2022 ESG Report: Data Security and Privacy

We have a global framework for managing the company’s privacy risk, which is overseen by our Global Chief Privacy Officer, who is accountable to the Global Compliance Chief and is appointed by the Executive Risk Committee. On a quarterly basis, we report on privacy to senior management and the Audit Committee of the Board of Directors.

The framework is designed to:
• Help ensure compliance with legal and regulatory requirements governing the protection of personal information in all the jurisdictions in which Manulife operates, while also promoting consistency in personal information handling practices throughout the company.
• Maintain and foster customer and employee trust.
• Minimize the occurrence and impact of privacy-related incidents.

Our framework establishes standards for:
• Ensuring applicable privacy legislation and regulations are understood and their requirements reflected in applicable business processes, controls, and disclosures.
• Identifying and managing privacy-related risks, including those that may be introduced by new or changed initiatives.
• Collecting and handling personal information, including limiting collection and ensuring it is carried out in fair and legal ways.
• Handling requests from individuals, including privacy-related complaints, concerns, and consent withdrawals.
• Privacy incident management, including root cause analysis and corrective actions.
• Sharing personal information with third parties, requiring them to comply with our internal framework through privacy and security clauses within contracts.
• Safeguarding personal information.
• Monitoring compliance with the framework.
• Reporting, managing, and escalating all privacy-related complaints to appropriate levels within the company.
• Privacy and data security training for all employees, including part-time employees and contractors.

We are responsible for personal information in our possession, including information transferred to service providers who perform duties on our behalf. When we share personal information with our service providers, they must protect it in ways that are consistent with our privacy policies and practices. We are obligated to notify individuals of certain types of breaches in many of the jurisdictions where we operate, and we have internal protocols in place to help ensure these notifications are completed, as and when required.

As a provider of financial products and services, we collect and use our customers’ personal information through the normal course of our business. Our customers trust that we will safeguard the privacy of the information in our care, and we take this responsibility very seriously. Details given to customers about how we handle their personal information include:
• The nature of information collected, why it is captured, and how it is captured
• How the collected information is used
• Any options they may have for deciding how their personal information is collected, used, retained, and processed
• How long the information is kept on corporate files
• Safeguards in place to protect the information
• Involvement of service providers
• How to contact us if they have questions or concerns

In 2022, we procured industry-leading privacy program management software. The software is currently being implemented and will be adopted by our businesses using a phased approach. The software includes tools for helping to manage privacy incidents, conducting privacy impact assessments, and maintaining inventories of data processing activities.
We require all privacy-related complaints to be properly managed and escalated to appropriate levels within the organization. Privacy complaint data is included in management reporting. If required, we will consider disciplinary action in light of the seriousness of the infraction and in line with our Code of Business Conduct. Manulife did not experience any material breaches in 2022 and so did not need to consider disciplinary action.

Performance data (2022):
Number of substantiated privacy complaints from a regulatory body: 0
Number of complaints received from outside parties and substantiated by Manulife [68]: 0
Percentage of eligible employees who completed privacy and information security training: 100%
Information security breaches or other cyber security incidents [69]: 0
Data breaches [70]: 0
Customers and employees affected by data breaches: 0
Number of phishing simulation tests conducted globally with Manulife employees and contractors: 357,543

[68] In 2022, Manulife did not receive any material privacy complaints and did not experience any material privacy incidents.
[69] Manulife did not experience any data incidents that required reporting to global data protection authorities in 2022.
[70] A data breach is a security violation or incident that leads to unintended access to sensitive or critical data or its exposure to an unauthorized party. Manulife reports on material data breaches that would require reporting to global data protection authorities.
