MASTER PRIVACY POLICY

Effective Date: February 2026

OBJECTIVE AND SCOPE OF POLICY

Workplace Medical Corp. (“WMC”) is a national provider of occupational health, disability management, occupational safety, and related workforce health services to organizations across Canada. WMC is dedicated to maintaining high standards of confidentiality with respect to all information entrusted to it, with a particular focus on health information.

This Privacy Policy (the “Policy”) affirms WMC’s commitment to protecting the privacy of clients, individuals, and other stakeholders, and describes WMC’s practices regarding the collection, use, disclosure, retention, and safeguarding of Personal Information (as defined below) in the course of delivering its services.

At WMC, safeguarding confidentiality and protecting personal and health information is fundamental to the way we conduct our business. This commitment applies equally to services delivered in person and to services delivered through digital, virtual, or technology-enabled platforms. As service delivery models and technologies have evolved, WMC has extended its privacy and security practices to ensure that interactions conducted through electronic or online channels are subject to the same standards of care, privacy, and protection as those conducted through traditional means.

WMC’s obligations as a provider of occupational health, disability management, occupational safety, and occupational training services are governed, in part, by applicable federal and provincial legislation, as well as by the professional and ethical standards applicable to its healthcare professionals and practitioners as members of their respective regulatory bodies and professional associations (including, where applicable, the Canadian Medical Association, the College of Family Physicians of Canada, and the College of Physicians and Surgeons of Ontario). The obligations set out in this Policy apply to all professionals, employees, contractors, and agents who provide services in connection with WMC’s operations and the delivery of services to clients. Other applicable laws and internal policies govern the protection of Personal Information relating to WMC’s partners, associates, and employees.

For the purposes of this Policy, “Demographic Information” means any information, other than Health Information (as defined below), recorded in any form, about an identified individual or an individual whose identity may reasonably be inferred or determined from the information.

This Policy does not apply to information, recorded in any form, about more than one individual where the identity of the individuals is not known and cannot reasonably be inferred from the information (“Aggregated Information”). WMC may use Aggregated Information for business, operational, analytical, or reporting purposes, provided that such use is reasonable and does not identify any individual.

For the purposes of this Policy, “Health Information”, with respect to an individual and recorded in any form, means:

1. information concerning the physical or mental health of the individual;
2. information concerning any health or medical examination, assessment, or service provided to the individual;
3. information concerning the donation by the individual of any bodily substance or information derived from the testing or examination of a body part or bodily substance of the individual;
4. information collected in the course of providing occupational health, disability management, occupational safety, or related services to the individual; or
5. information collected incidentally in connection with the provision of such services.

Demographic Information and Health Information are referred to collectively in this Policy as “Personal Information.”

PROTECTING YOUR PRIVACY – OUR COMMITMENT TO YOU

At Workplace Medical Corp. (“WMC”), protecting privacy is fundamental to how we deliver our services and conduct our business. Our commitment to privacy means that:

1. Personal Information collected in the course of providing services to employers and individuals is treated as confidential and handled with care;
2. Personal Information is not sold;

• Individuals have appropriate control over how their Personal Information is collected, used, and disclosed, subject to applicable legal and contractual requirements;

1. Individuals are provided with access to their Personal Information held by WMC, in accordance with applicable laws;
2. Individuals may request correction of inaccurate or incomplete Personal Information; and
3. Privacy considerations are respected in WMC’s communications, marketing, and business development activities.

WMC is committed to meeting or exceeding the privacy standards established by applicable federal and provincial privacy legislation and recognized industry standards. All information-handling practices are designed to comply with the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and applicable provincial privacy laws, as amended from time to time.

PIPEDA and comparable provincial legislation are grounded in the following ten guiding privacy principles:

1. Accountability
2. Identifying Purposes
3. Consent
4. Limiting Collection
5. Limiting Use, Disclosure, and Retention
6. Accuracy
7. Safeguards
8. Openness
9. Individual Access
10. Challenging Compliance

This Privacy Policy has been developed to reflect and support each of these principles and to provide transparency regarding how WMC manages Personal Information across its services, systems, and operations.

WHAT INFORMATION IS COLLECTED? WHY DOES WMC COLLECT PERSONAL INFORMATION?

Having accurate and up-to-date information enables Workplace Medical Corp. (“WMC”) to deliver services effectively, make appropriate assessments and recommendations, and, where applicable, inform individuals and organizations about additional services that may be relevant or beneficial.

WMC generally collects Personal Information from its clients and from individuals participating in employer-sponsored programs. Personal Information is collected with the knowledge and consent of the individual, except where otherwise permitted or required by law. WMC may also collect anonymous or non-personal information, as described below.

Personal Information refers to information about an identifiable individual and may be factual or subjective in nature.

With appropriate consent, WMC may collect Personal Information during medical assessments, through in-person interactions, by telephone, by mail, through secure digital or virtual platforms, or from an individual’s treating healthcare provider or other authorized third parties.

Types of Personal Information Collected

The types of Personal Information that WMC may collect and maintain in an individual’s file include, but are not limited to, the following:

1. a) Demographic Information

• Name
• Mailing address
• Email address
• Telephone number
• Date of birth
• Place of employment
• Occupation
• Health insurance or plan identification number (where required for service delivery)

As outlined in PIPEDA, Personal Information does not include the name, title, business address, or business telephone number of an employee of an organization where such information is used solely for business communications.

1. b) Health Information

• Physical measurements relevant to assessments (e.g., height, weight)
• Personal medical history, including allergies
• Family medical history, where relevant
• Medical records or reports provided by a treating healthcare provider
• Results of medical, clinical, or diagnostic tests (including, where applicable, blood tests, imaging, audiometric testing, pulmonary function testing, and other occupational assessments)
• Dates and outcomes of consultations or examinations
• Findings and conclusions arising from medical or occupational health evaluations

For medical examinations conducted in person, remotely, or through correspondence with individuals or their treating healthcare providers, WMC is required to collect, organize, and maintain a medical chart containing information relevant to the assessment and services provided.

Sources of Personal Information

To the greatest extent possible, WMC collects Personal Information directly from the individual concerned. In certain circumstances, and with appropriate consent, WMC may collect Personal Information from other sources, including but not limited to:

• Employers
• Treating or consulting healthcare providers
• Insurers or benefit administrators

In limited circumstances, WMC may collect Personal Information from sources other than the individual where justified by a serious and legitimate reason, where the collection is in the interest of the individual or the employer program, and where the information cannot reasonably be obtained from the individual in a timely manner, as permitted by law.

Purposes for Collection

WMC collects Personal Information for purposes that vary depending on the nature of the services being provided. These purposes may include, but are not limited to:

1. Providing occupational health services, including post-offer assessments, periodic medical examinations, and role-specific medical testing;
2. Providing disability management and absence management services;

• Delivering workplace wellness and health promotion services;

1. Providing emergency response training, first aid training, and occupational health and safety training;
2. Supporting program administration, quality assurance, regulatory compliance, and aggregated statistical analysis.

WMC collects only the Personal Information that is reasonably necessary for these identified purposes.

Anonymous / Non-Personal Information

WMC may collect anonymous or non-personal information that does not identify an individual. This information cannot be associated with or traced back to a specific person.

For example, WMC’s websites and digital platforms may automatically collect certain anonymous information when visited, such as pages accessed, browser type, encryption level, and Internet Protocol (IP) address. This information is used for analytical, security, and service-improvement purposes only.

Individuals may browse WMC’s websites without providing Personal Information unless they voluntarily choose to do so.

Ownership of Personal Information

Personal Information belongs to the individual to whom it relates. This Policy outlines how individuals may request access to, correction of, or copies of their Personal Information.

The format, organization, systems, and tools used to collect, store, process, and manage Personal Information, including medical records, charts, software, databases, applications, methodologies, and processes, are the property of WMC.

HOW DOES WMC OBTAIN CONSENT TO USE AND DISCLOSE PERSONAL INFORMATION?

Workplace Medical Corp. (“WMC”) obtains consent from individuals prior to collecting, using, or disclosing Personal Information, except where otherwise permitted or required by law. In the context of occupational health and related services, consent is generally obtained in writing before any medical examination, assessment, or service is provided.

Personal Information is collected, used, and disclosed only for the purposes described in this Policy. By providing Personal Information to WMC, an individual acknowledges and consents to the collection, use, and disclosure of that information in accordance with this Policy.

Participation in WMC services is voluntary. Individuals are not required to provide Personal Information; however, if consent is not provided, or if certain information is withheld, WMC may be unable to complete a medical examination, provide specific services, or make appropriate recommendations. In the context of occupational health or disability management services, an individual’s decision to withhold information may limit WMC’s ability to provide advice, conduct follow-up, or suggest appropriate alternatives.

Consent may be withdrawn at any time by providing written notice to WMC, subject to legal, regulatory, or contractual restrictions and reasonable notice requirements. Withdrawal of consent may affect WMC’s ability to continue providing certain services.

Our Employees

In the course of daily operations, access to Personal Information is restricted to authorized employees, contractors, and professionals who require access for legitimate business or clinical purposes.

Access to Health Information is limited to regulated healthcare professionals (including physicians, nurses, and technicians) and other individuals on a strict need-to-know basis in order to support service delivery, administration, or compliance obligations.

As a condition of employment or engagement, all WMC employees and contractors are required to comply with WMC’s privacy standards, internal policies, and applicable laws and regulations. Employees receive training regarding privacy obligations and are required to sign a code of conduct and/or confidentiality agreement that prohibits the unauthorized access to or disclosure of Personal Information.

Unauthorized access to, use of, or disclosure of Personal Information by a WMC employee or contractor is strictly prohibited and may result in disciplinary action, up to and including termination of employment or engagement.

Outside Service Suppliers

In order to deliver certain services, WMC may engage external organizations or healthcare professionals to perform specialized functions, such as independent medical evaluations, diagnostic testing, or other professional services.

In these circumstances, WMC may disclose limited Personal Information to trusted third-party service providers solely for the purpose of enabling them to perform services on WMC’s behalf. Such disclosures are made with appropriate consent and only where the service provider has agreed to:

• Use Personal Information solely for the authorized purposes;
• Act in accordance with WMC’s instructions; and
• Comply with applicable privacy laws and the principles set out in this Policy.

WMC remains responsible for the protection of Personal Information that is processed or handled by third-party service providers acting on its behalf.

WHEN WOULD WMC USE OR DISCLOSE PERSONAL INFORMATION WITHOUT CONSENT?

There are limited circumstances in which the use or disclosure of Demographic Information and/or Health Information may be justified, permitted, or required without an individual’s consent, in accordance with applicable laws.

Such circumstances may include the following:

1. Legal and Regulatory Requirements
   Where required by law, regulation, or by an order or requirement of a court, administrative agency, regulatory body, or other governmental authority. In such cases, WMC discloses only the information that is specifically required and takes reasonable steps to confirm that the request is lawful and properly authorized.
2. Protection of Life, Health, or Safety
   Where WMC has reasonable grounds to believe that the disclosure is necessary to protect the rights, privacy, safety, or property of an identifiable individual or group, including in circumstances involving an emergency that threatens the life, health, or security of an individual.
3. Legal Rights and Remedies
   Where disclosure is necessary to establish, exercise, or defend WMC’s legal rights, pursue available remedies, or limit potential damages that WMC may sustain.
4. Publicly Available Information
   Where the information is publicly available and its use or disclosure is permitted by applicable privacy legislation.
5. Minimum Necessary Disclosure and Notification
   In all cases where Personal Information is used or disclosed without consent, WMC limits the information disclosed to what is reasonably necessary for the identified purpose. Where disclosure occurs in the context of an emergency involving a threat to life, health, or security, WMC will, where appropriate and permitted by law, inform the individual of the disclosure after the fact.

WMC does not sell, trade, barter, or exchange Personal Information for consideration under any circumstances.

ACCURACY OF YOUR PERSONAL INFORMATION

Workplace Medical Corp. (“WMC”) relies on Personal Information, including Health Information, to support medical assessments, service delivery, and related decisions. It is therefore important that the Personal Information collected and maintained by WMC is accurate, current, and complete for the purposes for which it is used.

WMC takes reasonable steps to ensure that Personal Information in its possession is accurate and up to date at the time it is collected and throughout its use, as required for service delivery and regulatory compliance.

Individuals who have provided Personal Information to WMC may request access to their information in order to verify its accuracy and request corrections, where appropriate.

Requests for access to Personal Information must be submitted in writing. Upon receipt of a request, WMC will provide the requestor with a reasonable estimate of any applicable costs associated with locating, reproducing, or transmitting the requested records, including costs related to staff time and copying, as permitted by law.

Where the request relates to Health Information, and where required or appropriate, a regulated healthcare professional may review the information with the individual or with staff authorized to facilitate access, in accordance with applicable professional standards and legal requirements.

If an individual wishes to view original records, access will be supervised by authorized WMC personnel to preserve the integrity and security of the records. Requests to view original records must be made in writing, and WMC will provide a reasonable cost estimate for any associated transcription, reproduction, or transmission of information.

CORRECTING YOUR PERSONAL INFORMATION

If an individual who has provided Personal Information to Workplace Medical Corp. (“WMC”) believes that the information held by WMC is inaccurate, incomplete, or out of date, the individual may request that the information be corrected.

Upon verification of the requested correction, WMC will update the Personal Information as appropriate and, upon request, provide the individual with confirmation or a copy of the corrected information, subject to applicable legal requirements.

All requests to access or request corrections to Personal Information must be submitted to WMC in writing. WMC will respond to requests for access or correction in a timely manner and, in all cases, within the timeframes required by applicable privacy legislation.

Where additional time is required to respond to a request, or where WMC is unable to grant a request for access or correction, WMC will provide the individual with a written explanation, subject to any legal or regulatory restrictions. Where an extension applies, WMC will notify the individual of the new response timeframe and the reasons for the extension.

RETENTION AND DISPOSAL OF PERSONAL INFORMATION

Workplace Medical Corp. (“WMC”) retains Personal Information only for as long as necessary to fulfill the purposes for which it was collected, to support service delivery, and to comply with applicable legal, regulatory, and professional requirements. Retention periods vary depending on the nature of the information, the type of service provided, and relevant legislative or regulatory obligations.

In some cases, Personal Information may be retained beyond the end of an individual’s relationship with WMC where necessary to address follow-up matters, respond to inquiries, manage risk, or comply with legal or regulatory requirements. In all cases, information is retained only for the minimum period reasonably required for these purposes.

Health Information is retained in accordance with applicable federal and provincial laws, professional standards, and health regulations. Depending on the nature of the service and jurisdiction, retention periods for medical records may extend for significant periods, including up to the timeframes prescribed under applicable provincial health and safety or health information legislation.

When Personal Information is no longer required for WMC’s purposes, it is securely destroyed, deleted, erased, or anonymized in a manner that protects confidentiality and privacy and complies with applicable laws and regulations. Disposal methods are appropriate to the sensitivity of the information and may include secure shredding of physical records and secure deletion or anonymization of electronic records.

Where third-party service providers are engaged to support secure destruction or disposal of Personal Information, such providers are required to adhere to contractual privacy and confidentiality obligations consistent with this Policy and applicable legislation.

SECURITY

Workplace Medical Corp. (“WMC”) uses a combination of administrative, technical, and physical safeguards to protect Personal Information against unauthorized access, disclosure, inappropriate alteration or misuse, loss, or theft. Security measures are designed to be appropriate to the sensitivity of the information and the nature of the services provided.

Access to Personal Information is restricted to authorized employees, contractors, and professionals who require access for legitimate business or clinical purposes. Access privileges are assigned based on role and responsibility and are reviewed periodically.

1. Client Files

Electronic client files are maintained in secure environments with controlled and restricted access. Physical records are stored in locked, fire-resistant filing cabinets or secured filing areas with appropriate environmental and safety protections. Access to physical and electronic record storage areas is limited to authorized personnel only.

2. Electronic Security

WMC manages its information systems using security practices aligned with recognized industry standards. Security controls and practices are reviewed regularly and updated as technologies, risks, and regulatory expectations evolve.

Security is built into WMC’s information systems and processes, including systems used to store, transmit, and access Personal Information. Technical safeguards may include authentication controls, access logging, monitoring, and other measures appropriate to the sensitivity of the information.

Where WMC operates websites, web applications, or digital platforms that collect or store Personal Information, encryption and other protective measures are used to enhance security when individuals access secured areas. Access to WMC systems or applications that contain Personal Information requires appropriate authentication credentials and security controls to safeguard against unauthorized access.

Communicating Personal Information to WMC

WMC seeks to balance security, effectiveness, and practicality in its communications with clients and individuals. Depending on the nature and sensitivity of the information and the circumstances, WMC may use different communication methods.

Where appropriate, secure or encrypted communication methods may be used. In some circumstances, less secure communication methods, such as standard email, may be used with the knowledge or consent of the recipient. Individuals should be aware that standard email communications may not be fully secure and may carry risks if intercepted or misdirected.

Individuals are encouraged to contact WMC if they have concerns about communication methods or require secure alternatives for the transmission of sensitive information.

WMC WEBSITE AND DIGITAL PLATFORMS

Workplace Medical Corp. (“WMC”) provides access to publicly available websites, as well as secure digital platforms and client portals used to support service delivery and program administration.

When individuals visit WMC’s websites or digital platforms, WMC’s servers may automatically collect certain technical and usage information, such as domain name, date and time of access, pages visited, browser type, and related technical data. This information is collected and used in aggregated form for internal purposes only, including to:

• Manage and maintain WMC’s websites and digital platforms
• Monitor performance and diagnose technical issues
• Improve website functionality, content, and user experience
• Support security monitoring and system integrity

Where individuals voluntarily provide information through online forms, surveys, registrations, or subscriptions (such as electronic newsletters), that information is collected and used for the purposes disclosed at the time of collection and in accordance with this Policy.

Cookies and Similar Technologies

WMC’s websites may use cookies or similar technologies to support functionality, improve user experience, and gather aggregated usage information. Cookies are small data files that may be stored on a user’s device when visiting a website.

Most web browsers are set to accept cookies by default. Individuals may choose to modify their browser settings to refuse cookies or to receive alerts when cookies are being used. Please note that disabling cookies may limit access to certain features or functionality of WMC’s websites or digital platforms.

AMENDMENT OF WMC PRACTICES AND THIS POLICY

This Privacy Policy is effective as of February 2026 and has been in effect, in earlier forms, since January 1, 2004. WMC reviews its privacy practices and this Policy on a regular basis to reflect changes in services, technologies, legal requirements, and regulatory expectations.

Any revisions to this Policy will be posted on WMC’s website. Unless otherwise required by law, changes will apply to Personal Information collected after the effective date of the revised Policy, as well as to Personal Information already in WMC’s custody or control.

CONTACTING US – QUESTIONS OR CONCERNS ABOUT THIS POLICY

Individuals who have questions or concerns regarding:

1. access to their Personal Information;
2. the collection, use, management, or disclosure of Personal Information; or
3. this Privacy Policy,

may contact Workplace Medical Corp.’s designated Privacy Officer in writing.

WMC is committed to maintaining and protecting the Personal Information under its control. In support of this commitment, WMC has designated an individual (and, where appropriate, additional individuals) who are accountable for ensuring compliance with this Policy and with applicable privacy legislation.

Questions, concerns, or suggestions regarding this Policy should be submitted in writing to:

Privacy Officer
Workplace Medical Corp.
130 Wilson Street
Hamilton, Ontario, Canada L8R 1E2
Fax: (905) 522-0425
Email: contact@workplacemedical.com

WMC will respond to requests for access to Personal Information or to privacy-related inquiries as expeditiously as possible and, in all cases, within the timeframes required by applicable privacy legislation. Where an extension of time is required, or where a request cannot be granted, WMC will provide a written explanation, subject to any legal restrictions, and will advise the individual of the reason for the extension or refusal and of any applicable next steps.

Individuals who believe that their privacy rights have been infringed upon may file a complaint with the Office of the Privacy Commissioner of Canada. The Privacy Commissioner acts as an independent ombudsman and may seek to resolve complaints through investigation, mediation, and other appropriate means.

Further information about the Privacy Commissioner of Canada and the complaint process is available at: https://www.priv.gc.ca