TABLE OF CONTENTS

1.0 Policy Purpose and Scope

2.0 Responsibilities

3.0 Policy Statements

4.0 Procedures and Guidelines

5.0 Destruction

6.0 References

7.0 Approval

PROPRIETARY INFORMATION

The Standard Operating Procedures described within this manual are the property of Herbaland and are confidential documents

1.0 Policy Purpose and Scope

The collection, use and disclosure of personal information is governed by the Personal Information

Protection Act in BC, and there are Federal and International standards that govern the protection of

privacy. These standards ensure that organizations recognize the right of individuals to protect their

personal information and the needs of organizations to collect, use or disclose personal information for

purposes that a reasonable person would consider appropriate in the circumstances.

This Policy has been developed by, and is enforced by, the Privacy Protection Officers of Herbaland

Naturals Inc. It seeks to address the 10 Principals of Privacy Protection

2.0 Responsibilities

If you have any questions or concerns about your Privacy or suspect that there has been a breach of

Privacy, immediately contact one of the Designated Privacy Officers:

Cathy Bond | Human Resources | (604) 284-5050 Extension 113 | hr@herbaland.ca

Baljeet Kaur | Information Technology | (604) 284-5050 Extension 116 | it@herbaland.ca

Madeleine Gwynne | Regulatory Affairs | (604) 284-5050 Extension 172 | ra2@herbaland.ca

3.0 Policy Statements

We collect your personal information in order to pay you legally, prove you are eligible to work in Canada for us, identify your personal relationships for benefit and Emergency contact information.

3.1 Human Resources

   3.1.1 Human Resources General:

• We need your resume certificates so we can better prepare training opportunities.
• Because HR is the holder of all the personnel files, we need accurate information to ensure pay scales are accurate, positions are accurate and to determine level of competency.

   3.1.2 Payroll:

•  We need your full legal name to ensure the CRA can match your name with your SIN.
•  We need your Social Insurance Number so the CRA can identify for tax purposes.
• We need your banking information to deposit your bi-weekly pay into the bank (only direct deposit is allowed)

   3.1.3 Benefits:

• We require you to complete a benefits form to allow our Provider to add you to our plan if you are a full-time employee who has passed their probation.
• We need details on this form to be completed to allow the plan to add your beneficiaries for both in case of death and for coverage to include them.

   3.1.4 We will periodically reach out to ensure we have accurate information such as address, name (sometimes over your employment relationship this can change) and banking. We ensure that the CRA has all the details they legally require to verify identity and tax class.

   3.1.5 Paper copies of all information are locked in the HR or Accounting offices with access limited to only those who require it. You may ask for copies or to view your files, your request must be in writing; this process can take as long as 30 days depending on what and why you are requesting it. We have the right to charge for copies of the information and to be present when you review your details.

3.2 IT Privacy Policy Statement

• All data on company-provided computers, phones, and other devices is considered company property and must be used for work-related purposes only.
• We may access these devices to maintain systems, ensure security, and support operations. Employees should have no expectation of personal privacy when using company equipment.
• Any files, messages, or activity on company devices may be monitored or reviewed in accordance with company policy. Unauthorized personal use or storage of private data is not permitted.
• By using company equipment, you acknowledge that all data belongs to the company and may be accessed by the IT team when necessary.

3.3 Training Records and Qualifications Privacy Policy Statements

   3.3.1 Training Records:

• We log your training records as secured digital and paper-based files to meet our quality and compliance requirements as food manufacturers. Copies of these records may be made available during audits and inspections to qualified agencies.
• Training records for Good Manufacturing Practices are maintained and filed by the Quality Department. Any other training is kept in HR in personal files (paper & electronic)

   3.3.2 Role Qualifications:

• We collect and store employee qualifications and credentials as secured digital and paper-based files (eg. Certificates, Resumes, Job Description) to meet our quality and compliance requirements. Copies of these records may be made available during audits and inspections to qualified agencies.

3.4 Vendors, Clients, Contractors Privacy Policy Statement

   3.4.1 Vendor information:

• We collect and store information on vendors, distributors and their supplied products as secured digital and paper-based files to meet quality and compliance requirements. Copies of these records may be made available during audits and inspections to qualified agencies. Non-Disclosure Agreements may also be entered into and are subject to the additional privacy terms set forward in the agreement

   3.4.2 Client information:

• We collect and store information on clients (Business to Business and Business to Consumer) as secure digital and paper-based files to meet quality and compliance requirements. Copies of these records may be made available during audits and 
• inspections to qualified agencies. Non-Disclosure Agreements may also be entered into and are subject to the additional privacy terms set forward in the agreement

   3.4.3 Third party service providers

• We collect and store information on Third-Party Service Providers as secure digital and paper-based files to meet quality and compliance requirements. Copies of these records may be made available during audits and inspections to qualified agencies. Non-Disclosure Agreements may also be entered into and are subject to the additional privacy terms set forward in the agreement.

   3.4.4 Licensing/Certifying agencies

• We collect and store information on Licensing and Certifying agencies and their employees for business continuity and mandatory retention of records. Copies of these records may be made available during audits and inspections to qualified agencies.

4.0 Procedures and Guidelines

   4.1 Requests to review personal files:

• The company will respond within 30 days to allow an employee to view their file. If the file is requested by a 3rd party, there is a charge per sheet copied. The person may view their file while the appropriate Privacy Officer is present. The company will share the most complete version of the file that is available.

   4.2 Complaints:

• We will accept complaints in writing and must have a name so we can address the findings to the appropriate person. We will not accept complaints submitted on another person’s behalf.
• Should there be a complaint in how we manage or collect our private information, the appropriate Privacy Officer will investigate the complaint and put a response in writing, if it is an area outside the Privacy Officers area, they will work directly with the department head to resolve the situation. If clarification is required, we will contact the complainant to ensure a timely resolution will be had.
• Internal: employees – complaints can be managed and followed up on in confidential manner.
• There will be no retaliatory action taken against a complainant.

     4.2.1 If the complaint comes from outside: (Customer, Supplier, other)

• The Privacy officers will assign the appropriate officer to address a complaint from outside the company. It is noted that if the person is not satisfied with the organization’s response, they may contact the Information and Privacy Commissioner
• When there is a resolution identified, we will correct any issues that prove to be against the privacy regulations set forth under PIPA. We will immediately forward our results and action to the complainant.

5.0 Destruction

• Once personal information of any content is no longer required, i.e. personnel files, we will engage a company to shred/destroy the paper copies. For electronic files: our IT department will ensure total destruction of content once no longer required by law or regulation.

6.0 References

• Protecting Personal Information - Province of British Columbia
• Ten Principles of Privacy Protection - Province of British Columbia
• Assign Privacy Officers - Province of British Columbia