TABLE OF CONTENTS

1. INTRODUCTION

• Introduction
• Objectives

2. RETENTION POLICY
3. ARCHIVING POLICY
4. DESTRUCTION POLICY
5. EXCEPTIONS TO THE RETENTION PERIOD
6. RESPONSIBILITIES
7. ENFORCEMENT AND REPORTING BREACHES
Appendix 1: RETENTION PERIODS
Appendix 2: EXCEPTION REQUEST / LITIGATION HOLD FORM

1. INTRODUCTION

Introduction

1. This Data Retention, Archiving and Destruction Policy (the “Policy”) has been adopted by TelAffects in order to set out the principles for retaining, reviewing and destroying data. This Policy covers all employees (whether full time or not) and all directors and officers of TelAffects, wherever they may be located or working. We also expect our consultants and goods and services providers to introduce and follow appropriate data retention practices.
2. This Policy covers all data retained or in TelAffects’ custody or control in whatever medium such data is contained in. This Policy is not therefore restricted to information contained in paper documents but includes data contained in an electronically readable format. For the purposes of convenience, in this Policy, the medium which holds data is called “a Document”.
3. This Policy should be read in conjunction with other policies that have as their objectives the protection and security of data, such as the Information Privacy Policy.

Objectives

1. TelAffects is bound by various obligations with regard to the data that we retain or that is in our custody or under our control. These obligations include how long we may retain data and when and how we can destroy it. The obligations may arise from local laws or regulations or from contracts and promises that we have made to our employees, customers, goods and service providers and our partners.
2. Further, TelAffects may be involved in unpredicted events such as litigation or business disaster recoveries that require us to have access to the original Documents in order to protect TelAffects’ interests or those of our employees, customers, goods and service providers and our partners.
3. As a result, Documents may need to be archived and stored for longer than the data may be needed for day to day operations and business processes. A contract may, for example, expire after two years but other Documents may, by law, need to be retained for a longer period.
4. Broadly, when the Document Retention Period is over and we no longer need the Document, we endeavor to destroy it in a proper manner.

2. RETENTION POLICY

1. Retention is defined as the maintenance of documents in a production or live environment which can be accessed by an authorized user in the ordinary course of business. For the avoidance of doubt, Documents used in staging, development, and testing or draft versions of Documents shall not be retained beyond their active use period nor copied into production or live environments.
2. The retention period of a Document shall be an active use period of two years unless an exception has been obtained permitting a longer or shorter active use period by the business unit or division (“Function”) responsible for creating, using, processing, disclosing storing and destroying the document.
3. After active use has expired and according to appropriate exceptions, Documents shall be archived in accordance with section 3 until the Documents are destroyed in accordance with section 4.
4. For the purposes of enforcing retention in accordance with this policy each function is responsible for the Documents it creates, uses, stores, processes and destroys. A sample list of document types across TelAffects by function is attached as Annex 1. This list shall be maintained by each Function.
5. Each Head of Function shall be responsible for enforcing the retention, archiving and destruction of Documents, and communicating these periods to the relevant employees.
6. Each Head of Function shall be responsible for submitting exception requests to the process, including consulting and receiving legal advice if necessary to justify making an exception request under section 5.
7. The Legal Department may issue a litigation hold request to the Head of Function which requires that documents relating to potential or actual litigation, arbitration or other claims, demands, disputes or regulatory action be retained in accordance with instructions from the Legal Department.
8. Each employee shall be responsible for returning Documents in their possession or control to TelAffects upon separation or retirement. Final disposition of such Documents shall be determined by the immediate supervisor in accordance with this policy.

3. ARCHIVING POLICY

1. Archiving is defined as secured storage of Documents such that Documents are rendered inaccessible by authorized users in the ordinary course of business but which can be retrieved by an administrator designated by the head of function for the Documents in question.
   1. Paper records shall be archived in secured storage onsite or secured offsite location, clearly labelled in archive boxes naming the Head of Function, department or division and date to be destroyed.
   2. Electronic records shall be archived in accordance with TelAffects Information Security Standards for access controls and in a format which is appropriate to secure the confidentiality, integrity and accessibility of the Documents.
2. The archiving period of a document shall be seven (7) years unless an exception has been obtained permitting a longer or shorter active use period by the Head of Function responsible for creating, using, processing, disclosing storing and destroying the Document.
   1. An archiving period of more than seven (7) years may be granted by exception for Documents with a vital historical purpose such as corporate records, contracts, technical know-how. The Head of Function will request an exception in accordance with section 5 to archive Documents. Such exception request shall specify the administrative, organizational and technical measures to be undertaken to ensure the confidentiality, integrity and availability of such Documents.
   2. An archiving period of less than seven (7) years may be granted by exception for documents with a limited business purpose such as emails, travel itineraries, pre-trip advisories, or to comply with client or industry requirements (for example PCI).
3. After the archival period has expired, Documents shall be destroyed in accordance with section 4.
4. For the purposes of enforcing archiving in accordance with this policy each function is responsible for the Documents it creates, uses, stores, processes and destroys. A sample list of Document types across TelAffects by function is attached as Annex 1. This list shall be maintained by each Head of Function.
5. The Legal Department may issue a litigation hold request to the Head of Function which requires that documents relating to potential or actual litigation, arbitration or other claims, demands, disputes or regulatory action be archived in accordance with instructions from the Legal Department.
6. Each Head of Function shall be responsible for enforcing the retention, archiving and destruction of Documents, and communicating these periods to the relevant employees.

4. DESTRUCTION POLICY

1. Destruction is defined as physical or technical destruction sufficient to render the information contained in the document irretrievable by ordinary commercially available means.
2. TelAffects Corporate IT shall maintain and enforce a detailed list of approved destruction methods appropriate for each type of information archived whether in physical storage media such as CD-ROMs, DVDs, backup tapes, hard drives, mobile devices, portable drives or in database records or backup files. Paper Documents shall be shredded using a certified third-party provider, or within secure, locked consoles designated in each office from which waste shall be periodically picked up by security screened personnel for disposal.

5. EXCEPTIONS TO THE RETENTION PERIOD

1. Exceptions may be requested under the following circumstances:
   1. The Head of Function shall review and submit to the TelAffects Information Technology Department an exception request to archive data for a different period as prescribed in Annex 1. The reasons may be a client requirement, business requirement, legal requirement or vital historical purpose.
   2. The Exception Request Form shall be reviewed and approved by the TelAffects Information Technology Department to enforce as shown in Annex 2.
2. Documents which consist of Designated Medical Records as defined in Annex 2 shall be archived for 30 years in accordance with regulations requiring the retention of Medical Records.
3. Documents for which the Legal Department has issued a Litigation Hold Order shall be archived retained and destroyed as specified by the Legal Department.

6. RESPONSIBILITIES

1. Heads of Functions shall be responsible for implementing this Policy and ensuring that employees understand this Policy and that they perform the processes and procedures to execute this Policy.
2. The Compliance Committee shall be responsible for auditing compliance with this Policy and providing an audit report with recommendations to be reviewed by General Counsel and by the relevant senior management.

7. ENFORCEMENT AND REPORTING BREACHES

1. Breaches of this Policy may have serious legal and reputation repercussions and could cause material damage to TelAffects. Consequently, breaches can potentially lead to disciplinary action that could include summary dismissal and to legal sanctions, including criminal penalties.

1. All employees are expected to promptly and fully report any breaches of the Policy in accordance with the TelAffects Personal Information Privacy Policy Incident Response Procedures.  Reports made in good faith by someone who has not breached this Policy will not reflect badly on that person or their career at TelAffects.

Appendix 2: EXCEPTION REQUEST / LITIGATION HOLD FORM

Information Security Exception Request Form (ISERF)