In conjunction with our Privacy Policy, Elephant & Castle herewith outlines our Privacy Plan that integrates the ten interrelated privacy principles derived from the Code specified in the Personal Information Protection Act.

Elephant and Castle is responsible for personal information under its control and shall designate a Privacy Officer who is accountable for Elephant & Castle's compliance with the principles of the Act.

To ensure accountability, we have established a Privacy Officer, a Privacy Policy and a Privacy Plan. In order to ensure that information is secured, we commit to the following;

• information on the policy and the plan.
• the employees rights to private and accurate information.
• an understanding of what mechanisms we have in place to safeguard the information.
• an understanding of how to access and verify their information.
• an understanding of recourse available if there is a breach.

B. All employees who handle private and personal information will receive additional training on the privacy legislation and the proper handling of private information.

C. Third party contracts will be continually reviewed to ensure that all private information is being relayed for appropriate reasons.

D. Secure storage systems. Personal Information will be stored in secured private areas with limited access, as follows:

Employee and Private information will only be accessed by authorized personnel as outlined below and information will be kept in secured, private storage. Computer files and on-line processing will all be password protected.

The following lists the type of private information and who has access to that information:

Personal Employee Information:

Employment Application: Accessible by the Manager to whom the employee directly reports to, the Hiring Manager, Human Resources Representative, Payroll and Benefit Administrators.

Work Performance Information: Employee and Direct Management will have access to manage employee performance and to support promotion decision making.

Payroll Information: Will only be accessible by the employees responsible for administering payroll and their direct supervisors, the Executive Management, the Human Resources Representative and the two Directors' of Operations.

Benefit Information: Benefit Administrators and Third Party Benefit Providers, i.e. Great West Life.

Medical Information: Benefit Administrators and Managers to whom the employee directly reports when used for purpose listed below.

Private Financial Information of Suppliers, Vendors, Creditors: Accessible by Accounting Department Personnel.

E. Ongoing, scheduled reviews of the Privacy Policy and Procedures will be reviewed by the Privacy Officer to ensure proper compliance.

The purposes for which personal information is collected shall be identified by Elephant and Castle on or before the time the information is collected.

Employment Application Information: Information will be collected to establish, verify and maintain the employment relationship including payroll and benefit administration. Consent is signed for on the application forms.

Medical Information: Information will be collected only for reasonable purposes: to determine benefit eligibility, to determine ability to perform work duties, for administering return to work programs, and for determining the extent of duty to accommodate.

Work Performance Information: Will be collected to manage employee information. Employees will have full access to this information, provided that said information does not reveal personal information of another individual.

Financial Information of Suppliers, Vendors, Creditors: Only to be used for expressed purposes to conduct and support financial and credit functions.

The knowledge and consent of the individual is required for the collection, use and disclosure of personal information, except in specific circumstances as described within the Act.

Employment Applications: When applicants apply for work with Elephant and Castle, they sign their consent and understand they are providing personal information solely for the purpose to establish, verify and maintain the employment contract.

Payroll Information: At time of enrollment, all employees are notified that personal information regarding financial institutions and Social Insurance Numbers are collected to process payroll.

Benefit Information: Upon application for Group Health Care, employees provide personal information and are told that private information is confidential and is only used to administer the Group Extended Health Plan.

The collection of personal information shall be limited to that which is necessary for the purposes identified by Elephant & Castle. Information shall be collected by fair and lawful means.

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfillment of those purposes.

Employment Applicants: Unsolicited Resumes of Applicants shall not be retained, unless a suitable future opportunity is foreseen.

Applicants who were being considered for a position and a decision has been made about an individual, shall have their information retained for one year.

Former Employees - information will be destroyed if no longer necessary for legal or business purposes. Payroll Records must be maintained for 2 years.

Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information. Elephant & Castle will apply the same standard of care as it applies to safeguard its own confidential information of a similar nature.

Our safeguards shall protect against loss, theft unauthorized access, disclosure, copying, use or modification. Our safeguards will include, but not be limited to:

1. Physical Measures - secured storage cabinets and secured offices.
2. Organizational Measures - trained employees who understand proper handling of private information and ramifications of inappropriate handling.
3. Technological Measures - secured computer files, passwords and servers.

Elephant & Castle shall make readily available to individuals specific, understandable information about its policies and practices relating to the management of personal information. We will review our Privacy Policy and Plan twice a year to ensure that it is up to date and we will maintain the most current policies and plans on our website for full open access. The Privacy Policy will be available on our website at www.elephantcastle.com.

Any changes or updates to the policy will be communicated to all parties directly via written notification.

Upon request, an individual shall be informed of the existence, use, and disclosure of their personal information, and shall be given access to that information. An individual is entitled to question the accuracy and completeness of the information and have it amended as appropriate.

1. Individual may request, in writing, access to their personal information by writing directly to the Elephant & Castle Privacy Officer.
2. The Privacy Officer may be contacted by the following means:

          Mail:   Privacy Officer
                    Elephant & Castle Group
                    12th Floor, 1190 Hornby Street
                    Vancouver, B.C. V6Z 2K5
                    Tel:  604-684-6457
                    Fax:  604-684-8595
                    Email:  PrivacyOfficer@elephantcastle.com

          The Privacy Officer will respond within 30 days, or if an extension is needed,
          we will notify the individual of the new deadline and the reason for the
          extension. Depending on the request, the Privacy Officer will respond to the
          request and determine the next steps including accessing or correct information.

    3.   Information will not be revealed that will reveal the identity of another
          individual or that individual's person information without that individual's
          consent.

An individual shall be able to question compliance with the above principles to the Privacy Officer accountable for compliance.

1. All challenges to compliance will be received to the attention of the Privacy Officer.
2. All Inquiries about policies and procedures will be responded to in a reasonable time frame.
3. The Privacy Office will try to rectify all challenges brought forward with a suitable remedy to all parities.
4. The Piracy Officer will notify challengers who are still not satisfied that they have recourse through the Provincial Privacy Commissioner who presides over Bill 38 and ensures proper administration of the Personal Information Protection Act.