Data privacy and information security

Our customers, team members and investors expect us to demonstrate that we collect data appropriately, use it for purposes that advance their interests and keep it secure. Our approach to data governance encompasses the protection and appropriate use of data across its lifecycle, and we incorporate data governance proactively as a core consideration in all of our business initiatives and technology decisions.

The BCE Inc. Board of Directors adopted an enhanced data governance policy in 2020, bringing together multiple existing policies and programs in the interrelated areas of privacy, information security, data access management and records management. We have implemented mandatory data governance training for all employees as part of our biannual code of business conduct training program. We have also created an internal data governance site to centralize resources and answer frequently asked questions for team members.

Privacy

Customer awareness about the importance of protecting their personal information, and privacy considerations relating to their use of our services continue to increase. This has attracted the attention of lawmakers and regulators. There has also been increased regulatory scrutiny over the use, collection and disclosure of personal information in Canada. Our continued focus in this area aligns with our Strategic Imperative to champion the customer experience.

We value the trust our customers place in us when sharing their personal information. We are committed to being accountable for how we collect, use and disclose personal information. Our privacy policy sets out what information we collect, how and why we collect, use and sometimes disclose it, how and when we may request informed consent from our customers, how customers can access their personal information and how they can contact us if they have questions or concerns.

Every year, all Bell team members must individually review and sign the Bell Code of Business Conduct. Reinforcing the importance of safeguarding customer information and using it only in accordance with our privacy policy

User consent and purpose of data collection

Bell's privacy policy explains how and when we collect, use and disclose personal information, including how we share personal information within the Bell group of companies. We keep information only as long as we need to or as required by law. Moreover, Bell does not disclose a customer's confidential information to government agencies, unless it is required or permitted by law (such as where it is necessary to investigate the contravention of a law or to prevent fraud and secure our networks) or in the case of an emergency where there is an imminent danger to life or property.

Team member training and privacy tools

We provide our team members with information and ongoing training regarding the importance of respecting the privacy of our customers’ and team members’ personal information. We publish information on our intranet site that clearly defines roles, processes, training support and more. In 2021, we implemented mandatory data governance training for all employees as part of our biannual code of business conduct training program.

Information Security

Our industry, like many others, is subject to constant cyber threats. We need to be able to identify and address information security risks in a timely manner in order to protect systems and information and help deliver on our Strategic Imperative to champion customer experience. Avoiding information security incidents can also limit increased expenses associated with remediation efforts and legal exposure, aligning with our Strategic Imperative to operate with agility and cost efficiency.

We strive to maintain the security of our systems and customers' data. To do this, we implement prevention, detection and response programs related to security threats. As we provide ongoing training to our team members on data protection, we also continue to help define industry security and risk management practices.

At Bell, we seek to protect our networks, systems, applications and the personal information they contain against all threats, including cyber attacks, unauthorized access or entry, damage from fire and natural events, among others. We strive to protect the competitiveness of Canadian businesses using Bell's services, by seeking to maintain network security and stability. We make continual investments to improve the performance and availability of our services and networks, and deploy layers of security controls to protect against cyber threats. Cyber security threats continue to evolve as new technologies emerge – such as 5G, cloud computing and IoT. Bell's Information Security program addresses the confidentiality, integrity and availability of existing and emerging technologies. Embedding a security mindset and appropriate protections into everything we do describes Bell's security-by-design approach.

Oversight

BCE's full Board is entrusted with the responsibility for identifying and overseeing the principal risks that our business is exposed to and seeking to ensure there are processes in place to effectively identify, monitor and manage them. While the Board has the overall responsibility for risk, the responsibility for certain elements of the Risk Oversight program is delegated to Board committees. This ensures that these elements (which are reported to the Board regularly) are treated with the appropriate expertise, attention and diligence.

BCE's Risk and Pension Fund Committee is accountable for overseeing Bell's information security risks and strategy. Operational business unit leaders are central to the proactive identification and management of risk on a daily basis. Business unit leaders have access to a range of corporate support functions that provide independent expertise to reinforce the implementation of risk management approaches.

The Corporate Security function is responsible for all aspects of security. Our Corporate Security professionals have a deep understanding of the business, the risk environment and the external stakeholder environment, and they set the standards for the organization in our security policies and monitor the organization's performance against these requirements. They also collaborate with operational business unit leaders to develop strategies and action plans to mitigate areas of risk.

Framework, policies and certification

To protect existing assets, we have developed a framework based on industry best practices and standards, including, but not limited to, those of the Information Security Forum (ISF), the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST) and the Payment Card Industry Data Security Standard (PCI DSS). This framework consists of 10 strategic Information Security pillars and is supported by a series of policies, directives and standards defining security controls to protect our assets and data. In 2021, we completed a third-party evaluation of Bell's information security management system (ISMS) and strategy, reinforcing our alignment with best practices and leadership in the industry. We have assessed and aligned 100% of our ISMS against the ISO standard, with the intent to use as base to build on and maintain our information security management system. We already conduct Service Organization Control (SOC 1 & 2) audits on specific services across Bell to provide independent assurance on security, availability and privacy controls to our customers. We rely on a robust assurance process to conduct assessments on projects, identify areas of risk and establish action plans to ensure systems are deployed with the appropriate level of security. In consideration of the evolving nature and sophistication of information security threats around the world, we rapidly adapt our security policies and procedures.

Bell’s information security pillars

Threats and incidents

We have an internal Cyber Threat Intelligence team that identifies threats facing Bell and our customers, and complements the intelligence we gather from other industry sources. For example, Bell is a founding member of the Canadian Cyber Threat Exchange (CCTX), a national, cross-sector threat forum where security professionals exchange actionable threat intelligence and mitigation measures with peers.

Information security awareness and education is an important part of team member onboarding and mandatory training at Bell. Be Cyber Savvy is Bell’s information security education program. This program includes access to our specialized cyber awareness platform, annual training and monthly phishing simulations, as well as a wide variety of materials available to employees such as webinars, articles, podcasts and an annual virtual conference. As of December 31, 2023, 95% of onboarded employees have completed baseline training, achieving our goal of a 90% completion rate. Our 2023 phishing simulation report rate is at 33%, and we observed a 142% increase in reported phishing simulations from fully trained employees compared to non-trained employees. These initiatives enable a stronger cybersecurity culture and a greater awareness of cybersecurity risks.

Customers

Consistent with Bell's position as an established provider of security services for Canadian businesses and organizations, our Managed IoT Security Service provides comprehensive security to keep our customers' networks and systems safe and secure as they adopt IoT technologies. Our full suite of security services is monitored by Bell's Security Operations Centre, the centre is staffed 24/7 to provide incident and policy management, policy management and to reporting on all security related incidents.

Contract requirements

Third-party data processors are required to implement adequate measures to ensure information security. We hold suppliers accountable through contractual clauses, requiring that the appropriate controls are in place to protect Bell’s data and systems. Where a supplier handles sensitive information that belongs to a Bell company, a Bell customer or one of our team members, the supplier must comply with all applicable privacy laws in the jurisdiction in which they operate, as well as the contractual obligations set forth in the agreement. Bell reserves the right to assess and monitor suppliers' practices regarding information security protection. Suppliers must notify Bell immediately of all actual or suspected privacy breaches, information security incidents or loss of Bell's data and the supplier must assist Bell in managing the consequences of such events.

External collaboration and partnerships

Bell is a founding member of CCTX, which aims to help public and private organizations share cyber threat and mitigation information across industries and sectors in Canada. Bell is also a founding member of the Canadian Security Telecommunications Advisory Committee (CSTAC), where we work together to drive best practices and improve the security and resiliency of Canada's connected world along with other Canadian telecommunications providers, government departments and law enforcement agencies.

Bell is recognized as a Canadian security leader by IDC Canada. IDC Canada evaluates security providers on their current capabilities and future strategies for delivery of security services. Bell’s leadership was recognized in the 2015, 2016, 2017, 2018, 2019, and 2022 IDC Canada reports.

Wireless health and safety and social acceptability of our network

In Canada, Health Canada reviews studies from around the world, conducts its own research and sets guidelines for human exposure to RF electromagnetic fields. The guidelines are documented as Safety Code 6 . This code sets the limits for safe exposure to RF emissions for all people, including vulnerable populations and people who work near RF emission sources. The code also outlines safety requirements for the installation and operation of devices that emit RF fields, such as mobile phones, Wi-Fi technologies and base station antennas.

Innovation, Science and Economic Development Canada (ISED) has made compliance to Safety Code 6 mandatory for all proponents and operators of radio installations. ISED is responsible for approving RF equipment using Health Canada's Safety Code 6 standard for exposure and performing compliance assessments.

The safety and security of our customers is our top priority. Bell only purchases mobile phones that meet Health Canada's Safety Code 6 RF emission requirements. Bell also ensures that all of the wireless network equipment that we place on towers, buildings and other support structures meets these requirements. When selecting the location of new telecommunication sites, Bell is sensitive to community concerns with respect to location and placement of facilities. Before selecting or acquiring property for any new telecommunication site, Bell first determines whether it is feasible to place antennas on existing structures, such as buildings and pre-existing towers. In this regard, Bell seeks to comply with ISED's guidelines for public and municipal consultation as set out in ISED’s Client Procedures Circular CPC-2-0-03, Radio communication and Broadcasting Antenna Systems.