Guidance

Call Off Schedule Templates

Updated 29 September 2020

TABLE OF CONTENTS

CALL OFF SCHEDULE 1 – DEFINITIONS

CALL OFF SCHEDULE 2 – GOODS AND/OR SERVICES

ANNEX 1 – THE SERVICES

ANNEX 2 – THE GOODS

CALL OFF SCHEDULE 3 – CALL OFF AGREEMENT CHARGES, PAYMENT AND INVOICING

ANNEX 1 – CALL OFF AGREEMENT CHARGES

ANNEX 2 – PAYMENT TERMS/PROFILE

ANNEX 1 – TEST ISSUES – SEVERITY LEVELS

ANNEX 2 – TEST CERTIFICATE

ANNEX 3 – SATISFACTION CERTIFICATE

ANNEX 1 TO PART A – SERVICE LEVELS AND SERVICE CREDITS TABLE

PART B – PERFORMANCE MONITORING

ANNEX 1 TO PART B – ADDITIONAL PERFORMANCE MONITORING REQUIREMENTS

CALL OFF SCHEDULE 7 – SECURITY

ANNEX 1 – BASELINE SECURITY REQUIREMENTS

ANNEX 2 – SECURITY POLICY

[OPTIONAL CALL OFF SCHEDULE 10 – STAFF TRANSFER

ANNEX TO PART A – PENSIONS

ANNEX TO PART B – PENSIONS

ANNEX TO SCHEDULE 10 – LIST OF NOTIFIED SUB-CONTRACTORS]

CALL OFF SCHEDULE 11 – DISPUTE RESOLUTION PROCEDURE

CALL OFF SCHEDULE 12 – VARIATION FORM

CALL OFF SCHEDULE 13 – TRANSPARENCY REPORTS

ANNEX 1 – LIST OF TRANSPARENCY REPORTS

CALL OFF SCHEDULE 14 – CALL OFF TENDER

CALL OFF SCHEDULE 15 – SUPPLIER SOFTWARE, CUSTOMER SOFTWARE AND THIRD PARTY SOFTWARE

CALL OFF SCHEDULE 1: DEFINITIONS

1. In accordance with Clause 1 (Definitions and Interpretation) of this Call Off Agreement including its recitals the following expressions shall have the following meanings:

Achieve: means in respect of a Test, to successfully pass such Test without any Test Issues in accordance with the Test Strategy Plan and in respect of a Milestone, the issue of a Satisfaction Certificate in respect of that Milestone and “Achieved”, “Achieving” and “Achievement” shall be construed accordingly.

Acquired Rights Directive: means the European Council Directive 77/187/EEC on the approximation of laws of European member states relating to the safeguarding of employees’ rights in the event of transfers of undertakings, businesses or parts of undertakings or businesses, as amended or re-enacted from time to time.

Additional Clauses: means the additional Clauses in Call Off Schedule 14 (Alternative and/or Additional Clauses) and any other additional Clauses set out in the Call Off Order Form or elsewhere in this Call Off Agreement.

Affected Party: means the party seeking to claim relief in respect of a Force Majeure.

Affiliates: has the meaning given to it in Framework Schedule 1 (Definitions).

Approval: means the prior written consent of the Customer and “Approve” and “Approved” shall be construed accordingly.

Approved Sub-Licensee: means any of the following:

a) a Central Government Body;

b) any third party providing goods and/or services to a Central Government Body; and/or

c) any body (including any private sector body) which performs or carries on any of the functions and/or activities that previously had been performed and/or carried on by the Customer.

Auditor: means:

a) the Customer’s internal and external auditors;

b) the Customer’s statutory or regulatory auditors;

c) the Comptroller and Auditor General, their staff and/or any appointed representatives of the National Audit Office;

d) HM Treasury or the Cabinet Office;

e) any party formally appointed by the Customer to carry out audit or similar review functions; and

f) successors or assigns of any of the above.

Authority: has the meaning given to it in Framework Schedule 1 (Definitions).

BACS: means the Bankers’ Automated Clearing Services, which is a scheme for the electronic processing of financial transactions within the United Kingdom.

BCDR Goods and/or Services: means the Business Continuity Goods and/or Services and Disaster Recovery Goods and/or Services.

BCDR Plan: means the plan prepared pursuant to paragraph 2 of Call Off Schedule 8 (Business Continuity and Disaster Recovery), as may be amended from time to time.

Business Continuity Goods and/or Services: has the meaning given to it in paragraph 4.2.2 of Call Off Schedule 8 (Business Continuity and Disaster Recovery).

Call Off Commencement Date: means the date of commencement of this Call Off Agreement set out in the Call Off Order Form.

Call Off Agreement: means this contract between the Customer and the Supplier (entered into pursuant to the provisions of the Framework Agreement), which consists of the terms set out in the Call Off Order Form and the Call Off General Terms and Conditions.

Call Off Agreement Charges: means the prices (inclusive of any Milestone Payments and exclusive of any applicable VAT), payable to the Supplier by the Customer under this Call Off Agreement, as set out in Annex 1 of Call Off Schedule 3 (Call Off Agreement Charges, Payment and Invoicing), for the full and proper performance by the Supplier of its obligations under this Call Off Agreement less any Deductions.

Call Off Agreement Period: means the term of this Call Off Agreement from the Call Off Commencement Date until the Call Off Expiry Date.

Call Off Agreement Year: means a consecutive period of twelve (12) Months commencing on the Call Off Commencement Date or each anniversary thereof.

Call Off Expiry Date: means:

(a) the end date of the Call Off Initial Period or any Call Off Extension Period; or

(b) if this Call Off Agreement is terminated before the date specified in (a) above, the earlier date of termination of this Call Off Agreement.

Call Off Extension Period: means such period or periods up to a maximum of the number of years in total as may be specified by the Customer, pursuant to Clause 5.2 and in the Call Off Order Form.

Call Off Guarantee: means a deed of guarantee that may be required under this Call Off Agreement in favour of the Customer in the form set out in Framework Schedule 13 (Guarantee) granted pursuant to Clause 7 (Call Off Guarantee).

Call Off Guarantor: means the person, in the event that a Call Off Guarantee is required under this Call Off Agreement, acceptable to the Customer to give a Call Off Guarantee.

Call Off Initial Period: means the initial term of this Call Off Agreement from the Call Off Commencement Date to the end date of the initial term stated in the Call Off Order Form.

Call Off Order Form: means the order form applicable to and set out in Part 1 of this Call Off Agreement.

Call Off Procedure: has the meaning given to it in Framework Schedule 1 (Definitions).

Call Off Schedule: means a schedule to this Call Off Agreement.

Call Off Tender: means the tender submitted by the Supplier in response to the Customer’s Statement of Requirements following a Further Competition Procedure and set out at Call Off Schedule 15 (Call Off Tender).

Call Off Terms: means the terms applicable to and set out in Part 2 of this Call Off Agreement.

Central Government Body: has the meaning given to it in Framework Schedule 1 (Definitions).

Change in Law: means any change in Law which impacts on the supply of the Goods and/or Services and performance of the Call Off Agreement which comes into force after the Call Off Commencement Date.

Change of Control: has the meaning given to it in Framework Schedule 1 (Definitions).

Charges: means the charges raised under or in connection with this Call Off Agreement from time to time, which shall be calculated in a manner that is consistent with the Charging Structure.

Charging Structure: means the structure to be used in the establishment of the charging model which is applicable to the Call Off Contract, which is set out in Framework Schedule 3 (Framework Prices and Charging Structure).

Commercially Sensitive Information: means the Confidential Information listed in the Call Off Order Form (if any) comprising of commercially sensitive information relating to the Supplier, its IPR or its business or which the Supplier has indicated to the Customer that, if disclosed by the Customer, would cause the Supplier significant commercial disadvantage or material financial loss.

Comparable Supply: means the supply of Goods and/or Services to another customer of the Supplier that are the same or similar to the Goods and/or Services.

Compensation for Critical Service Level Failure: has the meaning given to it in Clause 14.2.2 (Critical Service Level Failure).

Confidential Information: means the Customer’s Confidential Information and/or the Supplier’s Confidential Information, as the context specifies.

Continuous Improvement Plan: means a plan for improving the provision of the Goods and/or Services and/or reducing the Charges produced by the Supplier pursuant to Framework Schedule 12 (Continuous Improvement and Benchmarking).

Contracting Authority: means the Authority, the Customer and any other bodies listed in the OJEU Notice.

Control: has the meaning given to it in Framework Schedule 1 (Definitions).

Conviction: means other than for minor road traffic offences, any previous or pending prosecutions, convictions, cautions and binding over orders (including any spent convictions as contemplated by section 1(1) of the Rehabilitation of Offenders Act 1974 by virtue of the exemptions specified in Part II of Schedule 1 of the Rehabilitation of Offenders Act 1974 (Exemptions) Order 1975 (SI 1975/1023) or any replacement or amendment to that Order, or being placed on a list kept pursuant to section 1 of the Protection of Children Act 1999 or being placed on a list kept pursuant to the Safeguarding Vulnerable Groups Act 2006.

Costs: the following costs (without double recovery) to the extent that they are reasonably and properly incurred by the Supplier in providing the Goods and/or Services:

a) the cost to the Supplier or the Key Sub-Contractor (as the context requires), calculated per Man Day, of engaging the Supplier Personnel, including:

i) base salary paid to the Supplier Personnel;

ii) employer’s national insurance contributions;

iii) pension contributions;

iv) car allowances;

v) any other contractual employment benefits;

vi) staff training;

vii) work place accommodation;

viii) work place IT equipment and tools reasonably necessary to provide the Goods and/or Services (but not including items included within limb (b) below); and

ix) reasonable recruitment costs, as agreed with the Customer;

b) costs incurred in respect of those Supplier Assets which are detailed on the Registers and which would be treated as capital costs according to generally accepted accounting principles within the UK, which shall include the cost to be charged in respect of Supplier Assets by the Supplier to the Customer or (to the extent that risk and title in any Supplier Asset is not held by the Supplier) any cost actually incurred by the Supplier in respect of those Supplier Assets;

c) operational costs which are not included within (a) or (b) above, to the extent that such costs are necessary and properly incurred by the Supplier in the provision of the Goods and/or Services;

d) Reimbursable Expenses to the extent these have been specified as allowable in the Call Off Order Form and are incurred in delivering any Goods and/or Services where the Call Off Agreement Charges for those Goods and/or Services are to be calculated on a Fixed Price or Firm Price pricing mechanism (as set out in Framework Schedule 3 (Framework Prices and Charging Structure));

but excluding:

a) Overhead;

b) financing or similar costs;

c) maintenance and support costs to the extent that these relate to maintenance and/or support Goods and/or Services provided beyond the Call Off Agreement Period whether in relation to Supplier Assets or otherwise;

d) taxation;

e) fines and penalties;

f) amounts payable under Clause 25 (Benchmarking); and

g) non-cash items (including depreciation, amortisation,

Critical Service Level Failure: means any instance of critical service level failure specified in the Call Off Order Form.

Crown: has the meaning given to it in Framework Schedule 1 (Definitions).

Crown Body: has the meaning given to it in Framework Schedule 1 (Definitions).

CRTPA: has the meaning given to it in Framework Schedule 1 (Definitions).

Customer: means the customer(s) identified in the Call Off Order Form.

Customer Assets: means the Customer’s infrastructure, data, software, materials, assets, equipment or other property owned by and/or licensed or leased to the Customer and which is or may be used in connection with the provision of the Goods and/or Services.

Customer Background IPR: means:

a) IPRs owned by the Customer before the Call Off Commencement Date, including IPRs contained in any of the Customer’s Know-How, documentation, software, processes and procedures;

b) IPRs created by the Customer independently of this Call Off Agreement; and/or

c) Crown Copyright which is not available to the Supplier otherwise than under this Call Off Agreement.

Customer Cause: means any breach of the obligations of the Customer or any other default, act, omission, negligence or statement of the Customer, of its employees, servants, agents in connection with or in relation to the subject-matter of this Call Off Agreement and in respect of which the Customer is liable to the Supplier.

Customer Data: means:

a) the data, text, drawings, diagrams, images or sounds (together with any database made up of any of these) which are embodied in any electronic, magnetic, optical or tangible media, including any Customer’s Confidential Information, and which:

i) are supplied to the Supplier by or on behalf of the Customer; or

ii) the Supplier is required to generate, process, store or transmit pursuant to this Call Off Agreement; or

b) any Personal Data for which the Customer is the Data Controller.

Customer Premises: means premises owned, controlled or occupied by the Customer which are made available for use by the Supplier or its Sub-Contractors for the provision of the Goods and/or Services (or any of them).

Customer Property: means the property, other than real property and IPR, including any equipment issued or made available to the Supplier by the Customer in connection with this Call Off Agreement.

Customer Representative: means the representative appointed by the Customer from time to time in relation to this Call Off Agreement.

Customer Responsibilities: means the responsibilities of the Customer set out in Call Off Schedule 4 (Implementation Plan) and any other responsibilities of the Customer in the Call Off Order Form or agreed in writing between the Parties from time to time in connection with this Call Off Agreement.

Customer’s Confidential Information: means:

a) all Personal Data and any information, however it is conveyed, that relates to the business, affairs, developments, property rights, trade secrets, Know-How and IPR of the Customer (including all Customer Background IPR and Project Specific IPR);

b) any other information clearly designated as being confidential (whether or not it is marked “confidential”) or which ought reasonably be considered confidential which comes (or has come) to the Customer’s attention or into the Customer’s possession in connection with this Call Off Agreement; and

c) information derived from any of the above.

Data Controller: has the meaning given to it in Framework Schedule 1 (Definitions).

Data Processor: has the meaning given to it in Framework Schedule 1 (Definitions).

Data Protection Legislation or DPA: has the meaning given to it in Framework Schedule 1 (Definitions).

Data Subject: has the meaning given to it in Framework Schedule 1 (Definitions).

Data Subject Access Request: means a request made by a Data Subject in accordance with rights granted pursuant to the DPA to access his or her Personal Data.

Deductions: means all Service Credits, Delay Payments or any other deduction which the Customer is paid or is payable under this Call Off Agreement.

Default: means any breach of the obligations of the Supplier (including but not limited to including abandonment of this Call Off Agreement in breach of its terms) or any other default (including material Default), act, omission, negligence or statement of the Supplier, of its Sub-Contractors or any Supplier Personnel howsoever arising in connection with or in relation to the subject-matter of this Call Off Agreement and in respect of which the Supplier is liable to the Customer.

Delay: means:

a) a delay in the Achievement of a Milestone by its Milestone Date; or

b) a delay in the design, development, testing or implementation of a Deliverable by the relevant date set out in the Implementation Plan.

Delay Payments: means the amounts payable by the Supplier to the Customer in respect of a delay in respect of a Milestone as specified in the Implementation Plan.

Delay Period Limit: shall be the number of days specified in Call Off Schedule 4 (Implementation Plan) for the purposes of Clause 16.4.1(b)(ii).

Deliverable: means an item or feature in the supply of the Goods and/or Services delivered or to be delivered by the Supplier at or before a Milestone Date listed in the Implementation Plan (if any) or at any other stage during the performance of this Call Off Agreement.

Delivery: means delivery in accordance with the terms of this Call Off Agreement as confirmed by the issue by the Customer of a Satisfaction Certificate in respect of the relevant Milestone thereof (if any) or otherwise in accordance with this Call Off Agreement and accepted by the Customer and “Deliver” and “Delivered” shall be construed accordingly.

Disaster: means the occurrence of one or more events which, either separately or cumulatively, mean that the Goods and/or Services, or a material part thereof will be unavailable (or could reasonably be anticipated to be unavailable) for the period specified in the Call Off Order Form (for the purposes of this definition the “Disaster Period”).

Disaster Recovery Goods and/or Services: means the Goods and/or Services embodied in the processes and procedures for restoring the provision of Goods and/or Services following the occurrence of a Disaster, as detailed further in Call Off Schedule 8 (Business Continuity and Disaster Recovery).

Disclosing Party: has the meaning given to it in Clause 34.4.1 (Confidentiality).

Dispute: means any dispute, difference or question of interpretation arising out of or in connection with this Call Off Agreement, including any dispute, difference or question of interpretation relating to the Goods and/or Services, failure to agree in accordance with the Variation Procedure or any matter where this Call Off Agreement directs the Parties to resolve an issue by reference to the Dispute Resolution Procedure.

Dispute Notice: means a written notice served by one Party on the other stating that the Party serving the notice believes that there is a Dispute.

Dispute Resolution Procedure: means the dispute resolution procedure set out in Call Off Schedule 11 (Dispute Resolution Procedure).

Documentation: means all documentation as:

a) is required to be supplied by the Supplier to the Customer under this Call Off Agreement;

b) would reasonably be required by a competent third party capable of Good Industry Practice contracted by the Customer to develop, configure, build, deploy, run, maintain, upgrade and test the individual systems that provide the Goods and/or Services;

c) is required by the Supplier in order to provide the Goods and/or Services; and/or

d) has been or shall be generated for the purpose of providing the Goods and/or Services.

DOTAS: has the meaning given to it in Framework Schedule 1 (Definitions).

Due Diligence Information: means any information supplied to the Supplier by or on behalf of the Customer prior to the Call Off Commencement Date.

Employee Liabilities: means all claims, actions, proceedings, orders, demands, complaints, investigations (save for any claims for personal injury which are covered by insurance) and any award, compensation, damages, tribunal awards, fine, loss, order, penalty, disbursement, payment made by way of settlement and costs, expenses and legal costs reasonably incurred in connection with a claim or investigation including in relation to the following:

a) redundancy payments including contractual or enhanced redundancy costs, termination costs and notice payments;

b) unfair, wrongful or constructive dismissal compensation;

c) compensation for discrimination on grounds of sex, race, disability, age, religion or belief, gender reassignment, marriage or civil partnership, pregnancy and maternity or sexual orientation or claims for equal pay;

d) compensation for less favourable treatment of part-time workers or fixed term employees;

e) outstanding debts and unlawful deduction of wages including any PAYE and National Insurance Contributions in relation to payments made by the Customer or the Replacement Supplier to a Transferring Supplier Employee which would have been payable by the Supplier or the Sub-Contractor if such payment should have been made prior to the Service Transfer Date;

f) claims whether in tort, contract or statute or otherwise;

g) any investigation by the Equality and Human Rights Commission or other enforcement, regulatory or supervisory body and of implementing any requirements which may arise from such investigation.

Employment Regulations: means the Transfer of Undertakings (Protection of Employment) Regulations 2006 (SI 2006/246) as amended or replaced or any other Regulations implementing the Acquired Rights Directive.

Environmental Policy: means to conserve energy, water, wood, paper and other resources, reduce waste and phase out the use of ozone depleting substances and minimise the release of greenhouse gases, volatile organic compounds and other substances damaging to health and the environment, including any written environmental policy of the Customer.

Environmental Information Regulations or EIRs: has the meaning given to it in Framework Schedule 1 (Definitions).

Estimated Year 1 Call Off Agreement Charges: means the sum in pounds estimated by the Customer to be payable by it to the Supplier as the total aggregate Call Off Agreement Charges from the Call Off Commencement Date until the end of the first Call Off Agreement Year stipulated in the Call Off Order Form.

Exit Plan: means the exit plan described in paragraph 5 of Call Off Schedule 9 (Exit Management).

Expedited Dispute Timetable: means the timetable set out in paragraph 5 of Call Off Schedule 11 (Dispute Resolution Procedure).

FOIA: has the meaning given to it in Framework Schedule 1 (Definitions).

Force Majeure: means any event, occurrence, circumstance, matter or cause affecting the performance by either the Customer or the Supplier of its obligations arising from:

a) acts, events, omissions, happenings or non-happenings beyond the reasonable control of the Affected Party which prevent or materially delay the Affected Party from performing its obligations under this Call Off Agreement;

b) riots, civil commotion, war or armed conflict, acts of terrorism, nuclear, biological or chemical warfare;

c) acts of the Crown, local government or Regulatory Bodies;

d) fire, flood or any disaster; and

e) an industrial dispute affecting a third party for which a substitute third party is not reasonably available but excluding:

i) any industrial dispute relating to the Supplier, the Supplier Personnel (including any subsets of them) or any other failure in the Supplier or the Sub-Contractor’s supply chain; and

ii) any event, occurrence, circumstance, matter or cause which is attributable to the wilful act, neglect or failure to take reasonable precautions against it by the Party concerned; and

iii) any failure of delay caused by a lack of funds.

Force Majeure Notice: means a written notice served by the Affected Party on the other Party stating that the Affected Party believes that there is a Force Majeure Event.

Former Supplier: means a supplier supplying the goods and/or Services to the Customer before the Relevant Transfer Date that are the same as or substantially similar to the Goods and/or Services (or any part of the Goods and/or Services) and shall include any sub-contractor of such supplier (or any sub-contractor of any such sub-contractor).

Framework Agreement: means the framework agreement between the Authority and the Supplier referred to in the Call Off Order Form.

Framework Commencement Date: means the date of commencement of the Framework Agreement as stated in the Call Off Schedule 1 (Definitions).

Framework Period: means the period from the Framework Commencement Date until the expiry or earlier termination of the Framework Agreement.

Framework Price(s): means the price(s) applicable to the provision of the Goods and/or Services set out in Framework Schedule 3 (Framework Prices and Charging Structure).

Framework Schedule: means a schedule to the Framework Agreement.

Fraud: has the meaning given to it in Framework Schedule 1 (Definitions).

Further Competition Procedure: means the further competition procedure described in paragraph 3 of Framework Schedule 5 (Call Off Procedure).

General Anti-Abuse Rule: has the meaning given to it in Framework Schedule 1 (Definitions).

General Change in Law: means a Change in Law where the change is of a general legislative nature (including taxation or duties of any sort affecting the Supplier) or which affects or relates to a Comparable Supply.

Good Industry Practice: has the meaning given to it in Framework Schedule 1 (Definitions).

Goods: means the goods to be provided by the Supplier to the Customer as specified in Annex 2 of Call Off Schedule 2 (Goods and/or Services).

Government: has the meaning given to it in Framework Schedule 1 (Definitions).

Government Procurement Card: means the Government’s preferred method of purchasing and payment for low value goods or services https://www.gov.uk/government/publications/government-procurement-card--2.

Halifax Abuse Principle: has the meaning given to it in Framework Schedule 1 (Definitions).

HMRC: means Her Majesty’s Revenue and Customs.

Holding Company: has the meaning given to it in Framework Schedule 1 (Definitions).

ICT Policy: means the Customer’s policy in respect of information and communications technology, referred to in the Call Off Order Form, which is in force as at the Call Off Commencement Date (a copy of which has been supplied to the Supplier), as updated from time to time in accordance with the Variation Procedure.

Impact Assessment: has the meaning given to it in Clause 22.1.3 (Variation Procedure).

Implementation Plan: means the plan set out in the Call Off Schedule 4 (Implementation Plan).

Information: has the meaning given to it in Framework Schedule 1 (Definitions).

Installation Works: means all works which the Supplier is to carry out at the beginning of the Call Off Agreement Period to install the Goods in accordance with the Call Off Order Form.

Insolvency Event: means, in respect of the Supplier or Framework Guarantor or Call Off Guarantor (as applicable):

a) a proposal is made for a voluntary arrangement within Part I of the Insolvency Act 1986 or of any other composition scheme or arrangement with, or assignment for the benefit of, its creditors; or

b) a shareholders’ meeting is convened for the purpose of considering a resolution that it be wound up or a resolution for its winding-up is passed (other than as part of, and exclusively for the purpose of, a bona fide reconstruction or amalgamation); or

c) a petition is presented for its winding up (which is not dismissed within fourteen (14) Working Days of its service) or an application is made for the appointment of a provisional liquidator or a creditors’ meeting is convened pursuant to section 98 of the Insolvency Act 1986; or

d) a receiver, administrative receiver or similar officer is appointed over the whole or any part of its business or assets; or

e) an application order is made either for the appointment of an administrator or for an administration order, an administrator is appointed, or notice of intention to appoint an administrator is given; or

f) it is or becomes insolvent within the meaning of section 123 of the Insolvency Act 1986; or

g) being a “small company” within the meaning of section 382(3) of the Companies Act 2006, a moratorium comes into force pursuant to Schedule A1 of the Insolvency Act 1986; or

h) where the Supplier or Framework Guarantor or Call Off Guarantor is an individual or partnership, any event analogous to those listed in limbs (a) to (g) (inclusive) occurs in relation to that individual or partnership; or

i) any event analogous to those listed in limbs (a) to (h) (inclusive) occurs under the law of any other jurisdiction.

Intellectual Property Rights or IPR: means

a) copyright, rights related to or affording protection similar to copyright, rights in databases, patents and rights in inventions, semi-conductor topography rights, trade marks, rights in internet domain names and website addresses and other rights in trade or business names, designs, Know-How, trade secrets and other rights in Confidential Information;

b) applications for registration, and the right to apply for registration, for any of the rights listed at (a) that are capable of being registered in any country or jurisdiction; and

c) all other rights having equivalent or similar effect in any

IPR Claim: means any claim of infringement or alleged infringement (including the defence of such infringement or alleged infringement) of any IPR, used to provide the Goods and/or Services or as otherwise provided and/or licensed by the Supplier (or to which the Supplier has provided access) to the Customer in the fulfilment of its obligations under this Call Off Agreement.

Key Performance Indicators or KPIs: means the performance measurements and targets in respect of the Supplier’s performance of the Framework Agreement set out in Part B of Framework Schedule 2 (Goods and/or Services and Key Performance Indicators).

Key Personnel: means the individuals (if any) identified as such in the Call Off Order Form.

Key Role(s): has the meaning given to it in Clause 26.1 (Key Personnel).

Key Sub-Contract: means each Sub-Contract with a Key Sub-Contractor.

Key Sub-Contractor:

Know-How: means all ideas, concepts, schemes, information, knowledge, techniques, methodology, and anything else in the nature of know-how relating to the Goods and/or Services but excluding know-how already in the other Party’s possession before the Call Off Commencement Date.

Law: means any law, subordinate legislation within the meaning of Section 21(1) of the Interpretation Act 1978, bye-law, enforceable right within the meaning of Section 2 of the European Communities Act 1972, regulation, order, regulatory policy, mandatory guidance or code of practice, judgment of a relevant court of law, or directives or requirements with which the Supplier is bound to comply.

Losses: means all losses, liabilities, damages, costs, expenses (including legal fees), disbursements, costs of investigation, litigation, settlement, judgment, interest and penalties whether arising in contract, tort (including negligence), breach of statutory duty, misrepresentation or otherwise and “Loss” shall be interpreted accordingly.

Man Day: means 7.5 Man Hours, whether or not such hours are worked consecutively and whether or not they are worked on the same day.

Man Hours: means the hours spent by the Supplier Personnel properly working on the provision of the Goods and/or Services including time spent travelling (other than to and from the Supplier’s offices, or to and from the Sites) but excluding lunch breaks.

Milestone: means an event or task described in the Implementation Plan which, if applicable, must be completed by the relevant Milestone Date.

Milestone Date: means the target date set out against the relevant Milestone in the Implementation Plan by which the Milestone must be Achieved.

Milestone Payment: means a payment identified in the Implementation Plan to be made following the issue of a Satisfaction Certificate in respect of Achievement of the relevant Milestone.

Month: means a calendar month and “Monthly” shall be interpreted accordingly.

Occasion of Tax Non-Compliance: means:

a) any tax return of the Supplier submitted to a Relevant Tax Authority on or after 1 October 2012 which is found on or after 1 April 2013 to be incorrect as a result of:

i) a Relevant Tax Authority successfully challenging the Supplier under the General Anti-Abuse Rule or the Halifax Abuse Principle or under any tax rules or legislation in any jurisdiction that have an effect equivalent or similar to the General Anti-Abuse Rule or the Halifax Abuse Principle.

ii) the failure of an avoidance scheme which the Supplier was involved in, and which was, or should have been, notified to a Relevant Tax Authority under DOTAS or any equivalent or similar regime in any jurisdiction; and/or

b) any tax return of the Supplier submitted to a Relevant Tax Authority on or after 1 October 2012 which gives rise, on or after 1 April 2013, to a criminal conviction in any jurisdiction for tax related offences which is not spent at the Call Off Commencement Date or to a civil penalty for fraud or evasion.

Open Book Data: means complete and accurate financial and non-financial information which is sufficient to enable the Customer to verify the Call Off Agreement Charges already paid or payable and Call Off Agreement Charges forecast to be paid during the remainder of this Call Off Agreement, including details and all assumptions relating to:

a) the Supplier’s Costs broken down against each Good and/or Service and/or Deliverable, including actual capital expenditure (including capital replacement costs) and the unit cost and total actual costs of all goods and/or services.

b) operating expenditure relating to the provision of the Goods and/or Services including an analysis showing: i) the unit costs and quantity of Goods and any other consumables and bought-in goods and/or services.

ii) manpower resources broken down into the number and grade/role of all Supplier Personnel (free of any contingency) together with a list of agreed rates against each manpower grade.

iii) a list of Costs underpinning those rates for each manpower grade, being the agreed rate less the Supplier’s Profit Margin; and

iv) Reimbursable Expenses, if allowed under the Call Off Order Form.

c) Overheads.

d) all interest, expenses and any other third party financing costs incurred in relation to the provision of the Goods and/or Services.

e) the Supplier Profit achieved over the Call Off Agreement Period and on an annual basis.

f) confirmation that all methods of Cost apportionment and Overhead allocation are consistent with and not more onerous than such methods applied generally by the Supplier.

g) an explanation of the type and value of risk and contingencies associated with the provision of the Goods and/or Services, including the amount of money attributed to each risk and/or contingency; and

h) the actual Costs profile for each Service Period.

Order: means the order for the provision of the Goods and/or Services placed by the Customer with the Supplier in accordance with the Framework Agreement and under the terms of this Call Off Agreement.

Other Supplier: means any supplier to the Customer (other than the Supplier) which is notified to the Supplier from time to time and/or of which the Supplier should have been aware.

Over-Delivered Goods: has the meaning given to it in Clause 9.5.1 (Over-Delivered Goods).

Overhead: means those amounts which are intended to recover a proportion of the Supplier’s or the Key Sub-Contractor’s (as the context requires) indirect corporate costs (including financing, marketing, advertising, research and development and insurance costs and any fines or penalties) but excluding allowable indirect costs apportioned to facilities and administration in the provision of Supplier Personnel and accordingly included within limb (a) of the definition of “Costs”.

Parent Company: means any company which is the ultimate Holding Company of the Supplier and which is either responsible directly or indirectly for the business activities of the Supplier or which is engaged by the same or similar business to the Supplier. The term “Holding or Parent Company” shall have the meaning ascribed by the Companies Act 2006 or any statutory re-enactment or amendment thereto.

Party: means the Customer or the Supplier and “Parties” shall mean both of them.

Performance Monitoring System: has the meaning given to it in paragraph 1.1.2 in Part B of Schedule 6 (Service Levels, Service Credits and Performance Monitoring).

Performance Monitoring Reports: has the meaning given to it in paragraph 3.1 of Part B of Schedule 6 (Service Level, Service Credit and Performance Monitoring).

Personal Data: has the meaning given to it in Framework Schedule 1 (Definitions).

PQQ Response: means, where the Framework Agreement has been awarded under the Restricted Procedure, the response submitted by the Supplier to the Pre-Qualification Questionnaire issued by the Authority, and the expressions “Restricted Procedure” and “Pre-Qualification Questionnaire” shall have the meaning given to them in the Regulations.

Processing: has the meaning given to it in the Data Protection Legislation but, for the purposes of this Call Off Agreement, it shall include both manual and automatic processing and “Process” and “Processed” shall be interpreted accordingly.

Prohibited Act: “relevant function or activity.

b) to directly or indirectly request, agree to receive or accept any financial or other advantage as an inducement or a reward for improper performance of a relevant function or activity in connection with this Agreement.

c) committing any offence:

i) under the Bribery Act 2010 (or any legislation repealed or revoked by such Act); or

ii) under legislation or common law concerning fraudulent acts; or

iii) defrauding, attempting to defraud or conspiring to defraud the Customer; or

iv) any activity, practice or conduct which would constitute one of the offences listed under (c) above if such activity, practice or conduct had been carried out in the UK.

Project Specific IPR: means:

a) Intellectual Property Rights in items created by the Supplier (or by a third party on behalf of the Supplier) specifically for the purposes of this Call Off Agreement and updates and amendments of these items including (but not limited to) database schema; and/or

b) IPR in or arising as a result of the performance of the Supplier’s obligations under this Call Off Agreement and all updates and amendments to the same,

but shall not include the Supplier Background IPR.

Recipient: has the meaning given to it in Clause 34.4.1 (Confidentiality).

Rectification Plan: means the rectification plan pursuant to the Rectification Plan Process.

Rectification Plan Process: means the process set out in Clause 38.2 (Rectification Plan Process).

Registers: has the meaning given to it in Call Off Schedule 9 (Exit Management).

Regulations: has the meaning given to it in Framework Schedule 1 (Definitions).

Reimbursable Expenses: has the meaning given to it in Call Off Schedule 3 (Call Off Agreement Charges, Payment and Invoicing).

Related Supplier: means any person who provides goods and/or services to the Customer which are related to the Goods and/or Services from time to time.

Relevant Conviction: means a Conviction that is relevant to the nature of the Goods and/or Services to be provided or as specified in the Call Off Order Form.

Relevant Requirements: means all applicable Law relating to bribery, corruption and fraud, including the Bribery Act 2010 and any guidance issued by the Secretary of State for Justice pursuant to section 9 of the Bribery Act 2010.

Relevant Tax Authority: means HMRC, or, if applicable, the tax authority in the jurisdiction in which the Supplier is established.

Relevant Transfer: means a transfer of employment to which the Employment Regulations applies.

Relevant Transfer Date: means, in relation to a Relevant Transfer, the date upon which the Relevant Transfer takes place.

Relief Notice: has the meaning given to it in Clause 39.2.2 (Supplier Relief Due to Customer Cause).

Replacement Goods: means any goods which are substantially similar to any of the Goods and which the Customer receives in substitution for any of the Goods following the Call Off Expiry Date, whether those goods are provided by the Customer internally and/or by any third party.

Replacement Services: means any services which are substantially similar to any of the Services and which the Customer receives in substitution for any of the Services following the Call Off Expiry Date, whether those services are provided by the Customer internally and/or by any third party.

Replacement Sub-Contractor: means a sub-contractor of the Replacement Supplier to whom Transferring Supplier Employees will transfer on a Service Transfer Date (or any sub-contractor of any such sub-contractor).

Replacement Supplier: means any third party provider of Replacement Goods and/or Services appointed by or at the direction of the Customer from time to time or where the Customer is providing Replacement Goods and/or Services for its own account, shall also include the Customer.

Request for Information: means a request for information or an apparent request relating to this Call Off Agreement or the provision of the Goods and/or Services or an apparent request for such information under the FOIA or the EIRs.

Restricted Countries: has the meaning given to it in Clause 34.6.3 (Protection of Personal Data).

Satisfaction Certificate: means the certificate materially in the form of the document contained in Call Off Schedule 5 (Testing) granted by the Customer when the Supplier has Achieved a Milestone or a Test.

Security Management Plan: means the Supplier’s security management plan prepared pursuant to paragraph 4 of Call Off Schedule 7 (Security) a draft of which has been provided by the Supplier to the Customer in accordance with paragraph 4 of Call Off Schedule 7 (Security) and as updated from time to time.

Security Policy: means the Customer’s security policy, referred to in the Call Off Order Form, in force as at the Call Off Commencement Date (a copy of which has been supplied to the Supplier), as updated from time to time and notified to the Supplier.

Security Policy Framework: the current HMG Security Policy Framework that can be found at https://www.gov.uk/government/publications/security-policy-framework.

Service Credit Cap: has the meaning given to it in the Call Off Order Form.

Service Credits: means any service credits specified in Annex 1 to Part A of Call Off Schedule 6 (Service Levels, Service Credits and Performance Monitoring) being payable by the Supplier to the Customer in respect of any failure by the Supplier to meet one or more Service Levels.

Service Failure: means an unplanned failure and interruption to the provision of the Goods and/or Services, reduction in the quality of the provision of the Goods and/or Services or event which could affect the provision of the Goods and/or Services in the future.

Service Level Failure: means a failure to meet the Service Level Performance Measure in respect of a Service Level Performance Criterion.

Service Level Performance Criteria: has the meaning given to it in paragraph 3.2 of Part A of Call Off Schedule 6 (Service Levels, Service Credits and Performance Monitoring).

Service Level Performance Measure: shall be as set out against the relevant Service Level Performance Criterion in Annex 1 of Part A of Call Off Schedule 6 (Service Levels, Service Credits and Performance Monitoring).

Service Level Threshold: shall be as set out against the relevant Service Level Performance Criterion in Annex 1 of Part A of Call Off Schedule 6 (Service Levels, Service Credits and Performance Monitoring).

Service Levels: means any service levels applicable to the provision of the Goods and/or Services under this Call Off Agreement specified in Annex 1 to Part A of Call Off Schedule 6 (Service Levels, Service Credits and Performance Monitoring).

Service Period: has the meaning given to it in paragraph 4.1 of Call Off Schedule 6 (Service Levels, Service Credits and Performance Monitoring).

Service Transfer: means any transfer of the Goods and/or Services (or any part of the Goods and/or Services), for whatever reason, from the Supplier or any Sub-Contractor to a Replacement Supplier or a Replacement Sub-Contractor.

Service Transfer Date: means the date of a Service Transfer.

Services: means the services to be provided by the Supplier to the Customer as referred to in Annex A of Call Off Schedule 2 (Goods and Services).

Sites: means any premises (including the Customer Premises, the Supplier’s premises or third party premises) from, to or at which:

a) the Goods and/or Services are (or are to be) provided; or

b) the Supplier manages, organises or otherwise directs the provision or the use of the Goods and/or Services.

Specific Change in Law: means a Change in Law that relates specifically to the business of the Customer and which would not affect a Comparable Supply.

Staffing Information: has the meaning given to it in Call Off Schedule 10 (Staff Transfer).

Standards: means any:

a) standards published by BSI British Standards, the National Standards Body of the United Kingdom, the International Organisation for Standardisation or other reputable or equivalent bodies (and their successor bodies) that a skilled and experienced operator in the same type of industry or business sector as the Supplier would reasonably and ordinarily be expected to comply with.

b) standards detailed in the specification in Framework Schedule 2 (Goods and/or Services and Key Performance Indicators).

c) standards detailed by the Customer in the Call Off Order Form or agreed between the Parties from time to time.

d) relevant Government codes of practice and guidance applicable from time to time.

Statement of Requirements: means a statement issued by the Customer detailing its requirements in respect of Goods and/or Services issued in accordance with the Call Off Procedure.

Sub-Contract: means any contract or agreement (or proposed contract or agreement), other than this Call Off Agreement or the Framework Agreement, pursuant to which a third party:

a) provides the Goods and/or Services (or any part of them).

b) provides facilities or services necessary for the provision of the Goods and/or Services (or any part of them); and/or

c) is responsible for the management, direction or control of the provision of the Goods and/or Services (or any part of them).

Sub-Contractor: means any person other than the Supplier, who is a party to a Sub-Contract and the servants or agents of that person.

Supplier: means the person, firm or company with whom the Customer enters into this Call Off Agreement as identified in the Call Off Order Form.

Supplier Assets: means all assets and rights used by the Supplier to provide the Goods and/or Services in accordance with this Call Off Agreement but excluding the Customer Assets.

Supplier Background IPR: means:

a) Intellectual Property Rights owned by the Supplier before the Call Off Commencement Date, for example those subsisting in the Supplier’s standard development tools, program components or standard code used in computer programming or in physical or electronic media containing the Supplier’s Know-How or generic business methodologies; and/or

b) Intellectual Property Rights created by the Supplier independently of this Call Off Agreement,

Supplier Equipment: means the Supplier’s hardware, computer and telecoms devices, equipment, plant, materials and such other items supplied and used by the Supplier (but not hired, leased or loaned from the Customer) in the performance of its obligations under this Call Off Agreement.

Supplier Non-Performance: has the meaning given to it in Clause 38.1.3 (Supplier Relief Due to Customer Cause).

Supplier Personnel: means all directors, officers, employees, agents, consultants and contractors of the Supplier and/or of any Sub-Contractor engaged in the performance of the Supplier’s obligations under this Call Off Agreement.

Supplier Profit: means, in relation to a period or a Milestone (as the context requires), the difference between the total Call Off Charges (in nominal cash flow terms but excluding any Deductions) and total Costs (in nominal cash flow terms) for the relevant period or in relation to the relevant Milestone.

Supplier Profit Margin: means, in relation to a period or a Milestone (as the context requires), the Supplier Profit for the relevant period or in relation to the relevant Milestone divided by the total Call Off Agreement Charges over the same period or in relation to the relevant Milestone and expressed as a percentage.

Supplier Representative: means the representative appointed by the Supplier named in the Call Off Order Form.

Supplier’s Confidential Information: means:

a) any information, however it is conveyed, that relates to the business, affairs, developments, IPR of the Supplier (including the Supplier Background IPR) trade secrets, Know-How, and/or personnel of the Supplier.

b) any other information clearly designated as being confidential (whether or not it is marked as “confidential”) or which ought reasonably to be considered to be confidential and which comes (or has come) to the Supplier’s attention or into the Supplier’s possession in connection with this Call Off Agreement.

c) information derived from any of the above.

Template Call Off Order Form: means the template Call Off Order Form in Annex 1 of Framework Schedule 4 (Template Call Off Order Form and Template Call Off Terms).

Template Call Off Terms: means the template terms and conditions in Annex 2 of Framework Schedule 4 (Template Call Off Order Form and Template Call Off Terms).

Tender: means the tender submitted by the Supplier to the Authority and annexed to or referred to in Framework Schedule 21.

Termination Notice: means a written notice of termination given by one Party to the other, notifying the Party receiving the notice of the intention of the Party giving the notice to terminate this Call Off Agreement on a specified date and setting out the grounds for termination.

Test Issue: means any variance or non-conformity of the Goods and/or Services or Deliverables from their requirements as set out in the Call Off Agreement.

Test Plan: means a plan:

a) for the Testing of the Deliverables; and

b) setting out other agreed criteria related to the achievement of Milestones, as described further in paragraph 4 of Call Off Schedule 5 (Testing).

Test Strategy: means a strategy for the conduct of Testing as described further in paragraph 3 of Call Off Schedule 5 (Testing).

Tests and Testing: means any tests required to be carried out pursuant to this Call Off Agreement as set out in the Test Plan or elsewhere in this Call Off Agreement and “Tested” shall be construed accordingly.

Third Party IPR: means Intellectual Property Rights owned by a third party which is or will be used by the Supplier for the purpose of providing the Goods and/or Services.

Transferring Customer Employees: those employees of the Customer to whom the Employment Regulations will apply on the Relevant Transfer Date.

Transferring Former Supplier Employees: in relation to a Former Supplier, those employees of the Former Supplier to whom the Employment Regulations will apply on the Relevant Transfer Date.

Transferring Supplier Employees: means those employees of the Supplier and/or the Supplier’s Sub-Contractors to whom the Employment Regulations will apply on the Service Transfer Date.

Transparency Principles: has the meaning given to it in Framework Schedule 1 (Definitions).

Transparency Reports: means the information relating to the Services and performance of this Call Off Agreement which the Supplier is required to provide to the Authority in accordance with the reporting requirements in Schedule 13.

Undelivered Goods: has the meaning given to it in Clause 9.4.1 (Goods).

Undelivered Goods and/or Services: has the meaning given to it in Clause 8 (Goods and/or Services).

Undisputed Sums Time Period: has the meaning given to it in Clause 41.1 (Termination of Customer Cause for Failure to Pay).

Valid Invoice: means an invoice issued by the Supplier to the Customer that complies with the invoicing procedure in paragraph 7 (Invoicing Procedure) of Call Off Schedule 3 (Call Off Agreement Charges, Payment and Invoicing).

Variation: has the meaning given to it in Clause 22.1 (Variation Procedure).

Variation Form: means the form set out in Call Off Schedule 12 (Variation Form).

Variation Procedure: means the procedure set out in Clause 22 (Variation Procedure).

VAT: has the meaning given to it in Framework Schedule 1 (Definitions).

Warranty Period: means, in relation to any Goods, the warranty period specified in the Call Off Order Form.

Worker: means any one of the Supplier Personnel which the Customer, in its reasonable opinion, considers is an individual to which Procurement Policy Note 08/15 (Tax Arrangements of Public Appointees) https://www.gov.uk/government/publications/procurement-policy-note-0815-tax-arrangements-of-appointees applies in respect of the Goods and/or Services.

Working Day: means any day other than a Saturday or Sunday or public holiday in England and Wales unless specified otherwise by Parties in this Call Off Agreement.

CALL OFF SCHEDULE 2: GOODS AND/OR SERVICES

1 INTRODUCTION

1.1 This Call Off Schedule 2 specifies the:

1.1.1 Services to be provided under this Call Off Agreement, in Annex 1; and

1.1.2 Goods to be provided under this Call Off Agreement, in Annex 2.

ANNEX 1: THE SERVICES

[Completed by the customer at call off]

ANNEX 2: THE GOODS

[Completed by the customer at call off]

CALL OFF SCHEDULE 3: CALL OFF AGREEMENT CHARGES, PAYMENT AND INVOICING

1 DEFINITIONS

1.1 The following terms used in this Call Off Schedule 3 shall have the following meaning:

Indexation: means the adjustment of an amount or sum in accordance with paragraph 11 of this Call Off Schedule 3;

Indexation Adjustment Date: has the meaning given to it in paragraph 11.1.1(a) of this Call Off Schedule 3;

Reimbursable Expenses: means the reasonable out of pocket travel and subsistence (for example, hotel and food) expenses, properly and necessarily incurred in the performance of the Services, calculated at the rates and in accordance with the Customer’s expenses policy current from time to time, but not including:

a) travel expenses incurred as a result of Supplier Personnel travelling to and from their usual place of work, or to and from the premises at which the Services are principally to be performed, unless the Customer otherwise agrees in advance in writing; and

b) subsistence expenses incurred by Supplier Personnel whilst performing the Services at their usual place of work, or to and from the premises at which the Services are principally to be performed;

Review Adjustment Date: has the meaning given to it in paragraph 10.1.2 of this Call Off Schedule 3;

CPI: means the Consumer Prices Index as published by the Office of National Statistics (http://www.statistics.gov.uk/instantfigures.asp); and

Supporting Documentation: means sufficient information in writing to enable the Customer to reasonably assess whether the Call Off Agreement Charges, Reimbursable Expenses and other sums due from the Customer under this Call Off Agreement detailed in the information are properly payable.

2 GENERAL PROVISIONS

2.1 This Call Off Schedule 3 details:

2.1.1 the Call Off Agreement Charges for the Goods and/or the Services under this Call Off Agreement; and

2.1.2 the payment terms/profile for the Call Off Agreement Charges;

2.1.3 the invoicing procedure; and

2.1.4 the procedure applicable to any adjustments of the Call Off Agreement Charges.

3 CALL OFF AGREEMENT CHARGES

3.1 The Call Off Agreement Charges which are applicable to this Call Off Agreement are set out in Annex 1 of this Call Off Schedule 3.

3.2 The Supplier acknowledges and agrees that:

3.2.1 in accordance with paragraph 2 (General Provisions) of Framework Schedule 3 (Framework Prices and Charging Structure), the Call Off Agreement Charges can in no event exceed the Framework Prices set out in Annex 3 to Framework Schedule 3 (Framework Prices and Charging Structure); and

3.2.2 subject to paragraph 8 of this Call Off Schedule 3 (Adjustment of Call Off Agreement Charges), the Call Off Agreement Charges cannot be increased during the Call Off Agreement Period.

4 COSTS AND EXPENSES

4.1 Except as expressly set out in paragraph 5 of this Call Off Schedule 3 (Reimbursable Expenses), the Call Off Agreement Charges include all costs and expenses relating to the Goods and/or Services and/or the Supplier’s performance of its obligations under this Call Off Agreement and no further amounts shall be payable by the Customer to the Supplier in respect of such performance, including in respect of matters such as:

4.1.1 any incidental expenses that the Supplier incurs, including travel, subsistence and lodging, document or report reproduction, shipping, desktop or office equipment costs required by the Supplier Personnel, network or data interchange costs or other telecommunications charges; or

4.1.2 any amount for any services provided or costs incurred by the Supplier prior to the Call Off Commencement Date.

5 REIMBURSABLE EXPENSES

5.1 If the Customer has so specified in the Call Off Order Form, the Supplier shall be entitled to be reimbursed by the Customer for Reimbursable Expenses (in addition to being paid the relevant Call Off Agreement Charges under this Call Off Agreement), provided that such Reimbursable Expenses are supported by Supporting Documentation. The Customer shall provide a copy of their current expenses policy to the Supplier upon request.

6 PAYMENT TERMS/PAYMENT PROFILE

6.1 The payment terms/profile which are applicable to this Call Off Agreement are set out in Annex 2 of this Call Off Schedule 3.

7 INVOICING PROCEDURE

7.1 The Customer shall pay all sums properly due and payable to the Supplier in cleared funds within thirty (30) days of receipt of a Valid Invoice, submitted to the address specified by the Customer in paragraph 7.6 of this Call Off Schedule 3 and in accordance with the provisions of this Call Off Agreement.

7.2 The Supplier shall ensure that each invoice (whether submitted electronically through a purchase-to-pay (P2P) automated system (or similar) or in a paper form, as the Customer may specify (but, in respect of paper form, subject to paragraph 7.3)):

7.2.1 contains:

(a) all appropriate references, including the unique order reference number set out in the Call Off Order Form; and

(b) a detailed breakdown of the Delivered Goods and/or Services, including the Milestone(s) (if any) and Deliverable(s) within this Call Off Agreement to which the Delivered Goods and/or Services relate, against the applicable due and payable Call Off Agreement Charges; and

7.2.2 shows separately:

(a) any Service Credits due to the Customer; and

(b) the VAT added to the due and payable Call Off Agreement Charges in accordance with Clause 23.2.1 of this Call Off Agreement (VAT) and the tax point date relating to the rate of VAT shown; and

7.2.3 is exclusive of any Management Charge (and the Supplier shall not attempt to increase the Call Off Agreement Charges or otherwise recover from the Customer as a surcharge the Management Charge levied on it by the Authority); and

7.2.4 it is supported by any other documentation reasonably required by the Customer to substantiate that the invoice is a Valid Invoice.

7.3 If the Customer is a Central Government Body, the Customer’s right to request paper form invoicing shall be subject to procurement policy note 11/15 (available at https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/437471/PPN_e-invoicing.pdf), which sets out the policy in respect of unstructured electronic invoices submitted by the Supplier to the Customer (as may be amended from time to time).

7.4 The Supplier shall accept the Government Procurement Card as a means of payment for the Goods and/or Services where such card is agreed with the Customer to be a suitable means of payment. The Supplier shall be solely liable to pay any merchant fee levied for using the Government Procurement Card and shall not be entitled to recover this charge from the Customer.

7.5 All payments due by one Party to the other shall be made within thirty (30) days of receipt of a Valid Invoice unless otherwise specified in this Call Off Agreement, in cleared funds, to such bank or building society account as the recipient Party may from time to time direct.

7.6 The Supplier shall submit invoices directly to the Customer’s billing address set out in the Call Off Order Form.

8 ADJUSTMENT OF CALL OFF AGREEMENT CHARGES

8.1 The Call Off Agreement Charges shall only be varied:

8.1.1 due to a Specific Change in Law in relation to which the Parties agree that a change is required to all or part of the Call Off Agreement Charges in accordance with Clause 22.2 of this Call Off Agreement (Legislative Change);

8.1.2 in accordance with Clause 23.1.4 of this Call Off Agreement (Call Off Agreement Charges and Payment) where all or part of the Call Off Agreement Charges are reduced as a result of a reduction in the Framework Prices;

8.1.3 where all or part of the Call Off Agreement Charges are reduced as a result of a review of the Call Off Agreement Charges in accordance with Clause 18 of this Call Off Agreement (Continuous Improvement);

8.1.4 where all or part of the Call Off Agreement Charges are reduced as a result of a review of Call Off Agreement Charges in accordance with Clause 25 of this Call Off Agreement (Benchmarking);

8.1.5 where all or part of the Call Off Agreement Charges are reviewed and reduced in accordance with paragraph 9 of this Call Off Schedule 3;

8.1.6 where a review and increase of Call Off Agreement Charges is requested by the Supplier and Approved, in accordance with the provisions of paragraph 10 of this Call Off Schedule 3; or

8.1.7 where Call Off Agreement Charges or any component amounts or sums thereof are expressed in this Call Off Schedule 3 as “subject to increase by way of Indexation”, in accordance with the provisions in paragraph 11 of this Call Off Schedule 3.

8.2 Subject to paragraphs 8.1.1 to 8.1.5 of this Call Off Schedule 3, the Call Off Agreement Charges will remain fixed for the number of Contract Years specified in the Call Off Order Form.

9 SUPPLIER PERIODIC ASSESSMENT OF CALL OFF AGREEMENT CHARGES

9.1 Every six (6) Months during the Call Off Agreement Period, the Supplier shall assess the level of the Call Off Agreement Charges to consider whether it is able to reduce them.

9.2 Such assessments by the Supplier under paragraph 9 of this Call Off Schedule 3 shall be carried out on the dates specified in the Call Off Order Form in each Contract Year (or in the event that such dates do not, in any Contract Year, fall on a Working Day, on the next Working Day following such dates). To the extent that the Supplier is able to decrease all or part of the Call Off Agreement Charges it shall promptly notify the Customer in writing and such reduction shall be implemented in accordance with paragraph 12.1.5 of this Call Off Schedule 3 below.

10 SUPPLIER REQUEST FOR INCREASE OF THE CALL OFF AGREEMENT CHARGES

10.1 If the Customer has so specified in the Call Off Order Form, the Supplier may request an increase in all or part of the Call Off Agreement Charges in accordance with the remaining provisions of this paragraph 10 subject always to:

10.1.1 paragraph 3.2 of this Call Off Schedule 3;

10.1.2 the Supplier’s request being submitted in writing at least three (3) Months before the effective date for the proposed increase in the relevant Call Off Agreement Charges (“Review Adjustment Date”) which shall be subject to paragraph 10.2 of this Call Off Schedule 3; and

10.1.3 the Approval of the Customer which shall be granted in the Customer’s sole discretion.

10.2 The earliest Review Adjustment Date will be the first (1st) Working Day following the anniversary of the Call Off Commencement Date after the expiry of the period specified in paragraph 8.2 of this Schedule 3 during which the Contract Charges shall remain fixed (and no review under this paragraph 10 is permitted). Thereafter any subsequent increase to any of the Call Off Agreement Charges in accordance with this paragraph 10 of this Call Off Schedule 3 shall not occur before the anniversary of the previous Review Adjustment Date during the Call Off Agreement Period.

10.3 To make a request for an increase of some or all of the Call Off Agreement Charges in accordance with this paragraph 10, the Supplier shall provide the Customer with:

10.3.1 a list of the Call Off Agreement Charges it wishes to review;

10.3.2 for each of the Call Off Agreement Charges under review, written evidence of the justification for the requested increase including:

(a) a breakdown of the profit and cost components that comprise the relevant Call Off Agreement Charge;

(b) details of the movement in the different identified cost components of the relevant Call Off Agreement Charge;

(c) reasons for the movement in the different identified cost components of the relevant Call Off Agreement Charge;

(d) evidence that the Supplier has attempted to mitigate against the increase in the relevant cost components; and

(e) evidence that the Supplier’s profit component of the relevant Call Off Agreement Charge is no greater than that applying to Call Off Agreement Charges using the same pricing mechanism as at the Call Off Commencement Date.

11 INDEXATION

11.1 Where the Call Off Agreement Charges or any component amounts or sums thereof are expressed in this Call Off Schedule 3 as “subject to increase by way of Indexation” the following provisions shall apply:

11.1.1 the relevant adjustment shall:

(a) be applied on the effective date of the increase in the relevant Call Off Agreement Charges by way of Indexation (“Indexation Adjustment Date”) which shall be subject to paragraph 11.1.2 of this Call Off Schedule 3;

(b) be determined by multiplying the relevant amount or sum by the percentage increase or changes in the Consumer Price Index published for the twelve (12) Months ended on the 31st of January immediately preceding the relevant Indexation Adjustment Date;

(c) where the published CPI figure at the relevant Indexation Adjustment Date is stated to be a provisional figure or is subsequently amended, that figure shall apply as ultimately confirmed or amended unless the Customer and the Supplier shall agree otherwise;

(d) if the CPI is no longer published, the Customer and the Supplier shall agree a fair and reasonable adjustment to that index or, if appropriate, shall agree a revised formula that in either event will have substantially the same effect as that specified in this Call Off Schedule 3.

11.1.2 The earliest Indexation Adjustment Date will be the (1st) Working Day following the expiry of the period specified in paragraph 8.2 of this Call Off Schedule 3 during which the Contract Charges shall remain fixed (and no review under this paragraph 11 is permitted Call Off Commencement Date. Thereafter any subsequent increase by way of Indexation shall not occur before the anniversary of the previous Indexation Adjustment Date during the Call Off Agreement Period;

11.1.3 Except as set out in this paragraph 11 of this Call Off Schedule 3, neither the Call Off Agreement Charges nor any other costs, expenses, fees or charges shall be adjusted to take account of any inflation, change to exchange rate, change to interest rate or any other factor or element which might otherwise increase the cost to the Supplier or Sub-Contractors of the performance of their obligations under this Call Off Agreement.

12 IMPLEMENTATION OF ADJUSTED CALL OFF AGREEMENT CHARGES

12.1 Variations in accordance with the provisions of this Call Off Schedule 3 to all or part of the Call Off Agreement Charges (as the case may be) shall be made by the Customer to take effect:

12.1.1 in accordance with Clause 22.2 of this Call Off Agreement (Legislative Change) where an adjustment to the Call Off Agreement Charges is made in accordance with paragraph 8.1.1 of this Call Off Schedule 3;

12.1.2 in accordance with Clause 23.1.4 of this Call Off Agreement (Call Off Agreement Charges and Payment) where an adjustment to the Call Off Agreement Charges is made in accordance with paragraph 8.1.2 of this Call Off Schedule 3;

12.1.3 in accordance with Clause 18 of this Call Off Agreement (Continuous Improvement) where an adjustment to the Call Off Agreement Charges is made in accordance with paragraph 8.1.3 of this Call Off Schedule 3;

12.1.4 in accordance with Clause 25 of this Call Off Agreement (Benchmarking) where an adjustment to the Call Off Agreement Charges is made in accordance with paragraph 8.1.4 of this Call Off Schedule 3;

12.1.5 on the dates specified in the Call Off Order Form where an adjustment to the Call Off Agreement Charges is made in accordance with paragraph 8.1.5 of this Call Off Schedule 3;

12.1.6 on the Review Adjustment Date where an adjustment to the Call Off Agreement Charges is made in accordance with paragraph 8.1.6 of this Call Off Schedule 3;

12.1.7 on the Indexation Adjustment Date where an adjustment to the Call Off Agreement Charges is made in accordance with paragraph 8.1.7 of this Call Off Schedule 3;

and the Parties shall amend the Call Off Agreement Charges shown in Annex 1 to this Call Off Schedule 3 to reflect such variations.

ANNEX 1: CALL OFF AGREEMENT CHARGES

[Completed by the customer at call off]

ANNEX 2: PAYMENT TERMS/PROFILE

[Completed by the customer at call off]

[CALL OFF SCHEDULE 4: IMPLEMENTATION PLAN AND CUSTOMER RESPONSIBILITIES]

OPTIONAL SCHEDULE – SEE OPTIONAL CLAUSE 6 – IMPLEMENTATION PLAN

1 INTRODUCTION

1.1 This Call Off Schedule 4 specifies the Implementation Plan in accordance with which the Supplier shall provide the Goods and/or Services.

2 IMPLEMENTATION PLAN

2.1 The Implementation Plan is set out below.

2.2 The Milestones to be Achieved are identified below:

| Milestone | Deliverables | Duration | Milestone Date | Customer Responsibilities | Milestone Payments | Delay Payments |
|-----------|--------------|----------|----------------|---------------------------|--------------------|----------------|
| | | | | | | |

The Milestones will be Achieved in accordance with Call Off Schedule 5 (Testing).

For the purposes of Clause 6.3.1(b)(ii) the number of days shall be [insert number of days] days (‘the Delay Period Limit’).

[CALL OFF SCHEDULE 5: TESTING]

OPTIONAL SCHEDULE – SEE OPTIONAL CLAUSE 12 – TESTING

1 DEFINITIONS

1.1 In this Call Off Schedule 5, the following definitions shall apply:

Component: means any constituent parts of the Goods and/or Services, bespoke or COTS, hardware or software.

COTS: means commercially available off the shelf software, being software that is commonly used and is provided in a standard form and on standard licence terms which are not typically negotiated by the licensor.

Material Test Issue: means a Test Issue of Severity Level 1 or Severity Level 2.

Severity Level: means the level of severity of a Test Issue, the criteria for which are described in Annex 1.

Test Certificate: means a certificate materially in the form of the document contained in Annex 2 issued by the Customer when a Deliverable has satisfied its relevant Test Success Criteria.

Test Issue Management Log: means a log for the recording of Test Issues as described further in paragraph 10.1 of this Call Off Schedule 5.

Test Issue Threshold: means, in relation to the Tests applicable to a Milestone, a maximum number of Severity Level 3, Severity Level 4 and Severity Level 5 Test Issues as set out in the relevant Test Plan.

Test Reports: means the reports to be produced by the Supplier setting out the results of Tests.

Test Specification: means the specification that sets out how Tests will demonstrate that the Test Success Criteria have been satisfied, as described in more detail in paragraph 7 of this Call Off Schedule 5.

Test Strategy: means a strategy for the conduct of Testing as described further in paragraph 5 of this Call Off Schedule.

Test Success Criteria: means, in relation to a Test, the test success criteria for that Test as referred to in paragraph 7 of this Call Off Schedule.

Test Witness: means any person appointed by the Customer pursuant to paragraph 11 of this Call Off Schedule and.

Testing Procedures: means the applicable testing procedures and Test Success Criteria set out in this Schedule.

2 INTRODUCTION

2.1 This Call Off Schedule 5 (Testing) sets out the approach to Testing and the different Testing activities to be undertaken, including the preparation and agreement of the Test Strategy and Test Plan.

3 RISK

3.1 The issue of a Test Certificate, a Satisfaction Certificate and/or a conditional Satisfaction Certificate shall not:

3.1.1 operate to transfer any risk that the relevant Deliverable or Milestone is complete or will meet and/or satisfy the Customer’s requirements for that Deliverable or Milestone; or

3.1.2 affect the Customer’s right subsequently to reject:

(a) all or any element of the Deliverables to which a Test Certificate relates; or

(b) any Milestone to which the Satisfaction Certificate relates.

3.2 Notwithstanding the issuing of any Satisfaction Certificate, the Supplier shall remain solely responsible for ensuring that:

3.2.1 the Goods and/or Services are implemented in accordance with this Call Off Agreement; and

3.2.2 each Service Level is met.

4 TESTING OVERVIEW

4.1 All Tests conducted by the Supplier shall be conducted in accordance with the Test Strategy, Test Specification and the Test Plan.

4.2 The Supplier shall not submit any Deliverable for Testing:

4.2.1 unless the Supplier is reasonably confident that it will satisfy the relevant Test Success Criteria;

4.2.2 until the Customer has issued a Test Certificate in respect of any prior, dependent Deliverable(s); and

4.2.3 until the Parties have agreed the Test Plan and the Test Specification relating to the relevant Deliverable(s).

4.3 The Supplier shall use reasonable endeavours to submit each Deliverable for Testing or re-Testing by or before the date set out in the Implementation Plan for the commencement of Testing in respect of the relevant Deliverable.

4.4 Prior to the issue of a Test Certificate, the Customer shall be entitled to review the relevant Test Reports and the Test Issue Management Log.

4.5 Any Disputes between the Supplier and the Customer regarding this Testing shall be referred to the Dispute Resolution Procedure.

5 TEST STRATEGY

5.1 The Supplier shall develop the final Test Strategy as soon as practicable after the Call Off Commencement Date but in any case no later than twenty (20) Working Days (or such other period as the Parties may agree) after the Call Off Commencement Date.

5.2 The final Test Strategy shall include:

5.2.1 an overview of how Testing will be conducted in relation to the Implementation Plan;

5.2.2 the process to be used to capture and record Test results and the categorisation of Test Issues;

5.2.3 the procedure to be followed should a Deliverable fail a Test, fail to satisfy the Test Success Criteria or where the Testing of a Deliverable produces unexpected results, including a procedure for the resolution of Test Issues;

5.2.4 the procedure to be followed to sign off each Test;

5.2.5 the process for the production and maintenance of Test Reports, including templates for the Test Reports and the Test Issue Management Log, and a sample plan for the resolution of Test Issues;

5.2.6 the names and contact details of the Customer’s and the Supplier’s Test representatives;

5.2.7 a high level identification of the resources required for Testing, including facilities, infrastructure, personnel and reports relating to such personnel, and Customer and/or third party involvement in the conduct of the Tests;

5.2.8 the technical environments required to support the Tests; and

5.2.9 the procedure for managing the configuration of the Test environments.

6 TEST PLANS

6.1 The Supplier shall develop Test Plans and submit these for Approval as soon as practicable but in any case no later than twenty (20) Working Days (or such other period as the Parties may agree in the Test Strategy or otherwise) prior to the start date for the relevant Testing as specified in the Implementation Plan.

6.2 Each Test Plan shall include as a minimum:

6.2.1 the relevant Test definition and the purpose of the Test, the Milestone to which it relates, the requirements being Tested and, for each Test, the specific Test Success Criteria to be satisfied;

6.2.2 a detailed procedure for the Tests to be carried out, including:

(a) the relevant Test Issue Thresholds;

(b) the timetable for the Tests including start and end dates;

(c) the Testing mechanism;

(d) dates and methods by which the Customer can inspect Test results or witness the Tests in order to establish that the Test Success Criteria have been met;

(e) the mechanism for ensuring the quality, completeness and relevance of the Tests;

(f) the format and an example of Test progress reports and the process with which the Customer accesses daily Test schedules;

(g) the process which the Customer will use to review Test Issues and the Supplier’s progress in resolving these on a timely basis; and

(h) the re-Test procedure, the timetable and the resources which would be required for re-Testing; and

(i) the process for escalating Test Issues from a re-test situation to the taking of specific remedial action to resolve the Test Issue.

6.3 The Customer shall not unreasonably withhold or delay its approval of the Test Plan provided that the Supplier shall implement any reasonable requirements of the Customer in the Test Plan.

7 TEST SUCCESS CRITERIA

7.1 The Test Success Criteria for all Tests shall be agreed between the Parties as part of the relevant Test Plan pursuant to paragraph 6 of this Call Off Schedule 5.

8 TEST SPECIFICATION

8.1 Following approval of a Test Plan, the Supplier shall develop the Test Specification for the relevant Deliverables as soon as reasonably practicable and in any event at least 10 Working Days (or such other period as the Parties may agree in the Test Strategy or otherwise agree in writing) prior to the start of the relevant Testing (as specified in the Implementation Plan).

8.2 Each Test Specification shall include as a minimum:

8.2.1 the specification of the Test data, including its source, scope, volume and management, a request (if applicable) for relevant Test data to be provided by the Customer and the extent to which it is equivalent to live operational data;

8.2.2 a plan to make the resources available for Testing;

8.2.3 Test scripts;

8.2.4 Test pre-requisites and the mechanism for measuring them; and

8.2.5 expected Test results, including:

(a) a mechanism to be used to capture and record Test results; and

(b) a method to process the Test results to establish their content.

9 TESTING

9.1 Before submitting any Deliverables for Testing the Supplier shall subject the relevant Deliverables to its own internal quality control measures.

9.2 The Supplier shall manage the progress of Testing in accordance with the relevant Test Plan and shall carry out the Tests in accordance with the relevant Test Specification. Tests may be witnessed by the Test Witnesses in accordance with paragraph 11 of this Call Off Schedule.

9.3 The Supplier shall notify the Customer at least 10 Working Days (or such other period as the Parties may agree in writing) in advance of the date, time and location of the relevant Tests and the Customer shall ensure that the Test Witnesses attend the Tests, except where the Customer has specified in writing that such attendance is not necessary.

9.4 The Customer may raise and close Test Issues during the Test witnessing process.

9.5 The Supplier shall provide to the Customer in relation to each Test:

9.5.1 a draft Test Report not less than 2 Working Days (or such other period as the Parties may agree in writing) prior to the date on which the Test is planned to end; and

9.5.2 the final Test Report within 5 Working Days (or such other period as the Parties may agree in writing) of completion of Testing.

9.6 Each Test Report shall provide a full report on the Testing conducted in respect of the relevant Deliverables, including:

9.6.1 an overview of the Testing conducted;

9.6.2 identification of the relevant Test Success Criteria that have been satisfied;

9.6.3 identification of the relevant Test Success Criteria that have not been satisfied together with the Supplier’s explanation of why those criteria have not been met;

9.6.4 the Tests that were not completed together with the Supplier’s explanation of why those Tests were not completed;

9.6.5 the Test Success Criteria that were satisfied, not satisfied or which were not tested, and any other relevant categories, in each case grouped by Severity Level in accordance with paragraph 10.1 of this Call Off Schedule; and

9.6.6 the specification for any hardware and software used throughout Testing and any changes that were applied to that hardware and/or software during Testing.

9.7 When the Supplier has completed a Milestone it shall submit any Deliverables relating to that Milestone for Testing.

9.8 Each party shall bear its own costs in respect of the Testing. However, if a Milestone is not Achieved the Customer shall be entitled to recover from the Supplier, any reasonable additional costs it may incur as a direct result of further review or re-Testing of a Milestone.

9.9 If the Supplier successfully completes the requisite Tests, the Customer shall issue a Satisfaction Certificate as soon as reasonably practical following such successful completion. Notwithstanding the issuing of any Satisfaction Certificate, the Supplier shall remain solely responsible for ensuring that the Goods and/or Services are implemented in accordance with this Call Off Agreement.

10 TEST ISSUES

10.1 Where a Test Report identifies a Test Issue, the Parties shall agree the classification of the Test Issue using the criteria specified in Annex 1 and the Test Issue Management Log maintained by the Supplier shall log Test Issues reflecting the Severity Level allocated to each Test Issue.

10.2 The Supplier shall be responsible for maintaining the Test Issue Management Log and for ensuring that its contents accurately represent the current status of each Test Issue at all relevant times. The Supplier shall make the Test Issue Management Log available to the Customer upon request.

10.3 The Customer shall confirm the classification of any Test Issue unresolved at the end of a Test in consultation with the Supplier. If the Parties are unable to agree the classification of any unresolved Test Issue, the Dispute shall be dealt with in accordance with the Dispute Resolution Procedure using the Expedited Dispute Timetable.

11 TEST WITNESSING

11.1 The Customer may, in its sole discretion, require the attendance at any Test of one or more Test Witnesses selected by the Customer, each of whom shall have appropriate skills to fulfil the role of a Test Witness.

11.2 The Supplier shall give the Test Witnesses access to any documentation and Testing environments reasonably necessary and requested by the Test Witnesses to perform their role as a Test Witness in respect of the relevant Tests.

11.3 The Test Witnesses:

11.3.1 shall actively review the Test documentation;

11.3.2 will attend and engage in the performance of the Tests on behalf of the Customer so as to enable the Customer to gain an informed view of whether a Test Issue may be closed or whether the relevant element of the Test should be re-Tested;

11.3.3 shall not be involved in the execution of any Test;

11.3.4 shall be required to verify that the Supplier conducted the Tests in accordance with the Test Success Criteria and the relevant Test Plan and Test Specification;

11.3.5 may produce and deliver their own, independent reports on Testing, which may be used by the Customer to assess whether the Tests have been Achieved;

11.3.6 may raise Test Issues on the Test Issue Management Log in respect of any Testing; and

11.4 may require the Supplier to demonstrate the modifications made to any defective Deliverable before a Test Issue is closed.

12 TEST QUALITY AUDIT

12.1 Without prejudice to its rights pursuant to Clause 21 (Records, Audit Access and Open Book Data), the Customer or an agent or contractor appointed by the Customer may perform on-going quality audits in respect of any part of the Testing (each a “Testing Quality Audit”) subject to the provisions set out in the agreed Quality Plan.

12.2 The focus of the Testing Quality Audits shall be on:

12.2.1 adherence to an agreed methodology;

12.2.2 adherence to the agreed Testing process;

12.2.3 adherence to the Quality Plan;

12.2.4 review of status and key development issues; and

12.2.5 identification of key risk areas.

12.3 The Supplier shall allow sufficient time in the Test Plan to ensure that adequate responses to a Testing Quality Audit can be provided.

12.4 The Customer will give the Supplier at least 5 Working Days’ written notice of the Customer’s intention to undertake a Testing Quality Audit and the Supplier may request, following receipt of that notice, that any Testing Quality Audit be delayed by a reasonable time period if in the Supplier’s reasonable opinion, the carrying out of a Testing Quality Audit at the time specified by the Customer will materially and adversely impact the Implementation Plan.

12.5 A Testing Quality Audit may involve document reviews, interviews with the Supplier Personnel involved in or monitoring the activities being undertaken pursuant to this Schedule, the Customer witnessing Tests and demonstrations of the Deliverables to the Customer. Any Testing Quality Audit shall be limited in duration to a maximum time to be agreed between the Supplier and the Customer on a case by case basis (such agreement not to be unreasonably withheld or delayed). The Supplier shall provide all reasonable necessary assistance and access to all relevant documentation required by the Customer to enable it to carry out the Testing Quality Audit.

12.6 If the Testing Quality Audit gives the Customer concern in respect of the Testing Procedures or any Test, the Customer shall:

12.6.1 discuss the outcome of the Testing Quality Audit with the Supplier, giving the Supplier the opportunity to provide feedback in relation to specific activities; and

12.6.2 subsequently prepare a written report for the Supplier detailing its concerns,

and the Supplier shall, within a reasonable timeframe, respond in writing to the Customer’s report.

12.7 In the event of an inadequate response to the written report from the Supplier, the Customer (acting reasonably) may withhold a Test Certificate (and consequently delay the grant of a Satisfaction Certificate) until the issues in the report have been addressed to the reasonable satisfaction of the Customer.

13 OUTCOME OF TESTING

13.1 The Customer will issue a Test Certificate when the Deliverables satisfy the Test Success Criteria in respect of that Test without any Test Issues.

13.2 If the Deliverables (or any relevant part) do not satisfy the Test Success Criteria then the Customer shall notify the Supplier and:

13.2.1 the Customer may issue a Test Certificate conditional upon the remediation of the Test Issues;

13.2.2 where the Parties agree that there is sufficient time prior to the relevant Milestone Date, the Customer may extend the Test Plan by such reasonable period or periods as the Parties may reasonably agree and require the Supplier to rectify the cause of the Test Issue and re-submit the Deliverables (or the relevant part) to Testing; or

13.2.3 where the failure to satisfy the Test Success Criteria results, or is likely to result, in the failure (in whole or in part) by the Supplier to meet a Milestone, then without prejudice to the Customer’s other rights and remedies, such failure shall constitute a material Default.

13.3 The Customer shall be entitled, without prejudice to any other rights and remedies that it has under this Call Off Agreement, to recover from the Supplier any reasonable additional costs it may incur as a direct result of further review or re-Testing which is required for the Test Success Criteria for that Deliverable to be satisfied.

13.4 The Customer shall issue a Satisfaction Certificate in respect of a given Milestone as soon as is reasonably practicable following:

13.4.1 the issuing by the Customer of Test Certificates and/or conditional Test Certificates in respect of all Deliverables related to that Milestone which are due to be Tested; and

13.4.2 performance by the Supplier to the reasonable satisfaction of the Customer of any other tasks identified in the Implementation Plan as associated with that Milestone (which may include the submission of a Deliverable that is not due to be Tested, such as the production of Documentation).

13.5 The grant of a Satisfaction Certificate shall entitle the Supplier to the receipt of a payment in respect of that Milestone in accordance with the provisions of any Implementation Plan and Schedule 3 (Call Off Agreement Charging, Payment and Invoicing).

13.6 If a Milestone is not Achieved, the Customer shall promptly issue a report to the Supplier setting out:

13.6.1 the applicable Test Issues; and

13.6.2 any other reasons for the relevant Milestone not being Achieved.

13.7 If there are Test Issues but these do not exceed the Test Issues Threshold, then provided there are no Material Test Issues, the Customer shall issue a Satisfaction Certificate.

13.8 If there is one or more Material Test Issue(s), the Customer shall refuse to issue a Satisfaction Certificate and, without prejudice to the Customer’s other rights and remedies, such failure shall constitute a material Default.

13.9 If there are Test Issues which exceed the Test Issues Threshold but there are no Material Test Issues, the Customer may at its discretion (without waiving any rights in relation to the other options) choose to issue a Satisfaction Certificate conditional on the remediation of the Test Issues in accordance with an agreed Rectification Plan provided that:

13.9.1 any Rectification Plan shall be agreed before the issue of a conditional Satisfaction Certificate unless the Customer agrees otherwise (in which case the Supplier shall submit a Rectification Plan for approval by the Customer within 10 Working Days of receipt of the Customer’s report pursuant to paragraph 13.3 of this Call Off Schedule); and

13.9.2 where the Customer issues a conditional Satisfaction Certificate, it may (but shall not be obliged to) revise the failed Milestone Date and any subsequent Milestone Date.

ANNEX 1: TEST ISSUES – SEVERITY LEVELS

1 SEVERITY 1 ERROR

1.1 This is an error that causes non-recoverable conditions, e.g. it is not possible to continue using a Component, a Component crashes, there is database or file corruption, or data loss.

2 SEVERITY 2 ERROR

2.1 This is an error for which, as reasonably determined by the Customer, there is no practicable workaround available, and which:

2.1.1 causes a Component to become unusable;

2.1.2 causes a lack of functionality, or unexpected functionality, that has an impact on the current Test; or

2.1.3 has an adverse impact on any other Component(s) or any other area of the Goods and/or Services;

3 SEVERITY 3 ERROR

3.1 This is an error which:

3.1.1 causes a Component to become unusable;

3.1.2 causes a lack of functionality, or unexpected functionality, but which does not impact on the current Test; or

3.1.3 has an impact on any other Component(s) or any other area of the Goods and/or Services;

but for which, as reasonably determined by the Customer, there is a practicable workaround available;

4 SEVERITY 4 ERROR

4.1 This is an error which causes incorrect functionality of a Component or process, but for which there is a simple, Component based, workaround, and which has no impact on the current Test, or other areas of the Goods and/or Services; and

5 SEVERITY 5 ERROR

5.1 This is an error that causes a minor problem, for which no workaround is required, and which has no impact on the current Test, or other areas of the Go

ANNEX 2: TEST CERTIFICATE

To: [insert name of Supplier]

From: [insert name of Customer] [insert Date: dd/mm/yyyy]

Dear Sirs,

TEST CERTIFICATE

Deliverable(s): [Insert relevant description of the agreed Deliverables/Milestones]

We refer to the agreement (“Call Off Agreement”) [insert Call Off Agreement reference number] relating to the provision of the [insert description of the Goods and/or Services] between the [insert Customer name] (“Customer”) and [insert Supplier name] (“Supplier”) dated [insert Call Off Commencement Date dd/mm/yyyy].

The definitions for any capitalised terms in this certificate are as set out in the Call Off Agreement.

[We confirm that all of the Deliverables listed above have been tested successfully in accordance with the Test Plan relevant to those Deliverables.]

[OR]

[This Test Certificate is issued pursuant to paragraph 13.1 of Call Off Schedule 5 (Testing) of this Call Off Agreement on the condition that any Test Issues are remedied in accordance with the Rectification Plan attached to this certificate.]

Yours faithfully [insert Name] [insert Position]

acting on behalf of [insert name of Customer]

ANNEX 3: SATISFACTION CERTIFICATE

To: [insert name of Supplier]

From: [insert name of Customer] [insert Date dd/mm/yyyy]

Dear Sirs,

SATISFACTION CERTIFICATE

Milestone(s): [Insert relevant description of the agreed Milestones].

We refer to the agreement (“Call Off Agreement”) [insert Call Off Agreement reference number] relating to the provision of the [insert description of the Goods and/or Services] between the [insert Customer name] (“Customer”) and [insert Supplier name] (“Supplier”) dated [insert Call Off Commencement Date dd/mm/yyyy].

The definitions for any capitalised terms in this certificate are as set out in the Call Off Agreement.

[We confirm that all the Deliverables relating to [insert relevant description of agreed Milestones and/or reference number(s) from the Implementation Plan] have been tested successfully in accordance with the Test Plan [or that a conditional Test Certificate has been issued in respect of those Deliverables that have not satisfied the relevant Test Success Criteria]].

[OR]

[This Satisfaction Certificate is granted pursuant to paragraph 13.1 of Call Off Schedule 5 (Testing) of this Call Off Agreement on the condition that any Test Issues are remedied in accordance with the Rectification Plan attached to this certificate.]

[You may now issue an invoice in respect of the Milestone Payment associated with this Milestone in accordance with the provisions of Call Off Schedule 3 (Call Off Agreement Charges, Payment and Invoicing)].

Yours faithfully [insert Name] [insert Position]

acting on behalf of [insert name of Customer]

[CALL OFF SCHEDULE 6: SERVICE LEVELS, SERVICE CREDITS AND PERFORMANCE MONITORING]

OPTIONAL SCHEDULE – SEE OPTIONAL CLAUSE 13 – SERVICE LEVELS AND SERVICE CREDITS

1 SCOPE

1.1 This Call Off Schedule 6 (Service Levels, Service Credits and Performance Monitoring) sets out the Service Levels which the Supplier is required to achieve when providing the Goods and/or Services, the mechanism by which Service Level Failures and Critical Service Level Failures will be managed and the method by which the Supplier’s performance in the provision by it of the Goods and/or Services will be monitored.

1.2 This Call Off Schedule 6 comprises:

1.2.1 Part A: Service Levels and Service Credits;

1.2.2 Annex 1 to Part A - Service Levels and Service Credits Table;

1.2.3 Part B: Performance Monitoring; and

1.2.4 Annex 1 to Part B: Additional Performance Monitoring Requirements.

PART A: SERVICE LEVELS AND SERVICE CREDITS

1 GENERAL PROVISIONS

1.1 The Supplier shall provide a proactive Call Off Agreement manager to ensure that all Service Levels in this Call Off Agreement and Key Performance Indicators in the Framework Agreement are achieved to the highest standard throughout, respectively, the Call Off Agreement Period and the Framework Period.

1.2 The Supplier shall provide a managed service through the provision of a dedicated Call Off Agreement manager where required on matters relating to:

1.2.1 [Supply performance;

1.2.2 Quality of [Goods and/or Services];

1.2.3 Customer support;

1.2.4 Complaints handling; and

1.2.5 Accurate and timely invoices.]

1.3 The Supplier accepts and acknowledges that failure to meet the Service Level Performance Measures set out in the table in Annex 1 to this Part A of this Call Off Schedule 6 will result in Service Credits being issued to Customers.

2 PRINCIPAL POINTS

2.1 The objectives of the Service Levels and Service Credits are to:

2.1.1 ensure that the Goods and/or Services are of a consistently high quality and meet the requirements of the Customer;

2.1.2 provide a mechanism whereby the Customer can attain meaningful recognition of inconvenience and/or loss resulting from the Supplier’s failure to deliver the level of service for which it has contracted to deliver; and

2.1.3 incentivise the Supplier to comply with and to expeditiously remedy any failure to comply with the Service Levels.

3 SERVICE LEVELS

3.1 Annex 1 to this Part A of this Call Off Schedule 6 sets out the Service Levels the performance of which the Parties have agreed to measure.

3.2 The Supplier shall monitor its performance of this Call Off Agreement by reference to the relevant performance criteria for achieving the Service Levels shown in Annex 1 to this Part A of this Call Off Schedule 6 (the “Service Level Performance Criteria”) and shall send the Customer a Performance Monitoring Report detailing the level of service which was achieved in accordance with the provisions of Part B (Performance Monitoring) of this Call Off Schedule 6.

3.3 The Supplier shall, at all times, provide the Goods and/or Services in such a manner that the Service Levels Performance Measures are achieved.

3.4 If the level of performance of the Supplier of any element of the provision by it of the Goods and/or Services during the Call Off Agreement Period:

3.4.1 is likely to or fails to meet any Service Level Performance Measure or

3.4.2 is likely to cause or causes a Critical Service Failure to occur,

3.4.3 the Supplier shall immediately notify the Customer in writing and the Customer, in its absolute discretion and without prejudice to any other of its rights howsoever arising including under Clause 13 of this Call Off Agreement (Service Levels and Service Credits), may:

(a) require the Supplier to immediately take all remedial action that is reasonable to mitigate the impact on the Customer and to rectify or prevent a Service Level Failure or Critical Service Level Failure from taking place or recurring; and

(b) if the action taken under paragraph (a) above has not already prevented or remedied the Service Level Failure or Critical Service Level Failure, the Customer shall be entitled to instruct the Supplier to comply with the Rectification Plan Process; or

(c) if a Service Level Failure has occurred, deduct from the Call Off Agreement Charges the applicable Service Level Credits payable by the Supplier to the Customer in accordance with the calculation formula set out in Annex 1 of this Part A of this Call Off Schedule 6; or

(d) if a Critical Service Level Failure has occurred, exercise its right to Compensation for Critical Service Level Failure in accordance with Clause 14 of this Call Off Agreement (Critical Service Level Failure) (including subject, for the avoidance of doubt, the proviso in Clause 14.2.2 of this Call Off Agreement in relation to Material Breach).

3.5 Approval and implementation by the Customer of any Rectification Plan shall not relieve the Supplier of any continuing responsibility to achieve the Service Levels, or remedy any failure to do so, and no estoppels or waiver shall arise from any such Approval and/or implementation by the Customer.

4 SERVICE CREDITS

4.1 Annex 1 to this Part A of this Call Off Schedule 6 sets out the formula used to calculate a Service Credit payable to the Customer as a result of a Service Level Failure in a given service period which, for the purpose of this Call Off Schedule 6, shall be a recurrent period of [one Month] during the Call Off Agreement Period (the “Service Period”).

4.2 Annex 1 to this Part A of this Call Off Schedule 6 includes details of each Service Credit available to each Service Level Performance Criterion if the applicable Service Level Performance Measure is not met by the Supplier.

4.3 The Customer shall use the Performance Monitoring Reports supplied by the Supplier under Part B (Performance Monitoring) of this Call Off Schedule 6 to verify the calculation and accuracy of the Service Credits, if any, applicable to each relevant Service Period.

4.4 Service Credits are a reduction of the amounts payable in respect of the Goods and/or Services and do not include VAT. The Supplier shall set-off the value of any Service Credits against the appropriate invoice in accordance with calculation formula in Annex 1 of Part A of this Call Off Schedule 6.

5 NATURE OF SERVICE CREDITS

5.1 The Supplier confirms that it has modelled the Service Credits and has taken them into account in setting the level of the Call Off Agreement Charges. Both Parties agree that the Service Credits are a reasonable method of price adjustment to reflect poor performance.

| Service Levels | | | | Service Credit for each Service Period |
| --- | --- | --- | --- | --- |
| Service Level Performance Criteria | Key Indicator | Service Level Performance Measure | Service Level Threshold | |
| Accurate and timely billing of Customer | Accuracy/Timelines | at least 98% at all times | | 0.5% Service Credit gained for each percentage under the specified Service Level Performance Measure |
| Access to Customer support | Availability | at least 98% at all times | | 0.5% Service Credit gained for each percentage under the specified Service Level Performance Measure |
| Complaints Handling | Availability/ Timelines | at least 98% at all times | | 0.5% Service Credit gained for each percentage under the specified Service Level Performance Measure |
| Provision of specific Goods and/or Services | Quality | at least 98% at all times | | 2% Service Credit gained for each percentage under the specified Service Level Performance Measure |
| Timely provision of the Goods and/or Services [hours a day, days a week. | Goods and/or Services Availability | at least 98% at all times | | 2% Service Credit gained for each percentage under the specified Service Level Performance Measure] |

The Service Credits are calculated on the basis of the following formula:

Formula: x% (Service Level Performance Measure) - x% (actual Service Level performance) = x% of the Call Off Agreement Charges payable to the Customer as Service Credits to be deducted from the next Valid Invoice payable by the Customer

Worked example: 98% (e.g. Service Level Performance Measure requirement for Service Level Performance Criterion of accurate and timely billing to Customer) - 75% (e.g. actual performance achieved against this Service Level Performance Criterion in a Service Period) = 23% of the Call Off Agreement Charges payable to the Customer as Service Credits to be deducted from the next Valid Invoice payable by the Customer]

PART B: PERFORMANCE MONITORING

1 PRINCIPAL POINTS

1.1 Part B to this Call Off Schedule 6 provides the methodology for monitoring the provision of the Goods and/or Services:

1.1.1 to ensure that the Supplier is complying with the Service Levels; and

1.1.2 for identifying any failures to achieve Service Levels in the performance of the Supplier and/or provision of the Goods and/or Services (“Performance Monitoring System”).

1.2 Within twenty (20) Working Days of the Call Off Commencement Date the Supplier shall provide the Customer with details of how the process in respect of the monitoring and reporting of Service Levels will operate between the Parties and the Parties will endeavour to agree such process as soon as reasonably possible.

2 REPORTING OF SERVICE FAILURES

2.1 The Supplier shall report all failures to achieve Service Levels and any Critical Service Level Failure to the Customer in accordance with the processes agreed in paragraph 1.2 of Part B of this Call Off Schedule 6 above.

3 PERFORMANCE MONITORING AND PERFORMANCE REVIEW

3.1 The Supplier shall provide the Customer with performance monitoring reports (“Performance Monitoring Reports”) in accordance with the process and timescales agreed pursuant to paragraph 1.2 of Part B of this Call Off Schedule 6 above which shall contain, as a minimum, the following information in respect of the relevant Service Period just ended:

3.1.1 for each Service Level, the actual performance achieved over the Service Level for the relevant Service Period;

3.1.2 a summary of all failures to achieve Service Levels that occurred during that Service Period;

3.1.3 any Critical Service Level Failures and details in relation thereto;

3.1.4 for any repeat failures, actions taken to resolve the underlying cause and prevent recurrence;

3.1.5 the Service Credits to be applied in respect of the relevant period indicating the failures and Service Levels to which the Service Credits relate; and

3.1.6 such other details as the Customer may reasonably require from time to time.

3.2 The Parties shall attend meetings to discuss Performance Monitoring Reports (“Performance Review Meetings”) on a monthly basis (unless otherwise agreed). The Performance Review Meetings will be the forum for the review by the Supplier and the Customer of the Performance Monitoring Reports. The Performance Review Meetings shall (unless otherwise agreed):

3.2.1 take place within one (1) week of the Performance Monitoring Reports being issued by the Supplier;

3.2.2 take place at such location and time (within normal business hours) as the Customer shall reasonably require unless otherwise agreed in advance;

3.2.3 be attended by the Supplier’s Representative and the Customer’s Representative; and

3.2.4 be fully minuted by the Supplier. The prepared minutes will be circulated by the Supplier to all attendees at the relevant meeting and also to the Customer’s Representative and any other recipients agreed at the relevant meeting. The minutes of the preceding month’s Performance Review Meeting will be agreed and signed by both the Supplier’s Representative and the Customer’s Representative at each meeting.

3.3 The Customer shall be entitled to raise any additional questions and/or request any further information regarding any failure to achieve Service Levels.

3.4 The Supplier shall provide to the Customer such supporting documentation as the Customer may reasonably require in order to verify the level of the performance by the Supplier and the calculations of the amount of Service Credits for any specified Service Period.

4 SATISFACTION SURVEYS

4.1 In order to assess the level of performance of the Supplier, the Customer may undertake satisfaction surveys in respect of the Supplier’s provision of the Goods and/or Services.

4.2 The Customer shall be entitled to notify the Supplier of any aspects of their performance of the provision of the Goods and/or Services which the responses to the Satisfaction Surveys reasonably suggest are not in accordance with this Call Off Agreement.

4.3 All other suggestions for improvements to the provision of Goods and/or Services shall be dealt with as part of the continuous improvement programme pursuant to Clause 13 of this Call Off Agreement (Continuous Improvement).

ANNEX 1 TO PART B: ADDITIONAL PERFORMANCE MONITORING REQUIREMENTS

In this Annex 1 to Part B of Call Off Schedule 6, the following definitions shall apply, if selected by the Customer in the Call Off Order Form:

Project Manager: means the manager described in paragraph 1.1 of this Annex;

Technical Board: means the board described in paragraph 1.1 of this Annex;

1 MANAGEMENT OF THE GOODS AND/OR SERVICES

1.1 The Supplier and the Customer shall each appoint a Project Manager for the purposes of this Call Off Agreement through whom the provision of the Goods and/or Services shall be managed at a day-to-day level.

1.2 Both parties shall ensure that appropriate resource is made available on a regular basis including, for example, a Technical Board such that the aims, objectives and specific provisions of this Call Off Agreement can be fully realised.

2 TECHNICAL BOARD

2.1 The Technical Board shall be established by the Customer for the purposes of this Call Off Agreement on which the Supplier and the Customer shall be represented.

2.2 The Technical Board members, frequency and location of board meetings and planned start date by which the board shall be established shall be set out in Annex [x].

2.3 In the event that either Party wishes to replace any of its appointed board members, that party shall notify the other in writing of the proposed change for agreement by the other Party (such agreement not to be unreasonably withheld or delayed). Notwithstanding the foregoing it is intended that each Customer board member has at all times a counterpart Supplier board member of equivalent seniority and expertise.

2.4 Each Party shall ensure that its board members shall make all reasonable efforts to attend board meetings at which that board member’s attendance is required. If any board member is not able to attend a board meeting, that person shall use all reasonable endeavours to ensure that a delegate attends the Technical Board meeting in his/her place (wherever possible) is properly briefed and prepared and that he/she is debriefed by such delegate after the board meeting.

2.5 The Technical Board shall be accountable to the Project Managers for oversight of the technology used by the Supplier and ensuring that technological choices are made to maximise the long term value of the Goods and/or Services.

2.6 The Technical Board shall:

2.6.1 assure compliance with the overall technical architecture of the Customer and with Government IT Strategy (as defined at https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/85968/uk-government-government-ict-strategy_0.pdf);

2.6.2 grant dispensations for variations from such compliance where appropriate;

2.6.3 assure the coherence and consistency of the systems architecture for the provision of the Goods and/or Services;

2.6.4 monitor developments in new technology and reporting on their potential benefit to the provision of the Goods and/or Services;

2.6.5 provide advice, guidance and information on technical issues; and

2.6.6 assure that the technical architecture for the provision of the Goods and/or Services is aligned to the requirements specified in Call Off Schedule 2 (Goods and Services) and has sufficient flexibility to cope with future requirements of the Customer.

CALL OFF SCHEDULE 7: SECURITY

[SHORT FORM – PARAGRAPHS 1 TO 5]

1 DEFINITIONS

1.1 In this Call Off Schedule 7, the following definitions shall apply:

Breach of Security: means the occurrence of:

a) any unauthorised access to or use of the Goods and/or Services, the Sites and/or any Information and Communication Technology (“ICT”), information or data (including the Confidential Information and the Customer Data) used by the Customer and/or the Supplier in connection with this Call Off Agreement; and/or

b) the loss and/or unauthorised disclosure of any information or data (including the Confidential Information and the Customer Data), including any copies of such information or data, used by the Customer and/or the Supplier in connection with this Call Off Agreement,

in either case as more particularly set out in the Security Policy;

2 INTRODUCTION

2.1 The purpose of this Call Off Schedule 7 is to ensure a good organisational approach to security under which the specific requirements of this Call Off Agreement will be met;

2.2 This Call Off Schedule 7 covers:

2.2.1 principles of protective security to be applied in delivering the Goods and/or Services;

2.2.2 the creation and maintenance of the Security Management Plan; and

2.2.3 obligations in the event of actual or attempted Breaches of Security.

3 PRINCIPLES OF SECURITY

3.1 The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Goods and/or Services, confidentiality, integrity and availability of information and consequently on security.

3.2 The Supplier shall be responsible for the effective performance of its security obligations and shall at all times provide a level of security which:

3.2.1 is in accordance with the Law and this Call Off Agreement;

3.2.2 as a minimum demonstrates Good Industry Practice;

3.2.3 complies with the Security Policy;

3.2.4 meets any specific security threats of immediate relevance to the Goods and/or Services and/or the Customer Data; and

3.2.5 complies with the Customer’s ICT Policy.

3.3 Subject to Clause 3 of this Call Off Agreement (Security and Protection of Information) the references to standards, guidance and policies contained or set out in paragraph 3.2 of this Call Off Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time.

3.4 In the event of any inconsistency in the provisions of the above standards, guidance and policies, the Supplier should notify the Customer’s Representative of such inconsistency immediately upon becoming aware of the same, and the Customer’s Representative shall, as soon as practicable, advise the Supplier which provision the Supplier shall be required to comply with.

4 SECURITY MANAGEMENT PLAN

4.1 Introduction

4.1.1 The Supplier shall develop and maintain a Security Management Plan in accordance with this Call Off Schedule 7. The Supplier shall thereafter comply with its obligations set out in the Security Management Plan.

4.2 Content of the Security Management Plan

4.2.1 The Security Management Plan shall:

(a) comply with the principles of security set out in paragraph 3 of this Call Off Schedule 7 and any other provisions of this Call Off Agreement relevant to security;

(b) identify the necessary delegated organisational roles defined for those responsible for ensuring it is complied with by the Supplier;

(c) detail the process for managing any security risks from Sub-Contractors and third parties authorised by the Customer with access to the Goods and/or Services, processes associated with the provision of the Goods and/or Services, the Customer Premises, the Sites and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that Information, data and/or the Goods and/or Services;

(d) unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the provision of the Goods and/or Services, including the Customer Premises, the Sites, and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Agreement or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Goods and/or Services;

(e) set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Goods and/or Services and all processes associated with the provision of the Goods and/or Services and shall at all times comply with and specify security measures and procedures which are sufficient to ensure that the Goods and/or Services comply with the provisions of this Call Off Agreement;

(f) set out the plans for transitioning all security arrangements and responsibilities for the Supplier to meet the full obligations of the security requirements set out in this Call Off Agreement and the Security Policy; and

(g) be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the provision of the Goods and/or Services and shall only reference documents which are in the possession of the Parties or whose location is otherwise specified in this Call Off Schedule 7.

4.3 Development of the Security Management Plan

4.3.1 Within twenty (20) Working Days after the Call Off Commencement Date (or such other period agreed by the Parties in writing) and in accordance with paragraph 4.4 (Amendment and Revision of the Security Management Plan), the Supplier shall prepare and deliver to the Customer for Approval a fully complete and up to date Security Management Plan which will be based on the draft Security Management Plan.

4.3.2 If the Security Management Plan submitted to the Customer in accordance with paragraph 4.3.1, or any subsequent revision to it in accordance with paragraph 4.4 (Amendment and Revision of the Security Management Plan), is Approved it will be adopted immediately and will replace the previous version of the Security Management Plan and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the Security Management Plan is not Approved, the Supplier shall amend it within ten (10) Working Days or such other period as the Parties may agree in writing of a notice of non-approval from the Customer and re-submit to the Customer for Approval. The parties will use all reasonable endeavours to ensure that the approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the parties may agree in writing) from the date of its first submission to the Customer. If the Customer does not approve the Security Management Plan following its resubmission, the matter will be resolved in accordance with the Dispute Resolution Procedure.

4.3.3 The Customer shall not unreasonably withhold or delay its decision to Approve or not the Security Management Plan pursuant to paragraph 4.3.2. However a refusal by the Customer to Approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 4.2 shall be deemed to be reasonable.

4.3.4 Approval by the Customer of the Security Management Plan pursuant to paragraph 4.3.2 of this Call Off Schedule 7 or of any change to the Security Management Plan in accordance with paragraph 4.4 shall not relieve the Supplier of its obligations under this Call Off Schedule 7.

4.4 Amendment and Revision of the Security Management Plan

4.4.1 The Security Management Plan shall be fully reviewed and updated by the Supplier at least annually to reflect:

(a) emerging changes in Good Industry Practice;

(b) any change or proposed change to the Goods and/or Services and/or associated processes;

(c) any change to the Security Policy;

(d) any new perceived or changed security threats; and

(e) any reasonable change in requirements requested by the Customer.

4.4.2 The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amendment of the Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation:

(a) suggested improvements to the effectiveness of the Security Management Plan;

(b) updates to the risk assessments; and

(c) suggested improvements in measuring the effectiveness of controls.

4.4.3 Subject to paragraph 4.4.4, any change or amendment which the Supplier proposes to make to the Security Management Plan (as a result of a review carried out in accordance with paragraph 4.4.1, a request by the Customer or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved by the Customer.

4.4.4 The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Agreement.

5 BREACH OF SECURITY

5.1 Either party shall notify the other in accordance with the agreed security incident management process (as detailed in the Security Management Plan if one exists) upon becoming aware of any Breach of Security or any potential or attempted Breach of Security.

5.2 Without prejudice to the security incident management process, upon becoming aware of any of the circumstances referred to in paragraph 5.1, the Supplier shall:

5.2.1 immediately take all reasonable steps (which shall include any action or changes reasonably required by the Customer) necessary to:

(a) minimise the extent of actual or potential harm caused by any Breach of Security;

(b) remedy such Breach of Security to the extent possible and protect the integrity of the Customer and the provision of the Goods and/or Services to the extent within its control against any such Breach of Security or attempted Breach of Security;

(c) prevent an equivalent breach in the future exploiting the same cause failure; and

(d) as soon as reasonably practicable provide to the Customer, where the Customer so requests, full details (using the reporting mechanism defined by the Security Management Plan if one exists) of the Breach of Security or attempted Breach of Security, including a cause analysis where required by the Customer.

5.3 In the event that any action is taken in response to a Breach of Security or potential or attempted Breach of Security that demonstrates non-compliance of the Security Management Plan with the Security policy or the requirements of this Call Off Schedule 7, then any required change to the Security Management Plan shall be at no cost to the Customer.

[LONG FORM – PARAGRAPHS 1 TO 8]

1 DEFINITIONS

1.1 In this Call Off Schedule 7, the following definitions shall apply:

Breach of Security: means the occurrence of:

a) any unauthorised access to or use of the Goods and/or Services, the Sites and/or any Information and Communication Technology (“ICT”), information or data (including the Confidential Information and the Customer Data) used by the Customer and/or the Supplier in connection with this Call Off Agreement; and/or

b) the loss and/or unauthorised disclosure of any information or data (including the Confidential Information and the Customer Data), including any copies of such information or data, used by the Customer and/or the Supplier in connection with this Call Off Agreement,

in either case as more particularly set out in the security requirements in the Security Policy;

ISMS: the information security management system and process developed by the Supplier in accordance with paragraph 3 (ISMS) as updated from time to time in accordance with this Schedule 7; and

Security Tests: tests to validate the ISMS and security of all relevant processes, systems, incident response plans, patches to vulnerabilities and mitigations to Breaches of Security.

2 INTRODUCTION

2.1 The Parties acknowledge that the purpose of the ISMS and Security Management Plan are to ensure a good organisational approach to security under which the specific requirements of this Call Off Agreement will be met.

2.2 The Parties shall each appoint a security representative to be responsible for Security. The initial security representatives of the Parties are as set out in the Call Off Order Form.

2.3 If the persons named in paragraphs Error! Reference source not found. and Error! Reference source not found. are included as Key Personnel, Clause 26 (Key Personnel) shall apply in relation to such persons.

2.4 The Customer shall clearly articulate its high level security requirements so that the Supplier can ensure that the ISMS, security related activities and any mitigations are driven by these fundamental needs.

2.5 Both Parties shall provide a reasonable level of access to any members of their personnel for the purposes of designing, implementing and managing security.

2.6 The Supplier shall use as a minimum Good Industry Practice in the day to day operation of any system holding, transferring or processing Customer Data and any system that could directly or indirectly have an impact on that information, and shall ensure that Customer Data remains under the effective control of the Supplier at all times.

2.7 The Supplier shall ensure the up-to-date maintenance of a security policy relating to the operation of its own organisation and systems and on request shall supply this document as soon as practicable to the Customer.

2.8 The Customer and the Supplier acknowledge that information security risks are shared between the Parties and that a compromise of either the Supplier or the Customer’s security provisions represents an unacceptable risk to the Customer requiring immediate communication and co-operation between the Parties.

3 ISMS

3.1 The Supplier shall develop and submit to the Customer for the Customer’s Approval, within twenty (20) working days after the Call Off Commencement Date or such other date as agreed between the Parties, an information security management system for the purposes of this Call Off Agreement, which shall have been tested in accordance with Call Off Schedule 5 (Testing) and shall comply with the requirements of paragraphs 3.3 to 3.5 of this Call Off Schedule 7 (Security).

3.2 The Supplier acknowledges that the Customer places great emphasis on the reliability of the performance of the Goods and/or Services, confidentiality, integrity and availability of information and consequently on the security provided by the ISMS and that the Supplier shall be responsible for the effective performance of the ISMS.

3.3 The ISMS shall:

3.3.1 unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the provision of the Goods and/or Services, including the Customer Premises, the Sites, the Supplier System, the Customer System (to the extent that it is under the control of the Supplier) and any ICT, information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Agreement;

3.3.2 meet the relevant standards in ISO/IEC 27001 and ISO/IEC27002 in accordance with Paragraph 7; and

3.3.3 at all times provide a level of security which:

(a) is in accordance with the Law and this Call Off Agreement;

(b) complies with the Baseline Security Requirements;

(c) as a minimum demonstrates Good Industry Practice;

(d) complies with the Security Policy;

(e) complies with at least the minimum set of security measures and standards as determined by the Security Policy Framework (Tiers 1-4) https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/255910/HMG_Security_Policy_Framework_V11.0.pdf;

(f) takes account of guidance issued by the Centre for Protection of National Infrastructure on Risk Management http://www.cpni.gov.uk/Documents/Publications/2005/2005003-Risk_management.pdf;

(g) complies with HMG Information Assurance Maturity Model and Assurance Framework http://www.cesg.gov.uk/publications/Documents/iamm-assessment-framework.pdf;

(h) meets any specific security threats of immediate relevance to the ISMS, the Goods and/or Services and/or Customer Data;

(i) addresses issues of incompatibility with the Supplier’s own organisational security policies;

(j) complies with ISO/IEC27001 and ISO/IEC27002 in accordance with paragraph 7; and

(k) complies with the Customer’s ICT policies.

3.3.4 document the security incident management processes and incident response plans;

3.3.5 document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Goods and/or Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware, prioritisation of security patches, testing of security patches, application of security patches, a process for Customer approvals of exceptions, and the reporting and audit mechanism detailing the efficacy of the patching policy; and

3.3.6 be certified by (or by a person with the direct delegated authority of) a Supplier’s main board representative, being the “Chief Security Officer”, “Chief Information Officer”, “Chief Technical Officer” or “Chief Financial Officer” (or equivalent as agreed in writing by the Customer in advance of issue of the relevant Security Management Plan).

3.4 Subject to Clause 33.9.4 of this Call Off Agreement (Security and Protection of Information) the references to Standards, guidance and policies contained or set out in paragraph 3.3 of this Call Off Schedule 7 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, as notified to the Supplier from time to time.

3.5 In the event that the Supplier becomes aware of any inconsistency in the provisions of the standards, guidance and policies set out in paragraph 3.3 of this Call Off Schedule 7, the Supplier shall immediately notify the Customer Representative of such inconsistency and the Customer Representative shall, as soon as practicable, notify the Supplier as to which provision the Supplier shall comply with.

3.6 If the ISMS submitted to the Customer pursuant to paragraph 3.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the ISMS is not Approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission of the ISMS to the Customer. If the Customer does not Approve the ISMS following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph 3 of this Call Off Schedule 7 may be unreasonably withheld or delayed. However any failure to approve the ISMS on the grounds that it does not comply with any of the requirements set out in paragraphs 3.3 to 3.5 of this Call Off Schedule 7 shall be deemed to be reasonable.

3.7 Approval by the Customer of the ISMS pursuant to paragraph 3.6 of this Call Off Schedule 7 or of any change to the ISMS shall not relieve the Supplier of its obligations under this Call Off Schedule 7.

4 SECURITY MANAGEMENT PLAN

4.1 Within twenty (20) Working Days after the Call Off Commencement Date, the Supplier shall prepare and submit to the Customer for Approval in accordance with paragraph 4 of this Call Off Schedule 7 a fully developed, complete and up-to-date Security Management Plan which shall comply with the requirements of paragraph 4.2 of this Call Off Schedule 7.

4.2 The Security Management Plan shall:

4.2.1 be based on the initial Security Management Plan set out in Annex 2 (Security Management Plan);

4.2.2 comply with the Baseline Security Requirements and Security Policy;

4.2.3 identify the necessary delegated organisational roles defined for those responsible for ensuring this Call Off Schedule 7 is complied with by the Supplier;

4.2.4 detail the process for managing any security risks from Sub-Contractors and third parties authorised by the Customer with access to the Goods and/or Services, processes associated with the delivery of the Goods and/or Services, the Customer Premises, the Sites, the Supplier System, the Customer System (to the extent that it is under the control of the Supplier) and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) and any system that could directly or indirectly have an impact on that information, data and/or the Goods and/or Services;

4.2.5 unless otherwise specified by the Customer in writing, be developed to protect all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services, including the Customer Premises, the Sites, the Supplier System, the Customer System (to the extent that it is under the control of the Supplier) and any ICT, Information and data (including the Customer’s Confidential Information and the Customer Data) to the extent used by the Customer or the Supplier in connection with this Call Off Agreement or in connection with any system that could directly or indirectly have an impact on that Information, data and/or the Goods and/or Services;

4.2.6 set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Goods and/or Services and all processes associated with the delivery of the Goods and/or Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Goods and/or Services comply with the provisions of this Call Off Schedule 7 (including the requirements set out in paragraph 3.3 of this Call Off Schedule);

4.2.7 demonstrate that the Supplier’s approach to delivery of the Goods and/or Services has minimised the Customer and Supplier effort required to comply with this Call Off Schedule through consideration of available, appropriate and practicable pan-government accredited services (for example, ‘platform as a service’ offering from the G-Cloud catalogue);

4.2.8 set out the plans for transitioning all security arrangements and responsibilities from those in place at the Call Off Commencement Date to those incorporated in the ISMS within the timeframe agreed between the Parties.

4.2.9 set out the scope of the Customer System that is under the control of the Supplier;

4.2.10 be structured in accordance with ISO/IEC27001 and ISO/IEC27002, cross-referencing if necessary to other Schedules which cover specific areas included within those standards; and

4.2.11 be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Customer engaged in the Goods and/or Services and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Call Off Schedule 7.

4.3 If the Security Management Plan submitted to the Customer pursuant to paragraph 3.1 of this Call Off Schedule 7 is Approved by the Customer, it shall be adopted by the Supplier immediately and thereafter operated and maintained in accordance with this Call Off Schedule 7. If the Security Management Plan is not approved by the Customer, the Supplier shall amend it within ten (10) Working Days of a notice of non-approval from the Customer and re-submit it to the Customer for Approval. The Parties shall use all reasonable endeavours to ensure that the Approval process takes as little time as possible and in any event no longer than fifteen (15) Working Days (or such other period as the Parties may agree in writing) from the date of the first submission to the Customer of the Security Management Plan. If the Customer does not Approve the Security Management Plan following its resubmission, the matter shall be resolved in accordance with the Dispute Resolution Procedure. No Approval to be given by the Customer pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Management Plan on the grounds that it does not comply with the requirements set out in paragraph 4.2 of this Call Off Schedule 7 shall be deemed to be reasonable.

4.4 Approval by the Customer of the Security Management Plan pursuant to paragraph 4.3 of this Call Off Schedule 7 or of any change or amendment to the Security Management Plan shall not relieve the Supplier of its obligations under this Call Off Schedule 7.

5 AMENDMENT AND REVISION OF THE ISMS AND SECURITY MANAGEMENT PLAN

5.1 The ISMS and Security Management Plan shall be fully reviewed and updated by the Supplier and at least annually to reflect:

5.1.1 emerging changes in Good Industry Practice;

5.1.2 any change or proposed change to the Supplier System, the Goods and/or Services and/or associated processes;

5.1.3 any changes to the Security Policy;

5.1.4 any new perceived or changed security threats; and

5.1.5 any reasonable change in requirement requested by the Customer.

5.2 The Supplier shall provide the Customer with the results of such reviews as soon as reasonably practicable after their completion and amend the ISMS and Security Management Plan at no additional cost to the Customer. The results of the review shall include, without limitation:

5.2.1 suggested improvements to the effectiveness of the ISMS;

5.2.2 updates to the risk assessments;

5.2.3 proposed modifications to the procedures and controls that affect information security to respond to events that may impact on the ISMS; and

5.2.4 suggested improvements in measuring the effectiveness of controls.

5.3 Subject to paragraph 5.4 of this Call Off Schedule 7, any change which the Supplier proposes to make to the ISMS or Security Management Plan (as a result of a review carried out pursuant to paragraph 5.1 of this Call Off Schedule 7, a Customer request, a change to Annex 1 (Security) or otherwise) shall be subject to the Variation Procedure and shall not be implemented until Approved in writing by the Customer.

5.4 The Customer may, where it is reasonable to do so, Approve and require changes or amendments to the ISMS or Security Management Plan to be implemented on timescales faster than set out in the Variation Procedure but, without prejudice to their effectiveness, all such changes and amendments shall thereafter be subject to the Variation Procedure for the purposes of formalising and documenting the relevant change or amendment for the purposes of this Call Off Agreement.

6 SECURITY TESTING

6.1 The Supplier shall conduct Security Tests from time to time (and at least annually across the scope of the ISMS) and additionally after any change or amendment to the ISMS (including security incident management processes and incident response plans) or the Security Management Plan. Security Tests shall be designed and implemented by the Supplier so as to minimise the impact on the delivery of the Goods and/or Services and the date, timing, content and conduct of such Security Tests shall be agreed in advance with the Customer. Subject to compliance by the Supplier with the foregoing requirements, if any Security Tests adversely affect the Supplier’s ability to deliver the Goods and/or Services so as to meet the Service Level Performance Measures, the Supplier shall be granted relief against any resultant under-performance for the period of the Security Tests.

6.2 The Customer shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Customer with the results of such Security Tests (in a form approved by the Customer in advance) as soon as practicable after completion of each Security Test.

6.3 Without prejudice to any other right of audit or access granted to the Customer pursuant to this Call Off Agreement, the Customer and/or its authorised representatives shall be entitled, at any time upon giving reasonable notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the ISMS and the Supplier’s compliance with the ISMS and the Security Management Plan. The Customer may notify the Supplier of the results of such tests after completion of each such test. If any such Customer’s test adversely affects the Supplier’s ability to deliver the Goods and/or Services so as to meet the Target Performance Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the Customer’s test.

6.4 Where any Security Test carried out pursuant to paragraphs 6.2 or 6.3 of this Call Off Schedule 7 reveals any actual or potential Breach of Security or weaknesses (including un-patched vulnerabilities, poor configuration and/or incorrect system management), the Supplier shall promptly notify the Customer of any changes to the ISMS and to the Security Management Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Customer’s prior written Approval, the Supplier shall implement such changes to the ISMS and the Security Management Plan and repeat the relevant Security Tests in accordance with the timetable agreed with the Customer or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the ISMS or Security Management Plan is to address a non-compliance with the Security Policy or security requirements (as set out in Annex 1 (Security) to this Call Off Schedule 7) or the requirements of this Call Off Schedule 7, the change to the ISMS or Security Management Plan shall be at no cost to the Customer.

6.5 If any repeat Security Test carried out pursuant to paragraph 6.4 of this Call Off Schedule 7 reveals an actual or potential Breach of Security exploiting the same root cause failure, such circumstance shall constitute a material Default of this Call Off Agreement.

7 ISMS COMPLIANCE

7.1 The Customer shall be entitled to carry out such security audits as it may reasonably deem necessary in order to ensure that the ISMS maintains compliance with the principles and practices of ISO 27001 and/or the Security Policy.

7.2 If, on the basis of evidence provided by such security audits, it is the Customer’s reasonable opinion that compliance with the principles and practices of ISO/IEC 27001 and/or the Security Policy is not being achieved by the Supplier, then the Customer shall notify the Supplier of the same and give the Supplier a reasonable time (having regard to the extent and criticality of any non-compliance and any other relevant circumstances) to implement and remedy. If the Supplier does not become compliant within the required time then the Customer shall have the right to obtain an independent audit against these standards in whole or in part.

7.3 If, as a result of any such independent audit as described in paragraph 7.2 of this Call Off Schedule 7 the Supplier is found to be non-compliant with the principles and practices of ISO/IEC 27001 and/or the Security Policy then the Supplier shall, at its own expense, undertake those actions required in order to achieve the necessary compliance and shall reimburse in full the costs incurred by the Customer in obtaining such audit.

8 BREACH OF SECURITY

8.1 Either Party shall notify the other in accordance with the agreed security incident management process as defined by the ISMS upon becoming aware of any breach of security or any potential or attempted Breach of Security.

8.2 Without prejudice to the security incident management process, upon becoming aware of any of the circumstances referred to in paragraph 8.1 of this Call Off Schedule 7, the Supplier shall:

8.2.1 immediately take all reasonable steps (which shall include any action or changes reasonably required by the Customer) necessary to:

(a) minimise the extent of actual or potential harm caused by any Breach of Security;

(b) remedy such Breach of Security or any potential or attempted Breach of Security in order to protect the integrity of the Customer Property and/or Customer Assets and/or ISMS to the extent that this is within the Supplier’s control;

(c) apply a tested mitigation against any such Breach of Security or attempted Breach of Security and provided that reasonable testing has been undertaken by the Supplier, if the mitigation adversely affects the Supplier’s ability to provide the Goods and/or Services so as to meet the relevant Service Level Performance Measures, the Supplier shall be granted relief against any resultant under-performance for such period as the Customer, acting reasonably, may specify by written notice to the Supplier;

(d) prevent a further Breach of Security or any potential or attempted Breach of Security in the future exploiting the same root cause failure; and

(e) supply any requested data to the Customer (or the Computer Emergency Response Team for UK Government (“GovCertUK”)) on the Customer’s request within two (2) Working Days and without charge (where such requests are reasonably related to a possible incident or compromise); and

(f) as soon as reasonably practicable provide to the Customer full details (using the reporting mechanism defined by the ISMS) of the Breach of Security or attempted Breach of Security, including a root cause analysis where required by the Customer.

8.3 In the event that any action is taken in response to a Breach of Security or potential or attempted Breach of Security that demonstrates non-compliance of the ISMS with the Security Policy or the requirements of this Call Off Schedule 7, then any required change to the ISMS shall be at no cost to the Customer.

9 VULNERABILITIES AND CORRECTIVE ACTION

9.1 The Customer and the Supplier acknowledge that from time to time vulnerabilities in the ICT Environment will be discovered which unless mitigated will present an unacceptable risk to the Customer’s information.

9.2 The severity of threat vulnerabilities for Supplier COTS Software and Third Party COTS Software shall be categorised by the Supplier as ‘Critical’, ‘Important’ and ‘Other’ by aligning these categories to the vulnerability scoring according to the agreed method in the ISMS and using the appropriate vulnerability scoring systems including:

9.2.1 the ‘National Vulnerability Database’ ‘Vulnerability Severity Ratings’: ‘High’, ‘Medium’ and ‘Low’ respectively (these in turn are aligned to CVSS scores as set out by NIST http://nvd.nist.gov/cvss.cfm); and

9.2.2 Microsoft’s ‘Security Bulletin Severity Rating System’ ratings ‘Critical’, ‘Important’, and the two remaining levels (‘Moderate’ and ‘Low’) respectively.

9.3 The Supplier shall procure the application of security patches to vulnerabilities within a maximum period from the public release of such patches with those vulnerabilities categorised as ‘Critical’ within 14 days of release, ‘Important’ within 30 days of release and all ‘Other’ within 60 Working Days of release, except where:

9.3.1 the Supplier can demonstrate that a vulnerability is not exploitable within the context of any Service (e.g. because it resides in a software component which is not running in the service) provided vulnerabilities which the Supplier asserts cannot be exploited within the context of a Service must be remedied by the Supplier within the above timescales if the vulnerability becomes exploitable within the context of the Service;

9.3.2 the application of a ‘Critical’ or ‘Important’ security patch adversely affects the Supplier’s ability to deliver the Services in which case the Supplier shall be granted an extension to such timescales of 5 days, provided the Supplier had followed and continues to follow the security patch test plan agreed with the Customer; or

9.3.3 the Customer agrees a different maximum period after a case-by-case consultation with the Supplier under the processes defined in the ISMS.

9.4 The Supplier Solution and Implementation Plan shall include provisions for major version upgrades of all Supplier COTS Software and Third Party COTS Software to be upgraded within 6 months of the release of the latest version, such that it is no more than one major version level below the latest release (normally codified as running software no older than the ‘n-1 version’) throughout the Term unless:

9.4.1 where upgrading such Supplier COTS Software and Third Party COTS Software reduces the level of mitigations for known threats, vulnerabilities or exploitation techniques, provided always that such upgrade is made within 12 months of release of the latest version; or

9.4.2 is agreed with the Customer in writing.

9.5 The Supplier shall:

9.5.1 implement a mechanism for receiving, analysing and acting upon threat information supplied by GovCertUK, or any other competent Central Government Body;

9.5.2 ensure that the ICT Environment (to the extent that the ICT Environment is within the control of the Supplier) is monitored to facilitate the detection of anomalous behaviour that would be indicative of system compromise;

9.5.3 ensure it is knowledgeable about the latest trends in threat, vulnerability and exploitation that are relevant to the ICT Environment by actively monitoring the threat landscape during the Call Off Agreement Period;

9.5.4 pro-actively scan the ICT Environment (to the extent that the ICT Environment is within the control of the Supplier) for vulnerable components and address discovered vulnerabilities through the processes described in the ISMS as developed under Paragraph 3.3.5;

9.5.5 from the date specified in the Security Management Plan provide a report to the Customer within five (5) Working Days of the end of each month detailing both patched and outstanding vulnerabilities in the ICT Environment (to the extent that the ICT Environment is within the control of the Supplier) and any elapsed time between the public release date of patches and either time of application or for outstanding vulnerabilities the time of issue of such report;

9.5.6 propose interim mitigation measures to vulnerabilities in the ICT Environment known to be exploitable where a security patch is not immediately available;

9.5.7 remove or disable any extraneous interfaces, services or capabilities that are not needed for the provision of the Services (in order to reduce the attack surface of the ICT Environment); and

9.5.8 inform the Customer when it becomes aware of any new threat, vulnerability or exploitation technique that has the potential to affect the security of the ICT Environment and provide initial indications of possible mitigations.

9.6 If the Supplier is unlikely to be able to mitigate the vulnerability within the timescales under this Paragraph 9, the Supplier shall immediately notify the Customer.

9.7 A failure to comply with Paragraph 9.3 shall constitute a Notifiable Default, and the Supplier shall comply with the Rectification Plan Process.

ANNEX 1: BASELINE SECURITY REQUIREMENTS

1 HIGHER CLASSIFICATIONS

1.1 The Supplier shall not handle Customer information classified SECRET or TOP SECRET except if there is a specific requirement and in this case prior to receipt of such information the Supplier shall seek additional specific guidance from the Customer.

2 END USER DEVICES

2.1 When Customer Data resides on a mobile, removable or physically uncontrolled device it must be stored encrypted using a product or system component which has been formally assured through a recognised certification process of the UK Government Communications Electronics Security Group (“CESG”) to at least Foundation Grade, for example, under the CESG Commercial Product Assurance scheme (“CPA”).

2.2 Devices used to access or manage Customer Data and services must be under the management authority of Customer or Supplier and have a minimum set of security policy configuration enforced. These devices must be placed into a ‘known good’ state prior to being provisioned into the management authority of the Customer. Unless otherwise agreed with the Customer in writing, all Supplier devices are expected to meet the set of security requirements set out in the CESG End User Devices Platform Security Guidance (https://www.gov.uk/government/collections/end-user-devices-security-guidance--2). Where the guidance highlights shortcomings in a particular platform the Supplier may wish to use, then these should be discussed with the Customer and a joint decision shall be taken on whether the residual risks are acceptable. Where the Supplier wishes to deviate from the CESG guidance, then this should be agreed in writing on a case by case basis with the Customer.

3 DATA PROCESSING, STORAGE, MANAGEMENT AND DESTRUCTION

3.1 The Supplier and Customer recognise the need for the Customer’s information to be safeguarded under the UK Data Protection regime or a similar regime. To that end, the Supplier must be able to state to the Customer the physical locations in which data may be stored, processed and managed from, and what legal and regulatory frameworks Customer Data will be subject to at all times.

3.2 The Supplier shall agree any change in location of data storage, processing and administration with the Customer in advance where the proposed location is outside the UK. Such approval shall not be unreasonably withheld or delayed unless specified otherwise in this Agreement and provided that storage, processing and management of any Customer Data is only carried out offshore within:

3.2.1 the European Economic Area (EEA);

3.2.2 in the US if the Supplier and/or any relevant Sub-Contractor have signed up to the US-EU Privacy Shield Register; or

3.2.3 in another country or territory outside the EEA if that country or territory ensures an adequate level of protection by reason of its domestic law or of the international commitments it has entered into which have been defined as adequate by the EU Commission.

3.3 The Supplier shall:

3.3.1 provide the Customer with all Customer Data on demand in an agreed open format;

3.3.2 have documented processes to guarantee availability of Customer Data in the event of the Supplier ceasing to trade;

3.3.3 securely destroy all media that has held Customer Data at the end of life of that media in line with Good Industry Practice; and

3.3.4 securely erase any or all Customer Data held by the Supplier when requested to do so by the Customer.

4 NETWORKING

4.1 The Customer requires that any Customer Data transmitted over any public network (including the Internet, mobile networks or un-protected enterprise network) or to a mobile device must be encrypted using a product or system component which has been formally assured through a certification process recognised by CESG, to at least Foundation Grade, for example, under CPA or through the use of pan-government accredited encrypted networking services via the Public Sector Network (“PSN”) framework (which makes use of Foundation Grade certified products).

4.2 The Customer requires that the configuration and use of all networking equipment to provide the Services, including those that are located in secure physical locations, are at least compliant with Good Industry Practice.

5 SECURITY ARCHITECTURES

5.1 The Supplier shall apply the ‘principle of least privilege’ (the practice of limiting systems, processes and user access to the minimum possible level) to the design and configuration of IT systems which will process or store Customer Data.

5.2 When designing and configuring the ICT Environment (to the extent that the ICT Environment is within the control of the Supplier) the Supplier shall follow Good Industry Practice and seek guidance from recognised security professionals with the appropriate skills and/or a CESG Certified Professional certification (http://www.cesg.gov.uk/awarenesstraining/IA-certification/Pages/index.aspx) for all bespoke or complex components of the ICT Environment (to the extent that the ICT Environment is within the control of the Supplier).

6 PERSONNEL SECURITY

6.1 Supplier Personnel shall be subject to pre-employment checks that include, as a minimum: identity, unspent criminal convictions and right to work.

6.2 The Supplier shall agree on a case by case basis Supplier Personnel roles which require specific government clearances (such as ‘SC’) including system administrators with privileged access to IT systems which store or process Customer Data.

6.3 The Supplier shall prevent Supplier Personnel who are unable to obtain the required security clearances from accessing systems which store, process, or are used to manage Customer Data except where agreed with the Customer in writing.

6.4 All Supplier Personnel that have the ability to access Customer Data or systems holding Customer Data shall undergo regular training on secure information management principles. Unless otherwise agreed with the Customer in writing, this training must be undertaken annually.

6.5 Where the Supplier or Sub-Contractors grants increased ICT privileges or access rights to Supplier Personnel, those Supplier Personnel shall be granted only those permissions necessary for them to carry out their duties. When staff no longer need elevated privileges or leave the organisation, their access rights shall be revoked within one (1) Working Day.

7 IDENTITY, AUTHENTICATION AND ACCESS CONTROL

7.1 The Supplier shall operate an access control regime to ensure all users and administrators of the ICT Environment (to the extent that the ICT Environment is within the control of the Supplier) are uniquely identified and authenticated when accessing or administering the Services. Applying the ‘principle of least privilege’, users and administrators shall be allowed access only to those parts of the ICT Environment that they require. The Supplier shall retain an audit record of accesses.

8 AUDIT AND MONITORING

8.1 The Supplier shall collect audit records which relate to security events in the systems or that would support the analysis of potential and actual compromises. In order to facilitate effective monitoring and forensic readiness such Supplier audit records should (as a minimum) include:

8.1.1 Logs to facilitate the identification of the specific asset which makes every outbound request external to the ICT Environment (to the extent that the ICT Environment is within the control of the Supplier). To the extent the design of the Goods and/or Services allows such logs shall include those from DHCP servers, HTTP/HTTPS proxy servers, firewalls and routers.

8.1.2 Security events generated in the ICT Environment (to the extent that the ICT Environment is within the control of the Supplier) and shall include: privileged account logon and logoff events, the start and termination of remote access sessions, security alerts from desktops and server operating systems and security alerts from third party security software.

8.2 The Supplier and the Customer shall work together to establish any additional audit and monitoring requirements for the ICT Environment.

8.3 The Supplier shall retain audit records collected in compliance with this Paragraph 8 for a period of at least 6 months.

[CALL OFF SCHEDULE 8: BUSINESS CONTINUITY AND DISASTER RECOVERY]

OPTIONAL SCHEDULE – SEE OPTIONAL CLAUSE 15 – BUSINESS CONTINUITY AND DISASTER RECOVERY

1 DEFINITIONS

1.1 In this Call Off Schedule 8, the following definitions shall apply:

Business Continuity Plan: has the meaning given to it in paragraph 2.2.1(b) of this Call Off Schedule 8;

Disaster Recovery Plan: has the meaning given to it in paragraph 2.2.1(c) of this Call Off Schedule 8;

Disaster Recovery System: means the system embodied in the processes and procedures for restoring the provision of Goods and/or Services following the occurrence of a disaster;

Review Report: has the meaning given to it in paragraph 6.2 of this Call Off Schedule 8;

Supplier’s Proposals: has the meaning given to it in paragraph 6.2.3 of this Call Off Schedule 8;

2 BCDR PLAN

2.1 Within thirty (30) Working Days from the Call Off Commencement Date the Supplier shall prepare and deliver to the Customer for the Customer’s written approval a plan, which shall detail the processes and arrangements that the Supplier shall follow to:

2.1.1 ensure continuity of the business processes and operations supported by the Services following any failure or disruption of any element of the Goods and/or Services; and

2.1.2 the recovery of the Goods and/or Services in the event of a Disaster.

2.2 The BCDR Plan shall:

2.2.1 be divided into three parts:

(a) Part A which shall set out general principles applicable to the BCDR Plan;

(b) Part B which shall relate to business continuity (the “Business Continuity Plan”); and

(c) Part C which shall relate to disaster recovery (the “Disaster Recovery Plan”); and

2.2.2 unless otherwise required by the Customer in writing, be based upon and be consistent with the provisions of paragraphs 3, 4 and 5.

2.3 Following receipt of the draft BCDR Plan from the Supplier, the Customer shall:

2.3.1 review and comment on the draft BCDR Plan as soon as reasonably practicable; and

2.3.2 notify the Supplier in writing that it approves or rejects the draft BCDR Plan no later than twenty (20) Working Days after the date on which the draft BCDR Plan is first delivered to the Customer.

2.4 If the Customer rejects the draft BCDR Plan:

2.4.1 the Customer shall inform the Supplier in writing of its reasons for its rejection; and

2.4.2 the Supplier shall then revise the draft BCDR Plan (taking reasonable account of the Customer’s comments) and shall re-submit a revised draft BCDR Plan to the Customer for the Customer’s approval within twenty (20) Working Days of the date of the Customer’s notice of rejection. The provisions of paragraphs 2.3 and 2.4 of this Call Off Schedule 8 shall apply again to any resubmitted draft BCDR Plan, provided that either Party may refer any disputed matters for resolution by the Dispute Resolution Procedure at any time.

3 PART A OF THE BCDR PLAN AND GENERAL PRINCIPLES AND REQUIREMENTS

3.1 Part A of the BCDR Plan shall:

3.1.1 set out how the business continuity and disaster recovery elements of the BCDR Plan link to each other;

3.1.2 provide details of how the invocation of any element of the BCDR Plan may impact upon the operation of the provision of the Goods and/or Services and any goods and/or services provided to the Customer by a Related Supplier;

3.1.3 contain an obligation upon the Supplier to liaise with the Customer and (at the Customer’s request) any Related Suppliers with respect to issues concerning business continuity and disaster recovery where applicable;

3.1.4 detail how the BCDR Plan links and interoperates with any overarching and/or connected disaster recovery or business continuity plan of the Customer and any of its other Related Suppliers in each case as notified to the Supplier by the Customer from time to time;

3.1.5 contain a communication strategy including details of an incident and problem management service and advice and help desk facility which can be accessed via multi-channels (including but without limitation a web-site (with FAQs), e-mail, phone and fax) for both portable and desk top configurations, where required by the Customer;

3.1.6 contain a risk analysis, including:

(a) failure or disruption scenarios and assessments and estimates of frequency of occurrence;

(b) identification of any single points of failure within the provision of Goods and/or Services and processes for managing the risks arising therefrom;

(c) identification of risks arising from the interaction of the provision of Goods and/or Services with the goods and/or services provided by a Related Supplier; and

(d) a business impact analysis (detailing the impact on business processes and operations) of different anticipated failures or disruptions;

3.1.7 provide for documentation of processes, including business processes, and procedures;

3.1.8 set out key contact details (including roles and responsibilities) for the Supplier (and any Sub-Contractors) and for the Customer;

3.1.9 identify the procedures for reverting to “normal service”;

3.1.10 set out method(s) of recovering or updating data collected (or which ought to have been collected) during a failure or disruption to ensure that there is no more than the accepted amount of data loss and to preserve data integrity;

3.1.11 identify the responsibilities (if any) that the Customer has agreed it will assume in the event of the invocation of the BCDR Plan; and

3.1.12 provide for the provision of technical advice and assistance to key contacts at the Customer as notified by the Customer from time to time to inform decisions in support of the Customer’s business continuity plans.

3.2 The BCDR Plan shall be designed so as to ensure that:

3.2.1 the Goods and/or Services are provided in accordance with this Call Off Agreement at all times during and after the invocation of the BCDR Plan;

3.2.2 the adverse impact of any Disaster, service failure, or disruption on the operations of the Customer is minimal as far as reasonably possible;

3.2.3 it complies with the relevant provisions of ISO/IEC 27002 and all other industry standards from time to time in force; and

3.2.4 there is a process for the management of disaster recovery testing detailed in the BCDR Plan.

3.3 The BCDR Plan shall be upgradeable and sufficiently flexible to support any changes to the Goods and/or Services or to the business processes facilitated by and the business operations supported by the provision of Goods and/or Services.

3.4 The Supplier shall not be entitled to any relief from its obligations under the Service Levels or to any increase in the Charges to the extent that a Disaster occurs as a consequence of any breach by the Supplier of this Call Off Agreement.

4 BUSINESS CONTINUITY PLAN - PRINCIPLES AND CONTENTS

4.1 The Business Continuity Plan shall set out the arrangements that are to be invoked to ensure that the business processes and operations facilitated by the provision of Goods and/or Services remain supported and to ensure continuity of the business operations supported by the Services including, unless the Customer expressly states otherwise in writing:

4.1.1 the alternative processes (including business processes), options and responsibilities that may be adopted in the event of a failure in or disruption to the provision of Goods and/or Services; and

4.1.2 the steps to be taken by the Supplier upon resumption of the provision of Goods and/or Services in order to address any prevailing effect of the failure or disruption including a root cause analysis of the failure or disruption.

4.2 The Business Continuity Plan shall:

4.2.1 address the various possible levels of failures of or disruptions to the provision of Goods and/or Services;

4.2.2 set out the goods and/or services to be provided and the steps to be taken to remedy the different levels of failures of and disruption to the Goods and/or Services (such goods and/or services and steps, the “Business Continuity Goods and/or Services”);

4.2.3 specify any applicable Service Levels with respect to the provision of the Business Continuity Services and details of any agreed relaxation to the Service Levels in respect of the provision of other Goods and/or Services during any period of invocation of the Business Continuity Plan; and

4.2.4 clearly set out the conditions and/or circumstances under which the Business Continuity Plan is invoked.

5 DISASTER RECOVERY PLAN - PRINCIPLES AND CONTENTS

5.1 The Disaster Recovery Plan shall be designed so as to ensure that upon the occurrence of a Disaster the Supplier ensures continuity of the business operations of the Customer supported by the Services following any Disaster or during any period of service failure or disruption with, as far as reasonably possible, minimal adverse impact.

5.2 The Disaster Recovery Plan shall be invoked only upon the occurrence of a Disaster.

5.3 The Disaster Recovery Plan shall include the following:

5.3.1 the technical design and build specification of the Disaster Recovery System;

5.3.2 details of the procedures and processes to be put in place by the Supplier in relation to the Disaster Recovery System and the provision of the Disaster Recovery Services and any testing of the same including but not limited to the following:

(a) data centre and disaster recovery site audits;

(b) backup methodology and details of the Supplier’s approach to data back-up and data verification;

(c) identification of all potential disaster scenarios;

(d) risk analysis;

(e) documentation of processes and procedures;

(f) hardware configuration details;

(g) network planning including details of all relevant data networks and communication links;

(h) invocation rules;

(i) Service recovery procedures; and

(j) steps to be taken upon resumption of the provision of Goods and/or Services to address any prevailing effect of the failure or disruption of the provision of Goods and/or Services;

5.3.3 any applicable Service Levels with respect to the provision of the Disaster Recovery Services and details of any agreed relaxation to the Service Levels in respect of the provision of other Goods and/or Services during any period of invocation of the Disaster Recovery Plan;

5.3.4 details of how the Supplier shall ensure compliance with security standards ensuring that compliance is maintained for any period during which the Disaster Recovery Plan is invoked;

5.3.5 access controls to any disaster recovery sites used by the Supplier in relation to its obligations pursuant to this Schedule 8; and

5.3.6 testing and management arrangements.

6 REVIEW AND AMENDMENT OF THE BCDR PLAN

6.1 The Supplier shall review the BCDR Plan (and the risk analysis on which it is based):

6.1.1 on a regular basis and as a minimum once every six (6) months;

6.1.2 within three calendar months of the BCDR Plan (or any part) having been invoked pursuant to paragraph 7; and

6.1.3 where the Customer requests any additional reviews (over and above those provided for in paragraphs 6.1.1 and 6.1.2 of this Call Off Schedule 8) by notifying the Supplier to such effect in writing, whereupon the Supplier shall conduct such reviews in accordance with the Customer’s written requirements. Prior to starting its review, the Supplier shall provide an accurate written estimate of the total costs payable by the Customer for the Customer’s approval. The costs of both Parties of any such additional reviews shall be met by the Customer except that the Supplier shall not be entitled to charge the Customer for any costs that it may incur above any estimate without the Customer’s prior written approval.

6.2 Each review of the BCDR Plan pursuant to paragraph 6.1 of this Call Off Schedule 8 shall be a review of the procedures and methodologies set out in the BCDR Plan and shall assess their suitability having regard to any change to the Goods and/or Services or any underlying business processes and operations facilitated by or supported by the Services which have taken place since the later of the original approval of the BCDR Plan or the last review of the BCDR Plan and shall also have regard to any occurrence of any event since that date (or the likelihood of any such event taking place in the foreseeable future) which may increase the likelihood of the need to invoke the BCDR Plan. The review shall be completed by the Supplier within the period required by the BCDR Plan or, if no such period is required, within such period as the Customer shall reasonably require. The Supplier shall, within twenty (20) Working Days of the conclusion of each such review of the BCDR Plan, provide to the Customer a report (a “Review Report”) setting out:

6.2.1 the findings of the review;

6.2.2 any changes in the risk profile associated with the provision of Goods and/or Services; and

6.2.3 the Supplier’s proposals (the “Supplier’s Proposals”) for addressing any changes in the risk profile and its proposals for amendments to the BCDR Plan following the review detailing the impact (if any and to the extent that the Supplier can reasonably be expected to be aware of the same) that the implementation of such proposals may have on any goods, services or systems provided by a third party.

6.3 Following receipt of the Review Report and the Supplier’s Proposals, the Customer shall:

6.3.1 review and comment on the Review Report and the Supplier’s Proposals as soon as reasonably practicable; and

6.3.2 notify the Supplier in writing that it approves or rejects the Review Report and the Supplier’s Proposals no later than twenty (20) Working Days after the date on which they are first delivered to the Customer.

6.4 If the Customer rejects the Review Report and/or the Supplier’s Proposals:

6.4.1 the Customer shall inform the Supplier in writing of its reasons for its rejection; and

6.4.2 the Supplier shall then revise the Review Report and/or the Supplier’s Proposals as the case may be (taking reasonable account of the Customer’s comments and carrying out any necessary actions in connection with the revision) and shall re-submit a revised Review Report and/or revised Supplier’s Proposals to the Customer for the Customer’s approval within twenty (20) Working Days of the date of the Customer’s notice of rejection. The provisions of paragraphs 6.3 and 6.4 of this Call Off Schedule 8 shall apply again to any resubmitted Review Report and Supplier’s Proposals, provided that either Party may refer any disputed matters for resolution by the Dispute Resolution Procedure at any time.

6.5 The Supplier shall as soon as is reasonably practicable after receiving the Customer’s approval of the Supplier’s Proposals (having regard to the significance of any risks highlighted in the Review Report) effect any change in its practices or procedures necessary so as to give effect to the Supplier’s Proposals. Any such change shall be at the Supplier’s expense unless it can be reasonably shown that the changes are required because of a material change to the risk profile of the Goods and/or Services.

7 TESTING OF THE BCDR PLAN

7.1 The Supplier shall test the BCDR Plan on a regular basis (and in any event not less than once in every Contract Year). Subject to paragraph 7.2 of this Call Off Schedule 8, the Customer may require the Supplier to conduct additional tests of some or all aspects of the BCDR Plan at any time where the Customer considers it necessary, including where there has been any change to the Goods and/or Services or any underlying business processes, or on the occurrence of any event which may increase the likelihood of the need to implement the BCDR Plan.

7.2 If the Customer requires an additional test of the BCDR Plan, it shall give the Supplier written notice and the Supplier shall conduct the test in accordance with the Customer’s requirements and the relevant provisions of the BCDR Plan. The Supplier’s costs of the additional test shall be borne by the Customer unless the BCDR Plan fails the additional test in which case the Supplier’s costs of that failed test shall be borne by the Supplier.

7.3 The Supplier shall undertake and manage testing of the BCDR Plan in full consultation with the Customer and shall liaise with the Customer in respect of the planning, performance, and review, of each test, and shall comply with the reasonable requirements of the Customer in this regard. Each test shall be carried out under the supervision of the Customer or its nominee.

7.4 The Supplier shall ensure that any use by it or any Sub-Contractor of “live” data in such testing is first approved with the Customer. Copies of live test data used in any such testing shall be (if so required by the Customer) destroyed or returned to the Customer on completion of the test.

7.5 The Supplier shall, within twenty (20) Working Days of the conclusion of each test, provide to the Customer a report setting out:

7.5.1 the outcome of the test;

7.5.2 any failures in the BCDR Plan (including the BCDR Plan’s procedures) revealed by the test; and

7.5.3 the Supplier’s proposals for remedying any such failures.

7.6 Following each test, the Supplier shall take all measures requested by the Customer, (including requests for the re-testing of the BCDR Plan) to remedy any failures in the BCDR Plan and such remedial activity and re-testing shall be completed by the Supplier, at no additional cost to the Customer, by the date reasonably required by the Customer and set out in such notice.

7.7 For the avoidance of doubt, the carrying out of a test of the BCDR Plan (including a test of the BCDR Plan’s procedures) shall not relieve the Supplier of any of its obligations under this Call Off Agreement.

7.8 The Supplier shall also perform a test of the BCDR Plan in the event of any major reconfiguration of the Goods and/or Services or as otherwise reasonably requested by the Customer.

8 INVOCATION OF THE BCDR PLAN

8.1 In the event of a complete loss of service or in the event of a Disaster, the Supplier shall immediately invoke the BCDR Plan (and shall inform the Customer promptly of such invocation). In all other instances the Supplier shall invoke or test the BCDR Plan only with the prior consent of the Customer.

[CALL OFF SCHEDULE 9: EXIT MANAGEMENT]

OPTIONAL SCHEDULE – SEE OPTIONAL CLAUSE 45.5 – EXIT MANAGEMENT

1 DEFINITIONS

1.1 In this Call Off Schedule 9, the following definitions shall apply:

Exclusive Assets: means those Supplier Assets used by the Supplier or a Key Sub-Contractor which are used exclusively in the provision of the Goods and/or Services;

Exit Information: has the meaning given to it in paragraph 4.1 of this Call Off Schedule 9;

Exit Manager: means the person appointed by each Party pursuant to paragraph 3.4 of this Call Off Schedule 9 for managing the Parties’ respective obligations under this Call Off Schedule 9;

Net Book Value: means the net book value of the relevant Supplier Asset(s) calculated in accordance with the depreciation policy of the Supplier set out in the letter in the agreed form from the Supplier to the Customer of even date with this Call Off Agreement;

Non-Exclusive Assets: means those Supplier Assets (if any) which are used by the Supplier or a Key Sub-Contractor in connection with the Goods and/or Services but which are also used by the Supplier or Key Sub-Contractor for other purposes;

Registers: means the register and configuration database referred to in paragraphs 3.1.1 and 3.1.2 of this Call Off Schedule 9;

Termination Assistance: means the activities to be performed by the Supplier pursuant to the Exit Plan, and any other assistance required by the Customer pursuant to the Termination Assistance Notice;

Termination Assistance Notice: has the meaning given to it in paragraph 6.1 of this Call Off Schedule 9;

Termination Assistance Period: means in relation to a Termination Assistance Notice, the period specified in the Termination Assistance Notice for which the Supplier is required to provide the Termination Assistance as such period may be extended pursuant to paragraph 6.2 of this Call Off Schedule 9;

Transferable Assets: means those of the Exclusive Assets which are capable of legal transfer to the Customer;

Transferable Contracts: means the Sub-Contracts, licences for Supplier’s Software, licences for Third Party Software or other agreements which are necessary to enable the Customer or any Replacement Supplier to provide the Goods and/or Services or the Replacement Goods and/or Replacement Services, including in relation to licences all relevant Documentation;

Transferring Assets: has the meaning given to it in paragraph 9.2.1 of this Call Off Schedule 9;

Transferring Contracts: has the meaning given to it in paragraph 9.2.3 of this Call Off Schedule 9.

2 INTRODUCTION

2.1 This Call Off Schedule 9 describes provisions that should be included in the Exit Plan, the duties and responsibilities of the Supplier to the Customer leading up to and covering the Call Off Expiry Date and the transfer of service provision to the Customer and/or a Replacement Supplier.

2.2 The objectives of the exit planning and service transfer arrangements are to ensure a smooth transition of the availability of the Goods and/or Services from the Supplier to the Customer and/or a Replacement Supplier at the Call Off Expiry Date.

3 OBLIGATIONS DURING THE CALL OFF AGREEMENT PERIOD TO FACILITATE EXIT

3.1 During the Call Off Agreement Period, the Supplier shall:

3.1.1 create and maintain a Register of all:

(a) Supplier Assets, detailing their:

(i) make, model and asset number;

(ii) ownership and status as either Exclusive Assets or Non-Exclusive Assets;

(iii) Net Book Value;

(iv) condition and physical location; and

(v) use (including technical specifications); and

(b) Sub-Contracts and other relevant agreements (including relevant software licences, maintenance and support agreements and equipment rental and lease agreements) required for the performance of the Goods and/or Services;

3.1.2 create and maintain a configuration database detailing the technical infrastructure and operating procedures through which the Supplier provides the Goods and/or Services, which shall contain sufficient detail to permit the Customer and/or Replacement Supplier to understand how the Supplier provides the Goods and/or Services and to enable the smooth transition of the Goods and/or Services with the minimum of disruption;

3.1.3 agree the format of the Registers with the Customer as part of the process of agreeing the Exit Plan; and

3.1.4 at all times keep the Registers up to date, in particular in the event that Assets, Sub-Contracts or other relevant agreements are added to or removed from the Goods and/or Services.

3.2 The Supplier shall:

3.2.1 procure that all Exclusive Assets listed in the Registers are clearly marked to identify that they are exclusively used for the provision of the Goods and/or Services under this Call Off Agreement; and

3.2.2 (unless otherwise agreed by the Customer in writing) procure that all licences for Third Party Software and all Sub-Contracts shall be assignable and/or capable of novation at the request of the Customer to the Customer (and/or its nominee) and/or any Replacement Supplier upon the Supplier ceasing to provide the Goods and/or Services (or part of them) without restriction (including any need to obtain any consent or approval) or payment by the Customer.

3.3 Where the Supplier is unable to procure that any Sub-Contract or other agreement referred to in paragraph 3.2.2 of this Call Off Schedule 9 which the Supplier proposes to enter into after the Call Off Commencement Date is assignable and/or capable of novation to the Customer (and/or its nominee) and/or any Replacement Supplier without restriction or payment, the Supplier shall promptly notify the Customer of this and the Parties shall (acting reasonably and without undue delay) discuss the appropriate action to be taken which, where the Customer so directs, may include the Supplier seeking an alternative Sub-Contractor or provider of goods and/or services to which the relevant agreement relates.

3.4 Each Party shall appoint a person for the purposes of managing the Parties’ respective obligations under this Call Off Schedule 9 and provide written notification of such appointment to the other Party within three (3) months of the Call Off Commencement Date. The Supplier’s Exit Manager shall be responsible for ensuring that the Supplier and its employees, agents and Sub-Contractors comply with this Call Off Schedule 9. The Supplier shall ensure that its Exit Manager has the requisite authority to arrange and procure any resources of the Supplier as are reasonably necessary to enable the Supplier to comply with the requirements set out in this Call Off Schedule 9. The Parties’ Exit Managers will liaise with one another in relation to all issues relevant to the termination of this Call Off Agreement and all matters connected with this Call Off Schedule 9 and each Party’s compliance with it.

4 OBLIGATIONS TO ASSIST ON RE-TENDERING OF GOODS AND/OR SERVICES

4.1 On reasonable notice at any point during the Call Off Agreement Period, the Supplier shall provide to the Customer and/or its potential Replacement Suppliers (subject to the potential Replacement Suppliers entering into reasonable written confidentiality undertakings), the following material and information in order to facilitate the preparation by the Customer of any invitation to tender and/or to facilitate any potential Replacement Suppliers undertaking due diligence:

4.1.1 details of the Service(s);

4.1.2 a copy of the Registers, updated by the Supplier up to the date of delivery of such Registers;

4.1.3 an inventory of Customer Data in the Supplier’s possession or control;

4.1.4 details of any key terms of any third party contracts and licences, particularly as regards charges, termination, assignment and novation;

4.1.5 a list of on-going and/or threatened disputes in relation to the provision of the Goods and/or Services;

4.1.6 all information relating to Transferring Supplier Employees or those who may be Transferring Supplier Employees required to be provided by the Supplier under this Call Off Agreement, such information to include the Staffing Information as defined in Schedule 10 (Staff Transfer); and

4.1.7 such other material and information as the Customer shall reasonably require, (together, the “Exit Information”).

4.2 The Supplier acknowledges that the Customer may disclose the Supplier’s Confidential Information to an actual or prospective Replacement Supplier or any third party whom the Customer is considering engaging to the extent that such disclosure is necessary in connection with such engagement (except that the Customer may not under this paragraph 4.2 of this Call Off Schedule 9 disclose any Supplier’s Confidential Information which is information relating to the Supplier’s or its Sub-Contractors’ prices or costs).

4.3 The Supplier shall:

4.3.1 notify the Customer within five (5) Working Days of any material change to the Exit Information which may adversely impact upon the provision of any Goods and/or Services and shall consult with the Customer regarding such proposed material changes; and

4.3.2 provide complete updates of the Exit Information on an as-requested basis as soon as reasonably practicable and in any event within ten (10) Working Days of a request in writing from the Customer.

4.4 The Supplier may charge the Customer for its reasonable additional costs to the extent the Customer requests more than four (4) updates in any six (6) month period.

4.5 The Exit Information shall be accurate and complete in all material respects and the level of detail to be provided by the Supplier shall be such as would be reasonably necessary to enable a third party to:

4.5.1 prepare an informed offer for those Goods and/or Services; and

4.5.2 not be disadvantaged in any subsequent procurement process compared to the Supplier (if the Supplier is invited to participate).

5 EXIT PLAN

5.1 The Supplier shall, within three (3) months after the Call Off Commencement Date, deliver to the Customer an Exit Plan which:

5.1.1 sets out the Supplier’s proposed methodology for achieving an orderly transition of the Goods and/or Services from the Supplier to the Customer and/or its Replacement Supplier on the expiry or termination of this Call Off Agreement;

5.1.2 complies with the requirements set out in paragraph 5.3 of this Call Off Schedule 9;

5.1.3 is otherwise reasonably satisfactory to the Customer.

5.2 The Parties shall use reasonable endeavours to agree the contents of the Exit Plan. If the Parties are unable to agree the contents of the Exit Plan within twenty (20) Working Days of its submission, then such Dispute shall be resolved in accordance with the Dispute Resolution Procedure.

5.3 Unless otherwise specified by the Customer or Approved, the Exit Plan shall set out, as a minimum:

5.3.1 how the Exit Information is obtained;

5.3.2 the management structure to be employed during both transfer and cessation of the Goods and/or Services;

5.3.3 the management structure to be employed during the Termination Assistance Period;

5.3.4 a detailed description of both the transfer and cessation processes, including a timetable;

5.3.5 how the Goods and/or Services will transfer to the Replacement Supplier and/or the Customer, including details of the processes, documentation, data transfer, systems migration, security and the segregation of the Customer’s technology components from any technology components operated by the Supplier or its Sub-Contractors (where applicable);

5.3.6 details of contracts (if any) which will be available for transfer to the Customer and/or the Replacement Supplier upon the Call Off Expiry Date together with any reasonable costs required to effect such transfer (and the Supplier agrees that all assets and contracts used by the Supplier in connection with the provision of the Goods and/or Services will be available for such transfer);

5.3.7 proposals for the training of key members of the Replacement Supplier’s personnel in connection with the continuation of the provision of the Goods and/or Services following the Call Off Expiry Date charged at rates agreed between the Parties at that time;

5.3.8 proposals for providing the Customer or a Replacement Supplier copies of all documentation:

(a) used in the provision of the Goods and/or Services and necessarily required for the continued use thereof, in which the Intellectual Property Rights are owned by the Supplier; and

(b) relating to the use and operation of the Goods and/or Services;

5.3.9 proposals for the assignment or novation of the provision of all services, leases, maintenance agreements and support agreements utilised by the Supplier in connection with the performance of the supply of the Goods and/or Services;

5.3.10 proposals for the identification and return of all Customer Property in the possession of and/or control of the Supplier or any third party (including any Sub-Contractor);

5.3.11 proposals for the disposal of any redundant Goods and/or Services and materials;

5.3.12 procedures to:

(a) deal with requests made by the Customer and/or a Replacement Supplier for Staffing Information pursuant to Call Off Schedule 10 (Staff Transfer);

(b) determine which Supplier Personnel are or are likely to become Transferring Supplier Employees; and

(c) identify or develop any measures for the purpose of the Employment Regulations envisaged in respect of Transferring Supplier Employees;

5.3.13 how each of the issues set out in this Call Off Schedule 9 will be addressed to facilitate the transition of the Goods and/or Services from the Supplier to the Replacement Supplier and/or the Customer with the aim of ensuring that there is no disruption to or degradation of the Goods and/or Services during the Termination Assistance Period; and

5.3.14 proposals for the supply of any other information or assistance reasonably required by the Customer or a Replacement Supplier in order to effect an orderly handover of the provision of the Goods and/or Services.

6 TERMINATION ASSISTANCE

6.1 The Customer shall be entitled to require the provision of Termination Assistance at any time during the Call Off Agreement Period by giving written notice to the Supplier (a “Termination Assistance Notice”) at least four (4) months prior to the Call Off Expiry Date or as soon as reasonably practicable (but in any event, not later than one (1) month) following the service by either Party of a Termination Notice. The Termination Assistance Notice shall specify:

6.1.1 the date from which Termination Assistance is required;

6.1.2 the nature of the Termination Assistance required; and

6.1.3 the period during which it is anticipated that Termination Assistance will be required, which shall continue no longer than twelve (12) months after the date that the Supplier ceases to provide the Goods and/or Services.

6.2 The Customer shall have an option to extend the Termination Assistance Period beyond the period specified in the Termination Assistance Notice provided that such extension shall not extend for more than six (6) months after the date the Supplier ceases to provide the Goods and/or Services or, if applicable, beyond the end of the Termination Assistance Period and provided that it shall notify the Supplier to such effect no later than twenty (20) Working Days prior to the date on which the provision of Termination Assistance is otherwise due to expire. The Customer shall have the right to terminate its requirement for Termination Assistance by serving not less than twenty (20) Working Days’ written notice upon the Supplier to such effect.

7 TERMINATION ASSISTANCE PERIOD

7.1 Throughout the Termination Assistance Period, or such shorter period as the Customer may require, the Supplier shall:

7.1.1 continue to provide the Goods and/or Services (as applicable) and, if required by the Customer pursuant to paragraph 6.1 of this Call Off Schedule 9, provide the Termination Assistance;

7.1.2 in addition to providing the Goods and/or Services and the Termination Assistance, provide to the Customer any reasonable assistance requested by the Customer to allow the Goods and/or Services to continue without interruption following the termination or expiry of this Call Off Agreement and to facilitate the orderly transfer of responsibility for and conduct of the Goods and/or Services to the Customer and/or its Replacement Supplier;

7.1.3 use all reasonable endeavours to reallocate resources to provide such assistance as is referred to in paragraph 7.1.2 of this Call Off Schedule 9 without additional costs to the Customer;

7.1.4 provide the Goods and/or Services and the Termination Assistance at no detriment to the Service Level Performance Measures, save to the extent that the Parties agree otherwise in accordance with paragraph 7.3; and

7.1.5 at the Customer’s request and on reasonable notice, deliver up-to-date Registers to the Customer.

7.2 Without prejudice to the Supplier’s obligations under paragraph 7.1.3 of this Call Off Schedule 9, if it is not possible for the Supplier to reallocate resources to provide such assistance as is referred to in paragraph 7.1.2 of this Call Off Schedule 9 without additional costs to the Customer, any additional costs incurred by the Supplier in providing such reasonable assistance which is not already in the scope of the Termination Assistance or the Exit Plan shall be subject to the Variation Procedure.

7.3 If the Supplier demonstrates to the Customer’s reasonable satisfaction that transition of the Goods and/or Services and provision of the Termination Assistance during the Termination Assistance Period will have a material, unavoidable adverse effect on the Supplier’s ability to meet one or more particular Service Level Performance Measure(s), the Parties shall vary the relevant Service Level Performance Measure(s) and/or the applicable Service Credits to take account of such adverse effect.

8 TERMINATION OBLIGATIONS

8.1 The Supplier shall comply with all of its obligations contained in the Exit Plan.

8.2 Upon termination or expiry (as the case may be) or at the end of the Termination Assistance Period (or earlier if this does not adversely affect the Supplier’s performance of the Goods and/or Services and the Termination Assistance and its compliance with the other provisions of this Call Off Schedule 9), the Supplier shall:

8.2.1 cease to use the Customer Data;

8.2.2 provide the Customer and/or the Replacement Supplier with a complete and uncorrupted version of the Customer Data in electronic form (or such other format as reasonably required by the Customer);

8.2.3 erase from any computers, storage devices and storage media that are to be retained by the Supplier after the end of the Termination Assistance Period all Customer Data and promptly certify to the Customer that it has completed such deletion;

8.2.4 return to the Customer such of the following as is in the Supplier’s possession or control:

(a) all copies of the Customer Software and any other software licensed by the Customer to the Supplier under this Call Off Agreement;

(b) all materials created by the Supplier under this Call Off Agreement in which the IPRs are owned by the Customer;

(c) any parts of the ICT Environment and any other equipment which belongs to the Customer;

(d) any items that have been on-charged to the Customer, such as consumables; and

(e) all Customer Property issued to the Supplier under Clause 31 of this Call Off Agreement (Customer Property). Such Customer Property shall be handed back to the Customer in good working order (allowance shall be made only for reasonable wear and tear);

(f) any sums prepaid by the Customer in respect of Goods and/or Services not Delivered by the Call Off Expiry Date;

8.2.5 vacate any Customer Premises;

8.2.6 remove the Supplier Equipment together with any other materials used by the Supplier to supply the Goods and/or Services and shall leave the Sites in a clean, safe and tidy condition. The Supplier is solely responsible for making good any damage to the Sites or any objects contained thereon, other than fair wear and tear, which is caused by the Supplier and/or any Supplier Personnel;

8.2.7 provide access during normal working hours to the Customer and/or the Replacement Supplier for up to twelve (12) months after expiry or termination to:

(a) such information relating to the Goods and/or Services as remains in the possession or control of the Supplier; and

(b) such members of the Supplier Personnel as have been involved in the design, development and provision of the Goods and/or Services and who are still employed by the Supplier, provided that the Customer and/or the Replacement Supplier shall pay the reasonable costs of the Supplier actually incurred in responding to requests for access under this paragraph.

8.3 Upon termination or expiry (as the case may be) or at the end of the Termination Assistance Period (or earlier if this does not adversely affect the Supplier’s performance of the Goods and/or Services and the Termination Assistance and its compliance with the other provisions of this Call Off Schedule 9), each Party shall return to the other Party (or if requested, destroy or delete) all Confidential Information of the other Party and shall certify that it does not retain the other Party’s Confidential Information save to the extent (and for the limited period) that such information needs to be retained by the Party in question for the purposes of providing or receiving any Goods and/or Services or termination services or for statutory compliance purposes.

8.4 Except where this Call Off Agreement provides otherwise, all licences, leases and authorisations granted by the Customer to the Supplier in relation to the Goods and/or Services shall be terminated with effect from the end of the Termination Assistance Period.

9 ASSETS, SUB-CONTRACTS AND SOFTWARE

9.1 Following notice of termination of this Call Off Agreement and during the Termination Assistance Period, the Supplier shall not, without the Customer’s prior written consent:

9.1.1 terminate, enter into or vary any Sub-Contract;

9.1.2 (subject to normal maintenance requirements) make material modifications to, or dispose of, any existing Supplier Assets or acquire any new Supplier Assets; or

9.1.3 terminate, enter into or vary any licence for software in connection with the provision of Goods and/or Services.

9.2 Within twenty (20) Working Days of receipt of the up-to-date Registers provided by the Supplier pursuant to paragraph 7.1.5 of this Call Off Schedule 9, the Customer shall provide written notice to the Supplier setting out:

9.2.1 which, if any, of the Transferable Assets the Customer requires to be transferred to the Customer and/or the Replacement Supplier (“Transferring Assets”);

9.2.2 which, if any, of:

(a) the Exclusive Assets that are not Transferable Assets; and

(b) the Non-Exclusive Assets,

the Customer and/or the Replacement Supplier requires the continued use of; and

9.2.3 which, if any, of Transferable Contracts the Customer requires to be assigned or novated to the Customer and/or the Replacement Supplier (the “Transferring Contracts”),

in order for the Customer and/or its Replacement Supplier to provide the Goods and/or Services from the expiry of the Termination Assistance Period. Where requested by the Customer and/or its Replacement Supplier, the Supplier shall provide all reasonable assistance to the Customer and/or its Replacement Supplier to enable it to determine which Transferable Assets and Transferable Contracts the Customer and/or its Replacement Supplier requires to provide the Goods and/or Services or the Replacement Goods and/or Replacement Services.

9.3 With effect from the expiry of the Termination Assistance Period, the Supplier shall sell the Transferring Assets to the Customer and/or its nominated Replacement Supplier for a consideration equal to their Net Book Value, except where the cost of the Transferring Asset has been partially or fully paid for through the Call Off Agreement Charges at the Call Off Expiry Date, in which case the Customer shall pay the Supplier the Net Book Value of the Transferring Asset less the amount already paid through the Call Off Agreement Charges.

9.4 Risk in the Transferring Assets shall pass to the Customer or the Replacement Supplier (as appropriate) at the end of the Termination Assistance Period and title to the Transferring Assets shall pass to the Customer or the Replacement Supplier (as appropriate) on payment for the same.

9.5 Where the Supplier is notified in accordance with paragraph 9.2.2 of this Call Off Schedule 9 that the Customer and/or the Replacement Supplier requires continued use of any Exclusive Assets that are not Transferable Assets or any Non-Exclusive Assets, the Supplier shall as soon as reasonably practicable:

9.5.1 procure a non-exclusive, perpetual, royalty-free licence (or licence on such other terms that have been agreed by the Customer) for the Customer and/or the Replacement Supplier to use such assets (with a right of sub-licence or assignment on the same terms); or failing which

9.5.2 procure a suitable alternative to such assets and the Customer or the Replacement Supplier shall bear the reasonable proven costs of procuring the same.

9.6 The Supplier shall as soon as reasonably practicable assign or procure the novation to the Customer and/or the Replacement Supplier of the Transferring Contracts. The Supplier shall execute such documents and provide such other assistance as the Customer reasonably requires to effect this novation or assignment.

9.7 The Customer shall:

9.7.1 accept assignments from the Supplier or join with the Supplier in procuring a novation of each Transferring Contract; and

9.7.2 once a Transferring Contract is novated or assigned to the Customer and/or the Replacement Supplier, carry out, perform and discharge all the obligations and liabilities created by or arising under that Transferring Contract and exercise its rights arising under that Transferring Contract, or as applicable, procure that the Replacement Supplier does the same.

9.8 The Supplier shall hold any Transferring Contracts on trust for the Customer until such time as the transfer of the relevant Transferring Contract to the Customer and/or the Replacement Supplier has been effected.

9.9 The Supplier shall indemnify the Customer (and/or the Replacement Supplier, as applicable) against each loss, liability and cost arising out of any claims made by a counterparty to a Transferring Contract which is assigned or novated to the Customer (and/or Replacement Supplier) pursuant to paragraph 9.6 of this Call Off Schedule 9 in relation to any matters arising prior to the date of assignment or novation of such Transferring Contract.

10 SUPPLIER PERSONNEL

10.1 The Customer and Supplier agree and acknowledge that in the event of the Supplier ceasing to provide the Goods and/or Services or part of them for any reason, Call Off Schedule 10 (Staff Transfer) shall apply.

10.2 The Supplier shall not and shall procure that any relevant Sub-Contractor shall not take any step (expressly or implicitly and directly or indirectly by itself or through any other person) without the prior written consent of the Customer to dissuade or discourage any employees engaged in the provision of the Goods and/or Services from transferring their employment to the Customer and/or the Replacement Supplier and/or Replacement Sub-Contractor.

10.3 During the Termination Assistance Period, the Supplier shall and shall procure that any relevant Sub-Contractor shall:

10.3.1 give the Customer and/or the Replacement Supplier and/or Replacement Sub-Contractor reasonable access to the Supplier’s personnel and/or their consultation representatives to present the case for transferring their employment to the Customer and/or the Replacement Supplier and/or to discuss or consult on any measures envisaged by the Customer, Replacement Supplier and/or Replacement Sub-Contractor in respect of persons expected to be Transferring Supplier Employees;

10.3.2 co-operate with the Customer and the Replacement Supplier to ensure an effective consultation process and smooth transfer in respect of Transferring Supplier Employees in line with good employee relations and the effective continuity of the Services.

10.4 The Supplier shall immediately notify the Customer or, at the direction of the Customer, the Replacement Supplier of any period of notice given by the Supplier or received from any person referred to in the Staffing Information, regardless of when such notice takes effect.

10.5 The Supplier shall not for a period of twelve (12) months from the date of transfer re-employ or re-engage or entice any employees, suppliers or Sub-Contractors whose employment or engagement is transferred to the Customer and/or the Replacement Supplier except that this paragraph 10.5 shall not apply where an offer is made pursuant to an express right to make such offer under Call Off Schedule 10.1 (Staff Transfer) in respect of a Transferring Supplier Employee not identified in the Supplier’s Final Supplier Personnel List.

11 CHARGES

11.1 Except as otherwise expressly specified in this Call Off Agreement, the Supplier shall not make any charges for the services provided by the Supplier pursuant to, and the Customer shall not be obliged to pay for costs incurred by the Supplier in relation to its compliance with, this Call Off Schedule 9 including the preparation and implementation of the Exit Plan, the Termination Assistance and any activities mutually agreed between the Parties to carry on after the expiry of the Termination Assistance Period.

12 APPORTIONMENTS

12.1 All outgoings and expenses (including any remuneration due) and all rents, royalties and other periodical payments receivable in respect of the Transferring Assets and Transferring Contracts shall be apportioned between the Customer and the Supplier and/or the Replacement Supplier and the Supplier (as applicable) as follows:

12.1.1 the amounts shall be annualised and divided by 365 to reach a daily rate;

12.1.2 the Customer shall be responsible for (or shall procure that the Replacement Supplier shall be responsible for) or entitled to (as the case may be) that part of the value of the invoice pro rata to the number of complete days following the transfer, multiplied by the daily rate; and

12.1.3 the Supplier shall be responsible for or entitled to (as the case may be) the rest of the invoice.

12.2 Each Party shall pay (and/or the Customer shall procure that the Replacement Supplier shall pay) any monies due under paragraph 12.1 of this Call Off Schedule 9 as soon as reasonably practicable.

[CALL OFF SCHEDULE 10: STAFF TRANSFER]

OPTIONAL SCHEDULE – SEE OPTIONAL CLAUSE 28 – STAFF TRANSFER

1 DEFINITIONS

In this Call Off Schedule 10, the following definitions shall apply:

Admission Agreement: An admission agreement in the form available on the Civil Service Pensions website immediately prior to the Relevant Transfer Date to be entered into by the Supplier where it agrees to participate in the Schemes in respect of the Services;

Eligible Employee: any Fair Deal Employee who at the relevant time is an eligible employee as defined in the Admission Agreement;

Fair Deal Employees: those Transferring Customer Employees who are on the Relevant Transfer Date entitled to the protection of New Fair Deal (and, in the event that Part B of this Call Off Schedule 10 applies, any Transferring Former Supplier Employees who originally transferred pursuant to a Relevant Transfer under the Employment Regulations (or the predecessor legislation to the Employment Regulations), from employment with a public sector employer and who were once eligible to participate in the Schemes and who at the Relevant Transfer Date become entitled to the protection of New Fair Deal);

Former Supplier: a supplier supplying services to the Customer before the Relevant Transfer Date that are the same as or substantially similar to the Services (or any part of the Services) and shall include any sub-contractor of such supplier (or any sub-contractor of any such sub-contractor);

New Fair Deal: the revised Fair Deal position set out in the HM Treasury guidance: “Fair Deal for staff pensions: staff transfer from central government” issued in October 2013 including any amendments to that document immediately prior to the Relevant Transfer Date;

Notified Sub-Contractor: a Sub-Contractor identified in the Annex to this Call Off Schedule 10 to whom Transferring Customer Employees and/or Transferring Former Supplier Employees will transfer on a Relevant Transfer Date;

Replacement Sub-Contractor: a sub-contractor of the Replacement Supplier to whom Transferring Supplier Employees will transfer on a Service Transfer Date (or any sub-contractor of any such sub-contractor);