Privacy and information security
Our customers, team members and investors expect us to demonstrate that we collect data appropriately, use it for purposes that advance their interests, and keep it secure. Our approach to data governance encompasses the protection and appropriate use of data across its life cycle, and we incorporate data governance proactively as a core consideration in all our business initiatives and technology decisions.
The BCE Board adopted an enhanced data governance policy in 2020, bringing together multiple existing policies and programs in the interrelated areas of privacy, information security, data access management and records management. In 2021, we implemented mandatory data governance training for all employees.
WHY IT MATTERS (GRI 103)
Customers are becoming increasingly aware of the importance of protecting their personal information as well as privacy considerations regarding their use of wireless, Internet, and media services. This has attracted the attention of lawmakers and regulators, and changes to privacy laws have been proposed in a number of Canadian jurisdictions. There has also been increased regulatory scrutiny of the use, collection, and disclosure of personal information in Canada. Our continued focus in this area aligns with our strategic imperative to champion the customer experience.
WHAT WE ARE DOING
At Bell, we value the trust you place in us when sharing your personal information. Bell will not disclose a customer’s confidential information to government agencies unless it is required or permitted by law (such as when it is necessary to investigate the contravention of a law or to prevent fraud and secure our networks), or in the case of an emergency where there is an imminent danger to life or property. This is our commitment to you:
- We commit to being accountable to you for how we collect, use and disclose your personal information.
- We only collect, use or disclose your personal information if we have your consent, or in circumstances where your consent is not necessary (such as an emergency situation).
- We only collect your personal information in fair and legal ways. We limit our collection of your personal information to the purposes identified in advance to you.
- We use or disclose your personal information for the reasons it is collected, when it is otherwise allowed, or as required by law. We keep the information only as long as we need to, or as required by law.
- We correct your personal information when you inform us of mistakes or let us know that updates are required.
- We do our best to keep your personal information safe, and ensure we use physical, technical and administrative safeguards appropriate to the sensitivity of the information. If we transfer your personal information to our suppliers, we ensure your information is appropriately protected.
- We make information available to you about our information management policies and practices.
- We will provide you with access to the personal information we hold about you upon written request, unless restricted by law.
- We are here to listen, and to help. If you have concerns, please contact us at email@example.com.
Number of unresolved well-founded privacy complaints
Target: 0 unresolved well-founded privacy complaints from the Office of the Privacy Commissioner of Canada
Information security (GRI 418-1; SASB: TC-TL-220a.1; TC-SI-220a.1-2-3-4)
WHY IT MATTERS (GRI 103)
Our industry is particularly vulnerable to cybersecurity threats, giving rise to new and emerging standards and regulations. We need to be able to identify and address information security risks in a timely manner in order to be in a better position to protect our market share and reputation, and these efforts align with our strategic imperative to champion customer experience, while at the same time reducing exposure to cyberattacks. Avoiding data breaches can also limit the increase in expenses associated with remediation efforts and legal exposures, aligning with our strategic imperative to operate with agility and cost efficiency.
WHAT WE ARE DOING
We are focused on maintaining the trust that our customers have in us to protect their data. To do this, we implement prevention, detection and response programs related to security threats. In addition, we are helping define industry security and risk management practices, and we train our team members on data protection.
Consistent with Bell’s position as a longstanding leader in providing security services to Canadian businesses and organizations, our Managed IoT Security service provides an advanced layer of comprehensive security services that help keep our customers’ IT infrastructure and systems safe and secure as they adopt IoT technologies.
Our full suite of security services is monitored by Bell’s Security Operations Centre, where a team of more than 190 accredited security professionals are at work 24/7 providing incident management and policy management, and reporting on all security-related incidents.
Bell is also dedicated to protecting its networks, systems, applications, data centres, records and the personal information they contain against all threats including cyberattacks, unauthorized access or entry and damage from fire, natural and other events. Given that the vast majority of Canada’s 100 largest companies use Bell services, we understand and make every effort to protect the competitiveness of Canadian businesses by seeking to maintain network security and stability. That entails continuous investment to upgrade performance. We also deploy defensive layers and controls that are complemented by rigorous monitoring and regular security testing.
As a representative for Canada in the not-for-profit, member-driven Information Security Forum, Bell helps lead the establishment and development of security and risk management practices. We also adhere to a number of international security standards and frameworks, including the Information Security Forum Standard of Good Practice. Bell is also a founding member of the Canadian Cyber Threat Exchange (CCTX.ca), which seeks to help public and private organizations collaborate and share cyber-threat information across different industries and sectors in Canada.
Bell continues to work with government, law enforcement agencies and the technology industry to combat the growth of hacking and other cybercrimes.
Improving awareness and corporate culture around security
In February 2021, we launched our Be Cyber Savvy information security training program. This training program includes onboarding to our specialized Cyber Savvy platform, performing phishing simulations and taking four courses, which team members have a year to complete once they are onboarded. We onboarded 100% of selected team members in 2021, and plan for all these team members to fully complete the training cycle by the end of 2022. We adjusted the training completion target date from 2021 to 2022 to allow onboarded members to complete the full training. On December 31, 2021, 70% of selected members had completed the full training program. Additionally, we set a new target for our team members: to improve our phishing simulation report rate year-over-year. These initiatives enable a stronger cybersecurity culture and greater awareness of cybersecurity risks. We also aim to align our program to ISO 27001 by the end of 2023.
Key target: Selected employees to complete Bell’s Be Cyber Savvy information security training program by the end of 2022
As of December 31, 2021
Training completed: 70%
To learn more about how to protect your personal information, visit Bell’s security and fraud prevention resources on Bell.ca and see the Data privacy and information security information sheet on our website. (SASB: TC-TL-220a)