers necessary in order to ensure compliance with TI privacy and [***] policies; (j) TELUS shall establish, implement, maintain and comply with the [***] to protect [***] of Personal Information, including those [***] set out elsewhere in this Agreement or the Schedules, which the Parties agree are adequate; (k) TELUS shall permit Representatives of TI to review [***] and to request TELUS, in accordance with the Change Management Procedures, to implement [***] as TI, acting reasonably, considers necessary in order to ensure compliance with [***]; (l) unless otherwise agreed by the Parties in writing, TELUS shall not transfer or otherwise Process any Personal Information, either physically or electronically outside of the TELUS location(s) from which the Services are delivered, and shall implement the obligations respecting confidentiality or [***] contained in this Agreement, the Schedules or under applicable Laws that are intended to prevent TELUS Representatives or subcontractors from accessing Personal Information from outside of, the TELUS location(s) from which the Services are delivered and pursuant to which Services the Personal Information is being disclosed or accessed; (m) TELUS shall immediately forward to the TI Privacy Office: (i) any enquiry inquiry by any individual relating to, among other things, access to, or the amendment of, any Personal Information, or (ii) any complaint received by TELUS relating to the Processing of Personal Information, and TELUS shall promptly comply and fully cooperate with all instructions of TI, as it may reasonably require, in responding to such enquiry inquiry or complaintcomplaints; (n) unless expressly prohibited by Law, TELUS shall immediately notify TI of any inquiries, complaints, or notices of investigation or non-compliance received from any Canadian or foreign Governmental Authorities related to the Processing of Personal Information, and it shall promptly comply and fully cooperate with all instructions of TI, as it may reasonably require, in responding to such enquiries, complaints or notices, and any action taken in connection therewith; (o) if TELUS is required or becomes compelled by a Law law or a judicial, regulator or administrative order to disclose any Personal Information, TELUS shall, unless expressly prohibited by Law, promptly (and in any event before complying with any such requirement) notify TI in writing and shall comply and fully cooperate with all instructions of TI with respect to all related , including taking legally available steps to resist or limit the disclosure and to maintain confidentiality by the court or regulatory or administrative body; (p) if TELUS becomes aware of, or has reason to suspect, a security breach related to Personal Information, any unauthorized access to, or Processing of, any Personal Information, or a breach of any of its obligations in this Article 1615, TELUS shall immediately notify TI and TI’s Privacy Officer in writing, take all reasonable measures to rectify such breach and prevent any further breaches, and comply with all reasonable instructions of TI in investigating and remedying the breach or otherwise and, upon request by TI, provide commercially reasonable assistance, including records or information, to enable TI to comply with obligations imposed on TI by applicable Law; and (q) upon the expiry or termination of this Agreement, or upon request of TI, TELUS shall cease any and all use of Personal Information and shall, at the written request of TI, either securely return all Personal Information to TI, including any copies in every media, or securely and permanently destroy it using appropriate means and certify in writing such return/destruction within a timeframe requested by TI, acting reasonably. In the event applicable Law does not permit TELUS to comply with the return or destruction of the Personal Information, TELUS warrants that it shall ensure the strict confidentiality of the Personal Information and that it shall not Process any Personal Information by or on behalf of TI, or otherwise, after termination of the Agreement.

Protection of Personal Information. TELUS 23.1 This clause applies only where Diabetes Australia deals with Personal Information when, and for the purpose of, performing the Scheme under this Agreement. 23.2 In this clause 23, the terms ‘approved privacy code’ (APC), ‘Information Privacy Principles’ (IPP), ‘National Privacy Principles’ (NPP), ‘health service’ and health information’, have the same meaning as they have in section 6 of the Privacy Xxx 0000 (the Privacy Act). 23.3 Diabetes Australia acknowledges that it may be treated as a 'contracted service provider' within the meaning of section 6 of the Privacy Act and agrees thatin respect of performing the Scheme: (a) in providing to use and disclose Personal Information obtained during the Servicescourse of performing the Scheme under this Agreement, it shall comply with Privacy Lawsonly for the purposes of this Agreement; (b) as between TI and TELUSnot to do any act or engage in any practice that would breach an IPP contained in section 14 of the Privacy Act, all Personal Information (excluding any information which if done or engaged in by the Commonwealth, would be a breach of that has been disclosed by TELUS to TI or a TI Affiliate or subcontractor in the course of obtaining services from TI under an Amended and Restated Master Services Agreement between the Parties dated January 1, 2021) is, and shall remain, the exclusive property of TI as the Data controllerIPP; (c) TELUS to carry out and discharge the obligations contained in the IPPs as if it were the Services provider will only Process Personal Information for Commonwealth under the purposes of rendering the Services in accordance with the Agreement and as otherwise instructed by TI in writing from time to timePrivacy Act; (d) TELUS shall treat all not to use or disclose Personal Information as confidential and shall limit access to Personal Information to those Representatives or authorized subcontractors who have a need to access such information engage in order to deliver the Services; an act or practice that would breach section 16F (edirect marketing) TELUS shall advise its Representatives receiving Personal Information of the obligations of TELUS respecting confidentiality Privacy Act, any NPP or an APC where that are contained in this Article 16 and in Article 15 (Confidential Information); (f) except as may be otherwise expressly provided for in the body of this Agreement section, NPP or the Schedules, TELUS shall not disclose or transfer Personal Information and shall implement the obligations respecting confidentiality [***] contained in this Agreement, the Schedules or under APC is applicable Laws that are intended to prevent TELUS Representatives or subcontractors from disclosing or transferring any Personal Information, to any third party, including any agent or subcontractor of TELUSDiabetes Australia, unless: (i) TI has consented in the case of section 16F, the use or disclosure is necessary, directly or indirectly, in the performance of the Scheme under this Agreement; or (ii) in the case of an NPP or an APC, the activity or practice is authorised by this Agreement and engaged in for the purpose of performing the Scheme under this Agreement, and the activity or practice is inconsistent with the NPP or APC; (e) to disclose in writing to such disclosure any person who asks, the content of the provisions of this Agreement (if any) that are inconsistent with an NPP or transferan APC binding a party to this Agreement; (f) to immediately notify the Commonwealth if Diabetes Australia becomes aware of a breach or possible breach of any of the obligations contained in, which consent TI may withhold in its absolute discretionor referred to in, this clause 23, whether by Diabetes Australia or any entity it has entered into an arrangement with for the performance of the Scheme;; and (iig) TELUS has obtained to ensure that any employee of Diabetes Australia who is required to deal with Personal Information for the written agreement purposes of this Agreement is made aware of the third party obligations of Diabetes Australia set out in this clause 23. 23.4 Diabetes Australia agrees to comply with all ensure that any arrangement it has entered into for the performance of the terms of this Article 16 with respect to Personal Information disclosed or transferred to it or otherwise collected or compiled by it; (g) TELUS shall take all agreed steps to implement [***], including measures required under applicable Privacy Laws, to [***] Personal Information against [***], including in the event of a disruption, disaster or failure of TELUS’ primary systems or operational controls; (h) TELUS shall establish, implement, maintain and fully comply with privacy policies (including privacy breach response) and practices designed to protect Personal Information from unauthorized access, use or disclosure or processing more generally, which will be specific to TELUS locations and operations; (i) TELUS shall permit Representatives of TI to review the privacy policies and documented practices of TELUS at any time during the Term, including the training of relevant personnel, as those policies and documented practices relate to Personal Information, and to request TELUS to make any changes, in accordance with the Change Management Procedures, that TI, acting reasonably, considers necessary in order Scheme contains provisions to ensure compliance with TI privacy that that entity has the same awareness and [***] policies;obligations as Diabetes Australia has under this clause. (j) TELUS shall establish23.5 Diabetes Australia agrees to indemnify the Commonwealth in respect of any loss, implement, maintain and comply with the [***] to protect [***] of Personal Information, including those [***] set out elsewhere in this Agreement liability or the Schedules, which the Parties agree are adequate; (k) TELUS shall permit Representatives of TI to review [***] and to request TELUS, in accordance with the Change Management Procedures, to implement [***] as TI, acting reasonably, considers necessary in order to ensure compliance with [***]; (l) unless otherwise agreed expense suffered or incurred by the Parties in writing, TELUS shall not transfer Commonwealth which arises directly or otherwise Process any Personal Information, either physically or electronically outside of the TELUS location(s) indirectly from which the Services are delivered, and shall implement the obligations respecting confidentiality or [***] contained in this Agreement, the Schedules or under applicable Laws that are intended to prevent TELUS Representatives or subcontractors from accessing Personal Information from outside of, the TELUS location(s) from which the Services are delivered and pursuant to which Services the Personal Information is being disclosed or accessed; (m) TELUS shall immediately forward to the TI Privacy Office: (i) any enquiry by any individual relating to, among other things, access to, or the amendment of, any Personal Information, or (ii) any complaint received by TELUS relating to the Processing of Personal Information, and TELUS shall promptly comply and fully cooperate with all instructions of TI, as it may reasonably require, in responding to such enquiry or complaint; (n) unless expressly prohibited by Law, TELUS shall immediately notify TI of any inquiries, complaints, or notices of investigation or non-compliance received from any Canadian or foreign Governmental Authorities related to the Processing of Personal Information, and it shall promptly comply and fully cooperate with all instructions of TI, as it may reasonably require, in responding to such enquiries, complaints or notices, and any action taken in connection therewith; (o) if TELUS is required or becomes compelled by a Law or a judicial, regulator or administrative order to disclose any Personal Information, TELUS shall, unless expressly prohibited by Law, promptly (and in any event before complying with any such requirement) notify TI in writing and shall comply and fully cooperate with all instructions of TI with respect to all related , including taking legally available steps to resist or limit the disclosure and to maintain confidentiality by the court or regulatory or administrative body; (p) if TELUS becomes aware of, or has reason to suspect, a security breach related to Personal Information, any unauthorized access to, or Processing of, any Personal Information, or a breach of any of its the obligations of Diabetes Australia under this clause 23, or an entity it has entered into an arrangement with for the performance of the Scheme. 23.6 Notwithstanding any other provision in this Article 16clause 23, TELUS shall immediately notify TI and TI’s Privacy Officer in writing, take all reasonable measures where Diabetes Australia provides a health service to rectify such breach and prevent any further breaches, and an individual it will: (a) comply with all reasonable instructions the NPPs in relation to the use and disclosure of TI in investigating and remedying health information about the breach or otherwise andindividual, upon request by TI, provide commercially reasonable assistance, including records or information, to enable TI to comply with obligations imposed on TI by applicable Law; and (qb) upon transfer health information to another health service provider when directed to do so by the expiry or termination of this Agreement, TELUS shall cease any and all use of Personal Information and shall, at the written request of TI, either securely return all Personal Information to TI, including any copies in every media, or securely and permanently destroy it using appropriate means and certify in writing such return/destruction within a timeframe requested by TI, acting reasonably. In the event applicable Law does not permit TELUS to comply with the return or destruction of the Personal Information, TELUS warrants that it shall ensure the strict confidentiality of the Personal Information and that it shall not Process any Personal Information by or on behalf of TI, or otherwise, after termination of the AgreementCommonwealth.

Protection of Personal Information. TELUS agrees that5.1 The Employee may have access to personal information (as defined in The Freedom of Information and Protection of Privacy Act, C.C.S.M. c. F175, hereinafter referred to as “FIPPA”) in the course of their prescribed duties. Accordingly, while this Agreement is in effect and at all times thereafter, the Employee must: (a) in providing the Services, it shall comply with Privacy Lawsthe principles and provisions of FIPPA including any regulation made thereunder; (b) treat and retain as between TI and TELUSstrictly confidential all personal information, all Personal Information (excluding any information that acquired or to which access has been disclosed by TELUS to TI or a TI Affiliate or subcontractor given in the course of obtaining services from TI under an Amended and Restated Master Services Agreement between the Parties dated January 1of, 2021) is, and shall remainor incidental to, the exclusive property performance of TI as the Data controllerthis Agreement; (c) TELUS as not disclose, nor authorize, nor permit to be disclosed, to any person, corporation or organization now, or at any time in the Services provider will only Process Personal Information for the purposes of rendering the Services in accordance with the Agreement and as otherwise instructed by TI in writing future, such personal information without first obtaining written permission from time to time;Manitoba; and (d) TELUS shall treat all comply with any rules or directions made or given by Manitoba with respect to safeguarding or ensuring the confidentiality and security of such personal information. 5.2 The Employee may have access to personal health information (as defined in The Personal Health Information Act, C.C.S.M, c. P33.5 hereinafter referred to as “PHIA”) in the course providing the Services to Manitoba, which is information of a highly confidential and shall limit sensitive nature. Accordingly, while this Agreement is in effect and at all times thereafter, the Employee must: (a) comply with the principles and provisions of PHIA including any regulation made thereunder; (b) treat and retain as strictly confidential all personal health information acquired or to which access has been given in the course of, or incidental to, the performance of this Agreement; (c) not disclose, nor authorize, nor permit to Personal Information be disclosed, to those Representatives any person, corporation or authorized subcontractors who have a need organization now, or at any time in the future, such personal health information without first obtaining written permission from Manitoba; and (d) comply with any rules or directions made or given by Manitoba with respect to access safeguarding or ensuring the confidentiality and security of such information in order to deliver the Servicespersonal health information; (e) TELUS shall advise its Representatives receiving Personal Information on request of the obligations of TELUS respecting confidentiality that are contained in this Article 16 and in Article 15 (Confidential Information);Manitoba complete any PHIA training provided by Manitoba; and (f) except as may be otherwise expressly provided for in the body of this Agreement or the Schedules, TELUS shall not disclose or transfer Personal Information complete and shall implement the obligations respecting confidentiality [***] contained in this Agreement, the Schedules or under applicable Laws that are intended to prevent TELUS Representatives or subcontractors from disclosing or transferring any Personal Information, to any third party, including any agent or subcontractor of TELUS, unless: (i) TI has consented in writing to such disclosure or transfer, which consent TI may withhold in its absolute discretion; and (ii) TELUS has obtained the written agreement of the third party to comply with all of the terms of this Article 16 with respect to Personal Information disclosed or transferred to it or otherwise collected or compiled by it; (g) TELUS shall take all agreed steps to implement [***], including measures required under applicable Privacy Laws, to [***] Personal Information against [***], including in the event of a disruption, disaster or failure of TELUS’ primary systems or operational controls; (h) TELUS shall establish, implement, maintain and fully comply with privacy policies (including privacy breach response) and practices designed to protect Personal Information from unauthorized access, use or disclosure or processing more generally, which will be specific to TELUS locations and operations; (i) TELUS shall permit Representatives of TI to review the privacy policies and documented practices of TELUS at any time during the Term, including the training of relevant personnel, as those policies and documented practices relate to Personal Information, and to request TELUS to make any changes, in accordance with the Change Management Procedures, that TI, acting reasonably, considers necessary in order to ensure compliance with TI privacy and [***] policies; (j) TELUS shall establish, implement, maintain and comply with the [***] to protect [***] of Personal Information, including those [***] set out elsewhere in this Agreement or the Schedules, which the Parties agree are adequate; (k) TELUS shall permit Representatives of TI to review [***] and to request TELUS, in accordance with the Change Management Procedures, to implement [***] as TI, acting reasonably, considers necessary in order to ensure compliance with [***]; (l) unless otherwise agreed abide by the Parties in writing, TELUS shall not transfer or otherwise Process any Personal Information, either physically or electronically outside “PHIA Pledge of the TELUS location(s) from which the Services are delivered, and shall implement the obligations respecting confidentiality or [***] contained in this Agreement, the Schedules or under applicable Laws that are intended to prevent TELUS Representatives or subcontractors from accessing Personal Information from outside of, the TELUS location(s) from which the Services are delivered and pursuant to which Services the Personal Information is being disclosed or accessed; (m) TELUS shall immediately forward to the TI Privacy Office: (i) any enquiry by any individual relating to, among other things, access to, or the amendment of, any Personal Information, or (ii) any complaint received by TELUS relating to the Processing of Personal Information, and TELUS shall promptly comply and fully cooperate with all instructions of TI, as it may reasonably require, in responding to such enquiry or complaint; (n) unless expressly prohibited by Law, TELUS shall immediately notify TI of any inquiries, complaints, or notices of investigation or non-compliance received from any Canadian or foreign Governmental Authorities related to the Processing of Personal Information, and it shall promptly comply and fully cooperate with all instructions of TI, as it may reasonably require, in responding to such enquiries, complaints or notices, and any action taken in connection therewith; (o) if TELUS is required or becomes compelled by a Law or a judicial, regulator or administrative order to disclose any Personal Information, TELUS shall, unless expressly prohibited by Law, promptly (and in any event before complying with any such requirement) notify TI in writing and shall comply and fully cooperate with all instructions of TI with respect to all related , including taking legally available steps to resist or limit the disclosure and to maintain confidentiality by the court or regulatory or administrative body; (p) if TELUS becomes aware of, or has reason to suspect, a security breach related to Personal Information, any unauthorized access to, or Processing of, any Personal Information, or a breach of any of its obligations in this Article 16, TELUS shall immediately notify TI and TI’s Privacy Officer in writing, take all reasonable measures to rectify such breach and prevent any further breaches, and comply with all reasonable instructions of TI in investigating and remedying the breach or otherwise and, upon request by TI, provide commercially reasonable assistance, including records or information, to enable TI to comply with obligations imposed on TI by applicable Law; and (q) upon the expiry or termination of this Agreement, TELUS shall cease any and all use of Personal Information and shall, at the written request of TI, either securely return all Personal Information to TI, including any copies in every media, or securely and permanently destroy it using appropriate means and certify in writing such return/destruction within a timeframe requested by TI, acting reasonably. In the event applicable Law does not permit TELUS to comply with the return or destruction of the Personal Information, TELUS warrants that it shall ensure the strict confidentiality of the Personal Information and that it shall not Process any Personal Information by or on behalf of TI, or otherwise, after termination of the AgreementConfidentiality”.

Protection of Personal Information. TELUS agrees that‌ 16.1 This clause 16 applies only where You deal with Personal Information when, and for the purpose of, conducting the Activity under this Agreement. 16.2 You agree to be treated as a 'contracted service provider' within the meaning of section 6 of the Privacy Xxx 0000 (Cth) (the Privacy Act), and agree in respect to the conduct of the Activity under this Agreement: (a) in providing to use or disclose Personal Information obtained during the Servicescourse of conducting the Activity under this Agreement, it shall comply with Privacy Laws;only for the purposes of this Agreement (b) as between TI and TELUSnot to do any act or engage in any practice that would breach an Information Privacy Principle (IPP) contained in section 14 of the Privacy Act, all Personal Information (excluding any information which if done or engaged in by an agency, would be a breach of that has been disclosed by TELUS to TI or a TI Affiliate or subcontractor in the course of obtaining services from TI under an Amended and Restated Master Services Agreement between the Parties dated January 1, 2021) is, and shall remain, the exclusive property of TI as the Data controller;IPP (c) TELUS to carry out and discharge the obligations contained in the IPPs as if You were an agency under that Act (d) to notify individuals whose Personal Information You hold, that complaints about Your acts or practices may be investigated by the Services provider will only Process Information Commissioner who has power to award compensation against You in appropriate circumstances (e) not to use or disclose Personal Information or engage in an act or practice that would breach section 16F (direct marketing), a National Privacy Principle (NPP) (particularly NPPs seven to ten) or an Approved Privacy Code (APC), where that section, NPP or APC is applicable to You, unless: i. in the case of section 16F - the use or disclosure is necessary, directly or indirectly, to discharge an obligation under this Agreement, or ii. in the case of an NPP or an APC - where the activity or practice is engaged in for the purpose of discharging, directly or indirectly, an obligation under this Agreement, and the activity or practice which is authorised by this Agreement is inconsistent with the NPP or APC (f) to disclose in writing to any person who asks, the content of the provisions of this Agreement (if any) that are inconsistent with an NPP or an APC binding a Party to this Agreement (g) to immediately notify Us if You become aware of a breach or possible breach of any of the obligations contained in, or referred to in, this clause 16, whether by You or any subcontractor (h) to comply with any directions, guidelines, determinations or recommendations of the Information Commissioner to the extent that they are not inconsistent with the requirements of this clause 16 (i) to ensure that any of Your employees who are required to deal with Personal Information for the purposes of rendering the Services in accordance with the this Agreement and as otherwise instructed by TI in writing from time to time; (d) TELUS shall treat all Personal Information as confidential and shall limit access to Personal Information to those Representatives or authorized subcontractors who have a need to access such information in order to deliver the Services; (e) TELUS shall advise its Representatives receiving Personal Information are made aware of the Your obligations of TELUS respecting confidentiality that are contained set out in this Article 16 and in Article 15 (Confidential Information);clause 16. (f) except as may be otherwise expressly provided 16.3 You must ensure that any subcontract entered into for in the body purpose of fulfilling Your obligations under this Agreement or contains provisions to ensure that the Schedules, TELUS shall not disclose or transfer Personal Information subcontractor has the same awareness and shall implement the obligations respecting confidentiality [***] contained in as You have under this Agreement, the Schedules or under applicable Laws that are intended to prevent TELUS Representatives or subcontractors from disclosing or transferring any Personal Information, to any third party, including any agent or subcontractor of TELUS, unless: (i) TI has consented in writing to such disclosure or transfer, which consent TI may withhold in its absolute discretion; and (ii) TELUS has obtained the written agreement of the third party to comply with all of the terms of this Article 16 with respect to Personal Information disclosed or transferred to it or otherwise collected or compiled by it; (g) TELUS shall take all agreed steps to implement [***], including measures required under applicable Privacy Laws, to [***] Personal Information against [***], including in the event of a disruption, disaster or failure of TELUS’ primary systems or operational controls; (h) TELUS shall establish, implement, maintain and fully comply with privacy policies (including privacy breach response) and practices designed to protect Personal Information from unauthorized access, use or disclosure or processing more generally, which will be specific to TELUS locations and operations; (i) TELUS shall permit Representatives of TI to review the privacy policies and documented practices of TELUS at any time during the Termclause, including the training of relevant personnel, as those policies and documented practices relate requirement in relation to Personal Information, and to request TELUS to make any changes, subcontracts. 16.4 You indemnify Us in accordance with the Change Management Procedures, that TI, acting reasonably, considers necessary in order to ensure compliance with TI privacy and [***] policies; (j) TELUS shall establish, implement, maintain and comply with the [***] to protect [***] of Personal Information, including those [***] set out elsewhere in this Agreement or the Schedules, which the Parties agree are adequate; (k) TELUS shall permit Representatives of TI to review [***] and to request TELUS, in accordance with the Change Management Procedures, to implement [***] as TI, acting reasonably, considers necessary in order to ensure compliance with [***]; (l) unless otherwise agreed by the Parties in writing, TELUS shall not transfer or otherwise Process any Personal Information, either physically or electronically outside of the TELUS location(s) from which the Services are delivered, and shall implement the obligations respecting confidentiality or [***] contained in this Agreement, the Schedules or under applicable Laws that are intended to prevent TELUS Representatives or subcontractors from accessing Personal Information from outside of, the TELUS location(s) from which the Services are delivered and pursuant to which Services the Personal Information is being disclosed or accessed; (m) TELUS shall immediately forward to the TI Privacy Office: (i) any enquiry by any individual relating to, among other things, access to, or the amendment of, any Personal Information, or (ii) any complaint received by TELUS relating to the Processing of Personal Information, and TELUS shall promptly comply and fully cooperate with all instructions of TI, as it may reasonably require, in responding to such enquiry or complaint; (n) unless expressly prohibited by Law, TELUS shall immediately notify TI respect of any inquiriesloss, complaints, liability or notices of investigation expense suffered or non-compliance received incurred by Us which arises directly or indirectly from any Canadian or foreign Governmental Authorities related to the Processing of Personal Information, and it shall promptly comply and fully cooperate with all instructions of TI, as it may reasonably require, in responding to such enquiries, complaints or notices, and any action taken in connection therewith; (o) if TELUS is required or becomes compelled by a Law or a judicial, regulator or administrative order to disclose any Personal Information, TELUS shall, unless expressly prohibited by Law, promptly (and in any event before complying with any such requirement) notify TI in writing and shall comply and fully cooperate with all instructions of TI with respect to all related , including taking legally available steps to resist or limit the disclosure and to maintain confidentiality by the court or regulatory or administrative body; (p) if TELUS becomes aware of, or has reason to suspect, a security breach related to Personal Information, any unauthorized access to, or Processing of, any Personal Information, or a breach of any of its Your obligations in under this Article clause 16, TELUS shall immediately notify TI and TI’s or from a subcontractor's breach of the subcontract provisions referred to in subclause 16.3. 16.5 In this clause 16, the terms 'agency', 'Approved Privacy Officer in writingCode' (APC), take all reasonable measures to rectify such breach and prevent any further breaches'Information Privacy Principles' (IPPs), and comply with all reasonable instructions 'National Privacy Principles' (NPPs) have the same meaning as they have in section 6 of TI the Privacy Act, and ‘subcontract’ and other grammatical forms of that word has the meaning given in investigating and remedying section 95B(4) of the breach Privacy Act. 16.6 The provisions relating to clause 16 shall survive the termination or otherwise and, upon request by TI, provide commercially reasonable assistance, including records or information, to enable TI to comply with obligations imposed on TI by applicable Law; and (q) upon the expiry or termination expiration of this Agreement, TELUS shall cease any and all use of Personal Information and shall, at the written request of TI, either securely return all Personal Information to TI, including any copies in every media, or securely and permanently destroy it using appropriate means and certify in writing such return/destruction within a timeframe requested by TI, acting reasonably. In the event applicable Law does not permit TELUS to comply with the return or destruction of the Personal Information, TELUS warrants that it shall ensure the strict confidentiality of the Personal Information and that it shall not Process any Personal Information by or on behalf of TI, or otherwise, after termination of the Agreement.

Protection of Personal Information. TELUS agrees 11.1 The Landlord may receive various types of information from the Tenant and its Affiliates in connection with the Offer to Lease, this Lease and the credit checks referred to in clause 10.2 above, which may include personal information, data and electronic communications and transactions information (hereinafter referred to as "Personal Information") as contemplated in the Protection of Personal Information Act, 4 of 2013 ("POPIA"). It is agreed that: 11.1.1 the Tenant authorises the Landlord and its Affiliates (aand warrants that it has obtained consent from its Affiliates to authorise the Landlord and its Affiliates) in providing to collect, store, use and otherwise process (collectively, "Process") the Services, it shall comply with Privacy Laws; (b) as between TI and TELUS, all Personal Information (excluding any information that has been disclosed by TELUS to TI or a TI Affiliate or subcontractor in the course of obtaining services from TI under an Amended and Restated Master Services Agreement between the Parties dated January 1, 2021) is, and shall remain, the exclusive property of TI as the Data controller; (c) TELUS as the Services provider will only Process Personal Information for the purposes purpose of rendering negotiating, executing, implementing, enforcing and otherwise carrying out any act in connection with this Offer and the Services in accordance Lease Agreement, including assessing from time to time the business and financial position of the Tenant and (where relevant) its Affiliates, and for marketing, promotion and financial reporting of its leasing operations, and for complying with the Agreement Landlord's statutory obligations in terms of inter alia the Financial Intelligence Centre Act, the Income Tax Act, the Value-Added Tax Act, the Companies Act and legislation and rules relating to the operation of the Johannesburg Stock Exchange (collectively referred to as "the Stated Purpose"); 11.1.2 the Landlord and its Affiliates may electronically or otherwise instructed Process the Personal Information for the Stated Purpose, and may retain such Personal Information for as long as is necessary in order to achieve, and from time to time comply with, the Stated Purpose, and shall furthermore be entitled to retain it insofar as such retention is necessary in order to comply with any statutory or other legal obligations; 11.1.3 the Landlord will endeavour to treat Personal Information received by TI it with reasonable care. Whenever the Tenant is of the opinion that the Landlord or its Affiliates have failed to do so, the Tenant shall inform Landlord thereof in writing giving specific details of the alleged failure, its effect on the Tenant, and the Tenant's proposed remedy for the failure. Landlord will review the Tenant's written representations and, if within Xxxxxxxx's discretion deemed advisable (and where possible taking commercially reasonable and affordable measures), take corrective ac t i on and in any event within 20 business days inform the Tenant about corrective actions taken, if any. 11.2 Despite such undertaking, the Tenant acknowledges that it is possible for internet-based communications to be intercepted or incorrectly transmitted. Even with the use of encryption, the internet is not a secure medium and privacy cannot be ensured. Internet use and e-mail is vulnerable to interception, fraud and forging. The Tenant accepts such risks, and warrants that its Affiliates have accepted such risks. 11.3 Except to the extent of its own gross negligence, recklessness or wilful misconduct, the Landlord will not be liable for any damages suffered by the Tenant, its Affiliates or any third party as a result of: 11.3.1 the unauthorised or unlawful interception, theft, transmission or disclosure of confidential or other Personal Information disclosed to or held by the Landlord and/or its representatives or agents, by means of internet access, email communications, or otherwise, and/or 11.3.2 any errors in or any changes made to any confidential or other Personal Information. 11.4 To e ns ur e acquaintance with and awareness of the privacy measures and policies of the Landlord, the Tenant warrants that it has read and understood the privacy policies and disclaimers published on the Landlord's website, as amended from time to time;. (d) TELUS shall treat all Personal Information as confidential and shall limit 11.5 The Tenant, having its own access to Personal Information to those Representatives or authorized subcontractors who have a need to access such information in order to deliver commercially sound advice and legal representation, confirms that it is satisfied with the Services; (e) TELUS shall advise its Representatives receiving Personal Information of the obligations of TELUS respecting confidentiality that are contained in this Article 16 and in Article 15 (Confidential Information); (f) except as may be otherwise expressly provided for in the body contents of this Agreement or the Schedules, TELUS shall not disclose or transfer Personal Information and shall implement the obligations respecting confidentiality [***] contained in this Agreement, the Schedules or under applicable Laws that are intended to prevent TELUS Representatives or subcontractors from disclosing or transferring any Personal Informationclause 10 and, to any third party, including any agent or subcontractor of TELUS, unless: (i) TI has consented in writing to such disclosure or transfer, which consent TI may withhold in its absolute discretion; and (ii) TELUS has obtained the written agreement of extent that the third party to comply with all of the terms of this Article 16 with respect to Personal Information disclosed or transferred to it or otherwise collected or compiled by it; (g) TELUS shall take all agreed steps to implement [***], including measures required under applicable Privacy Laws, to [***] Personal Information against [***], including in the event of a disruption, disaster or failure of TELUS’ primary systems or operational controls; (h) TELUS shall establish, implement, maintain and fully comply with privacy policies (including privacy breach response) and practices designed to protect Personal Information from unauthorized access, use or disclosure or processing more generally, which will be specific to TELUS locations and operations; (i) TELUS shall permit Representatives of TI to review the privacy policies and documented practices of TELUS at any time during the Term, including the training of relevant personnel, as those policies and documented practices relate to Personal Information, and to request TELUS to make any changes, in accordance with the Change Management Procedures, that TI, acting reasonably, considers necessary in order to ensure compliance with TI privacy and [***] policies; (j) TELUS shall establish, implement, maintain and contents hereof do not comply with the [***] to protect [***] provisions of Personal Information, including those [***] set out elsewhere in this Agreement or the Schedules, which the Parties agree are adequate; (ksections 5 and 18(1) TELUS shall permit Representatives of TI to review [***] and to request TELUS, in accordance with the Change Management Procedures, to implement [***] as TI, acting reasonably, considers necessary in order to ensure compliance with [***]; (l) unless otherwise agreed by the Parties in writing, TELUS shall not transfer or otherwise Process any Personal Information, either physically or electronically outside of the TELUS location(s) from which the Services are delivered, and shall implement the obligations respecting confidentiality or [***] contained in this AgreementPOPIA, the Schedules or under applicable Laws that are intended to prevent TELUS Representatives or subcontractors from accessing Personal Information from outside of, the TELUS location(sTenant (on its own behalf and on behalf of its Affiliates) from which the Services are delivered and pursuant to which Services the Personal Information is being disclosed or accessed; (m) TELUS shall immediately forward to the TI Privacy Office: (i) any enquiry by any individual relating to, among other things, access to, or the amendment of, any Personal Information, or (ii) any complaint received by TELUS relating to the Processing of Personal Information, and TELUS shall promptly comply and fully cooperate with all instructions of TI, as it may reasonably require, in responding consents to such enquiry or complaint; (n) unless expressly prohibited by Law, TELUS shall immediately notify TI of any inquiries, complaints, or notices of investigation or non-compliance received from any Canadian or foreign Governmental Authorities related to and furthermore warrants that the Processing of Personal Information, and it shall promptly comply and fully cooperate with all instructions of TI, as it may reasonably require, in responding to such enquiries, complaints or notices, and any action taken in connection therewith; (o) if TELUS is required or becomes compelled by a Law or a judicial, regulator or administrative order to disclose any Personal Information, TELUS shall, unless expressly prohibited by Law, promptly (and in any event before complying with any such requirement) notify TI in writing and shall comply and fully cooperate with all instructions of TI with respect to all related , including taking legally available steps to resist or limit the disclosure and to maintain confidentiality non-compliance by the court or regulatory or administrative body; (p) if TELUS becomes aware of, or has reason to suspect, a security breach related to Personal Information, any unauthorized access to, or Processing of, any Personal Information, or a breach of any of its obligations in this Article 16, TELUS shall immediately notify TI and TI’s Privacy Officer in writing, take all reasonable measures to rectify Landlord with such breach and prevent any further breaches, and comply with all reasonable instructions of TI in investigating and remedying the breach or otherwise and, upon request by TI, provide commercially reasonable assistance, including records or information, to enable TI to comply with obligations imposed on TI by applicable Law; and (q) upon the expiry or termination of this Agreement, TELUS shall cease any and all use of Personal Information and shall, at the written request of TI, either securely return all Personal Information to TI, including any copies in every media, or securely and permanently destroy it using appropriate means and certify in writing such return/destruction within a timeframe requested by TI, acting reasonably. In the event applicable Law section does not permit TELUS to comply with prejudice the return or destruction legitimate interests of the Personal Information, TELUS warrants that it shall ensure the strict confidentiality of the Personal Information and that it shall not Process any Personal Information by Tenant or on behalf of TI, or otherwise, after termination of the Agreementits Affiliates.

Protection of Personal Information. TELUS 15.1 This clause 15 applies only to the extent that the APO deals with Personal Information and Sensitive Information in performing its obligations in accordance with this Deed. 15.2 In this clause 15, the following terms have the same meaning as they have in the Privacy Act:  Personal Information;  Sensitive Information;  an agency; and  APPs (Australian Privacy Principles). 15.3 The APO agrees thatthat in performing its obligations in accordance with this Deed, it will: (a) in providing the Services, it shall comply with Privacy Laws; (b) as between TI and TELUS, all 15.3.1 use or disclose Personal Information (excluding any information that has been disclosed by TELUS to TI or a TI Affiliate or subcontractor and Sensitive Information obtained in the course of obtaining services from TI under an Amended and Restated Master Services Agreement between performing its obligations in accordance with this Deed only for the Parties dated January 1, 2021) is, and shall remain, the exclusive property purposes of TI as the Data controllerthis Deed; 15.3.2 carry out and discharge the obligations contained in the APPs as if it were an agency; 15.3.3 not do any act or engage in any practice which, if done or engaged in by an agency, would be a breach of an APP; 15.3.4 not use or disclose Personal or Sensitive Information which would breach the Privacy Act (cwhere applied) TELUS as , unless that act or practice is explicitly required under this Deed; 15.3.5 comply with any request under section 95C of the Services provider will only Process Privacy Act; 15.3.6 notify the Department immediately if the APO becomes aware of a breach or possible breach of any of the obligations contained in, or referred to in, this clause 15, whether by the APO, its Personnel and/or an SCO; and 15.3.7 ensure that all Personnel required to deal with Personal Information and Sensitive Information for the purposes of rendering the Services in accordance with the Agreement and as otherwise instructed by TI in writing from time to time; (d) TELUS shall treat all Personal Information as confidential and shall limit access to Personal Information to those Representatives or authorized subcontractors who have a need to access such information in order to deliver the Services; (e) TELUS shall advise its Representatives receiving Personal Information this Deed are made aware of the obligations of TELUS respecting confidentiality that are contained the APO set out in this Article 16 and in Article 15 (Confidential Information);clause 15. (f) except as may be otherwise expressly provided for in the body of this Agreement or the Schedules, TELUS shall not disclose or transfer Personal Information and shall implement the obligations respecting confidentiality [***] contained in this Agreement, the Schedules or under applicable Laws that are intended to prevent TELUS Representatives or subcontractors from disclosing or transferring any Personal Information, to any third party, including any agent or subcontractor of TELUS, unless: (i) TI has consented in writing to such disclosure or transfer, which consent TI may withhold in its absolute discretion; and (ii) TELUS has obtained the written agreement of the third party to comply with all of the terms of this Article 16 with respect to Personal Information disclosed or transferred to it or otherwise collected or compiled by it; (g) TELUS shall take all agreed steps to implement [***], including measures required under applicable Privacy Laws, to [***] Personal Information against [***], including in the event of a disruption, disaster or failure of TELUS’ primary systems or operational controls; (h) TELUS shall establish, implement, maintain and fully comply with privacy policies (including privacy breach response) and practices designed to protect Personal Information from unauthorized access, use or disclosure or processing more generally, which will be specific to TELUS locations and operations; (i) TELUS shall permit Representatives of TI to review the privacy policies and documented practices of TELUS at any time during the Term, including the training of relevant personnel, as those policies and documented practices relate to Personal Information, and to request TELUS to make any changes, in accordance with the Change Management Procedures, that TI, acting reasonably, considers necessary in order 15.4 The APO agrees to ensure compliance with TI privacy and [***] policies; (j) TELUS shall establishthat if it appoints or engages SCOs for the purpose of performing the APO’s obligations under this Deed, implement, maintain and comply with it will impose on any SCOs the [***] to protect [***] of Personal Information, including those [***] set out elsewhere in same obligations that the APO has under this Agreement or the Schedules, which the Parties agree are adequate; (k) TELUS shall permit Representatives of TI to review [***] and to request TELUS, in accordance with the Change Management Procedures, to implement [***] as TI, acting reasonably, considers necessary in order to ensure compliance with [***]; (l) unless otherwise agreed by the Parties in writing, TELUS shall not transfer or otherwise Process any Personal Information, either physically or electronically outside of the TELUS location(s) from which the Services are delivered, and shall implement the obligations respecting confidentiality or [***] contained in this Agreement, the Schedules or under applicable Laws that are intended to prevent TELUS Representatives or subcontractors from accessing Personal Information from outside of, the TELUS location(s) from which the Services are delivered and pursuant to which Services the Personal Information is being disclosed or accessed; (m) TELUS shall immediately forward to the TI Privacy Office: (i) any enquiry by any individual relating to, among other things, access to, or the amendment of, any Personal Information, or (ii) any complaint received by TELUS relating to the Processing of Personal Information, and TELUS shall promptly comply and fully cooperate with all instructions of TI, as it may reasonably require, in responding to such enquiry or complaint; (n) unless expressly prohibited by Law, TELUS shall immediately notify TI of any inquiries, complaints, or notices of investigation or non-compliance received from any Canadian or foreign Governmental Authorities related to the Processing of Personal Information, and it shall promptly comply and fully cooperate with all instructions of TI, as it may reasonably require, in responding to such enquiries, complaints or notices, and any action taken in connection therewith; (o) if TELUS is required or becomes compelled by a Law or a judicial, regulator or administrative order to disclose any Personal Information, TELUS shall, unless expressly prohibited by Law, promptly (and in any event before complying with any such requirement) notify TI in writing and shall comply and fully cooperate with all instructions of TI with respect to all related , including taking legally available steps to resist or limit the disclosure and to maintain confidentiality by the court or regulatory or administrative body; (p) if TELUS becomes aware of, or has reason to suspect, a security breach related to Personal Information, any unauthorized access to, or Processing of, any Personal Information, or a breach of any of its obligations in this Article 16, TELUS shall immediately notify TI and TI’s Privacy Officer in writing, take all reasonable measures to rectify such breach and prevent any further breaches, and comply with all reasonable instructions of TI in investigating and remedying the breach or otherwise and, upon request by TI, provide commercially reasonable assistance, including records or information, to enable TI to comply with obligations imposed on TI by applicable Law; and (q) upon the expiry or termination of this Agreement, TELUS shall cease any and all use of Personal Information and shall, at the written request of TI, either securely return all Personal Information to TI, including any copies in every media, or securely and permanently destroy it using appropriate means and certify in writing such return/destruction within a timeframe requested by TI, acting reasonably. In the event applicable Law does not permit TELUS to comply with the return or destruction of the Personal Information, TELUS warrants that it shall ensure the strict confidentiality of the Personal Information and that it shall not Process any Personal Information by or on behalf of TI, or otherwise, after termination of the Agreementclause 15.

Protection of Personal Information. TELUS 24.1 This clause 24 applies only where the Service Provider deals with personal information when, and for the purpose of, providing the Services under this Contract. 24.2 In this clause 24, the terms ‘agency’, ‘approved privacy code’ ("APC"), ‘contracted service provider’, ‘Information Privacy Principles’ ("IPPs"), ‘National Privacy Principles’ ("NPPs") and 'personal information' have the same meaning as they have in section 6 of the Privacy Act 1988 (Cth) ("Privacy Act") and ‘subcontract’ and other grammatical forms of that word have the meaning given in subsection 95B (4) of the Privacy Act. 24.3 The Service Provider acknowledges that it may be treated as a ‘contracted service provider’ and agrees thatin respect of the provision of the Services under this Contract: (a) in to use or disclose personal information obtained during the course of providing the ServicesServices under this Contract, it shall comply with Privacy Lawsonly for the purposes of this Contract; (b) as between TI and TELUSnot to do any act or engage in any practice which if done or engaged in by an agency, all Personal Information (excluding any information that has been disclosed by TELUS to TI or would be a TI Affiliate or subcontractor in the course breach of obtaining services from TI under an Amended and Restated Master Services Agreement between the Parties dated January 1, 2021) is, and shall remain, the exclusive property of TI as the Data controllerIPP; (c) TELUS to carry out and discharge the obligations contained in the IPPs as the Services provider will only Process Personal Information for the purposes of rendering the Services in accordance with the Agreement and as otherwise instructed by TI in writing from time to timeif it were an agency; (d) TELUS shall treat all Personal to notify individuals whose personal information the Service Provider holds, that complaints about acts or practices of the Service Provider may be investigated by the Information as confidential and shall limit access to Personal Commissioner, the Privacy Commissioner or the Freedom of Information to those Representatives or authorized subcontractors Commissioner who have a need power to access such information award compensation against the Service Provider in order to deliver the Servicesappropriate circumstances; (e) TELUS shall advise its Representatives receiving Personal Information not to use or disclose personal information or engage in an act or practice that would breach section 16F (direct marketing) of the obligations of TELUS respecting confidentiality Privacy Act, an NPP (particularly NPPS 7 to 10) or an APC where that are contained in this Article 16 and in Article 15 (Confidential Information); (f) except as may be otherwise expressly provided for in section, NPP or APC is applicable to the body of this Agreement or the Schedules, TELUS shall not disclose or transfer Personal Information and shall implement the obligations respecting confidentiality [***] contained in this Agreement, the Schedules or under applicable Laws that are intended to prevent TELUS Representatives or subcontractors from disclosing or transferring any Personal Information, to any third party, including any agent or subcontractor of TELUSService Provider, unless: (i) TI has consented in writing the case of section 16F, the use or disclosure is necessary, directly or indirectly, to such disclosure or transfer, which consent TI may withhold in its absolute discretiondischarge an obligation under this Contract; andor (ii) TELUS has obtained in the written agreement case of an NPP or an APC, where the third party activity or practice is engaged in for the purpose of discharging, directly or indirectly, an obligation under this Contract, and the activity or practice which is authorised by this Contract is inconsistent with the NPP or APC; (f) to comply with all any request under section 95C of the terms Privacy Act (relating to disclosure of any provisions of this Article 16 Contract (if any) that are inconsistent with respect to Personal Information disclosed an NPP or transferred to it or otherwise collected or compiled by itan APC binding on a Party); (g) TELUS shall take all agreed steps to implement [***], including measures required under applicable Privacy Laws, to [***] Personal Information against [***], including in immediately notify the event Commonwealth if the Service Provider becomes aware of a disruptionbreach or possible breach of any of the obligations contained in, disaster or failure of TELUS’ primary systems referred to in, this clause 24, whether by the Service Provider or operational controlsany subcontractor; (h) TELUS shall establish, implement, maintain and fully to comply with privacy policies (including privacy breach response) and practices designed any directions, guidelines, determinations or recommendations of the Information Commissioner, the Privacy Commissioner or the Freedom of Information Commissioner to protect Personal Information from unauthorized access, use or disclosure or processing more generally, which will be specific to TELUS locations and operations;the extent that they are consistent with the requirements of this clause 24; and (i) TELUS shall permit Representatives to ensure that any Service Provider Personnel who are required to deal with personal information for the purposes of TI this Contract are made aware of the obligations of the Service Provider set out in this clause 24. 24.4 The Service Provider agrees to review ensure that any subcontract entered into for the privacy policies and documented practices purpose of TELUS fulfilling its obligations under this Contract imposes on the subcontractor the same obligations as the Service Provider has under this clause 24, including the requirement in relation to subcontracts. 24.5 The Commonwealth may at any time during require the Term, including the training of relevant personnel, as those policies and documented practices relate Service Provider to Personal Informationgive, and to request TELUS arrange for Service Provider Personnel engaged in the performance of the Services to make any changesgive, undertakings in accordance with the Change Management Procedures, that TI, acting reasonably, considers necessary writing in order to ensure compliance with TI privacy and [***] policies; (j) TELUS shall establish, implement, maintain and comply with the [***] to protect [***] of Personal Information, including those [***] set out elsewhere in this Agreement or the Schedules, which the Parties agree are adequate; (k) TELUS shall permit Representatives of TI to review [***] and to request TELUS, in accordance with the Change Management Procedures, to implement [***] as TI, acting reasonably, considers necessary in order to ensure compliance with [***]; (l) unless otherwise agreed a form required by the Parties in writingCommonwealth, TELUS shall not transfer or otherwise Process any Personal Information, either physically or electronically outside of the TELUS location(s) from which the Services are delivered, and shall implement the obligations respecting confidentiality or [***] contained in this Agreement, the Schedules or under applicable Laws that are intended to prevent TELUS Representatives or subcontractors from accessing Personal Information from outside of, the TELUS location(s) from which the Services are delivered and pursuant to which Services the Personal Information is being disclosed or accessed; (m) TELUS shall immediately forward to the TI Privacy Office: (i) any enquiry by any individual relating to, among other things, access to, or the amendment of, any Personal Information, or (ii) any complaint received by TELUS relating to the Processing non- disclosure of Personal Informationpersonal information. 24.6 If the Service Provider receives a request under clause 24.5, and TELUS shall it agrees to promptly comply and fully cooperate with arrange for all instructions of TI, as it may reasonably require, such undertakings to be given. 24.7 The Service Provider agrees to indemnify the Commonwealth in responding to such enquiry or complaint; (n) unless expressly prohibited by Law, TELUS shall immediately notify TI respect of any inquiriesloss, complaints, liability or notices of investigation expense suffered or non-compliance received from any Canadian or foreign Governmental Authorities related to the Processing of Personal Information, and it shall promptly comply and fully cooperate with all instructions of TI, as it may reasonably require, in responding to such enquiries, complaints or notices, and any action taken in connection therewith; (o) if TELUS is required or becomes compelled by a Law or a judicial, regulator or administrative order to disclose any Personal Information, TELUS shall, unless expressly prohibited by Law, promptly (and in any event before complying with any such requirement) notify TI in writing and shall comply and fully cooperate with all instructions of TI with respect to all related , including taking legally available steps to resist or limit the disclosure and to maintain confidentiality incurred by the court Commonwealth which arises directly or regulatory or administrative body; (p) if TELUS becomes aware of, or has reason to suspect, a security breach related to Personal Information, any unauthorized access to, or Processing of, any Personal Information, or indirectly from a breach of any of its the obligations of the Service Provider under this clause 24, or a subcontractor under the subcontract provisions referred to in clause 24.4. 24.8 The Service Provider’s obligations under this Article 16, TELUS shall immediately notify TI and TI’s Privacy Officer clause 24 are in writing, take all reasonable measures to rectify such breach and prevent any further breachesaddition to, and comply with all reasonable instructions of TI in investigating and remedying do not restrict, any obligations it may have under the breach Privacy Act or otherwise andany privacy codes or privacy principles contained in, upon request authorised by TI, provide commercially reasonable assistance, or registered under any law including records any such privacy codes or information, principles that would apply to enable TI to comply with obligations imposed on TI by applicable Law; and (q) upon the expiry or termination Service Provider but for the application of this Agreement, TELUS shall cease any and all use of Personal Information and shall, at the written request of TI, either securely return all Personal Information to TI, including any copies in every media, or securely and permanently destroy it using appropriate means and certify in writing such return/destruction within a timeframe requested by TI, acting reasonably. In the event applicable Law does not permit TELUS to comply with the return or destruction of the Personal Information, TELUS warrants that it shall ensure the strict confidentiality of the Personal Information and that it shall not Process any Personal Information by or on behalf of TI, or otherwise, after termination of the Agreementclause 24. PART 4 SUBCONTRACTING

Protection of Personal Information. TELUS 22.1 This clause applies only where the Grantee deals with Personal Information when, and for the purpose of, performing the Grant Activity under this Agreement. 22.2 In this clause, the terms 'agency', 'approved privacy code' (APC), 'contracted services provided', 'Australian Privacy Principle' (APP), 'health service' and 'health information' have the same meaning as they have in section 6 of the Privacy Act 1988 (Cth) (Privacy Act) and subcontract and other grammatical forms of that word have the meaning given in section 95B(4) of the Privacy Act. 22.3 The Grantee acknowledges that it may be treated as a contracted services provider and agrees thatin respect of performing this Agreement: 22.3.1 to use or disclose Personal Information obtained during the course of performing the Grant Activity under this Agreement, only for the purposes of this Agreement; 22.3.2 not to do any act or engage in any practice that would breach an APP contained in section 14 of the Privacy Act, which if done or engaged in by an agency, would be a breach of that APP; 22.3.3 to carry out and discharge the obligations contained in the APPs as if it were an agency; 22.3.4 to notify individuals whose Personal Information the Grantee holds, that complaints about acts or practices of the Grantee may be investigated by the Privacy Commissioner who has power to award compensation against APIDTT in appropriate circumstances; 22.3.5 not to use or disclose Personal Information or engage in an act or practice that would breach section 16F (direct marketing) of the Privacy Act, any APP or an APC where that section, APP or APC is applicable to the Grantee, unless: (a) in providing the Servicescase of section 16F, it shall comply with Privacy Laws;the use or disclosure is necessary, directly or indirectly, in the performance of the Grant Activity under this Agreement; or (b) as between TI and TELUS, all Personal Information (excluding any information that has been disclosed by TELUS to TI or a TI Affiliate or subcontractor in the course case of obtaining services from TI under an Amended and Restated Master Services Agreement between the Parties dated January 1, 2021) is, and shall remainAPP or an APC, the exclusive property activity or practice is authorised by this Agreement and engaged in for the purpose of TI as performing the Data controllerGrant Activity under this Agreement and the activity or practice is inconsistent with the APP or APC; 22.3.6 to comply with any request under section 95C of the Privacy Act relating to disclosure of any provisions of this Agreement (cif any) TELUS as that are inconsistent with an APP or an APC binding on a party to this Agreement; 22.3.7 to notify XXXXXX immediately if the Services provider will only Process Grantee becomes aware of a breach or possible breach of any of the obligations contained in, or referred to in this clause, whether by the Grantee or any subcontractor; 22.3.8 to comply with any directions, guidelines, determinations or recommendations of the Privacy Commissioner to the extent that they are consistent with the requirements of this clause; and 22.3.9 to ensure that any officer, employee or agent of the Grantee who is required to deal with Personal Information for the purposes of rendering the Services in accordance with the this Agreement and as otherwise instructed by TI in writing from time to time; (d) TELUS shall treat all Personal Information as confidential and shall limit access to Personal Information to those Representatives or authorized subcontractors who have a need to access such information in order to deliver the Services; (e) TELUS shall advise its Representatives receiving Personal Information is made aware of the obligations of TELUS respecting confidentiality that are contained the Grantee set out in this Article 16 and in Article 15 (Confidential Information);clause. (f) except as may be otherwise expressly provided 22.4 The Grantee agrees to ensure that each subcontract entered into for in the body purpose of fulfilling its obligations under this Agreement or imposes on the Schedules, TELUS shall not disclose or transfer Personal Information and shall implement subcontractor the same obligations respecting confidentiality [***] contained in as the Grantee has under this Agreement, the Schedules or under applicable Laws that are intended to prevent TELUS Representatives or subcontractors from disclosing or transferring any Personal Information, to any third partyclause, including the requirement in relation to subcontracts. 22.5 APIDTT may, at any agent or subcontractor of TELUS, unless: (i) TI has consented time by notice in writing to such disclosure or transferthe Grantee, which consent TI may withhold in its absolute discretion; and (ii) TELUS has obtained require the written agreement of the third party Grantee to comply with all of the terms of this Article 16 with respect to Personal Information disclosed or transferred to it or otherwise collected or compiled by it; (g) TELUS shall take all agreed steps to implement [***], including measures required under applicable Privacy Laws, to [***] Personal Information against [***], including in the event of a disruption, disaster or failure of TELUS’ primary systems or operational controls; (h) TELUS shall establish, implement, maintain and fully comply with privacy policies (including privacy breach response) and practices designed to protect Personal Information from unauthorized access, use or disclosure or processing more generally, which will be specific to TELUS locations and operations; (i) TELUS shall permit Representatives of TI to review the privacy policies and documented practices of TELUS at any time during the Term, including the training of relevant personnel, as those policies and documented practices relate to Personal Informationgive, and to request TELUS arrange for the Personnel to make any changesgive, undertakings in writing, in accordance with a form required by XXXXXX, relating to the Change Management Procedures, that TI, acting reasonably, considers necessary in order to ensure compliance with TI privacy and [***] policies; (j) TELUS shall establish, implement, maintain and comply with the [***] to protect [***] non-disclosure of Personal Information. 22.6 If the Grantee receives a request under clause 22.5, including those [***] set out elsewhere it agrees to promptly arrange for all such undertakings to be given. 22.7 The Grantee agrees to indemnify APIDTT in this Agreement or the Schedules, which the Parties agree are adequate; (k) TELUS shall permit Representatives of TI to review [***] and to request TELUS, in accordance with the Change Management Procedures, to implement [***] as TI, acting reasonably, considers necessary in order to ensure compliance with [***]; (l) unless otherwise agreed by the Parties in writing, TELUS shall not transfer or otherwise Process any Personal Information, either physically or electronically outside of the TELUS location(s) from which the Services are delivered, and shall implement the obligations respecting confidentiality or [***] contained in this Agreement, the Schedules or under applicable Laws that are intended to prevent TELUS Representatives or subcontractors from accessing Personal Information from outside of, the TELUS location(s) from which the Services are delivered and pursuant to which Services the Personal Information is being disclosed or accessed; (m) TELUS shall immediately forward to the TI Privacy Office: (i) any enquiry by any individual relating to, among other things, access to, or the amendment of, any Personal Information, or (ii) any complaint received by TELUS relating to the Processing of Personal Information, and TELUS shall promptly comply and fully cooperate with all instructions of TI, as it may reasonably require, in responding to such enquiry or complaint; (n) unless expressly prohibited by Law, TELUS shall immediately notify TI respect of any inquiriesloss, complaints, liability or notices of investigation expense suffered or non-compliance received incurred by APIDTT which arises directly or indirectly from any Canadian or foreign Governmental Authorities related to the Processing of Personal Information, and it shall promptly comply and fully cooperate with all instructions of TI, as it may reasonably require, in responding to such enquiries, complaints or notices, and any action taken in connection therewith; (o) if TELUS is required or becomes compelled by a Law or a judicial, regulator or administrative order to disclose any Personal Information, TELUS shall, unless expressly prohibited by Law, promptly (and in any event before complying with any such requirement) notify TI in writing and shall comply and fully cooperate with all instructions of TI with respect to all related , including taking legally available steps to resist or limit the disclosure and to maintain confidentiality by the court or regulatory or administrative body; (p) if TELUS becomes aware of, or has reason to suspect, a security breach related to Personal Information, any unauthorized access to, or Processing of, any Personal Information, or a breach of any of its the Grantee's obligations under this clause, or a subcontractor under the subcontract provisions referred to in clause 22.4. 22.8 The Grantee's obligations under this clause are in addition to, and do not restrict, any obligations it may have under the Privacy Act or any privacy codes or privacy principles contained in, authorised by or registered under any Law including any such privacy codes or principles that would apply to the Grantee but for the application of this clause. 22.9 Notwithstanding any other provision in this Article 16clause, TELUS shall immediately notify TI and TI’s Privacy Officer in writing, take all reasonable measures where the Grantee provides a health service to rectify such breach and prevent any further breaches, and an individual it will: 22.9.1 comply with all reasonable instructions the APPs in relation to the use and disclosure of TI in investigating and remedying health information about the breach or otherwise and, upon request by TI, provide commercially reasonable assistance, including records or information, to enable TI to comply with obligations imposed on TI by applicable Lawindividual; and (q) upon the expiry 22.9.2 transfer health information to another health service provider when directed to do so by XXXXXX. 22.10 This clause 22 survives expiration or early termination of this Agreement, TELUS shall cease any and all use of Personal Information and shall, at the written request of TI, either securely return all Personal Information to TI, including any copies in every media, or securely and permanently destroy it using appropriate means and certify in writing such return/destruction within a timeframe requested by TI, acting reasonably. In the event applicable Law does not permit TELUS to comply with the return or destruction of the Personal Information, TELUS warrants that it shall ensure the strict confidentiality of the Personal Information and that it shall not Process any Personal Information by or on behalf of TI, or otherwise, after termination of the Agreement.

Protection of Personal Information. TELUS 23.1 This clause applies only where the Institution deals with Personal Information when, and for the purpose of, conducting the Project under this Agreement. 23.2 The Institution agrees thatto be treated as a contracted service provider and agrees to: (a) use Personal Information held in providing connection with the Services, it shall comply with Privacy Lawsperformance of the Projects under this Agreement only for the purposes of fulfilling its obligations under this Agreement; (b) as between TI and TELUSnot to do any act or engage in any practice which if done or engaged in by an agency, all Personal would be a breach of an Information Privacy Principle (excluding any information that has been disclosed by TELUS to TI or a TI Affiliate or subcontractor in the course of obtaining services from TI under an Amended and Restated Master Services Agreement between the Parties dated January 1, 2021) is, and shall remain, the exclusive property of TI as the Data controllerIPP); (c) TELUS carry out and discharge the obligations contained in the IPPs as if the Services provider will only Process Personal Information for the purposes of rendering the Services in accordance with the Agreement and as otherwise instructed by TI in writing from time to timeInstitution were an agency; (d) TELUS shall treat all notify individuals whose Personal Information as confidential and shall limit access the Institution holds, that complaints about the Institution’s acts or practices may be investigated by the Privacy Commissioner who has power to Personal Information to those Representatives or authorized subcontractors who have a need to access such information award compensation against the Institution in order to deliver the Servicesappropriate circumstances; (e) TELUS shall advise its Representatives receiving not to use or disclose Personal Information or engage in an act or practice that would breach section 16F of the obligations of TELUS respecting confidentiality that are contained in this Article 16 and in Article 15 Privacy Xxx 0000 (Confidential Informationdirect marketing); , a National Privacy Principle (fNPP), (particularly NPPs 7 to10) except as may be otherwise expressly provided for in the body of this Agreement or the Schedules, TELUS shall not disclose or transfer Personal Information and shall implement the obligations respecting confidentiality [***] contained in this Agreement, the Schedules or under applicable Laws that are intended to prevent TELUS Representatives or subcontractors from disclosing or transferring any Personal Information, to any third party, including any agent or subcontractor of TELUSan Approved Privacy Code (APC), unless: (i) TI has consented in writing to such the case of section 16F – the use or disclosure or transfer, which consent TI may withhold in its absolute discretionis explicitly required under this Agreement; andor (ii) TELUS has obtained in the written agreement case of an NPP or an APC – where the act or practice is explicitly required under this Agreement ; (f) comply with any request under section 95C of the third party Privacy Act (relating to comply with all disclosure of the terms any provisions of this Article 16 Agreement (if any) that are inconsistent with respect to Personal Information disclosed an NPP or transferred to it or otherwise collected or compiled by itan APC binding on a Party); (g) TELUS shall take all agreed steps to implement [***], including measures required under applicable Privacy Laws, to [***] Personal Information against [***], including in immediately notify Cancer Australia if the event Institution becomes aware of a disruptionbreach or possible breach of any of the obligations contained in, disaster or failure of TELUS’ primary systems referred to in, this clause 23, whether by the Institution or operational controlsany subcontractor; (h) TELUS shall establish, implement, maintain and fully comply with privacy policies the Privacy Xxx 0000 (to the extent that Act applies to the Institution), including privacy breach response) any guidelines issued by Cancer Australia and practices designed to protect Personal Information from unauthorized access, use or disclosure or processing more generally, which will be specific to TELUS locations and operationsapproved for the purposes of that Act; (i) TELUS shall permit Representatives comply with any relevant privacy law of TI State or Territory (to review the privacy policies and documented practices of TELUS at any time during extent that such law applies to the Term, including the training of relevant personnel, as those policies and documented practices relate to Personal Information, and to request TELUS to make any changes, in accordance with the Change Management Procedures, that TI, acting reasonably, considers necessary in order to ensure compliance with TI privacy and [***] policiesInstitution); (j) TELUS shall establish, implement, maintain and comply with any directions, guidelines, determinations or recommendations of the [***] Privacy Commissioner to protect [***] the extent that they are consistent with the requirements of Personal Information, including those [***] set out elsewhere in this Agreement or the Schedules, which the Parties agree are adequateclause 23; (k) TELUS shall permit Representatives ensure that any of TI the Institution’s employees, agents, officers or volunteers who are required to review [***] and to request TELUS, deal with Personal Information for the purposes of this Agreement are made aware of the Institution’s obligations set out in accordance with the Change Management Procedures, to implement [***] as TI, acting reasonably, considers necessary in order to ensure compliance with [***];this clause 23; and (l) unless otherwise agreed by indemnify Cancer Australia and each Funding Partner (if any) as the Parties in writing, TELUS shall not transfer or otherwise Process any Personal Information, either physically or electronically outside of the TELUS location(s) from which the Services are delivered, and shall implement the obligations respecting confidentiality or [***] contained in this Agreement, the Schedules or under applicable Laws that are intended to prevent TELUS Representatives or subcontractors from accessing Personal Information from outside of, the TELUS location(s) from which the Services are delivered and pursuant to which Services the Personal Information is being disclosed or accessed; (m) TELUS shall immediately forward to the TI Privacy Office: (i) any enquiry by any individual relating to, among other things, access to, or the amendment of, any Personal Information, or (ii) any complaint received by TELUS relating to the Processing of Personal Information, and TELUS shall promptly comply and fully cooperate with all instructions of TI, as it may reasonably circumstances require, in responding to such enquiry or complaint; (n) unless expressly prohibited by Law, TELUS shall immediately notify TI respect of any inquiriesloss, complaintsliability or expense suffered or incurred by Cancer Australia, arising out of or notices of investigation or non-compliance received from any Canadian or foreign Governmental Authorities related to the Processing of Personal Information, and it shall promptly comply and fully cooperate with all instructions of TI, as it may reasonably require, in responding to such enquiries, complaints or notices, and any action taken in connection therewith; (o) if TELUS is required or becomes compelled by a Law or a judicial, regulator or administrative order to disclose any Personal Information, TELUS shall, unless expressly prohibited by Law, promptly (and in any event before complying with any such requirement) notify TI in writing and shall comply and fully cooperate with all instructions of TI with respect to all related , including taking legally available steps to resist or limit the disclosure and to maintain confidentiality by the court or regulatory or administrative body; (p) if TELUS becomes aware of, or has reason to suspect, a security breach related to Personal Information, any unauthorized access to, or Processing of, any Personal Information, or a breach of the obligations of the Institution under this clause 23 or any of its obligations in this Article 16, TELUS shall immediately notify TI and TI’s Privacy Officer in writing, take all reasonable measures to rectify such breach and prevent any further breaches, and comply with all reasonable instructions of TI in investigating and remedying the breach or otherwise and, upon request by TI, provide commercially reasonable assistance, including records or information, to enable TI to comply with obligations imposed on TI by applicable Law; and (q) upon the expiry or termination of this Agreement, TELUS shall cease any and all use misuse of Personal Information by the Institution or any disclosure by the Institution in breach of an obligation or confidence, whether arising under the Privacy Xxx 0000 or otherwise. Cancer Australia will hold the indemnity rights of the Funding Partners (if any) under this clause 23.2 on trust for them and shall, at may act as agent of the written request Funding Partners (if any) in any action under the indemnity. 23.3 The Institution agrees to ensure that any subcontract entered into for the purpose of TI, either securely return all Personal Information to TIfulfilling the Institution’s obligations under this Agreement imposes on the subcontractor the same obligations as the Institution has under this clause 23, including any copies the requirement in every mediarelation to subcontracts. 23.4 In this clause 23, or securely the terms ‘agency’, ‘Approved Privacy Code’ (APC), ‘contracted service provider’, ‘Information Privacy Principles’ (IPPs), and permanently destroy it using appropriate means and certify ‘National Privacy Principles’ (NPPs) have the same meaning as they have in writing such return/destruction within a timeframe requested by TI, acting reasonably. In the event applicable Law does not permit TELUS to comply with the return or destruction section 6 of the Personal InformationPrivacy Xxx 0000, TELUS warrants and ‘subcontract’ and other grammatical forms of that it shall ensure word has the strict confidentiality meaning given in section 95B(4) of the Personal Information and that it shall not Process any Personal Information by or on behalf of TI, or otherwise, after termination of the AgreementPrivacy Xxx 0000.

Protection of Personal Information. TELUS agrees that14.1 This clause applies only where the Contractor deals with Personal Information when, and for the purpose of, providing the Services under this Contract. 14.2 In this clause, the terms: (a) in providing the Services, it shall comply with Privacy Lawsagency; (b) as between TI and TELUS, all Personal Information (excluding any information that has been disclosed by TELUS to TI or a TI Affiliate or subcontractor in the course of obtaining services from TI under an Amended and Restated Master Services Agreement between the Parties dated January 1, 2021) is, and shall remain, the exclusive property of TI as the Data controllercontracted service provider; (c) TELUS registered APP code (RAC); and (d) Australian Privacy Principle (APP), have the same meaning as they have in the Privacy Xxx 0000 (‘the Privacy Act’) and ‘subcontract’ and other grammatical forms of that word have the meaning given in section 95B(4) of the Privacy Act. 14.3 The Contractor acknowledges that it may be treated as a ‘contracted service provider’ and agrees in respect of the provision of the Services provider will under this Contract: (a) to use or disclose Personal Information obtained during the course of providing the Services under this Contract, only Process for the purposes of this Contract; (b) not to do any act or engage in any practice which if done or engaged in by an agency, would be a breach of an APP; (c) to notify individuals whose Personal Information the Contractor holds, that complaints about acts or practices of the Contractor may be investigated by the Privacy Commissioner who has power to award compensation against the Contractor in appropriate circumstances; (d) comply with the obligations contained in the APPs that apply to the Contractor; (e) not to use or disclose Personal Information or engage in an act or practice that would breach an APP or a RAC, whichever is applicable to the Contractor, unless the activity or practice is engaged in for the purpose of discharging, directly or indirectly, an obligation under this Contract, and the activity or practice which is authorised by this Contract is inconsistent with the APP or RAC, whichever is applicable to the Contractor; (f) to comply with any request under section 95C of the Privacy Act ; (g) to immediately notify the Department if the Contractor becomes aware of a breach or possible breach of any of the obligations contained in, or referred to in this clause, whether by the Contractor or any subcontractor; (h) to comply with any directions, guidelines, determinations or recommendations of the Privacy Commissioner to the extent that they are consistent with the requirements of this clause; and (i) to ensure that any officers, employees or agents of the Contractor who are required to deal with Personal Information for the purposes of rendering the Services in accordance with the Agreement and as otherwise instructed by TI in writing from time to time; (d) TELUS shall treat all Personal Information as confidential and shall limit access to Personal Information to those Representatives or authorized subcontractors who have a need to access such information in order to deliver the Services; (e) TELUS shall advise its Representatives receiving Personal Information this Contract are made aware of the obligations of TELUS respecting confidentiality that are contained the Contractor set out in this Article 16 and in Article 15 (Confidential Information);clause. (f) except 14.4 The Contractor agrees to ensure that any subcontract entered into for the purpose of fulfilling its obligations under this Contract imposes on the subcontractor the same obligations as may be otherwise expressly provided for in the body of Contractor has under this Agreement or the Schedules, TELUS shall not disclose or transfer Personal Information and shall implement the obligations respecting confidentiality [***] contained in this Agreement, the Schedules or under applicable Laws that are intended to prevent TELUS Representatives or subcontractors from disclosing or transferring any Personal Information, to any third partyclause, including any agent or subcontractor of TELUS, unless:the requirement in relation to subcontracts. (i) TI has consented in writing to such disclosure or transfer, which consent TI 14.5 The Department may withhold in its absolute discretion; and (ii) TELUS has obtained the written agreement of the third party to comply with all of the terms of this Article 16 with respect to Personal Information disclosed or transferred to it or otherwise collected or compiled by it; (g) TELUS shall take all agreed steps to implement [***], including measures required under applicable Privacy Laws, to [***] Personal Information against [***], including in the event of a disruption, disaster or failure of TELUS’ primary systems or operational controls; (h) TELUS shall establish, implement, maintain and fully comply with privacy policies (including privacy breach response) and practices designed to protect Personal Information from unauthorized access, use or disclosure or processing more generally, which will be specific to TELUS locations and operations; (i) TELUS shall permit Representatives of TI to review the privacy policies and documented practices of TELUS at any time during require the Term, including the training of relevant personnel, as those policies and documented practices relate Contractor to Personal Informationgive, and to request TELUS arrange for Contractor Personnel to make any changesgive, undertakings in accordance with writing in a form required by the Change Management ProceduresDepartment, that TI, acting reasonably, considers necessary in order relating to ensure compliance with TI privacy and [***] policies; (j) TELUS shall establish, implement, maintain and comply with the [***] to protect [***] non-disclosure of Personal Information. 14.6 If the Contractor receives a request under clause 14.5, including those [***] set out elsewhere it agrees to promptly arrange for all such undertakings to be given. 14.7 The Contractor agrees to indemnify the Commonwealth in this Agreement respect of any loss, liability or the Schedules, which the Parties agree are adequate; (k) TELUS shall permit Representatives of TI to review [***] and to request TELUS, in accordance with the Change Management Procedures, to implement [***] as TI, acting reasonably, considers necessary in order to ensure compliance with [***]; (l) unless otherwise agreed expense suffered or incurred by the Parties in writing, TELUS shall not transfer Commonwealth which arises directly or otherwise Process any Personal Information, either physically or electronically outside of the TELUS location(s) indirectly from which the Services are delivered, and shall implement the obligations respecting confidentiality or [***] contained in this Agreement, the Schedules or under applicable Laws that are intended to prevent TELUS Representatives or subcontractors from accessing Personal Information from outside of, the TELUS location(s) from which the Services are delivered and pursuant to which Services the Personal Information is being disclosed or accessed; (m) TELUS shall immediately forward to the TI Privacy Office: (i) any enquiry by any individual relating to, among other things, access to, or the amendment of, any Personal Information, or (ii) any complaint received by TELUS relating to the Processing of Personal Information, and TELUS shall promptly comply and fully cooperate with all instructions of TI, as it may reasonably require, in responding to such enquiry or complaint; (n) unless expressly prohibited by Law, TELUS shall immediately notify TI of any inquiries, complaints, or notices of investigation or non-compliance received from any Canadian or foreign Governmental Authorities related to the Processing of Personal Information, and it shall promptly comply and fully cooperate with all instructions of TI, as it may reasonably require, in responding to such enquiries, complaints or notices, and any action taken in connection therewith; (o) if TELUS is required or becomes compelled by a Law or a judicial, regulator or administrative order to disclose any Personal Information, TELUS shall, unless expressly prohibited by Law, promptly (and in any event before complying with any such requirement) notify TI in writing and shall comply and fully cooperate with all instructions of TI with respect to all related , including taking legally available steps to resist or limit the disclosure and to maintain confidentiality by the court or regulatory or administrative body; (p) if TELUS becomes aware of, or has reason to suspect, a security breach related to Personal Information, any unauthorized access to, or Processing of, any Personal Information, or a breach of any of its the obligations of the Contractor under this clause, or a subcontractor under the subcontract provisions referred to in clause 14.4. 14.8 The Contractor’s obligations under this Article 16, TELUS shall immediately notify TI and TI’s Privacy Officer clause are in writing, take all reasonable measures to rectify such breach and prevent any further breachesaddition to, and comply with all reasonable instructions do not restrict, any obligations it may have under the Privacy Act or any privacy codes or privacy principles contained in, authorised by or registered under any law including any such privacy codes or principles that would apply to the Contractor but for the application of TI in investigating and remedying this clause. 14.9 This clause survives the breach expiration or otherwise and, upon request by TI, provide commercially reasonable assistance, including records or information, to enable TI to comply with obligations imposed on TI by applicable Law; and (q) upon the expiry or earlier termination of this Agreement, TELUS shall cease any and all use of Personal Information and shall, at the written request of TI, either securely return all Personal Information to TI, including any copies in every media, or securely and permanently destroy it using appropriate means and certify in writing such return/destruction within a timeframe requested by TI, acting reasonably. In the event applicable Law does not permit TELUS to comply with the return or destruction of the Personal Information, TELUS warrants that it shall ensure the strict confidentiality of the Personal Information and that it shall not Process any Personal Information by or on behalf of TI, or otherwise, after termination of the AgreementContract.

Protection of Personal Information. TELUS 14.1 This clause 14 applies only where the Organisation deals with Personal Information when, and for the purpose of, conducting the Activity under this Agreement. 14.2 The Organisation agrees thatto be treated as a 'contracted service provider' within the meaning of section 6 of the Privacy Act, and agrees in respect to the conduct of the Activity under this Agreement: (a) in providing to use or disclose Personal Information obtained during the Servicescourse of conducting the Activity under this Agreement, it shall comply with Privacy Lawsonly for the purposes of this Agreement; (b) as between TI and TELUSnot to do any act or engage in any practice that would breach an Information Privacy Principle (IPP) contained in section 14 of the Privacy Act, all Personal Information (excluding any information which if done or engaged in by an agency, would be a breach of that has been disclosed by TELUS to TI or a TI Affiliate or subcontractor in the course of obtaining services from TI under an Amended and Restated Master Services Agreement between the Parties dated January 1, 2021) is, and shall remain, the exclusive property of TI as the Data controllerIPP; (c) TELUS to carry out and discharge the obligations contained in the IPPs as if the Services provider will only Process Personal Information for the purposes of rendering the Services in accordance with the Agreement and as otherwise instructed by TI in writing from time to timeOrganisation were an agency under that Act; (d) TELUS shall treat all to notify individuals whose Personal Information as confidential and shall limit access the Organisation holds, that complaints about the Organisation’s acts or practices may be investigated by the Privacy Commissioner who has power to Personal Information to those Representatives or authorized subcontractors who have a need to access such information award compensation against the Organisation in order to deliver the Servicesappropriate circumstances; (e) TELUS shall advise its Representatives receiving not to use or disclose Personal Information of or engage in an act or practice that would breach section 16F (direct marketing), a National Privacy Principle (NPP) (particularly NPPs 7 to 10) or an Approved Privacy Code (APC), where that section, NPP or APC is applicable to the obligations of TELUS respecting confidentiality that are contained in this Article 16 and in Article 15 (Confidential Information); (f) except as may be otherwise expressly provided for in the body of this Agreement or the Schedules, TELUS shall not disclose or transfer Personal Information and shall implement the obligations respecting confidentiality [***] contained in this Agreement, the Schedules or under applicable Laws that are intended to prevent TELUS Representatives or subcontractors from disclosing or transferring any Personal Information, to any third party, including any agent or subcontractor of TELUSOrganisation, unless: (i) TI has consented in writing the case of section 16F - the use or disclosure is necessary, directly or indirectly, to such disclosure or transfer, which consent TI may withhold in its absolute discretiondischarge an obligation under this Agreement; andor (ii) TELUS has obtained in the written agreement case of an NPP or an APC - the activity or practice is engaged in for the purpose of discharging, directly or indirectly, an obligation under this Agreement; (f) to disclose in writing to any person who asks, the content of the third party to comply with all of the terms provisions of this Article 16 Agreement (if any) that are inconsistent with respect an NPP or an APC binding a Party to Personal Information disclosed or transferred to it or otherwise collected or compiled by itthis Agreement; (g) TELUS shall take all agreed steps to implement [***], including measures required under applicable Privacy Laws, to [***] Personal Information against [***], including in immediately notify the event Department if the Organisation becomes aware of a disruptionbreach or possible breach of any of the obligations contained in, disaster or failure of TELUS’ primary systems referred to in, this clause 14, whether by the Organisation or operational controlsany subcontractor; (h) TELUS shall establish, implement, maintain and fully to comply with privacy policies (including privacy breach response) and practices designed any directions, guidelines, determinations or recommendations of the Privacy Commissioner to protect Personal Information from unauthorized access, use or disclosure or processing more generally, which will be specific to TELUS locations and operations;the extent that they are not inconsistent with the requirements of this clause 14; and (i) TELUS shall permit Representatives to ensure that any of TI the Organisation’s employees, officers, Advisers or volunteers who are required to review deal with Personal Information for the privacy policies purposes of this Agreement are made aware of the Organisation’s obligations set out in this clause 14. 14.3 The Organisation agrees to ensure that any subcontract entered into for the purpose of fulfilling the Organisation’s obligations under this Agreement contains provisions to ensure that the subcontractor has the same awareness and documented practices of TELUS at any time during obligations as the TermOrganisation has under this clause, including the training requirement in relation to subcontracts. 14.4 The Organisation agrees to indemnify the Commonwealth in respect of relevant personnelany loss, as those policies and documented practices relate to Personal Information, and to request TELUS to make any changes, in accordance with the Change Management Procedures, that TI, acting reasonably, considers necessary in order to ensure compliance with TI privacy and [***] policies; (j) TELUS shall establish, implement, maintain and comply with the [***] to protect [***] of Personal Information, including those [***] set out elsewhere in this Agreement liability or the Schedules, which the Parties agree are adequate; (k) TELUS shall permit Representatives of TI to review [***] and to request TELUS, in accordance with the Change Management Procedures, to implement [***] as TI, acting reasonably, considers necessary in order to ensure compliance with [***]; (l) unless otherwise agreed expense suffered or incurred by the Parties in writing, TELUS shall not transfer Commonwealth which arises directly or otherwise Process any Personal Information, either physically or electronically outside of the TELUS location(s) indirectly from which the Services are delivered, and shall implement the obligations respecting confidentiality or [***] contained in this Agreement, the Schedules or under applicable Laws that are intended to prevent TELUS Representatives or subcontractors from accessing Personal Information from outside of, the TELUS location(s) from which the Services are delivered and pursuant to which Services the Personal Information is being disclosed or accessed; (m) TELUS shall immediately forward to the TI Privacy Office: (i) any enquiry by any individual relating to, among other things, access to, or the amendment of, any Personal Information, or (ii) any complaint received by TELUS relating to the Processing of Personal Information, and TELUS shall promptly comply and fully cooperate with all instructions of TI, as it may reasonably require, in responding to such enquiry or complaint; (n) unless expressly prohibited by Law, TELUS shall immediately notify TI of any inquiries, complaints, or notices of investigation or non-compliance received from any Canadian or foreign Governmental Authorities related to the Processing of Personal Information, and it shall promptly comply and fully cooperate with all instructions of TI, as it may reasonably require, in responding to such enquiries, complaints or notices, and any action taken in connection therewith; (o) if TELUS is required or becomes compelled by a Law or a judicial, regulator or administrative order to disclose any Personal Information, TELUS shall, unless expressly prohibited by Law, promptly (and in any event before complying with any such requirement) notify TI in writing and shall comply and fully cooperate with all instructions of TI with respect to all related , including taking legally available steps to resist or limit the disclosure and to maintain confidentiality by the court or regulatory or administrative body; (p) if TELUS becomes aware of, or has reason to suspect, a security breach related to Personal Information, any unauthorized access to, or Processing of, any Personal Information, or a breach of any of its the Organisation’s obligations under this clause 14, or a subcontractor under the subcontract provisions referred to in subclause 14.3. 14.5 In this Article 16clause 14, TELUS shall immediately notify TI and TI’s the terms 'agency', 'Approved Privacy Officer in writingCode' (APC), take all reasonable measures to rectify such breach and prevent any further breaches'Information Privacy Principles' (IPPs), and comply with all reasonable instructions 'National Privacy Principles' (NPPs) have the same meaning as they have in section 6 of TI the Privacy Act, and ‘subcontract’ and other grammatical forms of that word has the meaning given in investigating and remedying section 95B(4) of the breach Privacy Act. 14.6 The operation of this clause 14 survives the expiration or otherwise and, upon request by TI, provide commercially reasonable assistance, including records or information, to enable TI to comply with obligations imposed on TI by applicable Law; and (q) upon earlier termination of the expiry or termination Term of this Agreement, TELUS shall cease any and all use of Personal Information and shall, at the written request of TI, either securely return all Personal Information to TI, including any copies in every media, or securely and permanently destroy it using appropriate means and certify in writing such return/destruction within a timeframe requested by TI, acting reasonably. In the event applicable Law does not permit TELUS to comply with the return or destruction of the Personal Information, TELUS warrants that it shall ensure the strict confidentiality of the Personal Information and that it shall not Process any Personal Information by or on behalf of TI, or otherwise, after termination of the Agreement.