ETHICAL AND RESPONSIBLE BUSINESS AND LEADERSHIP IN HEALTH

Embed ethical and responsible business practices including demonstrating our role as a leader in health

Our approach to ethical and responsible business and leadership in health

At Medibank, our values guide everything we do. We’re committed to acting with integrity and embedding ethical, responsible practices across our business and supply chain. Whether it’s with our customers, our people, our community or our partners, we’re focused on doing what’s right. For details about our progress against our sustainability commitments in ethical and responsible business and leadership in health, refer to our Sustainability summary 2025 and our ESG databook 2025.

Our work in ethical and responsible business and leadership in health is guided by our material topics and commitments:  

Responsible decision making centred on customers and patients  

  • Support ethical decision making to improve resilience and impact of supply chains  
  • Strengthen governance practices for strong and resilient business  

Responsible use and protection of customer data  

  • Continue to monitor and respond to the ongoing risk of cybercrime  
  • Responsible and ethical use of artificial intelligence that supports exploration of its capabilities to enable our people to better the customer experience 

Responsible decision making centred on customers and patients

Support ethical decision making to improve resilience and impact on supply chains 

We strive to build relationships with diverse and inclusive suppliers and operational partners who share our values of ethical conduct, environmental performance, and diversity and inclusion. We focus on both external and internal education and awareness initiatives and require compliance with our External Partners and Suppliers’ Code of Conduct. We are also committed to supporting Aboriginal and Torres Strait Islander businesses through our Indigenous Business Engagement Guide, which encourages our people to seek and engage Aboriginal and Torres Strait Islander-owned businesses in culturally appropriate ways when buying goods or services. This links to our Indigenous procurement framework which includes our company aspiration to drive social return on investment through meaningful Aboriginal and Torres Strait Islander business engagements. 

Read our Human Rights policy.  

Read our Modern Slavery Statements.  

Strengthen governance practices for strong and resilient business

We’re committed to sound governance practices that meet the expectations of our customers, shareholders and other stakeholders. Details of our corporate governance, including a copy of our Corporate Governance Statement, Constitution, Board and Committee charters and key governance-related policies, are available on our corporate governance webpage.

Medibank seeks to maintain a strong culture of accountability, underpinned by clear behavioural expectations outlined in our Code of Conduct and supported by our consequence management framework. Where expectations are not met, appropriate actions are taken, including performance impacts tied to remuneration. We uphold a zero-tolerance approach to sexual harassment, with all employees completing annual compliance training and having access to safe, confidential reporting channels. Our Whistleblower policy sets out how employees can report concerns anonymously.

With 100% of our operations based in Australia and tax payments made solely in Australia, we’re proud of our contribution to Australia’s public finances. We see this as an important element in meeting the expectations of our customers, regulators and community that we pay our fair share. Read our voluntary Tax Transparency reports.

We don’t make political donations to any political party, politician or candidate. When there is a legitimate business reason, we attend some political functions related to public policy discussions relevant to our business. 

Each year, all our people are required to complete compulsory compliance training modules. This training supports our people to understand our regulatory obligations. Where relevant, employees also complete additional compulsory training specific to the requirements of their individual roles. The training modules completed by our people include:

  • The way we do things here (Code of Conduct, Values and 2030 Vision)  
  • Anti-bribery and corruption  
  • Introduction to information security  
  • Introduction to risk  
  • Health, safety and wellbeing at Medibank 
  • Privacy

Clinical governance  

Clinical quality, safety governance and our aim to improve our health services are both fundamental enablers of Amplar Health’s focus on improving healthcare experiences and providing greater access, choice and control for people in Australia to manage their health. Timely clinical input and evidence-based care are essential to our work and, under our clinical governance model, everyone at Amplar Health is accountable for the safety of health services. Our Clinical Governance and Quality Framework aligns with our broader corporate governance and enterprise risk practices and supports our focus on enhanced patient safety and quality of care.

Responsible use and protection of customer data

Continue to monitor and respond to the ongoing risk of cybercrime

The evolving cyber threat landscape

We continue to monitor and respond to the ongoing risk of cybercrime. Our strategic approach and roadmap of uplift activities are designed to continue maturing our cybersecurity approach and better enable us to respond to the cyber threat landscape, which continues to evolve rapidly. It encompasses:   

  • Further strengthening our core cybersecurity services  
  • Continuing to mature our risk management culture and practices  
  • Assessing our capability maturity pursuant to the National Institute of Standards and Technology’s (NIST) cyber security framework  
  • Ongoing enhancement of our security detection and response capabilities 

Strengthening customer privacy across our business 

Our Data Ethics and Privacy Squad continues its work on governance, culture and accountability in the Responsible Use of Customer Data. Where relevant, artificial intelligence (AI) ethics are considered in the procurement, development and deployment of new AI tools. Our Enterprise Consent Framework focuses on ensuring consistency in how we collect, store and verify consent in the use of customer data.  

Our Privacy Policy outlines how we collect, use and manage customer data, including how individuals can access their personal information. Our security and privacy information on our Medibank and ahm websites informs our customers about staying safe online and outlines the security measures we have in place to protect their information. We also have an Amplar Health Privacy Policy that reflects the delivery of healthcare.

Our privacy framework 

We’re committed to protecting our customers’ personal information and building trust through strong privacy practices. Our privacy framework is built on 6 key principles that guide the way we work: 

  1. Promoting a culture of privacy awareness: We foster a workplace where privacy is front of mind, and our people understand the importance of protecting personal information.
  2. Taking responsibility for the information we handle: We recognise that we manage sensitive information and operate across diverse areas of business. We take a careful and considered approach to respecting privacy in everything we do.
  3. Integrating privacy into our broader risk and compliance systems: Privacy is not treated in isolation - it’s part of our enterprise risk, compliance and incident management systems.
  4. Managing privacy risk openly and proactively: We apply a risk-based approach and support open conversations about privacy risks to help manage them early and effectively.
  5. Embedding good privacy practices into our everyday work: We design our systems and processes with privacy in mind, so that good privacy practices are part of our day-to-day operations.
  6. Holding ourselves to a high standard: We expect best-practice privacy compliance from our people and the systems we use, and we’re continually improving.

Responsible and ethical use of artificial intelligence that supports exploration of its capabilities to enable our people to better the customer experience

Artificial intelligence (AI)

The use of new tools and technologies such as AI brings exciting opportunities to help us deliver on our purpose of Better Health for Better Lives. We have a comprehensive policy to govern AI use within Medibank. It incorporates our commitment to ensuring the responsible use of data with security measures and privacy protections in place. In 2025, we executed a business-wide campaign to educate Medibank employees on the safe use of AI tools, embedding strong technology and risk management practices.