Dated 2009 NHS BUSINESS SERVICES AUTHORITY AND RELIANCE SECURE TASK MANAGEMENT LIMITED FRAMEWORK AGREEMENT for the provision of Lone Worker Services Contents Clause 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 10-404788-3 Page Definitions and Interpretation .....................................................................................................1 Scope of this Framework Agreement.........................................................................................2 Implementation Plan ..................................................................................................................3 The Available Services...............................................................................................................3 Standards and Regulations ........................................................................................................4 Ordering Procedures ..................................................................................................................4 Charges for Services..................................................................................................................5 Representatives .........................................................................................................................6 Governance ................................................................................................................................6 Business Continuity....................................................................................................................6 Management Information ...........................................................................................................7 Amendments to this Framework Agreement .............................................................................7 Marketing ...................................................................................................................................7 Communications ........................................................................................................................7 Financial standing of the Supplier ..............................................................................................8 Term, suspension and termination.............................................................................................9 Consequences of termination and expiry.................................................................................11 Force Majeure ..........................................................................................................................12 Warranties and representations ...............................................................................................13 Limitation of liability ..................................................................................................................14 Complaints handling.................................................................................................................16 Authority Data ..........................................................................................................................16 Data Protection ........................................................................................................................17 Personnel Security ...................................................................................................................19 Intellectual Property Rights ......................................................................................................19 Confidentiality...........................................................................................................................20 Publicity ....................................................................................................................................22 Dispute resolution ....................................................................................................................22 Insurance .................................................................................................................................22 Recovery of sums due .............................................................................................................22 Statutory requirements .............................................................................................................22 Environmental requirements ....................................................................................................23 Discrimination...........................................................................................................................23 Corrupt gifts and payments of commission ..............................................................................23 Granting of Trade Marks ..........................................................................................................24 Transfer and sub-contracting ...................................................................................................24 Rights of Third Parties..............................................................................................................26 Audit .........................................................................................................................................27 Freedom of information ............................................................................................................28 Customer satisfaction monitoring.............................................................................................29 Legislative change ...................................................................................................................29 Statutory invalidity ....................................................................................................................30 Severability ...............................................................................................................................30 Waiver ......................................................................................................................................30 Non-exclusivity .........................................................................................................................30 Law and Jurisdiction.................................................................................................................31 Entire agreement......................................................................................................................31 Schedule 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 10-404788-3 Definitions ................................................................................................................................33 Model Contracts .......................................................................................................................40 Part 1 - Model Contract (Customer funded) .............................................................................40 Part 2 - Model Contract (Authority part funded) .......................................................................42 The Available Services, Service Management, Minimum Service Levels and Standard Service Credits .........................................................................................................................44 Part 3.1 - Service Management ...............................................................................................44 Part 3.2 - User Training ............................................................................................................57 Part 3.3 - Alarm Receiving Centre (ARC) ................................................................................64 Part 3.4 - User Devices ............................................................................................................72 Part 3.5 - Networks ..................................................................................................................77 Part 3.6 - Account Management ..............................................................................................80 Part 3.7 - Supplier Innovation and Continuous Improvement ..................................................83 Part 3.8 - Invoicing Mechanism ................................................................................................84 Part 3.9- Service Levels and Service Credits ..........................................................................87 Part 3.10 – Service Levels and Service Credits ......................................................................90 Part 3.11 - Operational Reporting ..........................................................................................108 Delays and Implementation ...................................................................................................112 Part 1 - Delays .......................................................................................................................112 Part 2 - Implementation Plan .................................................................................................114 The Maximum Charges ..........................................................................................................117 Ordering Procedures ..............................................................................................................128 Part 1 – Joint Funded .............................................................................................................130 Part 2 – Direct Funded ...........................................................................................................131 Management Information .......................................................................................................132 Agreement Change Procedure ..............................................................................................137 Maximum Charges Variation Procedure ................................................................................141 Sub-Contractors .....................................................................................................................145 Model Self Audit Certificate ....................................................................................................154 Governance ............................................................................................................................155 Solution ..................................................................................................................................163 Security Policy........................................................................................................................173 Marketing and Communications ............................................................................................208 Part 1 - Exit Assistance ..........................................................................................................214 Part 2 – Staff Transfer ............................................................................................................216 Standards and Regulations ....................................................................................................226 Insurance Requirements ........................................................................................................229 This Framework Agreement is made on 2009 Between (1) The NHS Business Services Authority (as agent for the Department of Health) (Authority); and (2) Reliance Secure Task Management Limited (No. 2057887) whose registered office is at Boundary House, Cricketfield Road, Uxbridge, Middlesex UB8 1QG (Supplier). Whereas (A) On 27 May 2008 the Authority placed a contract notice, reference 2008/5 101-135947 in the Official Journal of the European Union seeking expressions of interest from Suppliers for the provision of services to public sector bodies under a framework agreement; (B) Following the subsequent procurement process the Authority selected the Supplier to enter into a Framework Agreement; (C) The Supplier has agreed to enter into this Framework Agreement with the Authority for the provision of Services; (D) The Department of Health has designated central funds to support the provision of Services within the NHS. These funds may be made available to Customers for procuring Services under this Framework Agreement and where such funds are available the Authority shall, in addition to a Customer, enter into a Contract with the Supplier for the provision of Services but solely for the purpose of making certain payments in respect of the Services; and (E) This Framework Agreement provides that Customers may enter into separate Contracts with the Supplier by placing an Order. It is agreed 1 Definitions and Interpretation 1.1 As used in this Framework Agreement: (a) the terms and expressions set out in schedule 1 (Definitions) shall have the meanings set out therein; (b) the masculine includes the feminine and the neuter; (c) the singular includes the plural and vice versa; and (d) the words "include", "include"; and "including" are to be construed as if they were immediately followed by the words "without limitation". 1.2 A reference to any statute, enactment, order, regulation or other similar instrument shall be construed as a reference to the statute, enactment, order, regulation or instrument as amended by any subsequent statute, enactment, order, regulation or instrument or as contained in any subsequent re-enactment thereof. 1.3 A reference to any document other than as specified in clause 1.2 shall be construed as a reference to the document as at the date of execution of this Framework Agreement. 10-404788-3 1 1.4 Headings are included in this Framework Agreement for ease of reference only and shall not affect the interpretation or construction of this Framework Agreement. 1.5 References to "clauses" and "schedules" other than in schedule 2 (Model Contract) are, unless otherwise provided or the context so necessitates, references to the clauses of and schedules to this Framework Agreement. References to "paragraphs" are, unless otherwise provided, references to paragraphs of the schedule in which the references are made. 1.6 References to "clauses" and "schedules" in schedule 2 (Model Contract) are, unless otherwise provided or the context so necessitates, references to the clauses of and schedules to the Contract and references in schedule 2 (Model Contract) to "paragraphs" are, unless otherwise provided, references to paragraphs of the schedule to the Contract in which the references are made. 1.7 Terms or expressions contained in this Framework Agreement or a Contract which are capitalised but which do not have an interpretation in schedule 1 (Definitions) or schedule 2 (Model Contract) as appropriate shall be interpreted in accordance with the common interpretation within the mobile communications industry where appropriate. Otherwise they shall be interpreted in accordance with the dictionary meaning. 1.8 The use of "[♦]" in schedule 2 (Model Contract) indicates where information shall be inserted by the Supplier or Customer for each Contract. Such information shall be obtained from the Catalogue and the relevant Order. 1.9 In the event and to the extent only of any conflict between the clauses together with schedule 1 (Definitions) and the remainder of the schedules, the clauses together with schedule 1 (Definitions) shall prevail over the remainder of the schedules. The remainder of the schedules (other than the Catalogue and schedule 13 (Solution)) shall, in turn prevail over the Catalogue and schedule 13 (Solution). In the event of any conflict between the Catalogue and schedule 13 (Solution) the Catalogue shall prevail. 2 Scope of this Framework Agreement 2.1 This Framework Agreement governs the overall relationship of the Authority with the Supplier with respect to the provision of the Services to Customers. The Customers are entitled (but not required) at any time during the Term to order Services from the Catalogue in accordance with the Ordering Procedure. The Supplier shall provide to that Customer such Services in accordance with all applicable provisions of the relevant Contract. 2.2 The Supplier hereby acknowledges that: 10-404788-3 (a) all obligations entered into under a Contract, and the liabilities incurred by the Supplier, are given, entered into, or incurred in favour of and for the benefit of each Customer; (b) each Contract forms a separate agreement between the Customer and the Supplier in respect of the Services ordered under it; and (c) with respect to each Contract, the Authority does not give any warranties or indemnities, and does not accept any liability or responsibility under this Framework Agreement for any obligation, debt or liability of or incurred by a Customer under a Contract. 2 2.3 The Supplier shall not commit any act, nor forbear to commit any act, that shall compromise a Customer's compliance with the Guidance Notes. 2.4 Any Contract entered into under this Framework Agreement shall commence on the date of the execution of that Contract and shall expire no later than five (5) years after such execution. 2.5 The Supplier shall not enter into a contract with a Health Service Body for the provision of services in the nature of the Available Services, other than in the form of the Model Contract. 3 Implementation Plan The Supplier shall implement the Solution in accordance with the Implementation Plan and schedule 4 (Delays) and maintain the Solution to enable provision of the Services throughout the Term. 4 The Available Services 4.1 Each of the services specified in schedule 3 (Services) shall be made available to Customers and Potential Customers and shall be listed as a Catalogue Entry in the Catalogue. When a specific Available Service is the subject of an Order by a Customer, it will be referred to in the ensuing Contract as an Ordered Service. 4.2 The Supplier shall maintain the organisational and technical ability and capacity to provide the Available Services in accordance with this Framework Agreement as the Available Services are required from time to time by Customers. 4.3 The Supplier shall enter into a Contract on the terms and conditions prescribed in the relevant Model Contract with each Customer that places an Order in accordance with the provisions of this Framework Agreement. 4.4 The Supplier shall maintain and keep up to date the Catalogue throughout the Term. Any amendment to the Catalogue, other than an amendment to the specification of each Catalogue Entry and its relevant Charges, shall be subject to the Agreement Change Procedures. 4.5 The Supplier shall, no less than once in every 6 months, carry out a review of: (a) the Available Services; (b) the Solution; and (c) new lone worker devices (New Devices), taking account of technological and operational developments and advancements in the delivery of services similar to the Services. 4.6 10-404788-3 If following a review pursuant to clause 4.5, the Supplier identifies changes to the Available Services that could improve the Services then the Supplier shall provide a written report of its findings to the Authority within 14 days of such review. Any potential changes or New Devices agreed to be considered by the Authority and the Supplier, will be subject to testing by the Supplier, at the Supplier's cost, and the Supplier shall submit its findings to the Authority for consideration in a written report. Following such consideration, if the Authority wishes to make the change or add the New Devices to the Catalogue, the Supplier shall propose such change through the Agreement Change Procedures. 3 4.7 The Supplier hereby licenses the Authority for the Term on a royalty-free basis to use, copy and publish (electronically and in hard copy formats) the descriptions of the Catalogue Entries provided by the Supplier. All Intellectual Property Rights of the Supplier (or its SubContractors) in such descriptions (except insofar as such descriptions derive from material provided by the Authority) shall remain with the Supplier (or its Sub-Contractors). 4.8 The Supplier shall comply with its obligations in schedule 3 (Services) regarding the recording of and provision of information relating to Red Alerts and Amber Alerts. 5 Standards and Regulations 5.1 The Supplier shall provide the Services and meet its responsibilities and obligations hereunder in accordance with the Standards and Regulations as set out in schedule 17 (Standards and Regulations). 5.2 The Supplier shall indemnify, defend and hold harmless the Authority from any fine awarded against the Authority by the Regulatory Bodies or any payment required by the Regulatory Bodies to be made to any third parties to the extent arising as a result of a breach of contract or negligent act or omissions of the Supplier. 6 Ordering Procedures 6.1 Each Customer shall be entitled at any time during the Term to place an order for Services from the Supplier by serving an Order in accordance with the Ordering Procedures. Each Order will specify which of the Model Contracts the Customer requires the Services to be provided under, which shall be dependent upon whether the Authority will provide funding for the Services. 6.2 Each Order shall contain the information listed in paragraph 3 of schedule 6 (Ordering Procedure). 6.3 The Authority and the Supplier agree that any document or communication, including a document or communication in the apparent form of an Order, which: (a) does not contain all of the information listed in paragraph 3 of schedule 6 (Ordering Procedure); and/or (b) purports to exclude or vary any of the terms and conditions of the Model Contract, other than in accordance with the provisions of schedule 6 (Ordering Procedure), shall not constitute an Order under this Framework Agreement. 6.4 6.5 10-404788-3 The Supplier shall, within two (2) Working Days of receipt of an Order; either: (a) acknowledge in writing (which, for the purposes of this clause 6.4(a), shall include email) receipt of that Order to the Customer (with a copy to the Authority) and state that it is unable to fulfil the Order; or (b) acknowledge in writing (which, for the purposes of this clause 6.4(b), shall include email) receipt of that Order to the Customer (with a copy to the Authority) and state its acceptance of that Order. In the event that the Supplier accepts the Order in accordance with the provisions of clause 6.4(b), the Supplier shall: 4 (a) simultaneously with that acceptance notify the Customer of the proposed dates for commencement of the Ordered Services; and (b) following confirmation of the proposed dates for commencement, send the Order duly countersigned by an authorised officer of the Supplier to the Customer (with a copy to the Authority). 6.6 If the Supplier wishes to query any matter in relation to an Order served on it by a Customer, the Supplier shall raise the matter with the relevant Customer as soon as practicable and in any event within two (2) Working Days of receipt of that Order. The Supplier shall agree the Order with the Customer as soon as possible thereafter and in any event no later than the Service Commencement Date. 6.7 Subject to clause 6.8, a binding agreement for the provision of the Ordered Services shall be formed on the Customer's receipt of the countersigned Order pursuant to clause 6.5(b). 6.8 In respect of any Contract to which the Authority is a party, a binding agreement for the provision of the Ordered Services shall not be formed until the Authority has signed the Contract, in accordance with schedule 6 (Ordering Procedure). 7 Charges for Services 7.1 Charges 7.2 10-404788-3 (a) The Charges applicable for each Service shall be as set out in schedule 5 (Charges) to each Contract. (b) The Supplier agrees not to levy any Charges under any Contract that are in excess of the Maximum Charges from time to time. (c) The Maximum Charges shall be varied in accordance with the provisions of schedule 9 (Charges Variation Procedure). (d) The Supplier may lower any or all of the Charges applicable to the Supplier's Catalogue Entries from time to time by giving 20 Working Days' notice to the Authority, but may at no time ask to have advertised in the Catalogue any Charges that are in excess of the Maximum Charges from time to time. Benchmarking (a) The Authority may benchmark the Charges advertised in the Catalogue and/or the Maximum Charges at any time during the Term in order to compare such Charges with charges offered by third parties and by the Supplier to other customers. (b) The Authority shall be entitled to use any model to determine the achievement of value for money to carry out the benchmarking evaluation referred to in clause 7.2(a). (c) The Authority shall be entitled to publish the results of any benchmarking of the Charges to Customers and Potential Customers. (d) The Supplier shall use all reasonable endeavours and act in good faith to supply information required by the Authority in order to undertake the benchmarking referred to in this clause 7.2, such information requirements to be at the discretion of the Authority. 5 8 Representatives 8.1 Each party shall notify the other in accordance with clause 14 (Communications) of the persons appointed by it from time to time to fulfil the roles identified in schedule 12 (Governance). These shall be known as the Authority Representatives and the Supplier Representatives (as appropriate) and they shall have the authority to act on behalf of their respective party on the matters set out in, or in connection with, this Framework Agreement. Either party may, by further written notice to the other party, revoke or amend the authority of its Representative or appoint a new Representative. 8.2 The respective Representatives shall be sufficiently senior within the organisation of the appointing party, and granted sufficient authority by that party, to ensure full cooperation in relation to the operation and the management of this Framework Agreement. 8.3 The Supplier shall ensure that the role of the Supplier Representatives are not vacant for any longer than 10 Working Days and that any replacements shall be appropriately qualified and experienced and fully competent to carry out the tasks assigned to the Supplier Representative whom he or she has replaced. 9 Governance The Supplier and the Authority shall comply with their respective contract management obligations set out in schedule 12 (Governance). 10 Business Continuity 10.1 The Supplier shall ensure that it is able to implement the Business Continuity Plan at any time in accordance with its terms to ensure continuity of service provision and to minimise the consequences of any failure in the Solution on the provision of the Services. 10.2 The Supplier shall test the Business Continuity Plan on a regular basis (and in any event not less than once in every 12 month period). The Authority may require the Supplier to conduct additional tests of the Business Continuity Plan where the Authority considers it necessary, including where there has been any change to the Services or any underlying business processes, or on the occurrence of any event which may increase the likelihood of the need to implement the Business Continuity Plan. 10.3 If the Authority requires an additional test of the Business Continuity Plan it shall give the Supplier written notice and the Supplier shall conduct the test in accordance with the Authority’s requirements and the relevant provisions of the Business Continuity Plan. The Supplier's costs of the additional test shall be borne by the Authority unless the Business Continuity Plan fails the additional test in which case the Supplier's costs of that failed test shall be borne by the Supplier. 10.4 Following each test, the Supplier shall send to the Authority a written report summarising the results of the test and shall promptly implement any actions or remedial measures which the Authority considers to be necessary as a result of those tests. 10.5 The Supplier shall undertake regular risk assessments in relation to the provision of the Services not less than once every six months and shall provide the results of, and any recommendations in relation to, those risk assessments to the Authority promptly in writing following each review. 10-404788-3 6 11 Management Information 11.1 The Supplier shall submit Management Information to the Authority in accordance with the provisions of schedule 7 (Management Information), throughout the Term and thereafter in respect of any extant Contract. 11.2 The Supplier shall implement and maintain an Order processing system that identifies and records all Orders. Such system shall enable the Supplier to track all Orders and ascertain their status at any time and shall produce the Records specified in clause 38, Audit. 12 Amendments to this Framework Agreement 12.1 No amendment to the provisions of this Framework Agreement, other than a variation of the Charges pursuant to the provisions of schedule 9 (Charges Variation Procedure), shall be effective unless made in accordance with the Agreement Change Procedures. 12.2 The control of changes to this Framework Agreement shall be in accordance with the Agreement Change Procedures. For these purposes a "Change" shall include any amendment to this Framework Agreement and any amendments to the Catalogue. For each Change that is agreed by the Authority and the Supplier pursuant to this clause 12, this Framework Agreement or the Catalogue shall be amended to the extent necessary to give effect to that Change, and for this purpose the Authority and the Supplier shall use the form of amendment as set out in schedule 8 (Agreement Change Procedures). Unless and until such amendment is made in accordance with this clause 12, no Change shall be considered effective, and this Framework Agreement and the Catalogue shall not in any way be considered to have been varied. 12.3 In the event that a Change is implemented pursuant to the provisions of clause 12.2 and such Change is to schedule 2 (Model Contract), the Change shall be implemented in schedule 2 (Model Contract) and the Authority and the Supplier shall agree implementation of the Change to extant affected Contracts as follows: (a) the Change shall not be implemented in any extant Contracts; or (b) the Supplier shall give each Customer that is the party to each such affected extant Contract the option to implement the Change in their Contract pursuant to the procedure for contract change set out in the relevant Contract. 12.4 Subject to clauses 12.2 and 12.3, no change shall be made to any extant Contract without the written consent of the Authority. 13 Marketing The Supplier shall undertake marketing of this Framework Agreement and Services to Potential Customers in accordance with the provisions of schedule 15 (Marketing), throughout the Term. 14 Communications 14.1 Except as otherwise expressly provided, no communication from one party to the other shall have any validity under this Framework Agreement unless made in writing (which shall, save as expressly provided otherwise, exclude communications by e-mail) by or on behalf of the party sending such communication. 10-404788-3 7 14.2 Any notice or other communication whatsoever which either the Authority or the Supplier is required or authorised by this Framework Agreement to give or make to the other shall be given or made by first class post in a prepaid letter, addressed to the other at the address specified in clause 14.3. Such notice or communication shall be deemed, for the purposes of this Framework Agreement, to have been given or made two (2) Working Days after dispatch by the sender. 14.3 For the purposes of clause 14.2 the address of each party shall be: For the Authority: Address: Commercial Services (Lone Worker Project) Lower Ground Bridge House 152 Pilgrim Street Newcastle upon Tyne NE1 6SN For the attention of: the Lone Worker Contract Manager For the Supplier: Address: Reliance Secure Task Management, Surety House, Concorde Road, Patchway, Bristol, BS34 5TB For the attention of: the Managing Director 15 Financial standing of the Supplier 15.1 The Authority may from time to time during the Term assess the financial standing of the Supplier including an assessment of credit ratings as published by a credit rating agency appointed by the Authority. In the event that the Authority considers that the financial status of the Supplier represents a substantial risk to the Supplier's ability to perform its obligations under Contracts the Authority will discuss that risk with the Supplier. 15.2 Following such discussions, if the Authority concludes that there remains a substantial risk the Authority may by notice in writing suspend the right of the Supplier to accept further Orders without specific prior written agreement from the Authority. 15.3 In the event that the Authority takes the actions specified in clause 15.2, the Supplier may invite the Authority at any time to carry out a new assessment, giving evidence of changes to the financial standing of itself. 15.4 Where the Authority carries out a new assessment, and it concludes that there is no longer a substantial risk to the Supplier's ability to perform its obligations under Contracts, it shall advise the Supplier that the provisions of clause 15.2 no longer apply and recommence the publication of Services in the Catalogue. 10-404788-3 8 16 Term, suspension and termination 16.1 This Framework Agreement shall commence on the date hereof and, subject to clause 17.7, shall remain in force until the earlier of the expiry or early termination of the last Contract entered into pursuant to this Framework Agreement unless terminated earlier pursuant to this clause 16. The Supplier shall only be entitled to accept Orders or enter into any Contracts for a period of three (3) years, subject to an extension at the option of the Authority for a period of one (1) year, unless terminated earlier pursuant to this clause 16. The Authority may exercise the option to extend the right for the Supplier to accept Orders under this Framework Agreement in accordance with this clause 16.1 by serving written notice on the Supplier to that effect no later than 6 months before expiry of the three (3) year period. 16.2 The Authority may at any time by notice in writing suspend the right of the Supplier to accept further Orders for Services without specific prior written agreement from the Authority in the event that: (a) the Supplier does not maintain its ability and capacity in respect of those Services in accordance with the provisions of clause 4.2; or (b) the Supplier fails to submit Management Information in respect of those Services in accordance with the provisions of clause 11.1; or (c) the Supplier commits any breach of any of the Contracts that would entitle the Customer under that Contract to terminate that Contract (whether or not the relevant Customer does terminate that Contract); or (d) any of the Termination Events specified in clause 16.5 occur, provided that such notice shall take effect no sooner than 10 Business Days following the service of such notice where the events leading to such notice are those listed in clause 16.2(a) and clause 16.2(b) and in all other circumstances such notice may have immediate effect. 16.3 At any time following service of a notice of suspension pursuant to clause 16.2 the Supplier may serve notice on the Authority providing full details of the rectification of the events giving rise to the suspension and steps taken by the Supplier to prevent their repeat. Following the giving of such notice by the Supplier the Authority shall, where it is satisfied, acting reasonably, that the events have been rectified and steps taken are sufficient to prevent a repeat of such events occurring, restore the ability of the Supplier to accept further Orders for Services without specific prior written agreement from the Authority. 16.4 The Authority may at any time by notice in writing terminate this Framework Agreement as from the date of service of such notice, or a later date specified in such notice, if any of the Termination Events specified in clause 16.5 occur. 16.5 Termination Events (a) 10-404788-3 A Change of Control where the proposed new owner has: (i) been convicted of a criminal offence relating to the conduct of its business or profession; or (ii) committed an act of grave misconduct in the course of its business or profession; or 9 failed to comply with any obligations relating to the payment of any taxes or social security contributions; or (iv) made any serious misrepresentations in the tendering process for any project or matter in which the public sector has or had a significant participation; or (v) previously failed to obtain any licences and/or membership of any body which would be necessary if it were to provide services equivalent to the Services. (b) A Change of Control occurs and there are reasonable grounds for the Authority to withhold its consent relating to the financial standing of the new owner, any security concerns arising from the new ownership or issues relating to the provision of the Services by the new owner. (c) Any of the events listed in clause 16.5(a)(i) to 16.5(a)(iv) occur in relation to or in respect of the Supplier itself, or if the Authority has reasonable grounds to object to the Supplier arising from security concerns in respect of the Supplier. (d) The Supplier: (e) 10-404788-3 (iii) (i) being an individual, or where the Supplier is a firm, any partner or partners in that firm who together are able to exercise direct or indirect control, as defined by Section 416 of the Income and Corporation Taxes Act 1988, shall at any time become bankrupt or shall have a receiving order or administration order made against him or shall make any composition or arrangement with or for the benefit of his creditors, or shall make any conveyance or assignment for the benefit of his creditors, or shall purport so to do, or appears unable to pay or to have no reasonable prospect of being able to pay a debt within the meaning of Section 268 of the Insolvency Act 1986, or any application shall be made under any bankruptcy or insolvency act for the time being in force for sequestration of his estate, or a trust deed shall be granted by him on behalf of his creditors, or any similar event occurs under the law of any other jurisdiction; or (ii) being a company, passes a resolution, or the court makes an order that the Supplier or its Parent Company be wound up otherwise than for the purpose of a bona fide reconstruction or amalgamation, or a receiver, manager or administrator on behalf of a creditor is appointed in respect of the business or any part thereof of the Supplier or the Parent Company (or an application for the appointment of an administrator is made or notice to appoint an administrator is given in relation to the Supplier or the Parent Company), or circumstances arise which entitle the court or a creditor to appoint a receiver, manager or administrator or which entitle the court otherwise than for the purpose of a bona fide reconstruction or amalgamation to make a winding-up order, or the Supplier or its Parent Company is unable to pay its debts within the meaning of Section 123 of the Insolvency Act 1986 (except where the claim is made under Section 123(1)(a) and is for an amount of less than ten thousand pounds (£10,000)) or any similar event occurs under the law of any other jurisdiction. Where the circumstances detailed in clause 19.2 (Warranties and Representations) or clause 34.2 (Corrupt Gifts and Payments of Commission) arise. 10 16.6 16.7 (f) The Supplier fails to meet any Default Service Level, as set out in part 3.10 of schedule 3 (Services), on three occasions within any consecutive 12 month period. (g) In the event that any authorisation or licence required by the Supplier to provide the Ordered Services, including any licence under the Wireless Telegraphy Act 1949 and the general authorisation under the Communications Act 2003, is revoked or withdrawn. For the purposes of clause 16.5(a) the following shall be disregarded: (a) any change in beneficial or legal ownership of any shares that are listed on a stock exchange resulting in the relevant shareholding being less than or equal to five per cent (5%) of the total issued share capital; and (b) any transfer of shares or of any interest in shares by a person to its Affiliate where such transfer forms part of a bona fide reorganisation or restructuring. Without prejudice to the provisions of clause 16.2 the Authority may at any time by notice in writing terminate this Framework Agreement forthwith if the Supplier is in material Default of any obligation under this Framework Agreement and: (a) the material Default is capable of remedy and the Supplier shall have failed to remedy the material Default within thirty (30) Days of written notice to the Supplier specifying the material Default and requiring its remedy; or (b) the material Default is not capable of remedy. 16.8 The Supplier shall promptly notify the Authority in writing on each occasion of the occurrence of any of the events specified in clause 16.5(c). 16.9 The Authority shall only be permitted to exercise its rights pursuant to clause 16.5(c) for six (6) Months after service of a notice by the Supplier pursuant to clause 16.8 relative to each such Change of Control and shall not be permitted to exercise such rights where the Authority has agreed in advance in writing to the particular Change of Control and such Change of Control takes place as proposed. 17 Consequences of termination and expiry 17.1 Notwithstanding the service of a notice to terminate this Framework Agreement, the Supplier shall continue to fulfil its obligations under this Framework Agreement until the date of expiry or termination of this Framework Agreement or such other date as required under this clause 17. 17.2 A termination of this Framework Agreement shall not cause any Contracts to terminate automatically. For the avoidance of doubt, all Contracts shall remain in force unless and until they are terminated or expire in accordance with their own terms. 17.3 On termination of this Framework Agreement, the Supplier shall cease to use all Authority Data and within ten (10) Working Days of the date of termination, the Supplier shall return to the Authority any data and Confidential Information belonging to the Authority in the Supplier's possession, power or control, either in its then current format or in a format nominated by the Authority, together with all training manuals and other related documentation, and any other information and all copies thereof owned by the Authority, save that it may keep one copy of any such data or information: 10-404788-3 11 (a) for a period of up to twelve (12) Months to comply with its obligations under clause 17.4, or such period as is necessary for such compliance; and (b) for such period as is necessary to enable the Supplier to perform its obligations under any Contract. 17.4 The Supplier shall comply with its obligations as set out in the Exit Plan, to manage a smooth transition of the provision of the Devices and Services from the Supplier to a new contractor or the Authority. 17.5 The Parties shall continue to comply with their respective obligations under schedule 9 (Charges Variation Procedure). 17.6 The Authority shall be entitled to require access to data or information to be provided under this Framework Agreement and arising from the provision of the Services by the Supplier until the latest of: (a) the expiry of a period of twelve (12) Months following termination or expiry of this Framework Agreement; or (b) the expiry of a period of three (3) Months following the date on which the Supplier ceases to provide any Ordered Services under any Contract. 17.7 The provisions of clauses 1, 14, 17, 19, 20, 22, 23, 25, 26, 28, 30, 35, 37, 42 to 47 (inclusive) and the relevant provisions of the Exit Plan, schedules 1 (Definitions) and 7 (Management Information) (and without limitation to the foregoing, any other provision of this Framework Agreement which by its terms is to be performed or observed notwithstanding termination or expiry or which is expressed to survive termination or expiry) shall survive the termination or expiry of this Framework Agreement, together with any other provision which is either expressed to or by implication is intended to survive termination. 18 Force Majeure 18.1 Subject to the remaining provisions of this clause 18, either party to this Framework Agreement may claim relief from liability for non-performance of its obligations to the extent this is due to a Force Majeure Event. In particular, the Supplier shall be relieved from its Service Credits obligation to the extent that the Services are affected by the Force Majeure Event and the Charges shall be reduced to the extent that the Customer does not receive the Services as a result of the Force Majeure Event. 18.2 A party cannot claim relief if the Force Majeure Event is attributable to its wilful act, neglect or failure to take reasonable precautions against the relevant Force Majeure Event. 18.3 The Supplier cannot claim relief from a Force Majeure Event to the extent that it is required to comply with the BCDR Plan but has failed to do so. 18.4 An Affected Party cannot claim relief as a result of a failure or delay by any other person in the performance of that other person's obligations under a contract with the Affected Party (unless that other person is itself prevented from or delayed in complying with its obligations as a result of a Force Majeure Event). 18.5 The Affected Party shall immediately give the other party written notice of the Force Majeure Event. The notification shall include details of the Force Majeure Event together with evidence of its effect on the obligations of the Affected Party, and any action the Affected Party proposes to take to mitigate its effect. 10-404788-3 12 18.6 As soon as practicable following after the Affected Party's notification, the parties shall consult with each other in good faith and use all reasonable endeavours to agree appropriate terms to mitigate the effects of the Force Majeure Event and to facilitate the continued performance of this Agreement. Where the Supplier is the Affected Party, it shall comply with its obligations in the BCDR Plan, schedule 3 (Services) and schedule 13 (Solutions), and shall take all steps in accordance with Good Industry Practice to overcome or minimise the consequences of the Force Majeure Event. 18.7 The Affected Party shall notify the other party as soon as practicable after the Force Majeure Event ceases or no longer causes the Affected Party to be unable to comply with its obligations under this Agreement. Following such notification, this Agreement shall continue to be performed on the terms existing immediately before the occurrence of the Force Majeure Event unless agreed otherwise by the parties. 19 Warranties and representations 19.1 The Supplier warrants and represents that: (a) it has full capacity and authority and all necessary consents (including, where its procedures so require, the consent of its Parent Company) to enter into and to perform this Framework Agreement and that this Framework Agreement is executed by a duly authorised representative of the Supplier; (b) as at the date hereof, all information contained in its tender for the Services remains true, accurate, and not misleading save as may have been specifically disclosed in writing to the Authority prior to the execution of this Framework Agreement; (c) this Framework Agreement shall be performed in compliance with all applicable laws, enactments, orders, regulations and other similar instruments as amended from time to time; (d) the Services shall be provided and carried out by appropriately experienced, qualified and trained personnel with all due skill, care and diligence; (e) it shall discharge its obligations hereunder with all due skill, care and diligence including good industry practice and (without limiting the generality of this clause 19 in accordance with its own established internal procedures; (f) it owns, has obtained or shall obtain valid licences for all Intellectual Property Rights that are necessary for the performance of this Framework Agreement and the use of the Services by Customers; (g) it has taken and shall continue to take all steps, in accordance with good industry practice, to prevent the introduction, creation or propagation of any disruptive element (including any virus, worm and/or trojan horse) into systems, data, software or Confidential Information (held in electronic form) owned by or under the control of, or used by, Customers and/or the Authority; (h) on behalf of itself and its Affiliates or Parent Company, in the three (3) years prior to the date of this Framework Agreement and continuing throughout the Term: (i) 10-404788-3 it has conducted all financial accounting and reporting activities in compliance in all material respects with the generally accepted accounting principles that apply to it in any country where it files accounts; 13 (i) 19.2 (ii) it has been in full compliance with all applicable securities laws and regulations in the jurisdiction in which it is established; and (iii) it has not performed any act or omission with respect to its financial accounting or reporting which could have an adverse effect on the Supplier's position as an ongoing business concern or its ability to fulfil its obligations under this Framework Agreement; in its acceptance of an Order, it will enter into a contract with a Customer on the terms and conditions of the Model Contract without amendment thereto save for the necessary information to complete the Model Contract as specified in the Order. The Supplier acknowledges that: (a) any breach of the warranties in clause 19.1 (other than a breach of clause 19.1(h)) shall be remedied as a matter of urgency at no cost to the Authority. Failure to remedy (if capable of remedy) such to comply with clause 19.1 within five (5) Working Days of notification by the Authority shall constitute a breach of this Framework Agreement entitling the Authority to terminate in accordance with clause 16.7; and (b) a breach by the Supplier of its obligations in clause 19.1(h) shall afford the Authority the right to immediately terminate this Framework Agreement without liability or payment of any charges or costs whatsoever. 19.3 Except as expressly stated in this Framework Agreement, all warranties and conditions, whether express or implied by statute, common law or otherwise (including fitness for purpose) are hereby excluded to the extent permitted by law. 20 Limitation of liability 20.1 Neither the Authority nor the Supplier excludes nor limits liability to the other for: (a) death or personal injury; or (b) for fraud or fraudulent misrepresentation. 20.2 Nothing in this clause 20 shall be taken as limiting the liability of the Supplier in respect of clause 23 (Data Protection), clause 25 (IPR), clause 26 (Confidentiality) and Part 2 of Schedule 16 (Staff Transfer). 20.3 Subject always to the provisions of clauses 20.1 and 20.2, the aggregate liability of the Supplier for each year of this Framework Agreement for all matters for which the Supplier is required to maintain insurance under this Framework Agreement, where the liability arises under contract, tort (including negligence) or otherwise in connection with this Framework Agreement (but excluding any liability governed by any Contracts, these being subject to the limitation of liability as set out in the Contracts) shall in no event exceed the level of insurance cover required to be maintained in accordance with this Framework Agreement in respect of claims relating to a failure by the Supplier to implement or maintain the Solution and in respect of all other claims one million pounds (£1,000,000) in the aggregate for each year of this Framework Agreement. Subject to clause 20.1, the aggregate liability of the Authority, in addition to its obligation to pay any Charges for each year of this Framework Agreement, shall not exceed a sum equal to the level of insurance cover required to be maintained by the Supplier under this Framework Agreement for claims which would be claimable under such 10-404788-3 14 insurances were the Authority to take out such insurances and in respect of all other claims one million pounds (£1,000,000). 20.4 20.5 Subject always to the provisions of clauses 20.1 and 20.2, in no event shall either the Authority or the Supplier be liable to the other for: (a) indirect or consequential loss or damage; and/or (b) loss of profits, business opportunities, revenue, goodwill or anticipated savings provided that nothing in this clause 20.4 shall prevent the Supplier from recovering the Charges where these are payable by the Authority. Subject always to the provisions of clauses 20.1 and 20.2, the provisions of clause 20.4 shall not be taken as limiting the right of either the Authority or the Supplier to claim from the other for: (a) additional operational and administrative costs and expenses; (b) any costs or expenses rendered nugatory; and (c) damage due to the loss of data, but only to the extent that such losses relate to the costs of working around any loss of data and the direct costs of recovering or reconstructing such data, resulting directly from the Default of the other party. 20.6 For the purposes of clause 20.3, "a year of this Framework Agreement" shall mean a period of twelve (12) Months commencing on the date hereof or on any anniversary of that date thereafter. 20.7 Nothing in this Framework Agreement shall limit the right of the Authority to claim from the Supplier any Management Charge properly due to the Authority in accordance with the terms of this Framework Agreement. Any such sum shall not be included within the Supplier's limitation of liability as set out in clause 20.3. 20.8 Neither party shall be entitled to recover compensation, or make a claim under this Framework Agreement, in respect of any loss incurred where it has already been compensated for that loss under a Contract. 20.9 The Supplier acknowledges that the Authority can enforce the provisions of the Framework Agreement as agent for each Customer, or in the Authority's name in respect of recoverable losses incurred by a Customer. 20.10 The liability of the Supplier pursuant to, or in relation with the Framework Agreement arising out of the performance or non-performance of the Services shall be specified in each Contract. 20.11 The Authority and the Supplier expressly agree that should any limitation or provision contained in this clause 20 be held to be invalid under any applicable statute or rule of law, it shall to that extent be deemed omitted, but if either of them thereby becomes liable for loss or damage which would otherwise have been excluded, such liability shall be subject to the other limitations and provisions set out herein. 20.12 Subject to clauses 20.1 and 20.2 neither party shall be liable to the other (the claiming party) to the extent that any action, proceeding, liability, tort, claim, loss, expense and/or demand 10-404788-3 15 arises as a result of the claiming party’s negligence, wilful default or failure to comply with its obligations under this Framework Agreement. 21 Complaints handling 21.1 Subject to the provisions of clause 9 (Governance), the Supplier shall inform the Authority of any Complaint within five (5) Working Days of becoming aware of that Complaint. 21.2 Without prejudice to any rights and remedies that a complainant may have at law, including under this Framework Agreement or a Contract, and without prejudice to any obligation of the Supplier to take remedial action under the provisions of this Framework Agreement or a Contract, the Supplier shall use all reasonable endeavours to resolve the Complaint and in so doing, shall deal with the Complaint fully, expeditiously and fairly. 21.3 Within three (3) Working Days of a request by the Authority, the Supplier shall provide full details of a Complaint to the Authority, including details of steps taken to its resolution. 22 Authority Data 22.1 The Supplier shall not delete or remove any proprietary notices contained within or relating to the Authority Data. 22.2 The Supplier shall not store, copy, disclose, or use the Authority Data except as necessary for the performance by the Supplier of its obligations under this Framework Agreement or as otherwise expressly authorised in writing by the Authority. 22.3 To the extent that Authority Data is held and/or processed by the Supplier, the Supplier shall supply that Authority Data to the Authority as requested by the Authority in the format specified in schedule 3 (Services) and/or in part 1 of schedule 16 (Exit Assistance). 22.4 Upon receipt or creation by the Supplier of any Authority Data and during any collection, processing, storage and transmission by the Supplier of any Authority Data, the Supplier shall take all precautions necessary to preserve the integrity of the Authority Data and to prevent any corruption or loss of the Authority Data, in accordance with the Security Policy. 22.5 The Supplier shall perform secure back-ups of all Authority Data and shall ensure that up-todate back-ups are stored off-site in accordance with the Business Continuity Plan. The Supplier shall ensure that such back-ups are available to the Authority at all times upon request and are delivered to the Authority at no less than 3 month intervals. 22.6 The Supplier shall ensure that any system on which the Supplier holds any Authority Data, including back-up data, is a secure system that complies with the Security Policy, and that security is maintained to the level required by schedule 14 (Security Policy) and is subject to the audit rights at clause 38 (Audit). 22.7 If the Authority Data is corrupted, lost or sufficiently degraded as a result of the Supplier's Default so as to be unusable, the Authority may: 10-404788-3 (a) require the Supplier (at the Supplier's expense) to restore or procure the restoration of the Authority Data and the Supplier shall do so as soon as practicable but not later than 20 Working Days; and/or (b) itself restore or procure the restoration of the Authority Data, and shall be repaid by the Supplier any reasonable expenses incurred in doing so. 16 22.8 If at any time the Supplier suspects or has reason to believe that Authority Data has or may become corrupted, lost or sufficiently degraded in any way for any reason, then the Supplier shall notify the Authority immediately and inform the Authority of the remedial action the Supplier proposes to take. 23 Data Protection 23.1 With respect to the parties' rights and obligations under this Framework Agreement, the parties agree that the Authority is the Data Controller and that the Supplier is the Data Processor. 23.2 The Supplier shall: (a) Process the Personal Data only in accordance with instructions from the Authority (which may be specific instructions or instructions of a general nature as set out in this Framework Agreement or as otherwise notified by the Authority to the Supplier during the Term); (b) Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body; (c) implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; (d) take reasonable steps to ensure the reliability of any Supplier Personnel who have access to the Personal Data; (e) obtain prior written consent from the Authority in order to transfer the Personal Data to any Sub-contractors or Affiliates for the provision of the Services; (f) ensure that all Supplier Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 23; (g) ensure that none of Supplier Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Authority; (h) notify the Authority (within five Working Days) if it receives: (i) (i) a request from a Data Subject to have access to that person's Personal Data; or (ii) a complaint or request relating to the Authority's obligations under the Data Protection Legislation; provide the Authority with full cooperation and assistance in relation to any complaint or request made, including by: (i) 10-404788-3 providing the Authority with full details of the complaint or request; 17 (ii) complying with a data access request within the relevant timescales set out in the Data Protection Requirements and in accordance with the Authority's instructions; (iii) providing the Authority with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Authority); and (iv) providing the Authority with any information requested by the Authority; (j) permit the Authority or the Authority Representative (subject to reasonable and appropriate confidentiality undertakings), to inspect and audit, in accordance with clause 21 (Audit), the Supplier's data Processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by the Authority to enable the Authority to verify and/or procure that the Supplier is in full compliance with its obligations under this Framework Agreement; (k) provide a written description of the technical and organisational methods employed by the Supplier for processing Personal Data (within the timescales required by the Authority); and (l) not Process Personal Data outside the European Economic Area without the prior written consent of the Authority and, where the Authority consents to a transfer, to comply with: (i) the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and (ii) any reasonable instructions notified to it by the Authority. 23.3 The Supplier shall comply at all times with the Data Protection Requirements and shall not perform its obligations under this Framework Agreement in such a way as to cause the Authority to breach any of its applicable obligations under the Data Protection Requirements. The Supplier's attention is hereby drawn to the Data Protection Requirements. 23.4 The Supplier shall observe the terms of each agreement relating to the safeguarding and processing of Personal Data. 23.5 The Authority may from time to time serve on the Supplier an information notice requiring the Supplier within such time and in such form as is specified in the information notice, to furnish to the Authority such information as the Authority may reasonably require relating to: (a) compliance by the Supplier with the Supplier's obligations under this Framework Agreement or any Contract in connection with the processing of Personal Data; and/or (b) the rights of data subjects, including but not limited to subject access rights. 23.6 The Supplier will allow its data processing facilities, procedures and documentation to be submitted for scrutiny by the Authority or its auditors in order to ascertain compliance with the relevant laws of the United Kingdom and the terms of this Framework Agreement. 23.7 Save as set out in this clause 23, any unauthorised processing, use or disclosure of Personal Data by the Supplier is strictly prohibited. 10-404788-3 18 23.8 The Supplier shall be liable for and shall indemnify (and keep indemnified) the Authority against each and every action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and disbursements on a solicitor and client basis) and demands incurred by the Authority which arise directly or in connection with the Supplier's data processing activities under this Framework Agreement, including without limitation those arising out of any third party demand, claim or action, or any breach of contract, negligence, fraud, wilful misconduct, breach of statutory duty or non-compliance with any part of the Data Protection Requirements by the Supplier or its employees, servants, agents or SubContractors other than those arising directly as a result of the Supplier complying with the Authority’s instructions. 24 Personnel Security 24.1 The Supplier shall comply with the Personnel Vetting Procedures in respect of all Supplier Personnel employed or engaged in the provision of the Services. The Supplier confirms that all Supplier Personnel employed or engaged by the Supplier at the date hereof were vetted and recruited on a basis that is equivalent to and no less strict than the Personnel Vetting Procedures. 24.2 The Supplier shall provide training on a continuing basis for all Supplier Personnel employed or engaged in the provision of the Services in compliance with the Security Policy and Security Plan. 25 Intellectual Property Rights 25.1 Save as granted under this Framework Agreement, neither the Authority nor the Supplier shall acquire any right, title or interest in the other's pre-existing Intellectual Property Rights. 25.2 The Supplier hereby grants to the Authority, or shall procure the grant to the Authority of: (a) a royalty-free, irrevocable, non-exclusive licence in or in relation to such of the Supplier’s or any third party’s Intellectual Property Rights as are necessary for the sole purpose of enabling the Authority to use the Devices and Services in accordance with this Framework Agreement and such licence shall expire upon termination or expiry of this Framework Agreement; and (b) a royalty-free, perpetual, irrevocable, non-exclusive licence in relation to any Project Specific IPR, as are necessary for the purpose of enabling the Authority to use the Solution in accordance with this Framework Agreement, and to enable the transfer of the Solution to an alternative provider. 25.3 The Authority hereby grants to the Supplier a royalty-free, non-exclusive, non-transferable licence during the Term to use such of the Authority's Intellectual Property Rights and/or Authority Data, as is necessary for the sole purpose of performing the Supplier's obligations under this Framework Agreement and the Contracts. 25.4 All title, interest and Intellectual Property Rights in any Materials developed by, for or on behalf of the Supplier (excluding for the avoidance of doubt any third party Intellectual Property Rights) in anticipation of, in connection with and/or in the course of performance, provision or receipt of the Services shall belong to and vest in the Authority. 25.5 The Supplier hereby assigns absolutely (and shall procure that all representatives, employees, Sub-Contractors, contractors and agents assign absolutely) to the Authority, by way of present assignment of existing and all future property, rights, title and interest and all 10-404788-3 19 Intellectual Property Rights in Materials, all of which shall vest in the Authority immediately upon creation of the same with full title guarantee and free from all encumbrances and other rights of whatever nature exercisable by any third party, together with the right to take action for any past, present and future damages and other remedies in respect of any infringement or alleged infringement of such Intellectual Property Rights. 25.6 The Supplier warrants that the provision of the Services and the performance of the Supplier's responsibilities hereunder shall not infringe any Intellectual Property Rights of any third party. 25.7 The Supplier shall indemnify the Authority against all claims, demands, actions, costs, expenses (including legal costs and disbursements on a solicitor and client basis), losses and damages arising from or incurred by reason of any infringement or alleged infringement (including the defence of such alleged infringement) of any Intellectual Property Right by the availability of the Services or the performance of the Supplier's or the Authority's responsibilities hereunder, except to the extent that such liabilities have resulted directly from the Authority's failure properly to observe its obligations under this clause 25. 25.8 The Supplier shall promptly notify the Authority if any claim or demand is made or action brought against the Supplier for infringement or alleged infringement of any Intellectual Property Right that may affect the availability of the Services hereunder. 25.9 If a claim or demand is made or action brought to which clause 25.3 may apply, or in the reasonable opinion of the Supplier is likely to be made or brought, the Supplier may at its own expense and within a reasonable time either: (a) modify any or all of Available Services without reducing the performance and functionality of the same, or substitute alternative services of equivalent performance and functionality for any or all of the Available Services, so as to avoid the infringement or the alleged infringement, provided that the terms herein shall apply mutatis mutandis to such modified or substituted items or services and such substitution shall not increase the burden on Customers party to a Contract; or (b) procure a licence to use relevant Intellectual Property Rights on terms that are reasonably acceptable to the Authority. 25.10 If the Supplier elects to modify or replace an item pursuant to clause 25.9(a) or to procure a licence in accordance with clause 25.9(b), but this has not avoided or resolved such claim, then the Authority may terminate this Framework Agreement by written notice with immediate effect and, without prejudice to the indemnity set out in clause 25.7, the Supplier shall be liable for all reasonable and unavoidable costs of the substitute items and/or services including the additional costs in procuring, implementing and maintaining the substitute items. 26 Confidentiality 26.1 The Authority and the Supplier acknowledge that any Confidential Information originating from: 26.2 10-404788-3 (a) the Authority, its servants or agents is the property of the Authority; and (b) each Customer, its servants or agents is the property of the Customer; and (c) the Supplier, its employees, servants or agents is the property of the Supplier. The Supplier and the Authority shall procure that: 20 26.3 26.4 26.5 10-404788-3 (a) any person employed or engaged by them shall only use Confidential Information for the purposes of this Framework Agreement; (b) any person employed or engaged by them in connection with this Framework Agreement shall not, in the course of such employment or engagement, disclose any Confidential Information to any third party without the express prior written consent of the originator of that Confidential Information; (c) they shall take all necessary precautions to ensure that all Confidential Information is treated as confidential and not disclosed (save as aforesaid) or used other than for the purposes of this Framework Agreement by their employees, servants, agents or sub-contractors; and (d) without prejudice to the generality of the foregoing neither they nor any person engaged by them whether as a servant or a consultant or otherwise shall use the Confidential Information for the solicitation of business from the other or from a Customer or from any third party. The provisions of clause 26.1 and clause 26.2 shall not apply to any information which: (a) is or becomes public knowledge other than by breach of this clause 26; or (b) is in the possession of the recipient without restriction in relation to disclosure before the date of receipt from the disclosing party; or (c) is received from a third party who lawfully acquired it and who is under no obligation restricting its disclosure; or (d) is independently developed without access to the Confidential Information; or (e) must be disclosed pursuant to a statutory, legal or parliamentary obligation placed upon the party making the disclosure, including any requirements for disclosure under the Freedom of Information Act 2000 or the Environmental Information Regulations 2004. Nothing in this clause 26 shall be deemed or construed to prevent the Authority from disclosing any Confidential Information obtained from the Supplier: (a) to any other Health Service Body, or a Contracting Authority, provided that the Authority has required that such information is treated as confidential by such bodies; (b) to any Customer, insofar as is reasonably necessary for the Customer to procure and make best use of the Services, provided that the Authority shall have required that such information be treated as confidential by such Customer and its servants; and (c) to any consultant, contractor or other person engaged by the Authority in connection herewith, provided that the Authority shall have required that such information be treated as confidential by such consultant, contractor or other person, together with their servants. Nothing in this clause 26 shall prevent the Supplier or the Authority from using ideas and know-how gained during the performance of this Framework Agreement in the furtherance of its normal business, to the extent that this does not relate to a disclosure of Confidential Information or an infringement by the Authority or the Supplier of any Intellectual Property Rights. 21 27 Publicity 27.1 Subject to clause 13 (Marketing), the Supplier shall not use any Authority Marks in any promotional or marketing material, make any press announcements or publicise this Framework Agreement in any way without the Authority's prior written consent. The Supplier shall ensure the observance of the provisions of this clause 27 by all their employees, servants, agents and Sub-Contractors. 27.2 The Authority shall be entitled to publicise this Framework Agreement in accordance with any legal obligation upon the Authority, including any examination of this Framework Agreement by the National Audit Office pursuant to the National Audit Act 1983 or otherwise. 27.3 Subject to clause 27.1, the Supplier shall work with the Authority to prepare a marketing plan for the delivery of the Lone Worker Protection Programme. 28 Dispute resolution 28.1 Any dispute arising under, or in connection with this Framework Agreement shall be dealt with in accordance with the terms set out in clause 25 of the Model Contract and schedule 2-8 (Dispute Resolution Procedure) of the Model Contract which shall apply mutatis mutandis to the Framework Agreement as if set out fully in the body of this Framework Agreement. 28.2 Each party agrees that the other shall, where relevant to the subject matter of the dispute, be entitled to join any Customer in any mediation, arbitration or litigation between the Authority and the Supplier and shall be entitled to keep any Customer informed of all disputes between the Authority and the Supplier. 29 Insurance The Supplier shall take out and maintain, or procure the maintenance of insurances, in accordance with the provisions of schedule 18 (Insurance Requirements). 30 Recovery of sums due If any sum of money shall be due from the Supplier, the same may be deducted from any sum then due or which at any time thereafter may become due to the Supplier under this Framework Agreement and any Contract. 31 Statutory requirements 31.1 The Supplier shall observe all statutory provisions and approved safety standards applicable to the Services and their provision, including the Authority's Security Policy at schedule 14 (Security Policy), and shall be responsible for obtaining all licences, consents or permits required for the performance of this Framework Agreement and the Contracts. 31.2 The Supplier shall inform the Authority and Customers if the Services are hazardous to health or safety and of the precautions that should be taken in respect thereto. 31.3 The Supplier shall take all measures necessary to comply with the requirements of the Health and Safety at Work etc. Act 1974 and any other acts, orders, regulations and codes of practice relating to health and safety, which may apply to staff in the performance of this Framework Agreement and Contracts. 10-404788-3 22 32 Environmental requirements 32.1 The Supplier shall comply in all material respects with all applicable environmental laws and regulations in force from time to time in relation to the Services, including the Waste Electric and Electronic Equipment Regulations Act 2006. Without prejudice to the generality of the foregoing, the Supplier shall promptly provide all such information regarding the environmental impact of the Services as may reasonably be requested by the Authority. 32.2 The Supplier shall meet all reasonable requests by Customers for information evidencing compliance with the provisions of this clause 32 by the Supplier. 32.3 The Supplier shall complete an Environmental Questionnaire within five (5) Working Days of execution of this Framework Agreement. 32.4 In the event that circumstances or practices change such that any responses given by the Supplier in the Environmental Questionnaire are no longer current, the Supplier shall notify the Authority in accordance with the provisions of clause 14 (Communications). 33 Discrimination 33.1 The Supplier shall not unlawfully discriminate within the meaning and scope of the provisions of the Sex Discrimination Act 1975, the Race Relations Act 1976, the Disability Discrimination Act 1995, the Employment Equality (Religion or Belief) Regulations 2003, the Employment Equality (Sexual Orientation) Regulations 2003, the Employment Equality (Age) Regulations 2006 or any statutory modification or re-enactment thereof or any other Law relating to discrimination in employment. 33.2 The Supplier shall take all reasonable steps to secure the observance of the provisions of clause 33.1 by the Sub-Contractors employed in the execution of this Framework Agreement. 34 Corrupt gifts and payments of commission 34.1 The Supplier shall not: 34.2 10-404788-3 (a) offer or give or agree to give any person employed by or on behalf of the Authority, a Customer or any other public body ("Relevant Person") or any person acting for and on behalf of a Customer or the Authority any gift or consideration of any kind as an inducement or reward for doing, forbearing to do, or for having done or forborne to do any act in relation to the obtaining or execution of this Framework Agreement or Contracts or any other contract with a Relevant Person or for showing favour or disfavour to any person in relation to this or any other contract with a Relevant Person; (b) enter into this Framework Agreement or Contracts or any other contract with a Relevant Person or any person acting for and on behalf of a Customer or the Authority in connection with which commission has been paid or agreed to be paid by him or on his behalf, or to his knowledge, unless before this Framework Agreement and/or any Contract is made particulars of any such commission and of the terms and conditions of any agreement for the payment thereof have been disclosed in writing to the Authority. Any breach of clause 34.1 by the Supplier or by anyone employed by him or acting on his behalf (whether with or without the knowledge of the Supplier) or the commission of any offence by the Supplier or by anyone employed by him or acting on his behalf under the 23 Prevention of Corruption Acts 1889 to 1916, in relation to this Framework Agreement or the Contracts or any other contract with a Relevant Person, Customer, the Authority or any other public body, shall entitle the Authority to terminate this Framework Agreement with immediate effect and recover from the Supplier the amount of any loss resulting from such termination and/or to recover from the Supplier the amount or value of any such gift, consideration or commission. 34.3 Any dispute, difference or question arising in respect of the interpretation of this clause 34, the right of the Authority to terminate this Framework Agreement or the amount or value of any such gift, consideration or commission shall be decided by the Authority, whose decision shall be final and conclusive. 35 Granting of Trade Marks 35.1 The Supplier shall not apply for a Trade Mark in any part of the world in respect of the Authority Marks or any derivative of either nor any mark so nearly resembling them as to be likely to deceive or cause confusion, either during the Term or at any time thereafter except with the express approval of the Authority. 35.2 The Supplier shall ensure that the provisions of this clause 35 shall apply to its SubContractors. 35.3 The Supplier hereby acknowledges that title to and goodwill in Intellectual Property Rights in the Authority Marks vests with the Authority and its licensors. The Authority hereby grants to the Supplier a non-exclusive, non-transferable, revocable licence to use, copy and broadcast the Authority Marks solely to the extent necessary for the performance of the Supplier's responsibilities hereunder during the Term. 35.4 The Supplier shall not use the Authority Marks in any way which would allow them to become generic, lose their distinctiveness, become liable to mislead the public in particular as to their quality, nature or geographic origin, or be materially detrimental to or inconsistent with the good name, goodwill, reputation and image of the Authority. 35.5 Unless otherwise specified, nothing contained in this Framework Agreement shall entitle the Supplier to use the Authority Marks as part of any corporate business or trading name or style of the Supplier either during or after termination of this Framework Agreement. 36 Transfer and sub-contracting 36.1 This Framework Agreement is personal to the Supplier. Subject to the provisions of clause 36.5, the Supplier shall not assign, novate, sub-contract or otherwise dispose of this Framework Agreement or any part thereof without the previous consent in writing of the Authority. 36.2 Subject to the provisions of clause 36.4, the Authority shall be entitled to: (a) assign, novate or otherwise dispose of its rights and obligations under this Framework Agreement or any part thereof to any Contracting Authority; or (b) novate this Framework Agreement to any other body (including any private sector body) which substantially performs any of the functions that previously had been performed by the Authority, provided that where such assignment, novation or other disposal increases the burden of the Supplier's obligations pursuant to this Framework Agreement, the Supplier shall be entitled to 10-404788-3 24 such charges as may be agreed between the Authority and the Supplier to compensate for such additional burdens. 36.3 Subject to the provisions of clause 36.4, any change in the legal status of the Authority such that it ceases to be a Contracting Authority shall not affect the validity of this Framework Agreement. In such circumstances, this Framework Agreement shall bind and inure to the benefit of any successor body to the Authority. 36.4 If this Framework Agreement is novated to a body which is not a Contracting Authority pursuant to clause 36.2(b), or if a successor body which is not a Contracting Authority becomes the Authority pursuant to clause 36.3 (in the remainder of this clause 36 both such bodies are referred to as the transferee): (a) the rights of termination of the Authority in clause 16.3 and clause 16.7 shall be available, mutatis mutandis, to the Supplier in the event of the bankruptcy, insolvency or Default of the transferee; (b) the transferee shall only be able to assign, novate or otherwise dispose of its rights and obligations under this Framework Agreement or any part thereof with the previous consent in writing of the Supplier; and (c) the following clause shall be varied from the date of the novation or the date of the change of status (as appropriate) as set out below as if this Framework Agreement had been amended by the Authority and the Supplier in accordance with clause 12, Amendments: (i) clause 30 shall be deleted. 36.5 Notwithstanding the provisions of clause 36.1, the Supplier shall be entitled to Sub-Contract its obligations under Contracts in accordance with the provisions of this clause 36 and schedule 10 (Sub-Contractors). 36.6 In selecting, appointing and managing sub-contractors, the Supplier shall comply with the procedures specified in schedule 10 (Sub-Contractors). 36.7 The Supplier shall not enter into any Sub-Contract for the fulfilment of such responsibilities and obligations as are fulfilled by the principal Sub-Contractors listed in schedule 10 (SubContractors) by any sub-contractor not listed in schedule 10 (Sub-Contractors) without the prior written approval of the Authority in accordance with the provisions of the Agreement Change Procedures. 36.8 The Supplier shall, immediately by notice in writing, inform the Authority if it exercises the rights available to it in accordance with the safeguards/ protection provisions detailed in the table in paragraph 2 of schedule 10 (Sub-Contractors). 36.9 The Supplier shall not remove or change any Sub-Contractor, or the safeguards/protections in respect of any Sub-Contractor without giving prior written notice to, and receiving the approval of, the Authority in accordance with the provisions of the Agreement Change Procedures. 36.10 The Authority reserves the right to veto or withdraw the approval of the use of any SubContractor or partner in the provision of the Services. Such right shall not be exercised unreasonably, frivolously or vexatiously. 36.11 In the event that the Authority exercises its right pursuant to clause 36.10 the Supplier shall use all reasonable endeavours to maintain the provision of the Services and the Authority and 10-404788-3 25 the Supplier shall enter into good faith negotiations to agree the impact of the situation on the provisions of this Framework Agreement. 36.12 The use of Sub-Contractors as set out in schedule 10 (Sub-Contractors) and any subsequent approval of other sub-contractors by the Authority under this clause 36 shall not in any way constitute any form of recommendation by the Authority of the Sub-Contractor, whether implied or otherwise. 36.13 Unless otherwise stated to the contrary, any reference to the Supplier's personnel within this Framework Agreement shall include the Sub-Contractor's personnel, and where applicable any reference to the Supplier shall include the Sub-Contractor. Notwithstanding any SubContracting permitted hereunder, the Supplier shall remain primarily responsible for the acts and omissions of its Sub-Contractors as though they were its own. 36.14 In the event that the Supplier, in accordance with the terms of this Framework Agreement, enters into a Sub-Contract in connection with this Framework Agreement, the Supplier shall ensure that a term is included in the Sub-Contract which requires the Supplier to pay all sums due thereunder to the Sub-Contractor within a specified period, not to exceed thirty (30) days, from the date of receipt of a valid invoice as defined by the terms of the Sub-Contract. 36.15 The Authority shall not be liable for any payment whatsoever to Sub-Contractors, the burden of which shall be solely with the Supplier. 37 Rights of Third Parties 37.1 This Framework Agreement shall not create any rights, under the Contracts (Rights of Third Parties) Act 1999 or otherwise, that shall be enforceable by anyone other than the Authority and/or the Supplier, except that the rights specified in the following clauses may be enforced by the following third party beneficiaries: 37.2 10-404788-3 Reference Third Party Beneficiaries Clause 2.1 Customers Clause 4.1 Customers Clause 4.3 Customers Clause 5.1 Customers Clause 6 Customers Paragraph 4 of Schedule 17 Part 2 (Staff Transfer) Replacement Contractors Paragraph 5 of Schedule 17 Part 2 (Staff Transfer) Replacement Contractors Paragraph 6 of Schedule 17 Part 2 (Staff Transfer) Replacement Contractors Paragraph 7of Schedule 17 Part 2 (Staff Transfer); and Replacement Contractors Paragraph 10 of Schedule 17 Part 2 (Staff Transfer) Replacement Contractors The Authority shall have the right to act as agent for any Customer to enforce on their behalf any term of this Framework Agreement, intended for their benefit. 26 37.3 The parties to this Framework Agreement reserve the right to rescind or vary this Framework Agreement without the consent of any third party who is expressly entitled to enforce this Framework Agreement in accordance with clause 37.1. 38 Audit 38.1 The Supplier shall document, implement and comply with processes, and keep or cause to be kept full and accurate Records, such that the Authority (or its statutory auditors or authorised agents) may verify that the Supplier has complied and is complying with its obligations under this Framework Agreement and any Contracts, during the Term and for a period of six (6) years thereafter. 38.2 The Supplier shall provide the Authority with a completed Self Audit Certificate in respect of each financial year of this Framework Agreement and any Contract. The Self Audit Certificate shall be completed by the Supplier's auditor and provided to the Authority no later than two (2) Months after the end of the relevant financial year. 38.3 Without prejudice to the generality of the foregoing, the Supplier shall document, implement and comply with processes, and keep or cause to be kept full and accurate Records, such that (and such that the Authority or its statutory auditors or authorised agents may verify that): 10-404788-3 (a) all Contracts made under this Framework Agreement are ascribed hereto and included in the Management Information, thus enabling the Authority to verify the Management Charge; (b) Management Information is checked and signed off by a senior officer, other than the Framework Manager, who understands the obligations and requirements of this Framework Agreement; (c) books of account kept by the Supplier in connection with the provision of the Services are on an open basis to provide clarity on the breakdown of Charges between Device, network services and alarm centre costs; (d) quotations for the provision of Services under this Framework Agreement accurately reflect the Charges and content of the Catalogue; (e) records are kept of all Contracts entered into; (f) Orders are promptly and systematically actioned; (g) sales invoices are correct and issued in a timely manner; (h) Service Levels are monitored, corrective action is taken where necessary, and Customers are credited with Service Credits to which they are entitled; (i) the service desk has undertaken all of its functions (as outlined in schedule 3 (Services)); (j) complaints are recorded, investigated and resolved; (k) Management Information is accurate and provided promptly to the Authority; (l) the Security of Authority Data and Customer Data is maintained; (m) quality procedures are complied with; and 27 (n) external security, quality, environmental management and similar accreditations are maintained. 38.4 The Supplier shall grant to the Authority, any statutory auditors of the Authority and any authorised agents of the Authority or of its statutory auditors, the right of reasonable access to any premises of the Supplier which are used in connection with the performance of the Supplier's responsibilities and obligations under this Framework Agreement and in relation to any Contract, together with a right to reasonable access to all computer systems, personnel and Records. For the avoidance of doubt, the Authority shall be entitled to carry out audits to determine whether the Supplier has performed its obligations under any Contract. 38.5 Further to the provisions of clause 38.4, the Supplier shall provide, or procure the provision of, all co-operation and reasonable assistance at all times for the purposes of carrying out an audit of the Supplier's compliance with this Framework Agreement or any Contract as well as an audit of all activities, performance, security and integrity in connection therewith. 38.6 Without prejudice to the foregoing, in the event of an investigation into suspected fraudulent activity or other impropriety by the Supplier or any third party, the Authority reserves for itself, any statutory auditor of the Authority or of its statutory auditors, or any Crown Body, the right of immediate access to the premises and documents described in clauses 33.1, 33.2 and 33.3 and the Supplier agrees to render all necessary assistance to the conduct of such investigation. 38.7 The Authority shall use all reasonable endeavours to ensure that its auditors cause the minimum amount of disruption to the business of the Supplier, and shall comply with the building regulations and security requirements of the Supplier while on the Supplier's premises. 38.8 The Authority reserves the right to publish the results of any audit exercise undertaken pursuant to this clause 38: (a) to Customers and to Potential Customers; and (b) as required to enable the Authority to fulfill its obligations to supply information for parliamentary, governmental, judicial or other administrative purposes. The Authority will invite the Supplier to comment on the results of the audit exercise and the proposed publicity material and will take account of those comments to the extent that it deems fit in any publication. In this respect, the Supplier shall provide comments to the Authority within five (5) Working Days. 39 Freedom of information 39.1 The Supplier acknowledges that the Authority is subject to the requirements of the Code of Practice on Government Information, FOIA and the Environmental Information Regulations and shall assist and cooperate with the Authority to enable the Authority to comply with its Information disclosure obligations. 39.2 The Supplier shall and shall procure that its Sub-Contractors shall: (a) 10-404788-3 transfer to the Authority all Requests for Information that it receives as soon as practicable and in any event within two (2) Working Days of receiving a Request for Information; 28 (b) provide the Authority with a copy of all Information in its possession, or power in the form that the Authority requires within five (5) Working Days (or such other period as the Authority may specify) of the Authority's request; and (c) provide all necessary assistance as reasonably requested by the Authority to enable the Authority to respond to the Request for Information within the time for compliance set out in section 10 of the FOIA or regulation 5 of the Environmental Information Regulations. 39.3 The Authority shall be responsible for determining in its absolute discretion whether any Information is exempt from disclosure in accordance with the provisions of the Code of Practice on Government Information, FOIA or the Environmental Information Regulations. 39.4 In no event shall the Supplier respond directly to a Request for Information unless expressly authorised to do so by the Authority. 39.5 The Supplier acknowledges that the Authority may, acting in accordance with the Department of Constitutional Affairs' Code of Practice on the Discharge of the Functions of Public Authorities under Part 1 of the Freedom of Information Act 2000, be obliged to disclose Information, which may include information that is commercially sensitive to the Supplier, without consulting or obtaining consent from the Supplier, or despite having taken the Supplier's views into account. 39.6 The Supplier shall ensure that all Information is retained for disclosure and shall permit the Authority to inspect such records as requested from time to time. 40 Customer satisfaction monitoring 40.1 The Authority may undertake monitoring of Customer satisfaction with the Services. 40.2 The Authority shall adopt such mechanisms as it may deem appropriate for monitoring Customer satisfaction. 40.3 The Authority reserves the right to advise Customers and Potential Customers of the findings of its Customer satisfaction monitoring, which shall include the right to make available, in paper or electronic form, statistical information derived from any Customer satisfaction questionnaires issued by the Authority to Customers. 41 Legislative change 41.1 The Supplier shall bear the cost of ensuring that the Services shall comply with all applicable statutes, enactments, orders, regulations or other similar instruments (Laws) and any amendments thereto or any additional Laws brought into force, except where any such amendments to Laws or additional Laws: 41.2 10-404788-3 (a) necessitates a change to the Available Services; and (b) is neither contemplated by the Catalogue nor could reasonably have been foreseen by the Supplier at the date hereof. In the event that the provisions of clauses 41.1(a) and 41.1(b) apply, the Authority and the Supplier shall use all reasonable endeavours to agree that the Supplier is entitled to relief, or such reasonable adjustments to the Charges as may be necessary to compensate the Supplier for such additional costs as are both reasonably and necessarily incurred by the Supplier in accommodating such amendments to Laws or additional Laws. 29 42 Statutory invalidity The Authority and the Supplier expressly agree that should any limitation or provision contained in this Framework Agreement or a Contract be held to be invalid under any particular statute or law, or any rule, regulation or bye-law having the force of law, it shall to that extent be deemed to be omitted but, if the Authority or the Supplier thereby becomes liable for loss or damage which would have otherwise been excluded, such liability shall be subject to the other limitations and provisions set out herein. 43 Severability Subject to the provisions of clause 42 (Statutory Invalidity), if any provision of this Framework Agreement is held invalid, illegal or unenforceable for any reason, such provision shall be severed and the remainder of the provisions hereof shall continue in full force and effect as if this Framework Agreement had been executed with the invalid provision eliminated. In the event of a holding of invalidity so fundamental as to prevent the accomplishment of the purpose of this Framework Agreement, the Authority and the Supplier shall immediately commence good faith negotiations to remedy such invalidity. 44 Waiver 44.1 The failure of the Supplier or the Authority to insist upon strict performance of any provision of this Framework Agreement or to exercise any right or remedy to which it is entitled hereunder, shall not constitute a waiver thereof and shall not cause a diminution of the obligations established by this Framework Agreement. 44.2 A waiver of any default shall not constitute a waiver of any other default. 44.3 No waiver of any of the provisions of this Framework Agreement shall be effective unless it is expressed to be a waiver communicated by notice, in accordance with the provisions of clause 14, Communications. 45 Non-exclusivity 45.1 For the purposes of this Framework Agreement, the Authority shall: (a) at all times be entitled to enter into separate contracts with separate Suppliers for the provision of any or all services the same as or similar to the Services; and (b) not be deemed, unless expressly stated to the contrary by the Authority, to make any representation or warranty to the Supplier in respect of any Customer other than where the Authority is itself the Customer and enters into any Contract as principal; (c) not be deemed to be an agent of any Customer unless expressly stated to the contrary in this Framework Agreement or by the Authority in an Order. 45.2 No guarantee or representation shall be deemed to have been made by the Authority in respect of the total quantities or values of the Services to be ordered by any or all Customers. Further, the Supplier acknowledges and agrees that it has not entered into this Framework Agreement on the basis of any such guarantee or representation. 45.3 For the avoidance of doubt, nothing in this Framework Agreement shall create an exclusive relationship between the Supplier and any Customer for the provision of services. 10-404788-3 30 46 Law and Jurisdiction Subject to the provisions of clause 28, Dispute Resolution, the Authority and the Supplier accept the exclusive jurisdiction of the English courts and agree that this Framework Agreement is to be governed by and construed according to English law. 47 Entire agreement 47.1 This Framework Agreement constitutes the entire understanding between the Authority and the Supplier relating to the subject matter. 47.2 Neither the Authority nor the Supplier has relied upon any representation or promise except as expressly set out in this Framework Agreement. 47.3 Both the Authority and the Supplier unconditionally waives any rights it may have to claim damages against the other on the basis of any statement made by the other (whether made carelessly or not) not set out or referred to in this Framework Agreement (or for breach of any warranty given by the other not so set out or referred to) unless such statement or warranty was made or given fraudulently. 47.4 Both the Authority and the Supplier unconditionally waives any rights it may have to seek to rescind this Framework Agreement on the basis of any statement made by the other (whether made carelessly or not) whether or not such statement is set out or referred to in this Framework Agreement unless such statement was made fraudulently. 10-404788-3 31 Signed by duly authorised for and on behalf of the Authority ) ) ) ............................................................................. Signed by duly authorised for and on behalf of the Supplier ) ) ) ............................................................................. 10-404788-3 ............................................................................. ............................................................................. 32 Schedule 1 Definitions Affected Party means the party seeking to claim relief in respect of a Force Majeure Event Affiliate means any person, partnership, joint venture, corporation or other form of enterprise, domestic or foreign, including but not limited to subsidiaries, that directly or indirectly are controlled by, or are under common control with the Supplier or a Parent Company Agreement Change Note (ACN) means the agreement change note specified in schedule 8 (Agreement Change Procedure) Agreement Change Procedures means the procedures specified in schedule 8 (Agreement Change Procedure) for making changes to this Framework Agreement Alarm Handling Software means Supplier software used to manage alarm handling in the Alarm Receiving Centre (ARC) Amber Alert means an alert to the ARC from a Device recording User details, location, tasks and potential risks ARC means the alarm receiving centre Authorised Customer Representative means the authorised Customer representative(s) referred to in schedule 12 (Governance) Authority Cause means any breach by the Authority of its obligations under this Framework Agreement Authority Data means: (a) (b) the data, text, drawings, diagrams, images or sounds (together with any database made up of any of these) which are embodied in any electronic, magnetic, optical or tangible media, and which are: (i) supplied to the Suppler by or on behalf of the Authority; or (ii) generated, processed, stored or transmitted by the Supplier pursuant to this Framework Agreement; or any Personal Data for which the Authority is the Data Controller Authority Marks means the NHS' and the Authority’s (or its licensor’s) trade marks (whether registered or not), logos and brands pertinent to this Framework Agreement Available Service means any of the Services listed in schedule 3 (Services) BCDR Plans means the business continuity and disaster recovery plans set out or referred to in schedule 13 (Solution) as may be amended from time to time Business Continuity Plan means the plan set out in schedule 13 (Solution), as may be amended from time to time 10-404788-3 33 Catalogue means the catalogue of Services that shall be made available to the Authority by the Supplier in electronic format. The Catalogue shall specify the Catalogue Entries Catalogue Entry means a listing of a Service in the Catalogue Change has the meaning given in clause 12.2 Change of Control means a change of control as defined by Section 416 of the Income and Corporation Taxes Act 1988 in the Supplier or its Parent Company Charges means in relation to any Contract, the charges set out in schedule 2-2 (Services) and 2-3 (Charges) of that Contract Charges Variation Procedure means the procedure for varying the Charges specified in a Contract specified in schedule 2-2 (Services) and 2-3 (Charges) of the relevant Contract Complaint means any complaint made by a Customer in respect of the Supplier not fulfilling its obligations under the terms of a Contract, other than not meeting any applicable Service Levels Confidential Information means any information, however it is conveyed, that relates to the business, affairs, developments, trade secrets, know-how, personnel and Suppliers of either party, including Intellectual Property Rights, together with all information derived from the above in relation to the Framework Agreement or the Contracts, any information related to the Services, Users of the Device and/or Red Alerts and Amber Alerts, and any other information clearly designated as being confidential (whether or not it is marked as confidential) or which ought reasonably to be considered to be confidential Contract means the binding agreement for the provision of Ordered Services entered into by the Supplier and a Customer (and where relevant the Authority) in accordance with the provisions of this Framework Agreement. Each Contract shall be constructed by the Supplier, using the relevant Model Contract in schedule 2 (Model Contract) Contract Change Procedure means the contract change procedure, specified in clause 6 (Amendments to this Contract) of any Contract, for making changes to a Contract Contracting Authority means a contracting Authority as defined in Regulation 5(2) of the Public Contracts Works Services and Supply (Amendment) Regulations 2000 Customer means a Potential Customer that has entered into Contract or has made an Order Data Controller shall have the same meaning as set out in the Data Protection Act 1998 Data Protection Requirements mean the Data Protection Act 1998, the EU Data Protection Directive 95/46/EC, the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699), the Electronic Communications Data Protection Directive 2002/58/EC, the Privacy and Electronic Communications (EC Directive) Regulations 2003, and all applicable laws and regulations relating to processing of personal data and privacy, including where applicable the guidance and codes of practice issued by the Information Commissioner Days means calendar days 10-404788-3 34 Default means any breach of the obligations of any party (including fundamental breach or breach of a fundamental term) or any default, act, omission, negligence or negligent statement of any party, its employees, agents or sub-contractors in connection with or in relation to the subject matter of this Framework Agreement, including Contracts arising hereunder, and in respect of which such party is liable to the other Default Service Level means the threshold level of service performance identified as such in the table in part 3.10 of schedule 3 (Services) Device means a lone worker device as specified in schedule 3 (Services) including any accessories or peripheral items supplied by the Supplier pursuant to this Framework Agreement or a Contract Device Refresh means refresh of device on replacement and shall include one or more of firmware upgrade, battery and casing Environmental Information Regulations mean the Environmental Information Regulations 2004 and any guidance and/or codes of practice issued by the Information Commissioner in relation to such regulations Environmental Questionnaire means the environmental questionnaire that can be accessed directly via the dedicated website: http://seq.ogcbuyingsolutions.gov.uk/Suppliers/ Escalation Contact is the escalation point(s) that the ARC will contact in the event of a Red Alert False Alarm is a Red Alert signal that is accidentally or unintentionally activated Force Majeure Event means the occurrence after the date of this Framework Agreement of: (a) war, civil war, armed conflict or terrorism; or (b) nuclear, chemical or biological contamination unless the source or the cause of the contamination is the result of the actions of or the breach by the Supplier or its SubContractors; or (c) pressure waves caused by devices travelling at supersonic speeds, which directly causes either party (the Affected Party) to be able to comply with all or a material part of its obligations under this Framework Agreement Framework Agreement means this Framework Agreement, comprised of the clauses and schedules Framework Manager means a representative of either party responsible for ensuring the parties are performing their obligations under this Framework Agreement FOIA means the Freedom of Information Act 2000 and any subordinate legislation made under this Act from time to time together with any guidance and/or codes of practice issued by the Information Commissioner in relation to such legislation Genuine Alarm means a Device activated due to User's perceived personal safety risk Genuine Alarm Escalated to the Emergency Services means an Alarm raised by a User and escalated to the Emergency Services 10-404788-3 35 Genuine Alarm Closed Safely means an Alarm raised by a User due to a perception of risk where the alarm is subsequently closed by the User due to risk disappearing Good Industry Practice means the exercise of that degree of skill, care, prudence, efficiency, foresight and timeliness as would be expected from a leading company within the relevant industry or business sector Guidance Notes means the guidance notes that advise Potential Customers on the appropriate use of this Framework Agreement to be provided by the Authority Health Service Body means a health service body as defined in Section 9(4) National Health Service Act 2006 and any foundation trust. Implementation Plan means the plan for the implementation of the Solution attached at part 2 of schedule 4 (Implementation Plan) Indexing has the meaning ascribed to it in schedule 9 (Charges Variation Procedure) Information has the meaning given under section 84 of the Freedom of Information Act 2000 Intellectual Property Rights means patents, trade marks, service marks, design rights (whether registrable or otherwise), applications for any of the foregoing, copyright, database rights, trade or business names and other similar rights or obligations whether registrable or not in any country (including but not limited to the United Kingdom) Invoicing Procedure means the procedure by which the Supplier invoices the Customer, as set out in schedule 2-2 (Services) and 2-4 (Invoicing Procedure) of each Contract Law means any applicable law, statute, bye-law, regulation, order, regulatory policy, guidance or industry code, rule of court or directives or requirements of any Regulatory Body, delegated or subordinate legislation or notice of any Regulatory Body Location Fix means last known good position obtained either by an Amber Alert, location based tracking service or GPS unit Lone Worker Guidance is Guidance provided by the Authority to NHS healthcare organizations and their staff to assist them to develop, implement and disseminate local policies and procedures that address the needs of, and minimise the risks faced by lone workers and to meet their legislative responsibilities under the Health and Safety at Work Act (1974) Materials means all training materials, protocols, alarm receiving centre scripts and documentation produced by the Supplier for the provision of the Services including the User Information form Management Information means information supplied by the Supplier to the Authority in accordance with the provisions of schedule 7 (Management Information) Maximum Charges means the maximum charges set out in schedule 5 (Charges) as the same may be varied from time to time in accordance with schedule 9 (Maximum Charges Variation Procedure). Maximum Charges Variation Procedure means the procedure for varying the Maximum Charges specified in schedule 9 (Maximum Charges Variation Procedure). 10-404788-3 36 Milestone means the milestones set out in part 2 of schedule 4 (Implementation Plan) Milestone Date means the date for achievement of the relevant Milestone set out in part 2 of schedule 4 Minimum Service Levels means the minimum levels of service set out in schedule 3 (Services) Model Contract means each of the model contracts in schedule 2 (Model Contract) which specifies the terms and conditions for Contracts Month means a calendar month and “Monthly” shall be similarly construed NHS means the National Health Service in England OJEU Notice means contract notice dated 27 May 2008, reference 2008/5 101-135947 placed by the Authority in the Official Journal of the European Union Operational Change means any change, decision or item specifically identified as such in this Framework Agreement Operational Change Procedure means the procedures specified in schedule 8 (Agreement Change Procedure) for making operational changes Order means an order for Services served by the Customer on the Supplier in accordance with the Ordering Procedures Ordered Service means an Available Service selected by a Customer and included in schedule 2-2 (Services) of a Contract following the placing of an Order Ordering Procedures means the ordering procedures specified in schedule 6 (Ordering) Parent Company means any company which is the ultimate Holding Company of the Supplier or any other company of which the ultimate Holding Company of the Supplier is also the ultimate Holding Company and which is either responsible directly or indirectly for the business activities of the Supplier or which is engaged in the same or similar business to the Supplier. The term “Holding Company” shall have the meaning ascribed by Section 1159 of the Companies Act 2006 or any statutory re-enactment or amendment thereto Personnel Vetting Procedures means the Authority's procedures and departmental policies for the vetting of personnel whose role will involve the handling of information of a sensitive or confidential nature or the handling of information which is subject to any relevant security measures Potential Customer means any of the bodies referred to in the OJEU Notice as being customers or potential customers of the services to be provided under this Framework Agreement Process shall have the same meaning as under the Data Protection Act 1998 Project Specific IPR means IPR in items created by the Supplier (or by a third party on behalf of the Supplier) specifically for the purposes of this Framework Agreement Quarter means a three (3) Month period beginning on 1 January, 1 April, 1 July or 1 October. The term “Quarterly” shall be similarly construed 10-404788-3 37 Records means such full and accurate records as are required to be kept by the Supplier to satisfy the requirements of clause 38, Audit Red Alert means an alarm activation to the ARC from a Device which is listened to and recorded by the ARC Regulatory Bodies means those government departments and regulatory, statutory and other entities, committees and bodies which, whether under statute, rules, regulations, codes of practice or otherwise, are entitled to regulate, investigate, or influence the matters dealt with in this Framework Agreement or any other affairs of the Authority and “Regulatory Body” shall be construed accordingly Relevant Person has the meaning given in clause 34.1(a). Reports means reports submitted by the Supplier to the Customer as specified in schedule 22 (Services) and 2-5 (Contract and Service Management) Requests for Information means a request for information or an apparent request under the Code of Practice on Access to Government Information, FOIA or the Environmental Information Regulations Security Policy means the security policy in schedule 14 (Security Policy) Self Audit Certificate means the certificate, a model of which is in schedule 11 (Model Form of Audit Certificate), to be completed by the Supplier’s auditor and provided to the Authority in accordance with the provisions of clause 38, Audit Service Commencement Date means the date of commencement of the provision of the Ordered Services by the Supplier in accordance with the Order Service Credits means the service credits specified in part 3.9 and 3.10 of schedule 3 (Services) which shall be payable to the Authority by the Supplier in the event that the Service Levels are not met in respect of Ordered Services Service Desk means Supplier second line technical support team/function that deal with technical failures or issues with Devices Service Incident is an event which results in disruption to the Services Service Level Failure means a failure on the part of the Supplier to deliver the Services to a User in accordance with the terms of a Contract Service Levels means the levels of service defined in part 3.9 and 3.10 of schedule 3 (Services) Service Maintenance means Supplier second line technical support team/function that deal with technical failures or issues with Devices Services means the services to be provided under this Framework Agreement and “Service” shall be construed accordingly Solution means the organisational and technical framework, including the alarm receiving centre necessary to provide the Services to Customers as set out in schedule 13 (Solution) 10-404788-3 38 Standard Operating Procedures or SOP's means the drilled down day to day operational procedures and process maps that describe, in detail, each activity carried out to deliver the Services Standards and Regulations means the standards and regulations as set out in schedule 17 (Standards and Regulations) which the Supplier shall comply in the provision of Ordered Services and in relation to its responsibilities and obligations hereunder Status Check is the process by which a Device is checked for battery charge level and strength of network Sub-Contractor means any supplier and/or key third party selected, appointed and managed by the Supplier, subject to the Authority’s consent pursuant to the provisions of clause 36.1, in accordance with the provisions of schedule 10 (Sub-contractors), including the SubContractors specified in schedule 10 (Sub-contractors). The terms “Sub-Contract” and “SubContracting” shall be similarly construed Supplier Personnel means all employees, agents, consultants and contractors of the Supplier and/or of any Sub-contractor Technology Refresh means full Device repair and refurbishment, battery replacement, and software upgrade (if applicable), testing and repackaging in new plastics Term means the term of this Framework Agreement as set out in clause 16.1 (Term, Suspension and Termination), subject to an early termination pursuant to clause 16.3 (Term, Suspension and Termination), Termination Events means each of the events specified in clause 16.5 (Term, Suspension and Termination), Trade Mark means a sign, including words, logos, pictures or a combination of these, which distinguishes the Services of one Supplier from those of another, or as otherwise set out in the Trade Marks Act 1994 User means an individual whom the Customer permits to use the Ordered Services in accordance with the terms of a Contract User Information means personal data provided to the Supplier by the User which is captured by the User Information form User Information Form means the form issued to all Users to capture User, contact and work details, and personal information which shall include a signed agreement of the User's consent for the Supplier to obtain an approximate location fix in the event of a Genuine Red Alert, and the consent for the Supplier to hold the information contained on the form in accordance with the Data Protection Act 1998 Working Days means Monday to Friday inclusive, excluding English public and bank holidays Year means a calendar year 10-404788-3 39 Schedule 2 Model Contracts Part 1- Model Contract (Customer funded) 10-404788-3 40 10-404788-3 41 Part 2- Model Contract (Authority part funded) 10-404788-3 42 10-404788-3 43 Schedule 3 The Available Services, Service Management, Minimum Service Levels and Standard Service Credits 1 Introduction 1.1 This schedule 3 specifies: 2 (a) each of the Services that the Supplier shall make available to Potential Customers; (b) the Service Management provisions; (c) the Minimum Service Levels applicable to each of the Services; and (d) the Standard Service Credits applicable where Service Levels are not met. The Services - Implementation and Mobilisation The Services that will be supplied by the Supplier in respect of implementation and mobilisation are as set out in schedule 4 (Delays and Implementation). Part 3.1 - Service Management 1 Service Desk 1.1 The Service Desk shall operate as a managed service with a single point of contact for all Service interactions with the Supplier, irrespective of whether this is in relation to order and fulfilment, queries, faulty or damaged Devices, lost or stolen Devices, or request for change (RFC). The Supplier shall process Orders for the Services that are in written format, in accordance with schedule 6 (Ordering Procedure,) from the Authorised Customer Representative. 1.2 The Supplier shall provide a dedicated freephone number for Users to contact the Service Desk. The Service Desk, provided by the Supplier to support the Services, is accessed through a non geographical, non premium number: 0800 8407121. The Customer should ensure that this number is not blocked on their telephone systems so as to ensure Users have access to adequate ongoing information and support. 1.3 Should calls to the Service Desk be recorded for training purposes, the Supplier shall notify the caller either by automated message before being connected to the Service Desk Supplier Personnel, or the Service Desk Supplier Personnel shall inform the caller verbally on answering the call. 1.4 The Authority, Users, Customers, and Authorised Customer Representatives shall be able to communicate with the Service Desk via: 10-404788-3 (a) Telephone (b) Email (c) Fax (d) Web portal 44 (e) 1.5 Letter Location The Service Desk shall be co-located in Pontefract within the Alarm Response Centre (ARC). (a) Primary Site: Reliance Security Group Limited PO Box 159 Pontefract West Yorkshire WF8 1NB (b) Disaster Recovery (DR) Location: Reliance Security Group Limited PO Box [ ] Manchester M22 55QZ 1.6 1.7 Service Desk Hours of Operation (a) The Service Desk shall be available between 6am and 8pm, Monday to Friday, excluding weekends and Bank Holidays. (b) There shall be an overlap of Service Desk Supplier Personnel in which a full handover of activity and events shall occur within the Service Desk Working Day. Out of Hours Service Desk Operation (a) (b) 10-404788-3 Between the hours of 8pm and 6am, weekends/bank holidays shall be covered by the ARC Supplier Personnel. The ARC Supplier Personnel shall: (i) Take all out of hours Service Desk calls; (ii) Log all RFC’s for Services on the customer relationship management system (CRM); (iii) Provide User advice; (iv) Carryout first level diagnostic for technical questions or faulty/damaged Devices; (v) Carry out a Location Fix via the location tracking software for lost/stolen Devices and log requests for replacement Devices; (vi) Advise response time with the User; (vii) Provide CRM reference numbers; Out of hours requests for further action, process and follow up shall be logged at the time of the call and passed to the Service Desk Supplier Personnel via CRM. The Service Desk Supplier Personnel shall action, process and follow up on the calls during core hours of operation. 45 1.8 Use of dedicated/non dedicated staff The facility at Pontefract and the Service Desk Supplier Personnel shall be dedicated to the Services, with Supplier Personnel performing all administration tasks relating to implementing new Users and ongoing support for existing Users. The Service Desk Supplier Personnel shall be able to access all associated systems to ensure quick and effective resolution of all issues, managing all enquiries and queries through to resolution, engaging with the ARC and Service Maintenance functions as necessary. 1.9 Resource Levels The Supplier shall provide sufficient Supplier Personnel to ensure it can perform the Services to the agreed Service Levels. 1.10 Managing peaks and troughs in Service Desk workload including absences The Supplier shall manage peaks and troughs, including absences, to ensure it can perform the Services to the agreed Service Levels. 1.11 Managing Attrition (a) (b) Attrition for the Service Desk Supplier Personnel shall be managed by actively engaging staff in the following ways: (i) Monthly 1-2-1 performance sessions where goals related to performance against KPI’s shall be discussed; (ii) Quarterly Individual Development Plan (IDP) sessions that agree plans for achieving career goals, e.g. gaining leadership experience; (iii) Monthly Supplier Personnel team briefings to improve communication and encourage participation; (iv) Continuous improvement scheme to reward Supplier Personnel for making suggestions to improve the way Supplier Personnel work; (v) Regular team building events; (vi) A staff forum where Service Desk Supplier Personnel shall be given the opportunity to raise areas of concern or make suggestions; (vii) Provide leadership and training opportunities for Supplier Personnel; and (viii) Investing in, and implementing technical solutions to improve operating efficiency. Given the sensitive nature of the Services, the Supplier shall use reasonable endeavours to maintain annual attrition levels below 15%. Where yearly attrition exceeds 15%, or the Supplier anticipates that the 15% threshold may be exceeded, the Supplier shall notify the Authority and discuss and agree an action plan to stabilise the attrition rate. The Supplier shall form a project team whose primary task shall be to look at possible reasons for higher than anticipated attrition. The project team shall look at: (i) 10-404788-3 Local competition, e.g. new ARC established; 46 1.12 (ii) Supplier Personnel pay and conditions versus other local employers; and (iii) Service Desk related issues contributing to higher attrition. Recruitment, training and accreditation of Service Desk Supplier Personnel (a) All vetting and recruitment of Service Desk Supplier Personnel shall be in accordance with clause 24 (Personnel Security). (b) Selection shall be by way of competency based interviews and satisfactory results of computer literacy tests. All recruits shall undergo a comprehensive induction process to introduce employees to the Service Desk, ARC and Devices. This includes health and safety information as well as fire evacuation procedures. (c) The Supplier Personnel shall be trained in the following: (i) (A) Service Desk processes and protocols; (B) Risks/dangers faced by NHS lone workers; (C) Difference to traditional alarms; (D) Device use and maintenance; (E) User Service needs; and (F) Examples of good/bad Red/Amber Alerts. (ii) Conducting Dynamic Risk Assessments (iii) Delivering Excellent Customer Service (iv) 10-404788-3 The Services - An Introduction (A) Dealing with difficult customers; (B) Dealing with difficult situations; (C) Working within time bound parameters; (D) Working with stressful situations; and (E) Taking objective decisions. Understanding the Customer (A) NHS organisational structure; (B) NHS Users and their situations; (C) NHS acronyms and definitions; (D) NHS User work profiles; (E) NHS User environmental knowledge; and 47 (F) 1.13 1.14 (v) Use of CRM; (vi) Use of Alarm Handling Software; (vii) Telephone techniques; (viii) Email etiquette; and (ix) Soft skills. (d) All Supplied Personnel shall have individual training records that keep a record of all training received and shall be reviewed regularly. (e) All Service Desk Supplier Personnel shall undergo training and competency assessment before inclusion in the rota. They shall be continually assessed and receive ongoing and annual refreshment training in accordance with contract and service needs, and in accordance with development reviews and individual assessment. (f) The Authority will accept and test the training material in accordance with the Operational Change Procedure with any further amendments being in accordance with the same procedure. Vetting of Service Desk Supplier Personnel (a) All vetting and recruitment of Service Desk Supplier Personnel shall be in accordance with clause 24 (Personnel Security). (b) The Supplier shall employ a series of rigorous checks on all candidates for employment. These include: (i) Five year employment and education screening check; (ii) Mandatory take up of character references; (iii) Credit check; and (iv) Criminal Records Bureau (CRB) check. Service Maintenance (second line support) (a) The Supplier shall provide a second line support function as an extension to the Service Desk. The Service Maintenance Supplier Personnel shall be co-located in Pontefract within the Service Desk and Alarm Receiving Centre. (b) Service Maintenance shall be available between 9am and 5pm Monday to Friday and will provide sufficient Supplier Personnel to ensure it can perform the Services to the agreed Service Levels. (c) Service Maintenance shall provide the following functions: (i) 10-404788-3 NHS working Conditions. Configuration of all Devices with SIM cards, logging details on the Alarm Handling Software; 48 1.15 (ii) Re-configuration of Devices and logging any change on the Alarm Handling Software; (iii) Second line technical support to all Users on problem solving, usability issues, SIM issues; (iv) Shipping and receipt of any faulty, damaged, lost or stolen Devices and/or their replacements in line with agreed service levels; and (v) Managing the Technology Refresh of any Device returned. Ordering and Fulfilment process The Supplier shall adhere to the Ordering Procedures set out in schedule 6 (Ordinary Procedures). 1.16 Production and Authority acceptance (in accordance with the Operational Change Procedure) of Service Desk Standard Operating Procedures, scripts and process flows. (a) 1.17 The Supplier shall design a set of bespoke process maps, protocols and scripts to deal with the range of Service Desk transactions. The Authority will accept and test the SOP’s, scripts and process flows as defined in the Implementation Plan in accordance with the Operational Change Procedure. The Supplier shall conduct reviews with the Authority in order to modify, expand or amend existing process maps, protocols and scripts to conform to the needs of the Authority. These reviews shall be conducted by the Supplier, in the form of Supplier operational and account management staff, as required. Any further amendments will be in accordance with the Operational Change Procedure. Capture and Collation of User Data (c) The Supplier shall capture and collate data for all Users. Every User shall complete and sign a User Information Form, which provides information specific to individual Users, an example of which is attached at Appendix 1. The minimum/mandatory data set required for setting up a User is: 10-404788-3 (i) First Name; (ii) Surname; (iii) Date of birth; (iv) Job role; (v) Customer; (vi) Department; (vii) Work mobile (if issued); (viii) Site contact telephone number (if available); (ix) Password (for example: mother’s maiden name); 49 (x) 2 x escalation contacts (in hours): name, position and contact number(s); (xi) 1 x escalation contact (out of hours): name, position and contact numbers; and (xii) Sex. The additional (desirable) information required for setting up a User is: (b) 1.18 Title (Mr/Mrs/Miss/Ms/Other); (xiv) Known as/nickname; (xv) Work email; (xvi) Personal mobile; (xvii) Normal working pattern; (xviii) Hair colour; (xix) Ethnic origin; (xx) Height; (xxi) Weight; (xxii) Car details (make/model/registration/colour; and (xxiii) Medical conditions. All Users must complete and sign a User Information Form which includes consent for the use of the Location Fix in the event of a Genuine Alarm and accepts terms relating to data security. The Supplier shall only perform a Location Fix on a Device if: (i) Requested by the User; (ii) Genuine Alarm activated; and (iii) Device reported lost or stolen. (c) The minimum/mandatory and additional (desirable) data set shall be used to populate the CRM/Alarm Handling Software User record. (d) Escalation details for each User shall be obtained from the Authorised Customer Representatives prior to ‘go live’. (e) Users must have completed and signed a User Information Form, and successfully completed the lone worker training programme before they can utilise the Device and Services. Integrity and security of data (a) 10-404788-3 (xiii) All data relating to the Device (e.g. serial number, software version number, commission date) SIM (e.g. phone number and serial number), and User, shall be 50 kept secure within a dedicated CRM system. All of this data shall be kept up to date in real time, with a time/date stamp audit trail. 1.19 1.20 10-404788-3 (b) All Supplier users of the CRM application shall need to supply a username and password to gain access. Remote CRM users (i.e. Supplier Account Managers, Supplier Trainers, Supplier Service Maintenance) shall only be able to access the CRM system from the Supplier’s PCs which are part of the Supplier domain. The CRM application shall not be available across the Internet. (c) The CRM application will be available to Supplier’s remote CRM users across a Virtual Private Network (VPN). (d) The Supplier shall comply with ISO/IEC 27001 accreditation in relation to data security, as detailed in schedule 14 (Security Policy). Customer Surveys (a) The Service Desk shall monitor User feedback on satisfaction levels via all communication channels (telephone, e-mail and letters on a monthly basis and produce result and trend analysis with recommendations and actions to enable the Supplier continuously to improve the quality of the Service. The Supplier shall provide the results of this feedback to the Authority within 5 Working Days of the end of each reporting period. The Service Desk’s User feedback monitoring each month shall target 1% of all Users. If less than 30% of Users engaged in this process are willing to provide feedback, an alternative means of communication to that initially employed shall be used, so as to increase the level and quality of feedback received. (b) The User feedback shall contain, but not be limited to, considerations of the quality of: (i) The Service; (ii) The Device; (iii) Training; (iv) Service maintenance; (v) Service Desk support; (vi) ARC support; and (vii) Publicity and communication, including the website. (c) In addition, the Supplier shall conduct a more detailed annual survey targeting all registered Users. This survey shall secure a response of at least 25% of Users and the results shall be made available to the Authority within one month of the closing date of returns. (d) The Supplier shall ensure that the content of User feedback and User Satisfaction Surveys are accepted and tested by the Authority in accordance with the Operational Change Procedure, with any further amendments being in accordance with the same procedure. Dealing with Service Desk Queries: 51 1.21 (a) The CRM application to be used by the Service Desk Supplier Personnel shall be fully auditable and transparent to Supplier Authorised Personnel, logging and tracking all enquiries and interactions with clients, regardless of nature. This is supported by the Return Merchandise Authorisation (RMA) process and RFC processes, which are fully transparent and auditable to Supplier Authorised Personnel. (b) Users shall be informed of resolution timescales at the outset of each enquiry. (c) The Service Desk shall validate the authenticity of Users making service changes through standard identification questions (name, Device details etc), in line with the Security Policy. (d) The Supplier shall obtain verbal agreement from Users before any call is closed down. This shall be supported by confirmation of actions/resolutions, typically by email or text. Where the Supplier is unable to contact the User for verbal agreement to close a call, or where the User is not satisfied with the resolution and that appropriate action has been taken by the Service Desk to resolve the issue, the Service Desk Supplier Personnel shall contact the appropriate Authorised Customer Representative to agree call closure or appropriate action. (e) The Service Desk Supplier Personnel shall attempt to contact the User two times on consecutive days and then escalate to the Users Escalation Contact, with the Service Desk attempting to contact the Escalation Contact two times on consecutive days, after which the Service Desk will close the communication. User Refresher Training As detailed in Part 3.2 (User Training), the Service Desk Supplier Personnel shall, at the request of the User, either provide telephone refresher training at the time of the request, or arrange refresher training via the Supplier trainer. The Service Desk Supplier Personnel shall confirm training arrangements, made with the Supplier trainer, to the User via email. 1.22 Services Disruption As described in Part 3.5 (Networks), the Service Desk shall notify any Users and Authorised Customer Representative, in the affected area, of an unplanned network outage via email or text, within a maximum of 8 minutes of notification from the Network Operator. The Supplier shall notify Users of the outage and that for an estimated period of time they should not rely on their Device. Any communication to Users and Authorised Customer Representatives shall provide a clear indication of the estimated time of the outage and the start time of the outage, if it is planned. The communication shall also include the Service Desk telephone number for any User or Authorised Customer Representative to call should they have any questions. 1.23 Escalation Contact Audit Process In addition to specific requests from Users and Authorised Customer Representatives to change escalation details, the Service Desk shall carry out an audit of escalation details kept on record to ensure that Escalation Contacts are kept up to date. The Service Desk shall carryout an audit of 5% of Users, on a quarterly basis. 1.24 Dealing with faulty Devices, User damage and stolen Devices: (a) 10-404788-3 Faulty/Damaged Device Process 52 (b) 10-404788-3 (i) Users shall either telephone the Service Desk to report a faulty/damaged Device, or log a CRM case via the web portal; (ii) The User shall be given a reference number generated by the CRM system to enable them to track progress via the Service Desk; (iii) The Service Desk shall carry out an initial diagnostic to establish the cause of the fault. Where User error is identified as the cause, the Service Desk Supplier Personnel shall provide advice on the correct use and provide details of refresher training, should it be required; (iv) Where the Device has no signal or is diagnosed as faulty or damaged as a result of the initial diagnostic carried out by the Service Desk Supplier Personnel, the User shall be advised to put the Device on charge to enable Service Maintenance to carry out further diagnostic and resolution; (v) Where faults cannot be remedied remotely, the Service Desk Supplier Personnel shall contact the User to arrange a next Working Day delivery of a replacement Device/SIM. The Supplier shall agree with the User the most appropriate delivery address for them; this must take account of their working pattern and where they expect to be during the agreed date for delivery. Any replacement Device/SIM sent to the User shall also include prepaid packaging for the User to return any faulty Device or SIM, once they have completed the movement of SIM card from faulty Device to new Device. The Service Desk Supplier Personnel shall contact the User to ensure that the replacement Device/SIM has been received before the call is closed on the CRM system; (vi) The User shall return the faulty Device/SIM to the Supplier via the prepaid packaging. The Supplier accepts any risk associated with non-returned Devices. Lost/Stolen Device Process (i) Users shall contact the Police to report the loss or theft of the Device and obtain a crime/incident reference number. The User shall then telephone the Service Desk to report a lost or stolen Device; (ii) The User shall be given a reference number generated by the CRM system to enable the progress of the request to be tracked via the Service Desk or the web portal; (iii) The Service Desk shall arrange a next Working Day delivery of a replacement Device. The Supplier shall agree with the User the most appropriate delivery address for them; this must take account of their working pattern and where they expect to be during the agreed date for delivery. Any replacement Device sent to the User shall also include prepaid packaging for the User to return any retrieved Device, which shall then be posted back to the Supplier; and (iv) The User shall be transferred to the ARC Supplier Personnel who shall attempt to find the location of the lost or stolen Device via the location tracking software. The Device location, if found, shall be given to the User to either report to the Police (if stolen), or to attempt to retrieve the Device (if 53 lost, and safe to do so). If the Device is located the User shall send the Device to the Supplier for reallocation at a later date. The Supplier accepts any risk associated to non-returned Devices. The Service Desk Supplier Personnel shall contact the User to ensure that the replacement Device/SIM has been received before the call is closed on the CRM system; 1.25 Requests for change (a) (b) (c) User/Customer Details (i) Users/Customers shall telephone, email or fax the Service Desk, or log a request via the web portal; (ii) The Supplier Service Desk Personnel shall give the request a reference number generated by the CRM system to enable the progress of the request to be tracked via the Service Desk; (iii) Where Service Desk Supplier Personnel change User/Customer details on the CRM system or the Alarm Handling Software, all changes shall be recorded and time and date stamped, right through to each key stroke made by the individual; (iv) Once changes to User/Customer details have been made in the CRM system and Alarm Handling Software by the Service Desk Supplier Personnel, the User/Customer shall receive notification, via email or text, to confirm those changes. The email or text message shall include the new details entered in the CRM system; and (v) In addition to specific requests from Users to change User details, the Service Desk shall take a proactive approach to ensure that details are kept up to date, by periodically prompting 100% of Users to check/update their details, typically by email or text, a minimum of once a year. Device Reallocation (i) Authorised Customer Representatives shall telephone, email or fax the Service Desk, or log a request via the web portal; (ii) The request shall be given a reference number generated by the CRM system to enable the progress of the request to be tracked via the Service Desk; (iii) The Service Desk shall obtain a completed and signed User Information Form from the new User and immediately update the CRM system, the Alarm Handling Software, and the location tracking software with the new User details. The Service Desk Supplier Personnel shall arrange training for the new User. The new User CRM record shall be suspended until training has taken place; and (iv) Details of the old User will be deleted or marked as old as requested. Device Configuration (i) 10-404788-3 Users and Authorised Customer Representatives shall telephone, email or fax the Service Desk, or log a request via the web portal; 54 (d) 1.26 (ii) The request shall be given a reference number generated by the CRM system to enable the progress of the request to be tracked via the Service Desk. The User will be told to put the Device on charge and confirm this; (iii) Configuration requirements shall be recorded by the Service Desk and passed directly via CRM to Service Maintenance, second tier support, for remote configuration; (iv) Configuration requests shall be carried out by Service Maintenance within 8 Working Hours from the time the Device is placed on charge by the User. On completion, Service Maintenance will inform the Service Desk via the CRM system; and (v) The Service Desk shall notify the User of changes via e-mail or text, immediately following configuration changes. Device Cancellation/Termination/Suspension (i) Authorised Customer Representatives shall contact the Supplier Account Manager, who shall log the request with the Service Desk via telephone or the web portals; (ii) Cancellation is defined as those instances where the Customer has signed the Contract but subsequently decides to cancel the Contract or User(s) from the Contract before commencement of the Services. If the Customer provides written (to include email) notification to the Service Desk of the Cancellation within 10 Days of all parties signing the Contract as set out in clause 15.1(a) (Termination and Cancellation) of the Contract then no Charges shall be applied as detailed in schedule 5 (Maximum Charges); (iii) For termination, the Service Desk shall arrange the return of the Device for future allocation, termination of the SIM, update the CRM system, and remove the existing User from the location tracking software. Early termination fees will apply as detailed in schedule 5 (Maximum Charges); and (iv) For suspensions, the Authorised Customer Representative shall have the ability to suspend Devices for a minimum of `1 month and a maximum of 3 months, as outlined in schedule 5 (Maximum Charges). For periods over 12 weeks the responsibility shall be for the Authorised Customer Representative to redeploy the Device. The Authorised Customer Representative shall inform the Supplier of the expected duration of the suspension, and the Supplier shall notify the Authorised Customer Representative a week before the end of the suspension period. Interface with the ARC The CRM system shall be accessible to authorised Supplier Personnel in both the Service Desk and the ARC. The CRM system shall be used for recording and updating User details, User history, Device details, RFCs, and caller interaction logging. 1.27 10-404788-3 User Information Resources for different categories of NHS staff e.g. User, LSMS, Customer etc and to include Information website 55 (a) (b) (c) 1.28 10-404788-3 The Service Desk shall provide the following information to Users, Authorised Customer Representatives and Customers: (i) Frequently asked questions (FAQs) relating to both Device (for example, how to use, when to use, network coverage issues); (ii) Queries relating to the Services (for example, "how do I change personal details, reallocate Devices, book training or refresher training"); (iii) On-the-phone User refresher training; and (iv) Authorised Customer Representative contact details for Users. The Supplier shall also develop a web portal for Users, Authorised Customer Representatives and Customers to provide the following information: (i) Service Desk contact details; (ii) FAQs; (iii) General information - Services and Device; (iv) On-line training for Users; (v) On-line queries logging; and (vi) RFC logging. Through dialogue with the Authority and Customers, the Supplier shall ensure the online support to Users is continuously developed. Any amendments shall be updated in accordance with the Operational Change Procedure. Complaint Handling (a) Users, Customers, Authorities, and Authorised Customer Representatives shall telephone, email, fax or write to the Service Desk, or log a complaint via the web portal. All complaints shall be acknowledged by the Supplier by e-mail within 2 Working Hours of receipt, including resolution timescale. (b) Complaints shall be logged on the CRM system and given a reference number to enable the progress of the complaint to be tracked via the Service Desk. (c) Complaints shall be categorised as follows: (i) Service; and (ii) Technology. (d) All first stage complaints shall be sent to the Service Desk Supplier Personnel (Supervisor), who shall investigate the complaint and respond within 5 Working Days. (e) In the event that the complaint is not resolved to the complainant’s satisfaction, the Service Desk Supplier Personnel (Supervisor) shall escalate the complaint to a second stage, and confirm the resolution timescale to the complainant. The complaint shall be escalated to the Supplier Personnel (Operations Manager) and the 56 Supplier Personnel (Account Manager). Both the Supplier Personnel (Operations Manager) and the Supplier Personnel (Account Manager) shall investigate the complaint, liaising directly with the Authorised Customer Representative and respond within 5 Working Days of receipt from the Service Desk Supplier Personnel (Supervisor) (maximum of 10 Working Days from the initial complaint). (f) Information surrounding each complaint shall be provided to the Authority as set out in schedule 7 (Management Information). Part 3.2 - User Training 1 User Training 1.1 The Service shall comprise of an integral training model to ensure that every User receives comprehensive training in order to understand how and when to operate the Device, and the support provided by the Supplier to the User. The Supplier shall ensure that face-to-face training shall be the primary format for the Service. The User training provided by the Supplier shall conform with the Authority’s lone worker Guidance 1.2 Scheduling User Training (a) Implementation-Roll Out Once an Order has been obtained, and if deemed necessary (scale of Order), the Supplier account manager shall be responsible for setting up a project team made up of the following: (b) 10-404788-3 (i) Supplier account manager; (ii) Authorised Customer Representative(s); (iii) Representative bodies (at Customer’s discretion); and (iv) Department managers (at Customer’s discretion). The project team shall, based on the Order, agree: (i) Number of Devices versus Users (pooled Devices); (ii) Local knowledge on most suitable Network Operator; (iii) The Authorised Customer Representative and a deputy; (iv) Department managers contact details; (v) Escalation Contact points; (vi) Customer lone worker Policy and Procedure; (vii) Police contact – Crime Reduction Officer (CRO); (viii) Suitable training course locations to cope with the User numbers; (ix) Training course roll out; and 57 (x) 1.3 Go live roll out. (c) The training course and go live roll out shall take into account User holiday and seasonal availability trends. (d) The Service Desk shall use the CRM system to create a framework of training course times, dates and locations. (e) The Service Desk shall contact the Authorised Customer Representative by telephone or email and agree allocation of each User to a specific training course. Where User emails are provided by the Authorised Customer Representative, the Service Desk Supplier Personnel shall confirm details of the schedule training via email to the User. The Supplier shall provide the schedule of User training to the Authorised Customer Representative. (f) The Supplier shall work closely with the Authorised Customer Representative to maximise attendance for each training course. (g) Individual Training (i) Where individual training is required by the User post implementation/roll out, the User shall be able to join one of the daily courses delivered by the local Supplier trainer. In addition, the Supplier shall provide a monthly face to face training course, organised by Customer or by region. Each course shall be limited to 15 Users and shall last no longer than 2 hours; (ii) The Supplier shall also run web training courses on Friday of each week for Users who request further training via the web portal or the Service Desk. The training courses shall typically last 1 to 1.5 hours. Type of training The Supplier shall agree with the Authorised Customer Representative the appropriate timescale for training. For urgent training requests, the Supplier shall provide training within 2 Working Days. (a) Face to face The Supplier shall provide face to face training for Users in courses for a maximum of 15 persons, each course lasting no more than 2 hours. Where Users do not return completed User Information Forms prior to training, the Supplier trainer shall provide the User with a User Information Form for completion at the training course. Devices shall be handed out to individuals at the time of training. Device go-live shall normally commence 5 Working Days post training to allow Users to become accustomed to the Device in test mode and for User details to be set up on the Alarm Handling Software. With the agreement of the User, this period can be shortened to no less than 2 Working Days. (b) Web training The Supplier shall provide web-based training for: (i) 10-404788-3 Users who are unable to attend face to face training; 58 (ii) Users who require refresher training, and are unable to attend face to face training; and (iii) Urgent training requests where face to face training is not practical. The User shall log on to the web application and shall view training slides (controlled by the trainer) and also join a teleconference call. Users shall receive an email ‘invitation’ to the course which shall include the relevant information to access the web portal. The Supplier shall post the pre-configured Device to the User prior to web-based training. The Supplier shall agree with the User the most appropriate delivery address for them; this must take account of their working pattern and where they expect to be during the agreed date for delivery. Users shall be required to have their Devices with them during the training course. (c) Training for grouped and/or pooled Devices The Supplier shall deliver training via face to face and web training methods as described 1.3(a) and (b) above. The training shall be tailored for Users of pooled Devices and shall inform the User of the importance of leaving their full name as part of any Amber Alert message to enable the ARC Supplier Personnel to identify the User in the event of a Red Alert. Failure to leave name details shall not result in a drop in ARC response times, but it may inhibit a fully effective response from the emergency services. (d) Other training (e.g. webex) The Supplier shall provide administrator training to the Authorised Customer Representative. The training shall cover the administration processes during implementation, and ongoing day-to-day User support processes. Training courses shall last 1.5 hours. The Supplier shall provide Administrator training via the following methods: (e) (i) Face to face training at the Customer premises; (ii) Web-based training; and (iii) Face to face courses held regionally. Refresher training Refresher training content shall be tailored to the requirements of the Users attending the course, and shall also include some/all of the content mentioned in (f)(i) to (x). (i) 10-404788-3 The Supplier shall provide self-help online support where Users shall be able to access: (A) Frequently Asked Questions (FAQs); (B) Video clips to show the ARC and Service Desk operation; (C) Descriptions and commentary of the key functions of the Devices; (D) Downloadable training literature; and (E) Request for further assistance. 59 (f) (ii) The Supplier shall run web training courses on Friday of each week for Users who request further training via the web portal or the Service Desk. The training courses shall typically last 1 – 1.5 hours. (iii) The Supplier shall provide telephone refresher training for Users as required. (iv) The Supplier shall provide a monthly refresher face to face training course, organised by Customer or by region. Each course shall be limited to 15 Users and shall last no longer than 2 hours. Course content objectives The Supplier shall include the following content in User training via face to face or web based formats: (g) 1.4 (i) The rationale for the Department of Health’s objective for the protection of NHS staff together with the User's responsibilities for their own safety and the use of the Service; (ii) Key Services Maintenance); (iii) How to the use the Device; (iv) When to use the Device; (v) Alarm handling process and escalation through to the emergency services; (vi) Dynamic risk assessment process linking the Customer’s lone worker Risk Assessment with the Supplier’s Solution; (vii) Customer responsibilities; (viii) User responsibilities; (ix) Go live process; and (x) Ongoing User support (post training) constituents (Devices, ARC, Service Desk, Service The Supplier shall provide Users with their own individual Device or a test Device to use during the training course. A test Device shall only be used when: (i) The training is for a pooled Device: the trainer shall ensure that test Devices are available for all Users to practice with (Devices shall be returned at the end of the training session); (ii) Additional Users attend the course – (Devices shall be returned at the end of the training session). Administrator Training The Supplier shall include the following content in Administrator training: (a) 10-404788-3 Key Services constituents (Devices, ARC, Service Desk, Service Maintenance); 60 1.5 1.6 1.7 (b) Process of setting Users up on the CRM system and the Alarm Handling System (User information forms and Escalation Contacts); (c) Request for change (RFC) and Return of Merchandise Authorisation (RMA) processes; (d) Ongoing User support (post training). Location of training (a) Face to face and administrator training shall be conducted at the Customer’s own premises, as agreed by the customer project team. These Customer locations shall be the primary location for training sessions for ease of User attendance and administration. The secondary option shall be regional Customer sites. The Supplier shall also offer their own national training locations as a tertiary option, at no cost to the Customer. (b) Training locations shall be recommended by the customer project team and assessed for suitability by the Supplier trainer. Customer training locations shall accommodate a minimum of 20 persons (Users/Trainers/Authorised Customer Representatives) and have the necessary power sockets to enable laptop/projectors to be utilised. Storage of Devices on Trust Premises (a) The Supplier may, at the discretion of the Customer, store Devices on Customer premises for the purposes of User training, at no cost to the Customer. (b) The full risk and liability in the devices will remain with the Supplier. (c) The Customer retains the right to refuse such storage of Devices or to require the Supplier to remove any stored Devices from its premises with reasonable notice and at no cost to the Customer. Creation and Authority acceptance (in accordance with Operational Change Procedure) of course material and documentation (a) Creation The Supplier shall, prior to delivery of any training courses, create and provide the Authority with all course material and documentation that shall be issued in all forms of training for the Service. This material shall be in the form of a Supplier controlled document. (b) Acceptance in accordance with the Operational Change Procedure. The Authority will accept and test the training material in accordance with the Operational Change Procedure. The Authority shall provide, in writing, to the Supplier any requests for amendments and the amendments accepted shall be included on the amendment record associated with the specific Supplier controlled document. Any further amendments shall be accepted in accordance with the Operational Change Procedure. 1.8 Supplier provision of Training Materials and Documentation The Supplier shall ensure that: 10-404788-3 61 1.9 (a) A comprehensive User guide is included with each Device; (b) A brief User guide is included with each Device; (c) Each User is given a Device at the point of face to face User training; (d) Hard copies of the training presentation, in a note-taking format, provided to the User during face to face training; (e) Administrator training is supported by hard copies of the training presentation in a note-taking format, and shall also include controlled documents associated with all procedures (flow charts, procedures, forms); and (f) All training materials and documents are controlled documents, and are available to download from the web portal. Production and Authority acceptance (in accordance with the Operational Change Procedure) of User training Standard Operating Procedures, scripts and process flows. All materials and documentation described in paragraph 1.6 above shall be developed by Supplier in close partnership with the Authority. The Authority will accept and test materials in accordance with the Operational Change Procedure. This shall include both development of initial materials and the ongoing development during the course of Framework Agreement. Any further amendments shall be accepted in accordance with Operational Change Procedure. 1.10 the the the the the Capture and Collation of User Training Data The Supplier shall record scheduled training dates and venues against each User via the CRM system. Following scheduled training, and confirmation from the Supplier trainer of the User’s attendance, the Service Desk Supplier Personnel shall update the CRM system with actual training details. 1.11 Mechanism for identifying refresher training (a) (b) 1.12 10-404788-3 Users shall be able to request refresher training via: (i) The Authorised Customer Representative; (ii) The Supplier account manager; (iii) The Service Desk; and (iv) The web portal. The Service Desk shall proactively identify/recommend/suggest refresher training based on: (i) Contact with Users following False Alarms; and (ii) The analysis of User activity as part of the compilation of monthly reports into the Authorised Customer Representative. Training Record keeping process 62 The Supplier shall retain training records via the CRM system for the duration of each contact. 1.13 User Accreditation Users who attend and complete the User training, to the satisfaction of the Supplier trainer, shall be accredited as having completed the User training. Trainers shall confirm which Users attended each course by completing the attendance record, and the Service Desk shall produce a monthly report of attendees to the Authorised Customer Representative. 1.14 Vetting of Trainers The vetting of trainers shall be in accordance with clause 24 (Personnel Security). The Supplier shall provide trainers who: (a) Have been Security Check (SC) cleared, in accordance with HM Government’s Vetting Policy, as a minimum; and (b) Have completed and conformed with the Supplier 10 year employment history check, in accordance with the BS7858 standard 1.15 10-404788-3 Recruitment, training and accreditation of Trainers (a) The recruitment of all trainers shall be in accordance with clause 24 (Personnel Security). The Supplier shall maintain an effective recruitment process to ensure there are sufficiently trained and accredited trainers to meet the Services to the agreed Service Levels. Trainers shall complete the Supplier’s induction programme prior to delivering User training. (b) Trainers shall complete the Supplier’s train the trainer programme and shall be accredited accordingly. (c) Trainers shall complete a lone worker induction programme to include: (i) User training; (ii) Alarm Handling; (iii) Nature of risks and environments of Users; (iv) Service Desk processes; (v) CRM - call handling; and (vi) Shadowing existing Trainers. (d) The Supplier will provide refresher training for the trainers based on amendments to the lone worker Service. (e) Users shall be given the opportunity to complete a training feedback form for every training course attended. The feedback form shall cover: (i) Trainer delivery; (ii) Appropriateness of course content; 63 (iii) Training materials; and (iv) Course facilities. (f) The Supplier account manager shall review all training feedback forms on a monthly basis. Negative and positive comments regarding the training delivery shall be investigated / discussed with the Supplier trainer and, as required, the Supplier Account Manager shall implement a corrective action plan which shall be made available for discussion with the Authorised Customer Representative(s) and/or the Authority as appropriate. (g) Supplier trainers shall be continually assessed and receive ongoing and annual refresher training in accordance with contract and service needs, and in accordance with development reviews and individual assessment. Part 3.3 - Alarm Receiving Centre (ARC) 1 ARC Description and Introduction 1.1 The Supplier shall provide an Alarm Receiving Centre (ARC) capable of monitoring Users Red Alerts, Amber Alerts and Status Checks covering every geographical location where NHS lone workers need to operate within England. The ARC shall be accredited to BS5979 Cat II. The Services provided shall support a range of User profiles to support the differing needs of the diverse User groups. The User profiles shall allow bespoke escalation procedures and direct communications with the emergency services. The Services shall facilitate Status Checks, support a wide range of User Devices and a variety of tracking options (from basic tracking to more accurate tracking). The ARC shall record audio in the event of a Red Alert or Amber Alert activated by the User and the Supplier Personnel shall monitor and record events in a way that is legally admissible in prosecution cases that arise. 1.2 The Supplier will submit for review and acceptance by the Authority, ARC Standard Operating Procedures (SOP’s). The Authority will accept and test the SOPs in accordance with the Operational Change Procedure any further amendments being in accordance with the same procedure. 1.3 Location The ARC shall be located in the British Telecom exchange in Pontefract, West Yorkshire and shall be accredited to BS5979 Cat II. This governs its technical specification and the procedures by which it shall operate. (a) ARC Location: Reliance Security Group Limited PO Box 159 Pontefract West Yorkshire WF8 1NB (b) Disaster Recovery (DR) Location: Reliance Security Group Limited PO Box [ ] Manchester M22 55QZ 10-404788-3 64 1.4 Hours of operation The Supplier shall provide ARC Services 24 hours per day, 365 days per year. 1.5 Use of dedicated/non dedicated staff The ARC shall utilise Supplier Personnel that are dedicated to the Services. 1.6 Resource levels The Supplier shall provide sufficient Supplier Personnel to ensure it can perform the Services to the agreed Service Levels. 1.7 1.8 Managing peaks and troughs in ARC workload including absences (a) The Supplier shall manage peaks and troughs, including absences, to ensure it can perform the Services to the agreed Service Levels. (b) To ensure Service Levels are achieved during periods of alarm volume peaks, the Supplier shall: construct resource requirement schedules and shift detail, to respond to any anticipated alarm peak; (ii) dedicate ARC Supplier Personnel to the Services. In addition there will be an additional 30% of trained ARC Supplier Personnel, made available to support the dedicated team during peak periods; and (iii) train All ARC Supplier Personnel to the standards detailed in paragraph 1.9(e) below. Managing Attrition (a) 10-404788-3 (i) Attrition for the ARC Supplier Personnel shall be managed by actively engaging staff through the following: (i) Monthly 1-2-1 performance sessions where goals related to performance against KPIs shall be discussed; (ii) Quarterly Individual Development Plan (IDP) sessions that agree plans for achieving career goals, e.g. gaining leadership experience; (iii) Monthly team briefings for Supplier Personnel to improve communication and encourage participation; (iv) Continuous improvement scheme to reward Supplier Personnel for making suggestions to improve the way Supplier Personnel work; (v) Regular team building events; (vi) A staff forum where ARC Supplier Personnel shall be given the opportunity to raise areas of concern or make suggestions; (vii) Provide leadership and training opportunities for Supplier Personnel; and 65 (viii) (b) 1.9 Given the sensitive nature of the Services, the Supplier shall use reasonable endeavours to maintain annual attrition levels below 15%. Where yearly attrition exceeds 15%, or the Supplier anticipates that the 15% threshold may be exceeded, the Supplier shall notify the Authority and discuss and agree an action plan to stabilise the attrition rate. The Supplier shall form a project team whose primary task shall be to look at possible reasons for higher than anticipated attrition. The project team shall look at: (i) Local competition, i.e. new ARC established; (ii) Staff pay and conditions versus local employers; and (iii) ARC related issues contributing to higher attrition. Recruitment, training and accreditation of ARC Supplier Personnel. (a) The vetting and recruitment of all ARC Supplier Personnel shall be in accordance with clause 24 (Personnel Security). (b) Selection shall be by way of competency based interviews and satisfactory results of computer literacy tests. All recruits shall undergo a comprehensive induction process to introduce new Supplier Personnel to the ARC, Service Desk, and Devices. This includes health and safety information as well as fire evacuation procedures. (c) The ARC Supplier Personnel shall be trained in the following: (i) (ii) 10-404788-3 Investing in, and implementing technical solutions to improve operating efficiency. The Services - An Introduction. To cover: (A) ARC processes and protocols; (B) Risks/dangers faced by lone workers; (C) Difference to traditional alarms; (D) Device use and maintenance; (E) User Service needs; (F) Examples of good/bad Red/Amber Alerts; (G) Escalation procedures; and (H) Types of Device. Lone worker Operating Procedures (A) Technical competence training and test to include training to establish a Location Fix; and (B) Side-by-side evaluation (minimum of 24 hours). 66 (iii) Conducting dynamic risk assessments (a continuous process of identifying hazards and risks and taking steps to eliminate or reduce them in the rapidly changing circumstances of an incident). (iv) Delivering excellent customer service, though: (v) 10-404788-3 (A) Dealing with difficult customers; (B) Dealing with difficult situations; (C) Working within time bound parameters; (D) Working with stressful situations; and (E) Taking objective decisions. Understanding the Customer (A) NHS organisational structure; (B) NHS Users and their situations; (C) NHS acronyms and definitions; (D) NHS User work profiles; (E) NHS User environmental knowledge; and (F) NHS working conditions. (vi) Use of CRM (vii) Use of Alarm Handling Software (viii) Use of location tracking software (ix) Telephone techniques (x) Email etiquette (xi) Soft skills (xii) Required process for the provision of evidence (d) All ARC Supplier Personnel shall have individual training records that keep a record of all training received and shall be reviewed regularly. (e) All ARC Supplier Personnel shall undergo training and competency assessment before inclusion in the rota. They shall be continually assessed and receive ongoing and annual refreshment training in accordance with contract, service needs, and any changes to Services in accordance with development reviews and individual assessment. (f) The Authority will accept and test the training material in accordance with the Operational Change Procedure, with any further amendments being in accordance with the same procedure. 67 1.10 Vetting of ARC Supplier Personnel The vetting and recruitment of all ARC Supplier Personnel shall be in accordance with clause 24 (Personnel Security). The Supplier shall employ a series of rigorous checks on all candidates for employment. These include: 1.11 (a) Five year employment and education screening check; (b) Mandatory take up of character references; (c) Credit checks of all staff; and (d) CRB checks. ARC Supplier Personnel performance The Supplier shall ensure that the ARC Supplier Personnel meet the performance requirements to deliver the Services as follows: (a) ARC Supplier Personnel response to an incoming Red Alert shall be within 10 seconds; (b) The Supplier shall monitor, review and assess, on a monthly basis, 10% of Red Alerts taken by each ARC Supplier Personnel to ensure processes and protocols are followed; (c) The Supplier shall monitor, review and assess, on a monthly basis, 10% of all notes taken by each ARC Supplier Personnel to ensure Service Levels are met with respect to management information reports; (d) As detailed in Part 3.1 (Service Management), the Supplier shall monitor User feedback on satisfaction levels via all communication channels (telephone, e-mail and letter) on a monthly basis and produce result and trend analysis with recommendations and actions to enable the Supplier to continuously improve the quality of the Service. The Supplier shall provide the results of this feedback to the Authority within 5 Working Days of the end of each reporting period. 2 ARC processes and response to Alerts 2.1 Amber Alerts shall be recorded by the Alarm Handling Software and shall only be listened to by ARC Supplier Personnel during quality audits, and in the event of a Red Alert. 2.2 All Amber Alert audio that is not related to a Red Alert shall be deleted by the Supplier after 3 months. 2.3 Recording shall commence on receipt of a Red Alert and shall be automatically prioritised by the Alarm Handling Software. The ARC Supplier Personnel shall commence monitoring the voice channel within 10 seconds, and monitor and assess the situation to determine whether it is a False Alarm or a Genuine Alarm. 2.4 For False Alarms. In the first instance, the Supplier shall contact the User, via the telephone number provided on the User Profile Form and ask them to manually reset the Device; 10-404788-3 68 2.5 (a) In the event that the ARC Supplier Personnel cannot contact the User, the recording shall continue, and the Supplier shall follow the escalation procedure and telephone the contact(s) provided by the Authorised Customer Representative; (b) In the event that the ARC Supplier Personnel cannot contact either the User, or the Escalation Contact, recording shall continue and voicemails shall be left for the User and the Escalation Contacts every 20 minutes, to advise them to contact the ARC. The recording shall continue until the Device battery expires. Genuine Alarms. The ARC Supplier Personnel shall listen to the live audio, perform a Location Fix on the User, cross- reference the location with the message left on the Amber Alert audio recording, and conduct dynamic risk assessments. Where the ARC Supplier Personnel deems it appropriate further Location Fixes can be acquired. As a result the Genuine Alarm will be classified either: (a) Genuine Alarm Closed Safely (i) (b) 10-404788-3 This occurs when the Red Alert is cancelled by the User because they are no longer at risk. The Supplier Personnel shall then contact the User by telephone to: (A) confirm the situation is satisfactorily closed (B) ensure that the Supplier understands the reasons for the User activating the Alarm (C) provide User reassurance that (ii) In the event that the ARC Supplier Personnel cannot contact the User the Supplier shall follow the escalation procedure and telephone the contact(s) provided by the Authorised Customer Representative. (iii) In the event that the ARC Supplier Personnel cannot contact either the User, or the Escalation Contact, voicemails shall be left for the User and the Escalation Contacts every 20 minutes, to advise them to contact the ARC. Genuine Alarm Escalated to the Emergency Services (i) The ARC Supplier Personnel shall listen to the live audio, perform a Location Fix on the User, cross- reference the location with the message left on the Amber Alert audio recording, (where available) and conduct dynamic risk assessments until the situation requires the escalation procedure to be followed. (ii) The Supplier Personnel shall escalate the alarm to the Police or the appropriate emergency services, and also contact the specified Escalation Contact, should the outcome of the audio assessment meet any of the following criteria: (A) Physical/verbal assault/robbery; (B) Potential assault about to take place; 69 (iii) 2.6 2.7 (C) User in distress and/or asks for assistance; and (D) User asks for the Police or other Emergency Services. In the event that the ARC Supplier Personnel cannot contact the Escalation Contacts, voicemails shall be left for the Escalation Contacts every 20 minutes, to advise them to contact the ARC. Liaison & Co-ordination with Emergency Services (a) The ARC shall utilise the Unique Reference Number (URN) process developed by the Association of Chief Police Officers (ACPO). When dealing with Emergency Services that do not use the URN process, the ARC Supplier Personnel shall dial 999, and ask to be put through to the emergency services local to the Device location; (b) The last known Location Fix and all User Information shall be made available to the emergency services, including known user medical conditions; (c) The ARC Supplier Personnel shall listen until the User confirms they are safe. Escalation User Escalation Contact details shall be stored in the Alarm Handling Software and shall be referred to by the ARC Supplier Personnel when escalation is required. 2.8 2.9 Poor coverage (a) The Supplier shall provide management information, via the Alarm Handling Software, relating to poor GSM network coverage at the end of each reporting period to the Authorised Customer Representative. Users who have issues with network coverage will be highlighted in this report. (b) As outlined in Part 3.5 (Networks), where inadequate coverage for a User is identified the Supplier shall contact the User and instigate a proactive discussion. If the User could achieve better coverage on another network the Supplier shall arrange a ‘SIM swap’ onto that network. (c) In the event that poor or no coverage is the result of network outages the process outlined in Part 3.5 (Networks) shall be followed by the Supplier. Inactivity Checks The Supplier shall provide management information, via the Alarm Handling Software, relating to low (less than 10% of the average monthly Amber Alerts) or no Device activity. This report shall be supplied to the Authorised Customer Representative on a monthly basis and the threshold of checks shall be reviewed, and any amendments shall be updated in accordance with the Operational Change Procedure on a quarterly basis. 2.10 (Quality checks on Amber Alerts and Red Alerts The Supplier shall complete quality checks on all Red Alerts, all Amber Alert messages associated with Red Alerts, and 1% of all other Amber Alerts. Particular focus shall be applied to new Users. The quality checks shall involve: (a) 10-404788-3 Audibility 70 (b) Timing (c) Fullness of information (i.e. postcode, house number) and (d) Quality of risk evaluation and this assessment and feedback shall form part of the Management Information reports to the Customer and Authorised Customer Representative. 2.11 Production and Authority acceptance (in accordance with the Operational Change Procedure) of Standard Operating Procedures, Scripts and Process Flows: (a) The Supplier shall design a set of bespoke Standard Operating Procedures, scripts and process maps, to deal with the range of ARC functions. The Authority will accept and test the SOPs in accordance with the Operational Change Procedure. (b) The Supplier shall conduct reviews with the Authority in order to modify, expand or amend existing Standard Operating Procedures, scripts, and process maps to conform to the needs of the Authority. These reviews shall be conducted by the Supplier, in the form of Supplier operational and account management staff, as required. Any further amendments shall be accepted in accordance with the Operational Change Procedure. 3 Capture and Collation of User Data 3.1 Recording of evidence and provision of evidence The Supplier shall record Red Alerts and Amber Alerts, via the Alarm Handling Software, in a format that can be used in a court as evidence. Where incidents occur that may require provision of evidence, the Supplier shall adhere to the following: 10-404788-3 (a) The Supplier shall report Red Alerts to the Authorised Customer Representative within 15 minutes of the Red Alert closure; (b) At the conclusion of a Genuine Alarm, and where evidence is required by the Police or the Authorised Customer Representative/LSMS, the associated data shall be downloaded from the appropriate server i.e. Alarm Handling Software/telephone system, to an encrypted copy disc. The quality of the storage data shall be comparable to that of the original. The copy data shall be placed in secure storage inside the BS5979 CAT II Centre; (c) The Authorised Customer Representatives/LSMS shall be sent within one hour of the closure of an incident, an email containing unique incident details of all Genuine Alarms, Genuine Alarms closed safely and False Alarms where the ARC Supplier Personnel believe and incident has taken place, together with a link to a secure password protected website location. The Authorised Customer RepresentativeLSMS shall be able to access, and listen to, the associated audio via the secure password protected website location. The audio clips will be removed from the unique secure location after a period of 30 days, unless a request is made to extend the period; (d) The ARC Supplier Personnel shall sign a witness statement and retain a copy for Supplier records; 71 3.2 (e) Where the Police or Authorised Customer Representative/LSMS review a recording, the Supplier shall enter the details in the recorded material register; (f) The Supplier shall record Police visits in the daily occurrence book; (g) Audio discs shall be placed in an evidence bag with the ARC Supplier Personnel witness statement, sealed and labelled. Details of which shall be recorded in the recorded material register; and (h) Either the Police or the Authority shall collect and sign for the evidence bag. Archiving Requirement The Supplier shall adhere to the following archiving requirements: (a) Recordings of Genuine Alarms shall be retained by the ARC for the Police and the Authorised Customer Representative (LSMS) to access for 12 months and shall be securely disposed by the Supplier at the end of the retention period; (b) In exceptional circumstances, on the request of the Authorised Customer Representative (LSMS), the Supplier shall retain recordings of Genuine Alarms in support of criminal, civil or local action against an offender by the Customer for an agreed period of time. Recordings shall be securely disposed of by the Supplier to the timescales outlined by the Customer; (c) Where a Genuine Alarm is activated but closed safely by the User, without the Police being called, the recording of the Genuine Alarm shall be retained by the ARC for the Police and Authorised Customer Representative to access for 12 months; (d) False Alarm recordings shall be deleted from the Suppliers ARC operating software within 24 hours. Where the ARC Supplier Personnel (LSMS) believe that an incident has taken place even though the User has agreed to close the Alarm, the ARC shall notify the Authorised Customer Representative who shall listen to the recording to ascertain if any further action is required before the recording is deleted; (e) The Supplier will provide recordings to the Authorised Customer Representative (LSMS) if requested to do so in order to fulfil any legal obligation on part of the Customer; (f) Amber Alerts associated with Red Alerts shall be retained for 12 months; and (g) Amber Alerts not associated with Red Alerts shall be retained for three months for User safety development purposes, quality control and in anonymised form for training of ARC Supplier Personnel. Part 3.4 - User Devices 1 User Devices 1.1 Devices issued are safety equipment, and provided to Users by the Customer and Supplier in support of providing a safe working environment, as required under Health and Safety 10-404788-3 72 legislation. Users shall be encouraged to take all due care to maintain the Device in good working order. 1.2 Authorised Devices at the date of signing the Agreement are: Identicom i750 Discreet GSM based Device for Users whose primary risk is verbal abuse or physical attack Identicom i757 Discreet GSM based Device for Users whose primary risk is verbal abuse or physical attack, with added benefit of GPS location for Users operating in more rural locations or where Amber Alerts are not always possible Identicom i770 Discreet GSM based Device with ‘man down’ functionality for Users who also have working environment risks (e.g. slips, falls, chemicals, travel in rural locations) Identicom i777 Discreet GSM based Device with ‘man down’ and GPS location for Users with environmental risks and where more accurate location is required User/Trust supplied Mobile Phone Any mobile phone capable of having speed dials set up on keys 5 & 8. Mobile phones with touch-screens, auto key-locks or flip phone mechanisms are excluded 1.3 In addition to the above, the Supplier will make available other authorised Devices, additional to the Identicom range, subsequent to the initial roll out. These Devices will meet in all respects the full functionality required by the Authority and will provide Customers with flexibility and choice in their buying options in order to meet the diverse requirements of Users. 1.4 The Supplier will also support User provided mobile phone handsets where the mobile technology is of a standard supportable by the ARC, the recording requirement, and meets the mandatory requirements listed in Appendix 2 for acceptable mobile phone specification. If the SIM card is provided by the User, the User shall bear the network costs associated with that SIM card. The Supplier shall not warrant either a mobile or a SIM card not provided by the Supplier. 1.5 The Supplier shall also support existing Devices in use by Customers where those Devices are deemed fit for purpose by the Supplier and therefore suitable for inclusion in this Framework Agreement. The Supplier shall not provide any additional warranty over and above that which might already exist on transfer of the existing Device, but shall accept all warranties that exist on transfer. The mandatory requirements for a Device to be listed on an Order are that the Device will need to be less than 36 months old, with the option to retain the existing customer SIM card, or the existing customer SIM card being exchanged for a Supplier SIM card. 1.6 Authorised Device specifications The authorised Device minimum specifications are detailed in Appendix 2. 1.7 10-404788-3 Ongoing Device review 73 The Supplier shall undertake a product review in line with clauses 4.5 and 4.6 (Available Services) of this Framework Agreement. 1.8 Faulty Devices shall be dealt with in accordance with Part 3.1 (Service Management) paragraph 1.24. 1.9 Requests for change shall be managed by the Supplier via the Service Desk as detailed in Part 3.1 (Service Management) paragraph 1.25. 1.10 Device Pooling and Device Sharing 1.11 10-404788-3 (a) The Customer may ask the Supplier to make Devices available, for both pooling and sharing. In these circumstances, no more than 10 Users shall be allocated to a Device, and the Escalation Contact shall remain the same for all Users. (b) Sharing is when more than one User shares the same Device on a regular or programmed basis (for instance, in a job share). (c) Pooling is when there exist a number of Devices held in common use by a group of (nor more than ten) Users. (d) The quality of the Service shall remain the same for individual Users as for sharing and pooled Users. (e) The ARC shall handle pool and shared Devices as per an individually issued Device. However to close an Alarm safely it is important that all pooled and shared Device Users leave their name on every Amber Alert in order that the correct User is contacted by the ARC Supplier Personnel to close an Alarm down. (f) The Supplier shall train all pooled Device Users. During User training, the Supplier shall train Users in the correct use of a pooled Device. The User shall leave their full name as part of any Amber Alert message to enable the ARC Supplier Personnel to identify the User in the event of a Red Alert. Failure to leave name details will not result in a drop in ARC response times but it may inhibit a fully effective response from Emergency Services. Device Pooling Reallocation Process (a) Where pooled Devices need to be reallocated, for example, to another department, the Authorised Customer Representative shall raise a RFC via the Service Desk. This process is detailed in Part 3.1 paragraph 1 (Service Desk). The request shall be given a reference number generated by the CRM system to enable the progress of the request to be tracked via the Service Desk. (b) The Service Desk shall obtain a completed and signed User Information Form from the new Users and immediately update the CRM system, the Alarm Handling Software, and the location tracking software with the new User details. The Service Desk Supplier Personnel shall arrange training for the new Users. The new User CRM records shall be suspended until training has taken place. (c) Where the Users have previously completed training, the Device shall be activated on receipt. (d) Details of the old Users shall be deleted or marked as old as requested. 74 (e) The RFC shall be closed by the Supplier on confirmation of (i) Completion of training course; and (ii) Receipt of Device. 2 Supplier Management and control of the process of linking Device, SIM and User Information 2.1 The linking of Device, SIM and User Information shall be managed as a two stage process by the Supplier: (a) (b) 2.2 2.3 (i) The unique serial numbers of the Device and the SIM as well as the SIM mobile number shall be recorded by Service Maintenance directly to the Alarm Handling Software by way of a web based portal. (ii) The Device at this point shall be given a unique identifying number by the Alarm Handling Software which shall serve to track the relationship between Device and SIM thereafter. The Device shall be labelled clearly with the Device type, serial number, SIM phone number and the unique identifying number. SIMs shall be made live and Devices shall then be tested directly with the Alarm Handling Software, charged, turned off and posted to the Trainer/User. Stage two, allocation Device and SIM to the User: (i) This function shall be carried out at the point of training or at a point previous where the User’s information is gathered in full on the User information form. (ii) The unique identifying number shall be allocated to the User and all User data fields completed on the Alarm Handling Software. This function shall be carried out by the Service Desk. The Service Desk shall also check all data entered, and ready the system for the agreed go-live date. Technology Refresh (a) Where a Device is returned to the Supplier (e.g. faulty, damaged, termination of service, or a recovered lost or stolen Device), the Supplier shall perform a Device Refresh where applicable. (b) The Device Refresh shall include full Device repair and refurbishment, battery replacement, and software upgrade (if applicable). The Device shall be tested and repackaged in new plastics. Any device judged to be beyond economical repair shall be scrapped. (c) The Supplier shall undertake root cause analysis on returned Devices and report the results to the Authority. (d) The Supplier shall not be responsible for Technology Refresh of existing Devices in use by Customers. Mandatory and Optional Accessories (a) 10-404788-3 Stage one Device and the SIM: Each Device shall come with a mandatory accessory list, included within the price of providing the Services to each User (including pooled Device Users), and is detailed in the Maximum Charges. 75 (b) The mandatory accessories shall be provided to each User at the time that the Device is issued, and will be provided, including if lost or damaged, by the Supplier for the duration of the Contract. (c) Mandatory Accessories: Part number (d) EXT1001 Identicom power supply EXT1002 UK plug adapter for power supply EXT1007 Identicom lanyard (blue) EXT1008 Identicom plastic lapel clip PLA1005 Identicom lanyard plug (x3) QRG001 Quick Reference Guide PLA1004 Identicom SIM door Optional Device Accessories. which shall be available at additional cost to the Customer: Part number 2.4 Description Description EXT1001 Identicom additional power supply EXT1013 Identicom Manual (E/F/G) EXT1017 Identicom in-car charger EXT1012 Identicom silicon rubber case Device Manufacture The Devices shall be manufactured in the United Kingdom. In the event that the Supplier wishes to change the location of manufacture the Supplier shall make such request via the Agreement Change Procedure. Any reduction in manufacturing costs, achieved as a result of industrialisation and/or new location, will be reflected into the Maximum Charges in the form of reduced pricing. 2.5 10-404788-3 Short-term Rental Pool (a) The Supplier shall provide a facility for Customers’ to procure a Contract for the Service for periods of time not less than six months and not more than twelve for the purposes of short term operational requirements, where a longer contract term is not appropriate. (b) The Supplier will provide the Customer with a Device or Devices taken from a central pool established for this purpose, and will allocate these to Users following the process outlined in Part 3.1, paragraph 1 (Service Desk). (c) Sharing of such Devices between Users is permitted. 76 Part 3.5 - Networks 1 Network Operators 1.1 The Supplier shall utilise its and the NHS’ existing relationships with Vodafone (the “Network Operator”) to provide the GSM network component of the Services. The Supplier shall also maintain relationships with O2 and Orange to ensure that competativeness in the supply of network services is maintained. 1.2 The Supplier is responsible for procuring the related Services and the Network Operators compliance with the Service Levels. The Supplier shall manage the Network Operator to ensure that related Services meet the Service Levels detailed in this Framework Agreement. 1.3 The Supplier shall ensure that the Network Operator has the ability to provide Services to all Users in order to ensure best network coverage is provided. 1.4 To achieve best value, the Supplier shall award the contract to provide network services to one Network Operator, but have the ability to switch to another Network Operator to improve Service Levels and/or improve pricing if at any time during the contract period this may be required. In the event that the Supplier wishes to change the Network Operator it shall notify the Authority who shall not unreasonably refuse a request in the event that the Supplier can demonstrate that Service Levels and/or User experience will not deteriorate. 1.5 Where possible the Supplier shall ensure that all SIM cards used shall be limited in the numbers they can dial or text to ensure risk of SIM misuse is minimised. 2 Network Services Provided The Network Operator delivers an estimated minimum ‘outdoor’ coverage of 99% of UK population for its 2G (voice and text messaging) services. The Services shall utilise 2G services and shall not be reliant in any way on more recent 2.5G (GPRS) or 3G services which have lower quoted coverage levels. 3 Coverage Mapping & SIM Swapping 3.1 As part of any initial implementation carried out, the Supplier shall make an active assessment of the mobile coverage in the areas where Users shall be operating. As well as relying on coverage maps from the Network Operator the Supplier shall also seek known opinions regarding coverage from Users and managers (local knowledge) and in some cases, where appropriate, the Supplier shall actively go out and test coverage in certain areas of concern. Such testing shall deliver back to the Service Desk an actual measured value from test Devices, showing the coverage level achieved. A record of these tests and their results shall be maintained by the Supplier. From this test data, the Supplier’s implementation team can make an informed judgement about which network is best to use. In areas where there are existing black spots and/or poor network availability the Supplier shall utilise the network that offers best coverage. 3.2 Following implementation and rollout the Supplier Service Desk Personnel shall proactively monitor the coverage of Devices deployed by looking at Status Check signals returned from Devices. If any are identified as providing inadequate coverage for that User then the Service Desk shall contact the User and instigate a proactive discussion and if the User could achieve better coverage on another network the Service Desk shall arrange a ‘SIM swap’ onto that network. 10-404788-3 77 3.3 The ‘SIM swap’ procedure will be carried out from the Service Desk and with the full knowledge of the User involved. A live SIM from an alternative network shall be dispatched directly to the User. The replacement SIM shall be accompanied by clear instruction for the User to contact the Service Desk on receipt to undertake a ten minute SIM swap procedure. The Service Desk Supplier Personnel shall walk the User through the SIM swap and then ask the User to place the unit on charge. Once confirmed as being on charge the Service Desk Supplier Personnel shall then initiate configuration of the SIM over the air. 3.4 The Service Desk will then confirm to the User when this process has been completed. The User shall then be instructed to return the original SIM in a prepaid envelope that has been provided. 3.5 The SIM swap process shall not be available to Users where their own mobile phone is being utilised as the lone worker device. 4 Network Availability 4.1 The Network Operator shall report monthly and the Supplier shall undertake a formal quarterly review process against the following primary service levels relating to availability and quality of service: (a) Call completion success rate; (b) Dropped call rate; (c) Call set up success rate; (d) Cell availability; (e) SMS ‘end to end’ transaction success rate within 90 seconds; and (f) Average SMS transaction time. 4.2 If, during a Red Alert activation, the call is dropped by the network, the ARC Supplier Personnel shall dial back into the Device and pick the call back up discreetly. The ARC Supplier Personnel shall be able to do this as one of the authorised numbers configured into the Device. 4.3 The Network Operator shall be required to provide a monthly summary of its performance against each of these Service Levels within 10 Working Days of the end of the calendar month. The Network Operator shall also commit to meeting with the Supplier on a quarterly basis to review performance. A summary of all Network Operator Service Levels shall be included in the regular reporting to the Authority. 4.4 Any failure of any individual Service Level shall be highlighted by the Network Operator in their monthly report and shall require the Network Operator to detail remedial action taken to ensure correction of the issue(s) that has caused the drop in Service Level. All communication of these incidents shall be between the Supplier’s Contract Manager and the nominated Service Manager at the Network Operator. 4.5 If the same Service Level is missed two months in a row or two months in every four, then escalation of the issue shall be expected from the Network Operator. A formal request for rectification shall be made by the Supplier to an escalated senior management point of contact at the Network Operator. A formal response shall be provided by the Network Operator within 10 Working Days. Failure to provide a suitable corrective action shall result in 10-404788-3 78 new connections to the Network Operator being temporarily suspended pending further investigation and rectification. Devices returned for Technology Refresh shall also be swapped to an alternative Network Operator. 4.6 Continued failure to meet agreed Service Levels with the Network Operator shall result in discussion taking place between the Supplier, Network Operator and the Authority (where appropriate). If the Service Level failure is deemed critical by the Supplier, and accepted by the Authority and the Network Operator is unable or unwilling to provide resolution within an acceptable timeframe, then the Network Operator shall be given notice of the Supplier’s intent to move existing and all new connections to an alternative Network Operator. 4.7 If a mass SIM swap is required then the Supplier shall manage this in a structured and deliberate way so as to minimise disruption to Services. This shall in the first instance entail an analysis of the existing Network Operator Service Levels and applying these at the level of the Customer. If the existing Network Operator Service Levels are consistently being met at Customer level then these SIMs shall not be subject to a SIM swap. Instead, focus shall be applied to those Customer areas where the Service Levels is not being met. Once identified, the Supplier shall provide a pool of replacement Devices configured with an alternative Network Operator SIM. These shall be used to replace Devices identified as needing to be swapped. The Supplier shall terminate SIMs associated with returned Devices. The Supplier shall carryout a Technology Refresh on the returned Devices, which shall then be used to swap out the next batch of Devices identified as needing to be swapped. This process shall be managed several times over during the course of an agreed period until all Devices affected by the existing Network Operator are swapped. 5 Communication of Outage 5.1 The Service Desk shall notify Users and Authorised Customer Representative of an unplanned network outage. 5.2 The CRM system used by the Supplier shall enable a report to be run that shall identify all Users by location (based on Trust address). This report shall be run from notification of an unplanned outage from the Network Operator. This shall identify all Users and Authorised Customer Representatives in the affected area. 5.3 An automated email and text message shall be sent from the CRM system within the following 8 minutes to notify Users of the outage, and that for an estimated period of time they should not rely on their Device to perform. 5.4 Any communication to Users and Authorised Customer Representatives shall provide a clear indication of the estimated time of the outage. The communication shall also include the Service Desk phone number for any User or Authorised Customer Representative to call should they have questions. 6 Dealing with Planned and Unplanned Outages 6.1 Local planned and unplanned outages. The Network Operator shall manage a rolling program of planned local cell outages. These are required to maintain software, firmware and to carry out any required hardware maintenance. All planned outages shall be carried out during 10pm to 4am as this is the least busy period for the Network Operator. All planned outages shall be managed cell by cell and never involve neighbouring cells. This shall ensure that coverage is least effected as neighbouring cells provide coverage to that cell effected. 10-404788-3 79 6.2 The Network Operator shall provide the Supplier with between two and five Days notice of a planned outage. Whilst the Supplier shall maintain a note of these planned outages to assist with any incoming technical support questions, planned outages shall not be communicated given their unlikely effect on the Services. 6.3 Unplanned outages shall be graded according to their severity level, all Network Operators adopt the same logic summarised as follows: (a) P0 – Catastrophic outage of the Network Operator’s regional service centre causing significant disruption to a wide range of clients across a whole region. (b) P1 – Thousands of Users effected or multiple cell sites affected (c) P2 – Multiple sites effected but up to an estimated 1000 Users affected (d) P3 – Single cell site outage but coverage not likely to be affected 6.4 The Supplier shall be notified by e-mail of any P0, P1 and P2 level outages, normally within 2 hours of the occurrence. Any such occurrence shall be communicated by the Supplier as described in e) above. The Supplier shall also communicate any extension to the unplanned outage if it is not rectified within the original quoted timescale. P3 outages shall only be communicated to the Supplier once they become a planned maintenance outage (if required). It should be noted that the Network Operator’s board level operations staff are automatically notified of any P0 and P1 unplanned outages to ensure all actions are taken to rectify the issue. 6.5 Regional planned and unplanned outages No regional planned outages are undertaken by the Network Operator. Unplanned outages shall be handled as described at paragraph 6.3 above. 6.6 National planned and unplanned outages No national planned outages are undertaken by the Network Operator. Unplanned outages shall be handled as described at paragraph 6.3 above. Part 3.6 - Account Management 1 Initial Account Management 1.1 Framework Agreement (a) Partnership Board (i) (b) Account Management (i) 10-404788-3 The Supplier shall appoint senior executives to the Partnership Board and they shall carry out their role as indicated in schedule 12 (Governance) paragraph 3.2 and 3.3. The Supplier shall ensure that the Partnership Board meet in accordance with the Governance Meeting plan at schedule 12 (Governance) paragraph 5.3. The Supplier shall provide a dedicated Contract Management team with sufficient capacity to manage the contract to the full satisfaction of the Authority. These roles and responsibilities are detailed in schedule 12 80 (Governance) paragraph 4.1. The Supplier Contract Management team shall include the following roles: (c) 1.2 1.3 Supplier Framework Manager / Contract Director (B) Service Maintenance Manager (C) User Training Manager (D) Service Desk Supervisor (E) National Account Manager (F) ARC Manager The Supplier shall manage the Service as a coherent, single entity, joining together the elements of Service Desk, Device, Network, Training, Service Maintenance and ARC. Call off Contract level (a) The Supplier shall provide an Account Management structure that shall be responsible for delivering front-line relationship management to Customers and Authorised Customer Representatives. Each Customer shall be allocated a named Supplier Account Manager, who shall be responsible for liaising with the Authorised Customer Representative. The Supplier Account Manager shall ensure the rapid resolution of any issues raised by the Customer or Authorised Customer Representative and provide accurate and timely Management Information and manage the implementation/mobilisation of all Devices for that Customer. (b) The Supplier Account Manager shall be responsible for acting as the single point of contact for all Customer issues and coordinating all internal Supplier teams (Training, Service Desk, ARC, and Service Maintenance). (c) The Supplier Account Manager shall be available for regular meetings with each Customer. These meetings shall be agreed between the Supplier and the Customer according to the Customer’s needs, but shall be at least monthly initially, in accordance with the schedule 12 (Governance) paragraph 5.3. (d) The Supplier shall provide each Supplier Account Manager with a mobile telephone and e-mail address to enable Customers to contact them directly. (e) The Supplier shall ensure that each Supplier Account Manager is appropriately trained. This shall include internal training and NHS induction training, followed by annual ongoing training. (f) Supplier Account Managers shall report to the Supplier National Account Manager. Supplier Account Managers shall be responsible for: (a) New Orders (i) 10-404788-3 (A) The Supplier Account Manager shall liaise with the Customer and obtain an Order in accordance with the Ordering Procedures. The Account Manager 81 shall also set up a joint project team to manage the implementation. The project team shall include the following personnel: (ii) (b) (c) (A) Supplier account manager; (B) Authorised Customer Representative; (C) Customer Associate Director; (D) Union Representatives (at Customer’s discretion); (E) Department Managers (at Customer’s discretion); and (F) Customer Administration Representative. The project team shall be responsible for agreeing/obtaining the following: (A) Number of Devices versus Users (pooled Devices); (B) Local knowledge on preferred network if available; (C) Name & contact details for the Authorised Customer Representative; (D) Users by department; (E) Escalation point of contact by department, by User; (F) Lone Worker Policy & Procedure; (G) Police contact – Crime Reduction Officer (CRO); and (H) Go-live time frame following training. Pre-mobilisation which shall include the following: (A) Oversee all the implementation tasks; (B) Review the lone worker policies and procedures for each Customer; (C) Identify Quarterly Business Reporting dates and attendees for each Customer; (D) Identify and meet the appropriate contact in the Customer’s Accounts department; and (E) Communicate project progress Customer Representative. Customer and Authorised Implementation/Mobilisation (i) The Supplier Account Manager shall manage and deliver the implementation for each Customer: (A) 10-404788-3 to Agreeing deliverables with the Customer; 82 (B) Establishing project timetable with Customer and Authorised Customer Representative; (C) Briefing the Supplier Training manager on requirements; (D) Briefing the Supplier Service Desk on requirements; (E) Overseeing deployment of Devices; (F) Overseeing training of Users; and (G) Distributing publicity information to the Authorised Customer Representative throughout the term of the Framework and each contract. 2 Ongoing Account Management 2.1 Framework Agreement Will be as described in paragraph 1.1 of part 3.6, above. 2.2 Call off contract level Post-Implementation the Supplier Account Manager shall: (a) Carry out Monthly Supplier/Customer meetings with each Authorised Customer Representative that they are responsible for and discuss progress in respect of the contract(s) and performance, management and information provided via the Management Information monthly reporting process; (b) Review Management Information requirements; (c) Identify additional training needs; (d) Manage deployment for Devices for new starters/leavers; (e) Conduct incident reviews; (f) Confirm invoice details monthly; (g) Oversee resolution of any issues raised through the Service Desk; (h) Support any specific marketing tasks identified; and (i) Meet with Customer Service Representative to allow access to, and review of, regular recordings when incidents occur and may require provision of evidence. Part 3.7 - Supplier Innovation and Continuous Improvement 1 Innovation 1.1 The Supplier shall be innovative in their internal, Authority and Customer facing processes by harnessing new technology, new processes, good ideas and the latest market best practice. 1.2 The Supplier shall focus on sound communication in delivery of Services with the Authority and Customers and shall actively encourage Customer feedback from all meetings and 10-404788-3 83 correspondence to enable improvement of Service provision in any way feasible. The Supplier shall use this feedback to improve on existing delivery processes or adopt new ones, incorporate new ideas into practices and look to incorporating new, or develop existing technologies (for example adding additional components to our database), to deliver improvements in the quality and delivery of Services. This shall assist in achieving better long-term value for money for the duration of the Contract. 2 Continuous Improvements 2.1 The Supplier shall demonstrate an ingrained ethos of continuous improvement, both in internal management and Customer facing activities. By maintaining open communication with the Authority and Customers, including actively using management information, the Supplier shall be able to measure experiences and outcomes of all Service activities. The Supplier shall work alongside the Authority and Customers to maintain a process of continuous improvement of the Services, by using the User survey and satisfaction process as outlined in part 3.1. This shall enable the Supplier to objectively assess and modify the Services processes as well as to monitor the quality of the provision to maintain best practice and achieve continuous improvements for the benefit of the Authority, the Customers and the Users. 2.2 Additionally, the Supplier’s internal "Management Development Programme" and "Academy" serves to ensure that best practice is adopted by those engaged in management activities, both in Service delivery and internal process frameworks. This forms a key component of the Suppliers ethos of delivering added value and continuous improvement not only as an employer but also as a Service provider to the Authority, Customers and Users. 2.3 Best Value Improvements – To ensure that the Authority and Customers receives the fundamental underpinnings of best value (economy, efficiency and effectiveness) in Services, Supplier innovation and improvement will be an agenda item at all Authority review meetings with the Supplier presenting Management Information, as per schedule 7 (Management Information) to the Authority and Customers on the agreed basis as per schedule 12 (Governance). The Supplier shall use the information to review with the Authority and the Customers the methodology and outcomes of the Services, and to assess the efficiency of supply in order to agree what best value improvements shall be implemented in the Services provision. The Supplier shall also assess whether additional forms of Management Information should be provided to the Authority or Customers which would enable further analysis and consequent improvements to the value of the Services. 2.4 Innovation and improvements would be implemented to either improve service quality and/or enable the Supplier to generate efficiencies that enable a reduction in operating/subcontractor costs that can be passed back to the Authority and Customers in reducing the Maximum Charges. Part 3.8 - Invoicing Mechanism 1 Invoicing 1.1 The Supplier shall be entitled to raise an invoice in respect of any payment which falls payable to the Supplier pursuant to each Contract/Order. 1.2 Invoicing and charges relating to the Services for a Device subscription, will only commence after the respective User is in receipt of an active Device and has received and passed their training. 10-404788-3 84 1.3 The Supplier shall submit invoices directly to the invoice address as specified in each Contract/Order. 1.4 Invoices shall specify: (a) the invoice number; (b) the date of the invoice; (c) the unique (Order) reference; (d) the Service Period or other period(s) to which the relevant Charge(s) relate; (e) any service credits due (these will be those applicable if incurred at Framework Agreement level); (f) a contact name and telephone number of a responsible person in the relevant party’s finance department in the event of administrative queries; and (g) total value excluding Value Added Tax (VAT); (h) the VAT percentage; (i) the total value including VAT; (j) the tax point date relating to the rate of VAT shown; and (k) the banking details for payment to the relevant party via electronic transfer of funds (i.e. name and address of bank, sort code, account name and number). 1.5 The Customer (or Authority for Model 1 – Jointly Funded Devices as detailed in schedule 6 (Ordering Procedure) shall pay all valid invoices submitted in accordance with the provisions of the Contract/Order. 1.6 Each invoice shall at all times be accompanied by sufficient information to enable the Customer or Authority to reasonably assess whether the Charges detailed thereon are properly payable. Any such assessment by the Customer shall not be conclusive. The Supplier undertakes to provide to the Customer any other documentation reasonably required by the Customer from time to time to substantiate an invoice. 1.7 All Supplier invoices shall be expressed in sterling or such other currency as shall be permitted by the Authority in writing. 1.8 The Supplier’s contact details for invoicing queries is: Finance Department Reliance Secure Task Management Ltd 18 Concorde Road Patchway Bristol BS34 5TB 01179336600 10-404788-3 85 2 Management Fee 2.1 The Supplier shall pay a management fee of 3% of spend to the Authority. This management fee shall be 3% of the total monthly invoice fee arising from all Contracts spend and will be invoiced as follows: 10-404788-3 (a) Within 5 Working Days at the end of each invoice month, the Supplier will submit a statement to the Authority of invoices to the Customers and Authority (where appropriate) in aggregate, against all related Contracts; stating the total amount of the fee payable to the Authority; (b) The Authority will submit to the Supplier an invoice payable within 30 days for the fee detailed in the statement provided; (c) The Supplier will submit fees to the Authority in accordance with the invoice; and (d) The Customer and or the Authority shall have the option of BACS or Direct Debit to make payment of invoices. 86 Part 3.9 1 Service Levels and Service Credits 1.1 The performance management regime for this Agreement and related Contracts ensures that the Supplier maintains the standard of delivery at the contracted level, in addition it provides the Authority with the means to get the Supplier to restore service should service delivery drop below the agreed level. 1.2 Performance management will be managed using three approaches; (a) Level 1; Performance management utilising Service Levels. Where Required Service Levels (as detailed below) are not met, then Service Credits will be applicable using the process outlined in this schedule. The Supplier will be required to design, deliver and implement a rectification plan outlining the reason for the failure, analysis of the causes of the failure, actions required to restore the Service Level, timeline for the implementation of the plan, including the expected date by which the Service Level will be restored, resources needed to complete the plan, any dependencies outside the control of the Supplier having a direct impact on delivery of the plan, key risks and issues. It will be the responsibility of the Supplier to demonstrate that the scope of the plan is sufficient to deliver the expected output (the “Rectification Plan”). (b) Level 2; Performance management, utilising Service Levels. The Supplier will be required to design, deliver and implement a Rectification Plan as detailed above. (c) Level 3; in respect of Management Information supplied, the Authority may require the Supplier to produce and deliver an explanatory report detailing the causes and circumstances that have resulted in a deterioration or significant change in the delivery of a particular aspect of the Services. The Supplier shall provide the report for the Authority’s consideration. Where the Authority, acting reasonably, believes that a Rectification Plan is required the Supplier shall provide a Rectification Plan to resolve the performance management issue. Level 3 performance Management Information will be provided as detailed in schedule 7 (Management Information). 1.3 The table below sets out the Service Levels and Service Credits applicable to the Services covered by this Agreement, with the Services mainly being provided to Customers under Contract(s). 1.4 The Supplier’s performance against Service Levels will be calculated and reported through the Management Information process detailed in schedule 7 (Management Information). Supplier Service Level performance will be monitored and assessed under the Agreement, although performance is being measured against the Services being provided across all Contracts nationally. 1.5 Service Levels will be reported, managed and calculated at the Agreement level on a monthly basis unless stated otherwise in the table (the “Measurement Period”). Where Level 1 Service Levels fall below the Required Service Level, the Supplier shall provide Service Credits to all Customers with Contracts within that given Measurement Period, and calculated as a cash amount on a pro rated basis dependant on the number of Users that received Services in that Measurement Period. Service Credits are generated through the mechanism set out in below. 1.6 Other than in paragraph 1.7, where Service Credits are due these shall be payable to Customers by means of a credit on the Customer's next monthly invoice. 10-404788-3 87 1.7 In relation to centrally funded Services, where the Authority is responsible for payment of Services the Service Credits shall be payable by means of a credit on the Authority's next monthly invoice. 1.8 The Total At Risk amount = 2% of the total Charges invoiced in the given calendar month of measurement. There are a total of 800 points available for distribution across all Service Levels (the "Allocated Points”). Each Service Level has a number of Allocated Points attributed to it, as demonstrated in the Allocate Points column. Allocated Points will accrue in relation to the Supplier's actual performance, where that actual performance is below the Required Service Level as specified in paragraph 1.9(b). The Allocated Points accrue as described below. An accrual multiplier operates once a Required Service Level has been breached, by reference to the Supplier's actual performance. 1.9 The Service Level mechanism will apply to all Level 1 Service Levels detailed in the table below and will be applied as follows: (d) Each Level 1 Service Level has a number of Allocated Points attributed to it, as demonstrated in the Allocated Points column. (e) The first Service Credit applies when the actual Service Level percentage falls below the Required Service Level by the accrual multiplier percentage e.g. if Required Service Level is 100% and accrual multiplier for that Service Level is 1% then if the Suppliers performance for that Service Level is 99.0% or lower then a Service Credit will be payable. (f) If the Required Service Level is 100%, the accrual multiplier is 1% and the Suppliers actual Service Level is 98%, then the service is 2.0% below the Required Service Level. If the accrual multiplier is 1% then the Allocated Points will be doubled for that Service Level. (g) The Supplier shall report Service Level performance to two decimal places and mathematical rounding shall apply, that is, the Supplier rounds the third decimal place so that any figure up to 0.5 is rounded down and any figure from 0.5 and above is rounded up. (h) For the avoidance of doubt, the maximum number of points that can be converted to Service Credits in any one month is 800, even if the number of points exceeds 800. The maximum at risk amount is 2% as detailed in paragraph 1.8 above. 1.10 At the end of each Month the accrued number of Allocated Points will be converted into Service Credits. Each Allocated Point is worth the Total At Risk amount divided by 800. 1.11 Twice per Year the Authority has the right to request of the Supplier that up to two Service Levels be changed, with not less than two (2) months written notice. The Service Levels shall be amended according to the procedures outlined in schedule 8 (Agreement Change Procedure). 1.12 Twice per Year the Authority may request of the Supplier to adjust the Allocated Points across the Service Levels. The Service Levels, shall be amended according to the procedures outlined in schedule 8 (Agreement Change Procedure). 1.13 For all Service Levels that are designated a Default Service Level the Authority shall have the right to terminate the Agreement for Supplier breach pursuant to clause 16.5(f) when the Supplier fails to meet any Default Service Level on three occasions within any consecutive 12 10-404788-3 88 month period. For the avoidance of doubt, each occasion that the Supplier fails to meet a Default Service Level shall be classified as one instance. Any combination of three Default Service Levels will result in the ability of the Authority to terminate the Agreement for Supplier breach. 1.14 10-404788-3 With respect to the Default Service Level, any references to percentage amounts below the Required Service Level refer to absolute percentages (e.g. 2% below 98% is 96%). 89 Part 3.10 – Service Levels and Service Credits Number 1 Service Level Title Availability – Service Desk Availability Required Service Level Measurement Period/Commentary Monthly. Service Desk to be available for the required opening hours being 6am to 8pm Monday to Friday, excluding weekends and Bank Holidays. Available in this regard means that Supplier Personnel are available to answer the telephone or deal with other forms of communication. Measures the time the Supplier’s Service Desk is available (as described above). ⎛ ⎞ Total Hours Available ⎜⎜ ⎟⎟ × 100% ⎝ Total Hours Contractually Specified ⎠ 10-404788-3 90 100% availability across the required Service Desk opening hours Accrual Multiplier 0.5% Allocated Points Level 1; Allocated Points 60 Default Service Level Yes – 3% below Required Service Level Number 2 Service Level Title Required Service Level Measurement Period/Commentary Availability – ARC Availability Monthly ARC available 24 x 7 x 365. Available in this regard means that Supplier Personnel are available to deal with Red Alerts, Amber Alerts or undertake their other duties e.g. quality checks. Measures the time the Supplier’s ARC is available (as described above). Accrual Multiplier Allocated Points Default Service Level 100% availability within the measurement period 0.25% Level 1; Allocated Points 100 Yes – 3% below Required Service Level 99% availability within the Measurement Period 1% Level 1; Allocated Points 90 Yes – 3% below Required Service Level ⎛ ⎞ Total Hours Available ⎜⎜ ⎟⎟ × 100% ⎝ Total Hours Contractually Specified ⎠ 3 Availability Networks – Monthly. Availability of the GSM network measured nationwide across the Services ⎛ Total HoursNetwork Available ⎞ ⎜⎜ ⎟⎟ ×100% Total Hours ⎝ ⎠ 10-404788-3 91 Number 4 Service Level Title Availability Information website and elearning availability Required Service Level Measurement Period/Commentary Monthly. Information website and e-learning to be available 24 hours a day. Measures the time the information website and e-learning facility for new Users and refresher training for existing Users is available Accrual Multiplier Allocated Points Default Service Level 99% availability within the measurement period 1% Level 1; Allocated Points 20 Yes – 2% below Required Service Level 98% within 30 Seconds 1% Level 1; Allocated Points 40 Yes – 3% below Required Service Level 100% within 75 Seconds Not applicable Level 2; No Service Credits. Yes – 3% below Required Service Level ⎛ ⎞ Total Hours Available ⎜⎜ ⎟⎟ × 100% ⎝ Total Hours Contractually Specified ⎠ 1A Service Desk 1A - Call Answer Timeliness – answer within 30 seconds Monthly. Average speed of answer of calls into the Service Desk, to be answered within 30 seconds. This time frame includes the pre recorded message that informs the caller that the call may be recorded for training purposes. Measures the percentage of telephone calls answered by Supplier Personnel within the Service Desk within the allowable time period ⎛ Total Number Of Calls Answered Within 30 Seconds ⎞ ⎜⎜ ⎟⎟ × 100 % Total Number of Calls Answered ⎝ ⎠ 1B 10-404788-3 Service Desk Call Answer Timeliness – answer within 75 seconds Monthly. Average speed of answer of calls into the Service Desk, to be answered within 75 seconds. This time frame includes the pre recorded message that informs the caller that the call may be recorded for training purposes. 92 Number Service Level Title Required Service Level Measurement Period/Commentary Accrual Multiplier Allocated Points Default Service Level Measures the percentage of telephone calls answered by Supplier Personnel within the Service Desk within the allowable time period This measure to include those calls that are included in Service Desk 1A. ⎛ Total Number Of Calls Answered Within 75 Seconds ⎞ ⎜⎜ ⎟⎟ × 100% Total Number of Calls Answered ⎝ ⎠ 2 Service Desk Abandoned Calls Monthly. No more than 2% Measures the number of calls at the Service Desk which are either abandoned or dropped. ⎛ Total Number Of Calls Abandoned / Dropped ⎞ ⎜⎜ ⎟⎟ ×100% Total Number of Calls ⎝ ⎠ 10-404788-3 93 Not Applicable Level 2; No Service Credits No Number 3 Service Level Title Service Desk Immediate Call Resolution Required Service Level Measurement Period/Commentary Monthly. Measures the ability of Service Desk to achieve call resolution when the User first contacts the Service Desk. ⎛ Total Number Of Calls Resolved During the ⎜ Initial Contact ⎜ ⎜ Total Number of Calls ⎜ ⎝ 40% for Month 1 from the date of signing the Framework Agreement 45% for Month 2 from the date of signing the Framework Agreement ⎞ ⎟ ⎟ ×100% ⎟ ⎟ ⎠ 50% for Month 3 from the date of signing the Framework Agreement 65% for Month 4 from the date of signing the Framework Agreement With a further review after 12 months. 10-404788-3 94 Accrual Multiplier Not Applicable Allocated Points Level 2; No Service Credits. Default Service Level No Number 4A Service Level Title Service Desk Service Desk Communication Resolutions within 1 Working Day Required Service Level Measurement Period/Commentary Monthly. 10-404788-3 Service Desk Service Desk Remaining Communication Resolutions within 1-2 working days Default Service Level 1% Level 1; Allocated Points 40 Yes – 10% below Required Service Level 100% within 2 Working Days 1% Level 1; Allocated Points 30 No ⎞ ⎟ ⎟ ⎟ × 100% ⎟ ⎟ ⎠ Monthly. In the event that the Supplier cannot resolve a communication raised with the Service Desk within 1 Working Day (the timescales detailed in Service Desk 4A), this metric will measure the time taken to resolve outstanding cases within 2 Working Days. 95 Allocated Points 95% within 1 Working Day Measures the time taken to resolve a communication raised with the Service Desk. This measure to include those calls not resolved during initial contact as detailed in Service Desk 3 above, but to exclude those cases resolved within the Required Service Level specified in Service Desk 3 above. ⎛ Total Number Of Email , Fax, Letter and Calls Resolved Within 1 Working ⎜ Day (−) Total Number of Calls Re solved During First Contact ⎜ ⎜ Total Number of Email , Fax, Letter and Calls (−) Total Number of ⎜ ⎜ Emails , Fax, Letter and Calls Resolved During First Contact ⎝ 4B Accrual Multiplier Number Service Level Title Required Service Level Measurement Period/Commentary ⎛ Total Number Of Email , Fax, Letter and Calls Resolved Within 2 ⎜ ⎜ Working Days (−) Total Number of Emails, Calls , Fax and ⎜ Letter Resolved Within 1 Working Day ⎜ ⎜ Total Number of Email , Fax, Letter and Calls (−) Total Number of ⎜ Emails, Fax, Leters and Calls Resolved Within 1 Working Day ⎜⎜ ⎝ 5A Service Desk – Update information/ systems updated within 1 Working Day Monthly. 98% within 1 Working Day Measures the time taken for the Service Desk Supplier Personnel to update information and systems following a communication from a Customer, User or Authorised Customer Representative. 96 Allocated Points Default Service Level ⎞ ⎟ ⎟ ⎟ ⎟ × 100% ⎟ ⎟ ⎟⎟ ⎠ ⎞ ⎛ Total Number Of Communicat ions that Require Inf ormation / ⎟ ⎜ 1 Systems to be Updated Within Working Day ⎟ ⎜ ⎜ Total Number of Communicat ions that Require Informatio n / Systems ⎟ × 100 % ⎟ ⎜ ⎟ ⎜ to be Updated ⎠ ⎝ 10-404788-3 Accrual Multiplier 1% Level 1; Allocated Points 30 Yes – 5% below Required Service Level Number 5B Service Level Title Service Desk – Update information/ systems updated within 2 Working Days Required Service Level Measurement Period/Commentary Monthly 100% within 2 Working Days In the event that the Supplier cannot update information/systems in 1 Working day as detailed in Service Desk 5A, this measure will apply to measure the time taken to resolve outstanding cases. This measure excludes those cases resolved within 1 Working Day as detailed in Service Desk 5A above. ⎛ Total Number Of Communicat ions that Require Inf ormation / ⎜ Systems to be Updated Within 2 Working Days ( −) Total No. of ⎜ ⎜ Communicat ionsUpdate d Within 1 Working Day ⎜ ⎜ Total Number of Communicat ions that Require Informatio n / Systems ⎜ to be Updated ( −) Total No. of Communicat ions Updated ⎜ ⎜ Within 1 Working Day ⎝ 10-404788-3 97 ⎞ ⎟ ⎟ ⎟ ⎟ × 100 % ⎟ ⎟ ⎟ ⎟ ⎠ Accrual Multiplier 0.5% Allocated Points Level 1; Allocated Points 30 Default Service Level No Number 6 Service Level Title Service Desk – Order Fulfilment Required Service Level Measurement Period/Commentary Accrual Multiplier 98% Monthly. Allocated Points Default Service Level Level 2; No Service Credits Yes – 5% below Required Service Level Level 2; No Service Credits No Based on the agreed delivery date between the Customer and Supplier, this measures the order fulfilment timescale as to when the User actually receives the Device and training. In 98% of all cases the User shall have received the configured Device and have been trained by the agreed delivery date. ⎛ Number Of Cases where Configured Device and Training Received ⎜ by User to Agreed Delivery Date in the Measuremen t Period ⎜ ⎜ Number of Cases where Customer and Supplier had agreed that Configured ⎜ ⎜ Device and Training was Due to be Delivered in the Measuremen t Period ⎝ 7A 10-404788-3 Service Desk – Complaints resolved within ⎞ ⎟ ⎟ ⎟ × 100 % ⎟ ⎟ ⎠ Monthly. Measures the percentage of complaints that are resolved within an agreed 98 95% of all complaints received to be Not Applicable Number Service Level Title 5 Working Days Required Service Level Measurement Period/Commentary timeframe. 95% of all complaints to be resolved within 5 Working Days. Accrual Multiplier Allocated Points Default Service Level resolved within 5 Working Days Resolved is defined as complaint investigated and communicated back to the User, Authorised Customer Representative or Customer and they agree that they are satisfied with the response. ⎛ Total Number Of Complaints Answered Within 5 Working Days ⎞ ⎜⎜ ⎟⎟ × 100% Total Number of Complaints ⎝ ⎠ 7B Service Desk – Complaints resolved within 10 Working Days Monthly. Measures the percentage of complaints that are resolved within an agreed timeframe 100% of all complaints to be resolved within 10 Working Days Resolved is defined as complaint investigated and communicated back to the User, Authorised Customer Representative or Customer they agree that they are satisfied with the response. This measure includes those complaints resolved within 5 Working Days (Service Desk 7A). ⎛ Total Number Of Compla int s Re solved Within 10 Working Days ⎞ ⎜⎜ ⎟⎟ × 100% Total Number of Compla ints ⎝ ⎠ 10-404788-3 99 100% of all complaints received to be resolved within 10 Working Days 1% Level 1; Allocated Points 40 No Number Service Level Title Required Service Level Measurement Period/Commentary Accrual Multiplier Allocated Points Default Service Level In addition, the Supplier shall report on the total number of complaints received in month as detailed in schedule 7 (Management Information) 8 Service Desk 8 – Notification of a Service Incident Monthly 100% within 8 mins 0.5% Level 1; Allocated Points 30 No 100% 0.5% Level 1; Allocated Points 100 Yes – 3% below Required Service Measures the time taken for the Supplier to notify Customers/Users/Authorised Customer Representatives in respect of Service Incidents. Supplier to notify Customers/Users/Authorised Customer Representatives via SMS of Service Incident within 8 minutes being known followed by updates via email until Service Incident resolved in all cases. ⎛ Number Of Notifications Within 8 min ⎞ ⎜⎜ ⎟⎟ ×100% Total Number of Notifications ⎝ ⎠ 1 ARC - Response to Red Alerts Monthly. Measures the time taken for an ARC Supplier Personnel to listen into a Red Alert 10-404788-3 100 Number Service Level Title Required Service Level Measurement Period/Commentary Accrual Multiplier Allocated Points Default Service Level Level ⎛ Total Number Of Red Alerts Actively listened to By ⎞ ⎜ ⎟ Supplier Personnel Within 10 Seconds ⎜ ⎟ × 100 % ⎜ ⎟ Total Number of Red Alerts ⎜ ⎟ ⎝ ⎠ 2 10-404788-3 ARC – Genuine Alarm Alerts Incident Reports to be Passed to Authorised Customer Representative Monthly 100% Measures the time taken for Genuine Alarm Alerts to be emailed to the Authorised Customer Representative within 15 minutes of the Genuine Alarm being completed. ⎛ Total Number Of Genuine Alarms Emailed to ⎞ ⎟ ⎜ ⎜ Authorised Customer Re p resentativ e Within 15 ⎟ ⎟ ⎜ Minutes of G enuine Alarm being C ompleted ⎟ × 100 % ⎜ Total Number of Genuine Alarms Within ⎟ ⎜ ⎟ ⎜ the Measuremen t Period ⎟⎟ ⎜⎜ ⎠ ⎝ 101 0.5% Level 1; Allocated Points 30 Yes – 5% below Required Service Level Number 3 Service Level Title ARC 3 – Close down of False Alerts Monthly Device Failure Accrual Multiplier 1% Level 1; Allocated Points 20 Yes – 5% below Required Service Level 95% within 1 Working Day 2% Level 1; Allocated Points 70 No 100% within 2 Working Days -N/A Level 2; No Service Credits No Measures how quickly requests for replacement Devices are actioned and Device replaced. Replaced means dispatched for receipt by User within 1 Working Day. 1B Device Failure ⎞ ⎟ ⎟ ⎟ ×100% ⎟ ⎟ ⎠ Monthly. Measures how quickly Requests for replacement Devices are actioned and Device replaced. Replaced means dispatched for receipt by User within 2 10-404788-3 Default Service Level ⎞ ⎟ ⎟ ⎟ ⎟ × 100 % ⎟ ⎟ ⎟⎟ ⎠ Monthly ⎛ ⎜ ⎜ Number of Devices Replaced Within 1 Working Day ⎜ Total Number of Requests for Re placement Devices ⎜ ⎜ Within the Measurement Period ⎝ Allocated Points 97% Measures the telephone contact with Users or Escalation Contact to confirm close down within 1 hour of the False Alert being completed. ⎛ Total Number Of False Alarms Cases Closed Down ⎜ Following Telephone Contact With the User ⎜ ⎜ or Escalation Contact Within 1 Hour ⎜ Total Number of False Alarms Within ⎜ ⎜ the Measuremen t Period ⎜⎜ ⎝ 1A Required Service Level Measurement Period/Commentary 102 Number Service Level Title Required Service Level Measurement Period/Commentary Accrual Multiplier Allocated Points Default Service Level Working Days. ⎛ ⎜ Total Number of Devices Replaced Within 2 Working Days − ⎜ ⎜ those Cases that are Re placed Within 1 Day (as Detailed in Figure 1A) ⎜ ⎜ Total Number of Requests for Re placement Devices Within ⎜ the Measurement Period − those Cases that are Re placed ⎜ ⎜ Within 1 Day (as Detailed in Device Failure 1A) ⎝ 2 Device Failure ⎞ ⎟ ⎟ ⎟ ⎟ × 100% ⎟ ⎟ ⎟ ⎟ ⎠ Monthly Measures the number of faulty Devices that require replacement. This measurement includes battery failures ⎞ ⎛ ⎟ ⎜ Total Number of Faulty Devices ⎟ ⎜ ⎜ Total Number of User Devices Covered by Currwent Contracts ⎟ × 100% ⎟ ⎜ ⎟ ⎜ in the Measurement Period ⎠ ⎝ 10-404788-3 103 Device Failure requiring replacement shall not exceed 5% Not Applicable Level 2; No Service Credits No Number 1 1 Service Level Title Required Service Level Measurement Period/Commentary Reporting – Authority & Customer Reporting Completeness Monthly Training – Device configured for trainee Monthly ⎛ Number of Re ports Containing the Agreed Level of Info Pr ovided Within ⎜ ⎜ 10 Working Days at the End of Period in which Re port is Re quired ⎜ Total Number of Re ports Pr ovided in the Period ⎜⎜ ⎝ Default Service Level 2% Level 1; Allocated Points 70 No 98% Not Applicable Level 2; No Service Credits. No ⎞ ⎟ ⎟ × 100 % ⎟ ⎟⎟ ⎠ Measures that the Device is specifically configured to the User and is available for the User to operate at their training event (excludes pooled Device Users) ⎞ ⎟ ⎟ × 100% ⎟ ⎟⎟ ⎠ Note; an initial training intervention is the first training session that a User must undertake in order that they can be certified as having the required skills to successfully operate the Device. Note; test Devices are not classified as meeting the criteria in that they are not specifically configured for the User, unless used in training sessions for pooled Device Users. 104 Allocated Points 98% Measures the provision of accurate reporting to agreed timelines ⎛ Total Number of Initial Training Interventions Where the Device is ⎜ Specifically Configured to the User ⎜ ⎜ Total Number of Initial Training Interventions ⎜⎜ ⎝ 10-404788-3 Accrual Multiplier Number 2 Service Level Title Training – Face to face training ratio Required Service Level Measurement Period/Commentary Monthly. 95% Measures the percentage of face to face initial training interventions compared to other types of initial training/webex. ⎛ Total Number of Initial Training Interventions Where Training ⎜ Delivery Method is Face to Face ⎜ ⎜ Total Number of Initial Training Interventions ⎜⎜ ⎝ ⎞ ⎟ ⎟ × 100% ⎟ ⎟⎟ ⎠ Note; an initial training intervention is the first training session that a User must undertake in order that they can be certified as having the required skills to successfully operate the Device. Each User is calculated separately irrespective of the number of Users attending the session 10-404788-3 105 Accrual Multiplier Allocated Points Not Applicable Level 2; No Service Credits. If the webex ratio materially higher than that costed the Authority will require the Supplier to re-baseline the Maximum Charges to account for reduced Supplier personnel numbers involved in training interventions. Default Service Level No Number 1 Service Level Title User Satisfaction Required Service Level Measurement Period/Commentary Monthly Accrual Multiplier Default Service Level 75% Not Applicable Level 2; No Service Credits. No 15% Not Applicable Level 2; No Service Credits. No Measures levels of User satisfaction to ensure and agreed percentage is rated as good or excellent by User. Relates to Services provided by the ARC, Service Desk, training others e.g. 2nd line support ⎛ Total Number of Users That Respond to User Satisfaction Survey and ⎜ State that their Interaction is Good or Excellent ⎜ ⎜ Total Number of Users that Respond to User Satisfaction Survey ⎜⎜ ⎝ Allocated Points ⎞ ⎟ ⎟ × 100% ⎟ ⎟⎟ ⎠ Note; the total number of Users that respond to User satisfaction surveys must be a minimum of 1% 1 Attrition Yearly This measure assesses Supplier Personnel attrition levels. It looks at the number of Supplier Personnel that work on the Services and either (1) leave the employment of the Supplier; or (2) move to other Supplier activities that are unrelated to the Services; or (3) move to other activities within the Suppliers organisation including its parent company and other related entities. ⎛ Total Number of Supplier Personnel Providing the Services ⎞ ⎟ ⎜ that Leave in a Year ⎟ ⎜ ⎜ Total Number of Supplier Personnel that Provide the Services⎟ ×100% ⎟ ⎜ ⎠ ⎝ 10-404788-3 106 Number Service Level Title Required Service Level Measurement Period/Commentary Total Points Allocated 10-404788-3 Accrual Multiplier Allocated Points 800 107 Default Service Level Part 3.11 - Operational Reporting 1 Reports 1.1 The following reports are all specified in schedule 7 (Management Information): 10-404788-3 (a) SMS (Framework and Drill down of call off contracts); (b) LSMS Reporting; (c) Use of Exception Reporting; and (d) Customer Reporting. 108 Appendix 1 10-404788-3 109 10-404788-3 110 Appendix 2 Authorised Devices Identicom Model number Dimensions Weight (average inc lanyard) Operating temp range Communication system GSM Frequencies GPS Battery life – standard Battery life - talk time Case Minimum Software Version i750 102 x 72 x 12 i757 102 x 72 x 12 i770 102 x 72 x 12 i777 102 x 72 x 12 78g -10C to +40C GSM 900Mhz & 1800Mhz * 60hours 2.5hours ABS Plastic 85g -10C to +40C GSM 900Mhz & 1800Mhz Sirf III 48hours 2.5hours ABS Plastic 78g -10C to +40C GSM 900Mhz & 1800Mhz * 60hours 2.5hours ABS Plastic 85g -10C to +40C GSM 900Mhz & 1800Mhz Sirf III 48hours 2.5hours ABS Plastic v5.10 v5.10 v5.10 v5.10 Additional Devices The Supplier will support User provided mobile phone handsets which meet the mandatory requirements listed below: 10-404788-3 (A) No flip phones (B) No key locks to be deployed (C) No touch screen phones (D) No phones where speed dials cant be easily set up by the User (E) No ‘qwerty keyboard’ based phones 111 Schedule 4 Delays and Implementation Part 1- Delays 1 Introduction This schedule 4 sets out the procedure to be followed in the circumstances that there is any delay in the implementation of the Solution. 2 Delays 2.1 If, at any time, the Supplier becomes aware that it will not (or is unlikely to) achieve any Milestone by the Milestone Date it shall immediately notify the Authority of the fact of the Delay and summarise the reasons for it. 2.2 The Supplier shall, as soon as possible and in any event not later than 10 days after the initial notification under paragraph 2.1, give the Authority full details in writing of: (a) the reasons for the Delay; (b) consequences of the Delay; and (c) if the Supplier claims that the Delay is due to an Authority Cause, the reason for making that claim. 2.3 Whether the Delay is due to an Authority Cause or not, the Supplier shall deploy all additional resources, and take all reasonable steps to eliminate or mitigate the consequences of the Delay. 2.4 Any disputes about or arising out of Delays shall be resolved through the Dispute Resolution Procedure. Pending the resolution of the Dispute both parties shall continue to work to resolve the causes of, and mitigate the effects of, the Delay. 3 Correction Plan 3.1 The Supplier shall submit a draft Correction Plan where: (a) it becomes aware that it will not achieve a Milestone by the Milestone Date; or (b) it has failed to achieve a Milestone by its Milestone Date, for whatever reason. 3.2 The draft Correction Plan shall identify the issues arising out of the Delay and the steps that the Supplier proposes to take to achieve the Milestone in accordance with this Framework Agreement. 3.3 The draft Correction Plan shall be submitted to the Authority for its approval as soon as possible and in any event not later than 10 days (or such other period as the Authority may permit and notify to the Supplier in writing) after the initial notification under paragraph 2.1 or the issue of a Non-conformance Report. 3.4 The Authority shall not withhold its approval of a draft Correction Plan unreasonably. If the Authority does not approve the draft Correction Plan it shall inform the Supplier of its reasons and the Supplier shall take those reasons into account in the preparation of a further draft 10-404788-3 112 Correction Plan, which shall be resubmitted to the Authority within 5 Working Days of the rejection of the first draft. 3.5 The Supplier shall comply with its Correction Plan following its approval by the Authority. 4 Delays to Milestones 4.1 If a Milestone is not achieved other than as a result of an Authority Cause (in which case paragraph 5 applies), the Authority shall issue a Non-conformance Report to the Supplier setting out reasons for the relevant Milestone not being achieved and the consequential impact on any other Milestones. The Authority will then have the options set out in paragraph 4.2. 4.2 The Authority may at its discretion (without waiving any rights in relation to the other options) choose to: (a) issue a Milestone Achievement Certificate conditional on the remediation of the nonconformities in accordance with an agreed Correction Plan; and/or (b) refer the matter to the Escalation Process and if the matter cannot be resolved exercise any right it may have under clause 16 (Termination). 4.3 Where the Authority issues a conditional Milestone Achievement Certificate as specified in paragraph 4.2 (b), it can choose (but does not have to) to revise the failed Milestone Date and any subsequent Milestone Date. 4.4 Any Correction Plan shall be agreed before the issue of a conditional Milestone Achievement Certificate unless the Authority is willing to agree otherwise. In the latter case the Supplier shall submit a Correction Plan for approval by the Authority within 10 Working Days of receipt of the Non-conformance Report. 5 Delays to Milestones Due to Authority Cause 5.1 Without prejudice to paragraph 2.3 and subject to paragraph 4, if the Supplier would have been able to Achieve the Milestone by its Milestone Date but has failed to do so as a result of an Authority Cause the Supplier will have the rights and relief set out in this paragraph 5: 5.2 The Supplier shall: 5.3 10-404788-3 (a) subject to paragraph 6, be allowed an extension of time equal to the Delay caused by that Authority Cause; and (b) not be in breach of this Framework Agreement as a result of the failure to achieve the relevant Milestone by its Milestone Date; The Authority Representative shall: (a) consider the duration of the Delay, the nature of the Authority Cause and the effect of the Delay and the Authority Cause on the Supplier's ability to comply with the Implementation Plan; (b) consult with the Supplier Representative in determining the effect of the Delay; (c) fix a revised Milestone Date; and 113 (d) if appropriate, make any consequential revision to subsequent Milestones in the Implementation Plan. 5.4 Any Change that is required to the Implementation Plan pursuant to paragraph 5.1 or the Charges shall be implemented in accordance with the Contract Change Procedure. If the Supplier's analysis of the effect of the Delay in accordance with paragraph 3.2 permits a number of options, then the Authority shall have the right to select which option shall apply. 5.5 The Authority shall not delay unreasonably when considering and determining the effect of a Delay under this paragraph 5 or in agreeing a Change pursuant to the Contract Change Procedure. 5.6 The Supplier shall and shall procure that each Sub-Contractor shall take and continue to take all reasonable steps to eliminate or mitigate any losses and/or expenses that it incurs as a result of an Authority Cause. 6 Delays not Due to One Party 6.1 Without prejudice to paragraph 2.3 and subject to paragraph 2.4, where a Delay is attributable in part to an Authority Cause and in part is the responsibility of the Supplier the parties shall negotiate in good faith with a view to agreeing a fair and reasonable apportionment of responsibility for the Delay. If necessary, the parties may escalate the matter in accordance with the Dispute Resolution Procedure. Part 2- Implementation Plan 7 Introduction 7.1 The Implementation Plan includes SOP's, process maps, scripts etc to be submitted to the Authority using the Operational Change Procedure. 8 Milestones 8.1 The Supplier shall, in accordance with Part 1 of Schedule 4, use best endeavours to meet the Milestones by the Milestone Dates as indicated below: Ref. 01 02 10-404788-3 Milestone Service Milestone Tasks ARC Finalising the Security Plan based on the ISO27001 accreditation and gap analysis ARC Submission and Acceptance of training materials, SOP’s, scripts and processes, Accreditation of ISO27001/2, Personnel recruitment & training completed and IT systems configured and all other tasks associated with ensuring readiness of the ARC for Service delivery 114 Dependency Supplier Supplier / Authority Milestone Date ISO accreditation due 30 June 2009 (1) Working towards ISO Accreditation, (as above) (2) Training to be complete by 30 April 2009 (3) ARC SOP to be submitted and accepted by 24 April 2009 03 04 05 06 07 10-404788-3 Service Desk Marketing Submission and Acceptance of training materials, SOP’s, scripts and processes. Personnel recruitment & training completed and IT infrastructure configured and all other tasks associated with ensuring readiness of the ARC for Service delivery Submission and Acceptance of Marketing material. Press releases, advertising, editorials and lone worker literature distributed, Web Portal established and all other tasks associated with ensuring readiness of the Marketing strategy Supplier / Authority Supplier / Authority User Training Supplier / Authority Service Maintenance Personnel recruitment and training completed, infrastructure established and all other tasks associated with ensuring readiness to complete Service Maintenance requirements Supplier Account Management 115 Key marketing material accepted. Distribution by 30 April 2009 Web Portal complete by 24 April 2009 Submission and Acceptance of User training material and all other tasks associated with ensuring readiness to complete User Training Personnel recruitment and training completed and all other tasks associated to ensure readiness of the Account Management team to complete Training and final testing complete by 30 April 2009 Supplier Complete Staff training to be completed by 30 April 2009 (1) Staff training to be completed by 30 April 2009 delivery (2) National Account Manager final interviews on 27 April 2009 08 09 10-404788-3 Supply Chain Sufficient and appropriate Devices and SIM stock levels and all other tasks associated to ensure readiness of the Supply Chain to complete delivery Supplier 1 May 2009 ARC Finalising the long term agreement with Jemline Developments as the host site for the DR solution for the ARC & Service Desk Supplier Complete 116 Schedule 5 The Maximum Charges 1 Introduction 1.1 This schedule details the agreed pricing model that will apply to the provision of the Services. It outlines individual rates that will be used as a basis for calculating the Supplier’s Charges for Services as well as creating a basis for calculating Suppliers pricing for proposed new services. This mechanism shall apply for the term of the Framework Agreement and all related Contracts. 1.2 The Maximum Charges shall be subject to the Maximum Charges Variation Procedure. 2 Definitions For the purposes of this schedule the following definitions shall apply: Additional Pooled/Shared User means those Users that share a Device, up to a maximum of 10 Users but excluding the first User. Optional Device Accessories means optional Device accessories which, with the exception of the Identicom manual (E/F/G) which is free, can be purchased by Customer’s at their additional expense as detailed in this schedule. Minimum Required Device Mandatory Accessories means the minimum additional components that will be provided to the Customer, as detailed in Schedule 3 (Services), and as are included within the price of the Services. Volume Discount(s) means the discount that will be applied to the Maximum Charges when certain volume thresholds are achieved as detailed in paragraph 3.8. 3 Calculation of Maximum Charges 3.1 The Maximum Charges for the provision of the Services are detailed in Table 2A and 2B below, and this represents an all inclusive price for the Services that are specified in this Agreement and summarised in Table 1 below. 10-404788-3 117 Table 1 - Service Features New Device - One User Contract Term Option 1 Year 2 Year 3 Year 4 Year 5 Year Less than 1 year Minimum Required Device Mandatory Accessories Identicom Device Identicom Power Supply UK Plug adapter for power supply Identicom lanyard (blue) Identicom plastic lapel clip Identicom lanyard plug (x3) Identicom SIM Door SIM Card Device / User Services Warranty - Damage/Fault Battery Replacement Replacement - Loss / Theft SIM Warranty / Replacement Standard Training Training User Guide & Quick Reference Guide Additional Pooled/Shared User Training Network Services GPS Location GSM Location Auto Man Down Facility SIM Coverage Swap / Return 10-404788-3 i750 – GSM Identicom i770 – GSM Identicom with man down function i757 – GSM Identicom with GPS i777 – GSM Identicom with GPS and man down function ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● Managed Services Customer Customer owned Mobile owned Phone Mobile Phone & and SIM Customer Provided by owned Supplier SIM Customer owned Identicom Device & Customer owned SIM Customer owned Identicom Device and SIM Provided by Supplier ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● Short Term Rental ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● 118 ● ● ● ● ● ● ● ● i757 – GSM Identicom with GPS i777 – GSM Identicom with GPS and man down function ● ● ● i750 – GSM Identicom i770 – GSM Identicom with man down function ● ● ● ● i757 – GSM Identicom with GPS i777 – GSM Identicom with GPS and man down function ● ● ● ● i750 – GSM Identicom i770 – GSM Identicom with man down function Pooled/Shared Usage of Device ● ● ● ● ● ● ● ● ● ● ● ● ● ● Table 1 - Service Features New Device - One User Managed Services Customer Customer owned Mobile owned Phone Mobile Phone & and SIM Customer Provided by owned Supplier SIM ● ● ● ● ● ● Short Term Rental Customer owned Identicom Device & Customer owned SIM ● ● ● ● Customer owned Identicom Device and SIM Provided by Supplier ● ● ● ● Amber Alert Function Red Alert Function Audio Evidence Capture Battery Status Check i750 – GSM Identicom ● ● ● ● i770 – GSM Identicom with man down function ● ● ● ● i757 – GSM Identicom with GPS ● ● ● ● i777 – GSM Identicom with GPS and man down function ● ● ● ● Contract Services Product Review Project Management Free Phone - Service Desk Access Web Portal Access Management Information Sales, marketing & publicity New Device Testing Account Management Billing & Reporting Manned Alarm Response Service Service Desk ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● Billing Options Early Payment Option by Direct Debit– Discounted Payment Terms Standard Payment Terms - 30 Days ● ● ● ● ● ● ● ● ● ● ● ● ● ● Key: Feature included in Service Option Feature excluded from Service Option ● Blank 10-404788-3 119 Pooled/Shared Usage of Device i750 – GSM Identicom ● ● ● ● i770 – GSM Identicom with man down function ● ● ● ● i757 – GSM Identicom with GPS ● ● ● ● i777 – GSM Identicom with GPS and man down function ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● i757 – GSM Identicom with GPS ● ● ● ● i777 – GSM Identicom with GPS and man down function ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● i750 – GSM Identicom ● ● ● ● i770 – GSM Identicom with man down function ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● ● 3.2 The Charges for the Services will be dependant on the Term of the Contract and will be as shown in Table 2A and 2B. The Charges are per month and per User, and the rate shown shall apply to the entire duration of the Term of Contract, subject to Maximum Charge Variation Procedure. Table 2A Maximum Charges - New Device One User i750 – GSM Identicom i770 – GSM Identicom with man down function i757-GSM Identicom with GPS i777– GSM Identicom with GPS and man down function £15.55 £17.07 £19.56 £21.17 £5.41 £7.29 £5.41 £7.29 £11.15 £12.37 £13.76 £15.08 £5.41 £7.29 £5.41 £7.29 £9.68 £10.81 £11.83 £13.05 £5.41 £7.29 £5.41 £7.29 £8.95 £10.03 £10.87 £12.05 £5.41 £7.29 £5.41 £7.29 £8.52 £9.57 £10.30 £11.45 £5.41 £7.29 £5.41 £7.29 £11.15 £12.37 £13.76 £15.08 N/A N/A N/A N/A Contract Term Customer Owned Identicom Device & Customer owned SIM Customer Owned Identicom Device & Supplier provided SIM Customer Owned Mobile phone & Customer owned SIM Customer Owned Mobile Phone Device & Supplier provided SIM 1 Year 2 Year 3 Year 4 Year 5 Year Short Term Rental Monthly Charge (6-12 months) Table 2B Maximum Charges – Additional Pooled/Shared User – One Off Charge – No monthly fee Services as detailed in paragraph 3.6 below Additional Pooled/Shared User Training Charge – Supplier to invoice on receipt of Services 3.3 The only items that are separately chargeable under this Agreement are: (a) 10-404788-3 29.65 per additional Pooled/Shared User Optional Device Accessories as detailed in paragraph 4. 120 (b) Termination assistance in excess of the requirements specified in Part 1 of schedule 16 (Exit Assistance). (c) Early termination charges as detailed in paragraph 5; and (d) User telephone charges that are unrelated to the Services as specified in paragraph 11. 3.4 The Supplier commits to provide the required number of Supplier Personnel to meet the Service Levels and provide the Services detailed in this Agreement. 3.5 All Maximum Charges are inclusive of all Supplier costs and expenses and are shown per calendar month except where expressly stated otherwise, in sterling, and exclusive of VAT where applicable. VAT will be charged and payable at the prevailing rate and shown separately on all invoices. 3.6 In respect of pooled or shared Devices up to a maximum of 10 Users are permitted to share a single Device, and: 3.7 (a) The Maximum Charge for the first User will be for a single User for the Contract Term as shown in Table 2A above; and (b) The Maximum Charges for each Additional Pooled/Shared User will be calculated at the Additional Pooled/Shared User Rate as shown in Table 2B above. Reallocation of Device A Device can be re-allocated from one User to another within a Customer’s organisation at no additional charge. 3.8 10-404788-3 Volume Discounts (a) In respect of Table 2A only the Maximum Charges shall be adjusted by taking into account the following Volume Discount structure. The level of Volume Discount that will be applied to new Contract(s) will be considered on the year anniversary of the Agreement, and each year thereafter. (b) The Maximum Charges relating to existing Contracts will not be impacted by this paragraph 3.8. That is, Maximum Charges for current Services will remain static over the duration of the Contract, other than as amended via the Maximum Charges Variation Procedure. (c) The Volume Discount shall be applicable where the thresholds in Table 3 below have been achieved. Volume Discounts shall be calculated by counting the number of Users that are currently receiving Services under Contracts on the Agreement yearly anniversary date. (d) In respect of new Contracts the Supplier shall apply the lowered pricing and update the Catalogue within 5 Working Days of the Discount Threshold being achieved. (e) For the avoidance of doubt, where Maximum Charges are adjusted as a result of Volume Discount thresholds the new Maximum Charge will be subject to the 121 Maximum Charges Variation Procedure as specified in Schedule 9 (Maximum Charges Variation Procedure). Table 3 Volume Discounts No. of Users receiving Services From No. of Users receiving Services To Discount Applied 102000 141000 4.00% 141001 181100 An additional 1.00% 181101 221100 An additional 1.00% 221101 251000 An additional 1.00% 4 Optional Device Accessories 4.1 The Supplier shall provide the following Optional Device Accessories, at the Maximum Charges stated in Table 4, when requested by the Customer. Optional Device Accessories are on a capital sum basis and become the property of the Customer. Table 4 Optional Device Accessories Accessory Part number Purchase Price Identicom additional power supply EXT1001 Identicom Manual (E/F/G) – PDF Version EXT1013 Identicom In - Car Charger Identicom Silicon Rubber Case EXT1017 EXT1012 £9.27 PDF version Free on request £12.36 £12.36 5 Early Termination Fee 5.1 Where a Customer terminates or purports to terminate the Services relating to a User or Contract/Order prior to the expiry of the relevant initial Term of Contract then, other than on expiry or in the case of termination by the Customer under clause 16.4 and 16.7, the Customer shall pay to the Supplier an early termination fee set out in Table 5. This early termination fee shall be a one off payment and the amount will vary depending on when the Services are terminated e.g. the early termination fee to terminate a 5 year contract in Year 1 is £39.96 but the cost of terminating the same contract in Year 4 is £18.40. 5.2 Where a Customer terminates or purports to terminate the Services relating to a User or Contract/Order during a contract extension period then, other than on expiry or in the case of termination by the Customer under clause 16.4 and 16.7, the Customer shall pay to the Supplier an early termination fee set out in Table 5. This early termination fee shall be a one off payment. 10-404788-3 122 5.3 Where a Customer terminates or purports to terminate a Short Term Rental Contract other than on expiry or in the case of termination by the Customer under clause 16.4 and 16.7 the Customer will be required to pay the full contracted rental Charges that are remaining. 5.4 For the avoidance of doubt where the Customer wishes to cancel a Contract within 10 Working Days of the parties signing the Contract then this shall be treated as Cancellation and the provisions of paragraph 10 shall apply. Table 5 - Early Termination Fee Early Termination Fees – One Off Charge per User Identicom Year of Termination Initial Contract Term 1 Year 2 Year 3 Year 4 Year 5 Year Early Termination during a Contract Extension Managed Services : Own Mobile or Identicom SIM and Customer owned SIM 1 £18.40 £23.79 £29.18 £34.57 £39.96 £13.00 Initial Contract Term 1 Year 2 Year 3 Year 4 Year 5 Year Early Termination during a Contract Extension Customer owned Mobile Phone and SIM Provided by Supplier Initial Contract Term 1 Year 2 Year 3 Year 4 Year 5 Year Early Termination during a Contract Extension 10-404788-3 2 N/A £13.00 £18.40 £23.79 £29.18 £13.00 3 N/A N/A £13.00 £18.40 £23.79 £13.00 4 N/A N/A N/A £13.00 £18.40 £13.00 5 N/A N/A N/A N/A £13.00 £13.00 3 N/A N/A £13.00 £17.55 £22.10 £13.00 4 N/A N/A N/A £13.00 £17.55 £13.00 5 N/A N/A N/A N/A £13.00 £13.00 3 N/A N/A £13.00 £17.55 £22.10 £13.00 4 N/A N/A N/A £13.00 £17.55 £13.00 5 N/A N/A N/A N/A £13.00 £13.00 Year of Termination 1 £17.55 £22.10 £26.64 £31.19 £35.74 £13.00 2 N/A £13.00 £17.55 £22.10 £26.64 £13.00 Year of Termination 1 £17.55 £22.10 £26.64 £31.19 £35.74 £13.00 2 N/A £13.00 £17.55 £22.10 £26.64 £13.00 123 Pooled/Shared Device Usage of Initial Contract Term 1 Year 2 Year 3 Year 4 Year 5 Year Early Termination during a Contract Extension Year of Termination 1 £18.40 £23.79 £29.18 £34.57 £39.96 £13.00 2 N/A £13.00 £18.40 £23.79 £29.18 £13.00 3 N/A N/A £13.00 £18.40 £23.79 £13.00 4 N/A N/A N/A £13.00 £18.40 £13.00 5 N/A N/A N/A N/A £13.00 £13.00 6 Termination Assistance 6.1 Included within the Charges the Supplier shall provide the Termination Assistance as specified in Part 1 of schedule 16 (Exit Assistance). 6.2 If the Authority or Customer require termination assistance in excess of that specified, in line with Part 1 of schedule 16 (Exit Assistance) the Supplier shall provide such assistance, and shall charge on a time and materials basis, using the principles established in paragraph 9. 7 Temporary Suspension 7.1 In the event that the Customer wishes to suspend the Services in respect of a User, and does not wish to re-allocate the Device, the Supplier shall suspend charges for Services for the period of the suspension. 7.2 For charging purposes the Customer is only permitted to suspend the Services for a minimum of 1 month and a maximum of 3 months within a single year of a contract. 7.3 Temporary suspension will not be permitted for Devices contracted on Short Term Rental. 8 Individual User cannot access or make use of the Services due to Geographical Location In the event that an individual User is unable to access or make use of the Services due to geographical location and the inability of any Network Operator to provide network availability in that location, the Customer shall arrange for the User to return the Device to the Supplier within the first two months of the Contract. Any Charges paid in respect of that User will be recredited to the Customer, or the Authority in the case of Authority funded Devices during the centrally funded two year period. 9 New Requirement Not in the Original Scope of Services Mechanism 9.1 Where the Supplier is to provide new or additional services the parties shall agree the Maximum Charges payable by reference to the principles underlying this schedule, and specifically that the contract margin will be no greater than 7%; 9.2 There shall be no margin applied to products and services supplied by the Supplier's Device subcontractors. 10-404788-3 124 Maximum Charges 9.3 In relation to any such new requirement, the Supplier shall provide to the Authority the same level of ‘open book’ price visibility as was provided during the competitive process leading up to contract award. 10 Cancellation 10.1 Cancellation is where the Customer has signed a Contract but subsequently decides to cancel the Contract or User(s) from the Contract before commencement of the Services, in accordance with clause 15.1(a) of the Contract. If the Customer provides written (to include email) notification to the Service Desk of the Cancellation, within 10 Days of all parties signing the Contract then no charges will be applied and the Contract, will be cancelled without any implication to the Customer (no Cancellation charges payable). 10.2 Upon Cancellation, any equipment received by the Customer/User shall be returned to the address specified through the Cancellation process. 10.3 In the event that a Customer wishes to cancel the Contract after more than 10 Days of all parties signing the Contact then early termination fees shall apply as detailed in paragraph 5 of this schedule. 11 Mobile Phones– Call Charges Unrelated to the Provision of Services 11.1 For mobile phones where the Supplier provides the Services and the SIM Card, the Supplier shall recharge to the Customer, through the normal monthly invoicing process, the cost of all calls not associated with the Services. Call charges shall be itemised and shall include the name and mobile number of the User. 11.2 For mobile phones where the User provides the SIM Card, the Supplier has reduced the price of the Services to take account of an assumed volume of network usage to utilise the Services. 12 Gainshare 12.1 Subject to the Agreement, particularly clauses 4.5, 4.6 (the Available Services), schedule 10 (Sub-Contractors) and schedule 12 (Governance), if the Supplier decides to adopt new or revised technology, processes or methods of delivery that, in the reasonable opinion of the Supplier, will materially change the way in which Services are supplied, including revised supply chain, revised Device manufacture location, or any other change in the way the Services are supplied, whether or not that change will result in a material cost saving to the Supplier in providing the Services, the Supplier shall promptly notify the Authority and brief the Authority on the economic or business reasons for the change, and the Supplier and the Authority will use their reasonable endeavours to agree change, and the manner in which the Maximum Charges may, if appropriate, be accordingly revised. 13 Early Payment Option by Direct Debit – Discounted Payment Terms 13.1 The Supplier will offer an early payment by direct debit discount in respect of all fees and charges resulting from this Agreement and/or each Contract. 13.2 Where a direct debit mandate has been completed to facilitate early payment to the Supplier within 5 Working Days of an invoice being issued, a discount will be applicable to each such invoice. 10-404788-3 125 13.3 The applicable early payment discount will be calculated quarterly, on 1st April, 1st July, 1st October and 1 January of each year. 13.4 Where early payment by direct debit has been selected a credit will be shown as an ‘early payment discount adjustment’ on each monthly invoice. The discount will be credited to the invoice in which it applies and will be itemised separately, showing the percentage discount and cash value of the discount. The credit shall be calculated as follows; Discounted Invoice = Standard Terms Invoice Value x D Where: D= i + 2% × 25 365 Where: D = Discount adjustment factor applied to invoices valid for Early Payment Discount. i = London Interbank Offered Rate (LIBOR) at the quarterly date of calculation as stated above. The Catalogue shall be updated with within 5 Working Days to show the latest early payment by direct debit discount. 14 Marketing and Publicity The Supplier is required to market and publicise the Services as detailed in schedule 15 (Marketing), and incorporated into the Maximum Charges. 15 Authority Funding 15.1 For Contracts that are part funded by the Authority with the Authority as a signatory, the Authority shall be responsible for payment of the Services, as outlined in schedule 3 (Services), in Years 1 and 2 of the Contract. The Customer shall be liable for Services in subsequent years. 15.2 The Authority shall not be liable for any other costs that arise in Years 1 and 2 as a result of Customer requests or actions including; (a) Optional Device Accessories as specified in paragraph 4; (b) Non Services-related mobile calls as specified in paragraph 11; (c) Cancellation charges as specified in paragraph 10; (d) Additional termination assistance charges as specified in paragraph 6; and (e) Additional Pooled/Shared User costs as specified in paragraph 3.6; for the avoidance of doubt these additional items will be payable by the Customer directly, where due. 10-404788-3 126 16 Management Fee The Supplier shall pay a management fee of 3% in respect of all sums payable under this Agreement and all Contracts. 17 Contract Extensions In the event that the Customer extends their Contract, then the Maximum Charges that will apply shall be the same monthly Charge as was payable during the initial Term of the Contract. 10-404788-3 127 Schedule 6 Ordering Procedures 1 Introduction 1.1 This schedule specifies the procedures that Customers must follow with the Supplier to place an Order. 1.2 Customers are entitled to place Orders at any time during the Term to order Services. Such Services shall be provided by the Supplier as Ordered Services in accordance with the provisions of the Contract. 1.3 A Contract shall be entered into by the Supplier accepting an Order, served by a Customer, for the provision of Ordered Services in accordance with these Ordering Procedures. 2 Procedures 2.1 Two process maps have been included within this schedule explaining the ordering procedures relating to: (a) Model Contract 1: Joint Funded (NHSBSA/NHS Bodies) Subscriptions; (b) Model Contract 2: NHS Body Directly Funded Subscriptions; 3 Orders 3.1 An Order shall comprise: 10-404788-3 (a) the Customer’s Name, Registered Address, Registration Number; (b) the Customer’s requirement in terms of either (i) Device Subscriptions and quantities; and/or (ii) “One-Off” Optional Items/Services; (c) a unique Order reference number; (d) the call-off contract terms & conditions;; (e) the Customer’s invoice address; and invoice contact; (f) the Customer Authorised Representative(s) and contact details; (g) User Details; (h) Requested delivery date or delivery timetable; (i) Training – (i) required method(s) of training; (ii) proposed training venue (Customer to provide training venue). (j) Any other Customer / User information requested by the Supplier to deliver the Ordered Services 128 4 Acknowledgement Of The Order 4.1 On receipt of an Order, the Supplier shall send an acknowledgement of that Order to the Customer within two (2) Working Days. 10-404788-3 129 Part 1 – Joint Funded NHS BODY NHS NHS Body Advised 2. 1. NHS Body confirms (joint funded) requirements using proforma (provided by the NHSBSA) LWP Procurement process concluded. NHSBSA Finalises Costs/Services and advises NHS Bodies 3. Advise BSA by set deadline NHS Body 7. SUPPLIER NHSBSA (SMS) consolidates requirements from all NHS Bodies. Supplier Advised 4. NHSBSA formally advises NHS Body and Supplier that NHS Body has been allocated: £x (2 year funding) for ‘x’ no. of devices and that this funding is subject to 3rd year funding by NHS Body NHS body/Supplier finalise all arrangements and agree final version of (joint funded) contract 11. Signed Contract retained by NHS Body for records 10. NHSBSA (SMS) reviews and signs copies of Contract, retaining one copy for records and forwarding other (2) copies to NHS Body and Supplier Signed Contract (1 copy) Signed Contract (1 copy) Three copies of Call-Off contract produced for NHS Body. Signed by the Supplier (quoting NHSBSA unique contract reference and NHS Body’s order/contract reference –Note: These references will be used for payment control) 12. Signed Contract retained by Supplier for records NOTE: If NHS Body wants to order further Devices (funded directly by them) then a separate Call-Off contract/order will have to be created (See Part 2 Order Process) 10-404788-3 130 Supplier populates draft Call-Off Contract (from initial proforma forwarded by NHSBSA) 6. Supplier arranges meeting(s) with NHS Body authorised representatives Meeting(s) Arranged 8. 9. NHS Body Reviews and signs (3) copies of Contract and forwards to NHSBSA for final signature. 5. Part 2 – Direct Funded Supplier NHS Body 1. NHS Body either (1) requests meeting with Supplier’s Account Manager; or (2) the NHS Body will access/download Lone Worker Solution overview (rates/Service Levels etc) from web-site; or be provided with information by e-mail on application 3. 6. NHS Body completes Lone Worker (Call-Off Contract) Order form defining contract length, number of Users/subscriptions required – completing all mandatory fields on Lone Worker Order form & schedules, attaching NHS Body’s official Order (with both forms being approved/authorised in accordance with NHS Body’s standing financial instructions). 2. Meeting arranged with NHS Body; or NHS Body is provided with access to Lone Worker Solution Overview and (Call-Off Contract) Order Form, completion instructions and rates. 4. Supplier reviews (Call-Off contract) Order form and liaises with NHS Body’s authorised representative(s) to arrange training and finalise arrangements 5. Supplier signs Lone Worker (call-off contract) Order Form; retaining one copy & sending second copy back to NHS Body as Confirmation of Order. Discussion (if required) Lone Worker Order form (signed by both parties) returned to NHS Body, including schedule confirming key dates, training arrangements etc. 7. Implementation commences in accordance with agreed plan Notes: 1. A separate (Call-Off Contract) Order will be created for additional subscription(s) the NHS Body wishes to place. 2. The NHS Body (in consultation with the Supplier (if required)) will be responsible for managing/overseeing the total number of subscriptions and the respective terms/rate being applied for their organisation – ensuring that the most cost effective solution is being employed. 3. The LWP Call-Off Contract Terms & Conditions will apply to all Lone Worker orders (NHS Body’s Terms & Conditions will not apply). 10-404788-3 131 Schedule 7 Management Information 1 Introduction 1.1 This schedule 7 specifies the Management Information that the Supplier shall provide to the Authority and/or the Customer. 2 Management Information 2.1 The Supplier shall provide Management Information reports electronically to the Authority at: loneworkerprotection@cfsms.nhs.uk. 2.2 Authority reports shall be submitted within 8 days following month end, as outlined in schedule 12 (Governance). 2.3 Customer reports shall be submitted within 10 Working Days of the end of the monthly reporting period. 2.4 Project Management and Implementation Programme Management Information in respect of the Contract, will be provided in the agreed Customer format prior to the implementation of the Services. 2.5 Management Information specifications are detailed in the table below: 10-404788-3 132 REPORT : REPORT BROKEN DOWN BY : FREQUENCY : Authority Operational Report Customer Monthly Authority Contract Management Report Centrally and Customer Funded Strategic Reporting Authority Exception Report Customer Operational Reporting Centrally and Customer Funded Centrally and Customer Funded Monthly Quarterly As Required General 1 Service Credits due in respect of failure to attain Service Levels including a description as to the reason(s) for failure 2 Percentage Service Credit that will be rebated on the next months invoice 3 Number of Users and breakdown by Device 4 Number of suspensions and each suspension period 5 Number of cancellations 6 Number of terminations within the Term of the Contract, to include the number of months of subscription remaining at the point of termination 7 Number of devices reallocated following early termination 8 Spend to date and spend in year (April to April) in respect of NHS and Framework wide 9 Supplier order pipeline 10 Invoices raised and invoices outstanding 11 Executive Summary 12 Total Contracted value of Agreement 13 Operational, technical and Product Review Report 14 New developments 15 Proposed efficiencies including continuous improvement 16 Attrition Levels 17 Exception Report showing each case that the Supplier has agreed to 10-404788-3 133 Centrally and Customer Funded Customer Contract Manager Report Centrally and Customer Funded Centrally and Customer Funded Monthly Monthly Annually Annual Reports lower Charges than the Maximum Charges 18 Disputes between Supplier and Customer REPORT : REPORT BROKEN DOWN BY : FREQUENCY : 19 Number of ‘hits’ on marketing Web site 20 Number of expressions of interest achieved from marketing Web site 21 Breakdown of publicity marketing undertaken across NHS Customers Authority Operational Report Customer Monthly Authority Contract Management Report Centrally and Customer Funded Strategic Reporting Authority Exception Report Customer Operational Reporting Centrally and Customer Funded Centrally and Customer Funded Monthly Quarterly As Required ARC 22 Performance against Service Levels 23 Number of genuine alarms reviewed by LSMS 24 Number of Cases, detailing instances where a recording is supplied to the Police 25 Aggregated number of Cases, detailing instances where a recording is supplied to the Authorised Customer Rep 26 Number of status checks including the average per User 27 Aggregate number of dropped Red Alerts 28 Number of False Alarms 29 Number of Amber Alerts 30 Feedback on [x] % review of Amber Alerts 31 Number of Genuine Alarms Closed Safely 32 Number of Genuine Alarms (i) attack (ii) medical (iii) car breakdown (iv) other 33 Number of Genuine Alarms escalated to the Emergency Services 10-404788-3 134 Centrally and Customer Funded Customer Contract Manager Report Centrally and Customer Funded Centrally and Customer Funded Monthly Monthly Annually Annual Reports 34 Aggregated response times for Emergency Services from operator notification 35 Aggregate Operator response times 36 User satisfaction survey results REPORT : Authority Operational Report Authority Contract Management Report Strategic Reporting Authority Exception Report Customer Operational Reporting Customer Contract Manager Report Annual Reports REPORT BROKEN DOWN BY : Customer Centrally and Customer Funded Centrally and Customer Funded Centrally and Customer Funded Centrally and Customer Funded Centrally and Customer Funded Centrally and Customer Funded Monthly Monthly Quarterly As Required Monthly Monthly Annually FREQUENCY : 37 Breakdown of all complaints received Networks 38 Performance against Service Levels 39 Number of cases of poor network coverage 40 Number of cases of SIM swap outs due to poor network coverage Training 41 Number of Users trained, face to face/on line 42 Performance against Service Levels 43 Report on the status of all new Contracts where an agreed delivery/training date has been delayed Device and Device Usage 44 Performance against Service Levels 45 Device inactivity % per Customer 46 Number of cases of Device theft or loss 10-404788-3 135 47 Number of reported faulty Devices (i)on receipt of Device (ii) During the Term of the Contract 48 Number of faulty Devices (i) within 12 month warranty (ii) within extended warranty (iii) Device replaced where no fault found (iv) Device replaced due to accidental or malicious damage REPORT : Authority Operational Report Authority Contract Management Report Strategic Reporting Authority Exception Report Customer Operational Reporting Customer Contract Manager Report Annual Reports REPORT BROKEN DOWN BY : Customer Centrally and Customer Funded Centrally and Customer Funded Centrally and Customer Funded Centrally and Customer Funded Centrally and Customer Funded Centrally and Customer Funded Monthly Monthly Quarterly As Required Monthly Monthly Annually FREQUENCY : Service Desk 49 Performance against service levels 50 Number if calls resolved on first contact 51 Number of calls referred to Technical administration 52 Number of calls closed without agreement of User or Escalation Point 10-404788-3 136 Schedule 8 Agreement Change Procedure 1 Introduction 1.1 This schedule 8 sets out: (a) the Agreement Change Procedure to be used by the Authority and the Supplier to effect changes to this Framework Agreement; and (b) the Operational Change Procedure. 2 Principles 2.1 The Authority and the Supplier shall conduct discussions relating to proposed changes to this Framework Agreement in good faith. Neither party shall unreasonably withhold or delay consent to the other party’s proposed changes. 2.2 Until such time as an Agreement Change Note (ACN) has been signed by both parties, the Supplier shall continue to provide and make available to Customers the Services in accordance with this Framework Agreement and relevant Contracts. 2.3 Any work undertaken by the Supplier, its Sub-Contractors or agents in connection with any proposed change to this Framework Agreement (other than that which has previously been agreed in accordance with the provisions of paragraph 2.2) shall be undertaken entirely at the expense and liability of the Supplier unless otherwise agreed between the Authority and the Supplier in advance. 2.4 Any discussions, negotiations or other communications which may take place between the parties in connection with any proposed change to this Framework Agreement, including but not limited to the submission of any written communications, prior to the signing by both parties of the relevant ACN, shall be without prejudice to the rights of either party. 3 Agreement Change Procedure 3.1 Should either party wish to amend this Framework Agreement, that party’s Framework Manager shall submit a draft ACN for discussion detailing the proposed change to the other party’s Framework Manager using the pro forma at Appendix 1. 3.2 Discussion between the parties following the submission of a draft ACN shall result in either: 3.3 10-404788-3 (a) no further action being taken on that draft ACN; or (b) agreement between the parties on the changes to be made to this Framework Agreement (including agreement on the date upon which the changes are to take effect (the “effective date”)), such agreement to be expressed in the form of proposed revisions to the text of the relevant parts of this Framework Agreement. Where agreement is reached in accordance with paragraph 3.2(b) the party submitting the draft ACN shall prepare the final ACN for execution by both parties. The final ACN, the content of which has been agreed between the parties in accordance with paragraph 3.2(b), shall be uniquely identified by a sequential number allocated by the Authority. 137 3.4 Two (2) copies of each ACN shall be signed by the Supplier and submitted to the Authority not less than ten (10) Working Days prior to the effective date agreed in accordance with paragraph 3.2(b). 3.5 Subject to the agreement reached in accordance with paragraph 3.2(b) remaining valid, the Authority shall sign both copies of the approved ACN within five (5) Working Days of receipt by the Authority. Following signature by the Authority, one (1) copy of the signed ACN shall be returned to the Supplier by the Authority. 3.6 An ACN signed by both parties shall constitute an amendment to this Framework Agreement pursuant to clause 12 (Amendments to this Framework Agreement). 3.7 The ACN pro forma is set out in Appendix 1 of this schedule. 4 Operational Change Procedure 4.1 Any "Operational Change", proposed by the Supplier shall be submitted in writing to the Authority for acceptance. 4.2 The Authority shall review any Operational Change proposals submitted pursuant to paragraph 4.1, and by written notice to the Supplier, without prejudice to its other rights and remedies, may elect as its sole option to: 4.3 10-404788-3 (a) accept the Operational Change; (b) return the Operational Change proposal, and invite the Supplier to re-submit the proposal together with any clarifications or amendments as the Authority may reasonably determine; or (c) reject the Operational Change. The principles set out in paragraph 2 shall also apply to the Operational Change Procedure, and no Operational Change shall be implemented by the Supplier unless and until written notice of acceptance, is issued by the Authority. 138 APPENDIX 1 Agreement Change Note for the Agreement Change Procedure Sequential Number: [to be allocated by the Authority’s Framework Manager] Title: ........................................................... Originator: .........................for the [Authority/Supplier] Date change first proposed: ........................................................... Number of pages attached: ................…………………………… WHEREAS the Supplier and the Authority entered into a Framework Agreement for the provision of lone worker Services dated [date] and now wish to amend that Framework Agreement; Reason for proposed change [Party proposing change to complete] Full details of proposed change [Party proposing change to complete] Details of likely impact, if any, of proposed change on other aspects of the Framework Agreement [Party proposing change to complete] Effect of proposed change on extant Contracts [Party proposing change to complete in accordance with clause 12.3] IT IS AGREED as follows: 10-404788-3 139 1 With effect from [date] the Framework Agreement shall be amended as set out below: [Details of the amendments to the Framework Agreement to be inserted here – to include the explicit changes required to the text in order to effect the change, i.e. clause/schedule/paragraph number, required deletions and insertions etc] 2 Save as herein amended, all other terms and conditions of the Framework Agreement inclusive of any previous ACNs shall remain in full force and effect. Signed for and on behalf of the Supplier By .................................................................................................... Name .............................................................................................. Title ................................................................................................. Date ................................................................................................ Signed for and on behalf of the Authority By .............................................................................................. Name .............................................................................................. 10-404788-3 Title ……………………………………………………………………. Date ............................................................................................... 140 Schedule 9 Maximum Charges Variation Procedure 1 Introduction 1.1 This schedule 9 details the Maximum Charges Variation Procedure applicable to this Framework Agreement. 1.2 The Charges shall only be varied through: (a) Indexing, in accordance with the provisions of paragraph 2; and (b) agreement between the parties at any time to decrease any of the Maximum Charges and the date from which such decrease shall apply. 2 Indexing 2.1 The Indexation Factor will be RPIX- The “Retail Prices Index excluding mortgage interest rates (RPIX)” as published by the Office of National Statistics at the year anniversary of the Agreement. The most recently published RPIX rate will be used to calculate revised Maximum Charges. (a) Indices are available at the following website: http://www.statistics.gov.uk/CCI/SearchRes.asp?term=chmk&x=28&y=13 2.2 In the event that any changes occur to the basis of RPIX, or it is no longer published, the Authority and the Supplier shall agree a fair and reasonable adjustment to that index or, if appropriate, shall agree a revised formula that in either event will have substantially the same effect as that specified in this schedule 9. Where the published figure specified in paragraph 2.1 is stated to be a provisional figure or is subsequently amended, that figure shall apply as ultimately confirmed or amended unless the Authority and the Supplier shall agree otherwise. 2.3 In respect of new Contacts, schedule 5 (Maximum Charges) shall be varied on the 1st Year anniversary of the Agreement, and on each subsequent anniversary using the following formula; ⎛ ⎛ RPIXd ⎞ ⎞ ⎟⎟ ⎟ NBCa = ⎜⎜ (EBCa ) × ⎜⎜ ⎟ RPIXp ⎝ ⎠⎠ ⎝ Where: NBCa = New Base Charge of New Orders EBCa = Existing Base Charge of New Orders RPIX = The “Retail Prices Index excluding mortgage interest rates (RPIX)” as published by the Office of National Statistics (http://www.statistics.gov.uk/instantfigures.asp). RPIXd = the value of the most recently published RPIX figures preceding the date when the indexation of the Charges is to be given effect. RPIXp is the value of RPIX in respect of 12 months prior to the current Anniversary year. 10-404788-3 141 The Existing Base Charge = the price that applies on signing the Agreement, as amended on the anniversary of the Framework Agreement, when a New Base Charge will be calculated in accordance with the principles detailed in this schedule 9.. 2.4 The Maximum Charges in respect of all Contracts that exist at the point at which revised Framework Agreement pricing is agreed, shall be varied on the anniversary of each individual Contract using the following formula; ⎛ ⎛ RPIXd ⎞ ⎞ ⎟⎟ ⎟ + (EBCo × (1 − Z )) NBCb = ⎜⎜ (EBCb − (EBCo × (1 − Z ))) × ⎜⎜ ⎟ ⎝ RPIXp ⎠ ⎠ ⎝ Where: NBCb = New Base Charge for Existing Orders EBCb = Existing Base Charge of Existing Orders EBCo = Base Charge at commencement of Agreement Z = % of the Base Charge at commencement of Agreement subject to Indexation as specified in Appendix 1 : % Of Maximum Charges subject to Indexation – Existing Orders RPIX = The “Retail Prices Index excluding mortgage interest rates (RPIX)” as published by the Office of National Statistics (http://www.statistics.gov.uk/instantfigures.asp). RPIXd = the value of the most recently published RPIX figures preceding the date when the indexation of the Charges is to be given effect. RPIXp = the value of RPIX in respect of 12 months prior to the current Anniversary year. The Existing Base Charge for Existing Orders (ECBb) = the price that applies on signing the Agreement as amended on the anniversary of the Framework Agreement when a New Base Charge will be calculated in accordance with the principles detailed in this schedule 9.. The Existing Base Charge at commencement of Agreement (EBCo) = the price that applies on signing the Agreement. 3 Procedure for agreeing to Lower Maximum Charges 3.1 Either party shall have the right from time to time during the Term to give notice to request a review of the Maximum Charges whether or not such a request is occasioned by any benchmarking undertaken by the Authority under clause 7.2 (Benchmarking). As soon as reasonably practicable after the date of the notice, the Supplier shall meet with the Authority to discuss in good faith the variation of the Charges. Any variation in the Charges shall be recorded in writing and shall take effect on the date agreed between the parties. The Authority shall not give notice under this paragraph more frequently that at three (3) months intervals during the Term. 3.2 In the event that, following a variation of the Maximum Charges in accordance with the Framework Agreement, the Charges under any Contract are above the level of the Maximum Charges; such Charges shall automatically be reduced to the level of the Maximum Charges with effect from the date that the revised Maximum Charges take effect. 10-404788-3 142 4 Implementation Of Adjusted Maximum Charges 4.1 Variations to Maximum Charges shall be made in accordance with the provisions of this schedule 9. The Supplier shall amend the Charges shown in the Catalogue to reflect such variations, where necessary. 4.2 The Supplier shall apply any adjustment to the Authority or Customer’s invoice (as appropriate) immediately. Variations to the Charges applicable to each Contract shall be made in accordance with the provisions of that Contract. 10-404788-3 143 Appendix 1 In respect of existing Contracts the Table below details the percentage of Maximum Charges that will be subject to indexation; % Of Maximum Charges subject to Indexation - Existing Contracts i750 – GSM Identicom i770 – GSM Identicom with man down function i757 – GSM Identicom with GPS i777 – GSM Identicom with GPS and man down function Contract Rental New Device : One User - Monthly Charge 1 Year 2 Year 3 Year 4 Year 5 Year Short Term Rental - Monthly Charge 39% 53% 61% 66% 69% 41% 55% 63% 68% 71% 37% 51% 59% 64% 68% 39% 53% 61% 66% 70% 53% 55% 51% 53% Pooled Devices 1st User Additional User Training Charge - Initial Charge per additional user As Contract Rental New Service 100% Managed Services - Monthly Charge Customer owned Mobile Phone Customer owned Identicom Device 10-404788-3 Customer owned SIM 91% 91% 144 SIM Provided by Supplier 93% 93% Schedule 10 Sub-Contractors 1 Introduction 1.1 This schedule 10 contains: (a) Details of the Sub-Contractors to be employed by the Supplier in the provision of Services pursuant to individual Contracts, and the safeguards/ protection taken in respect of such Sub-Contractors; and (b) The procedure to select, appoint and manage Sub-Contractors. 2 Sub-Contractors and Safeguards / Protection 2.1 The table of Sub-Contractors and safeguards/ protections, details in Part 1 the SubContractors in use as at the date of this Agreement; and in Part 2, the potential subcontractors that the Supplier has identified as an alternative/contingency. 2.2 The Supplier shall not be permitted to change from a Sub-contractor listed in Part 1 to a potential sub-contractor listed in Part 2, without the prior written approval of the Authority in accordance with the Agreement Change Procedure. Part 1 Name and full Obligation Details of Safeguards and Protection contact details The Supplier has put in place the following safeguards to secure the delivery of Devices from its Sub-Contractor (Connexion2) to enable the Supplier to fulfil its obligations under the Contracts: The provision of Identicom Devices and warranty on sub-contract to the Supplier Connexion2 Ltd Momentum House Carrera Court Church Lane Dinnington S25 2 RG 1.The sub-contract will step down the key obligations of the Supplier under the Contracts to Connexion2, including most importantly the Service Levels and business continuity provisions 2. The Supplier shall also have the following rights to ensure continuity of supply, particularly to secure the supply of critical components: 2.1 to take over third party supply contracts; 2.2 to have direct agreements with third party suppliers; 2.3 to require Connexion2 to hold adequate buffer stock of components based on 10-404788-3 145 Part 1 Name and full Obligation Details of Safeguards and Protection contact details anticipated demand; 2.4 to require Connexion2 to maintain business continuity plans 2.5 a bespoke escrow agreement with a reputable escrow agent requiring Connexion2 to deposit the source code relating to all intellectual property in an escrow agreement for access by the Supplier in the event that Connexion2 becomes; (i) insolvent, (ii) appoints administrators; or (iii) is in material breach of its contractual obligations to the Supplier; 2.6 to step in to Connexion2's major supply contracts if Connexion2 should fail (financially or operationally) Vodafone Specialist Communications Limited. 3 The Courtyards, Phoenix Square Wyncolls Road Colchester Essex CO4 9PE Primary provider of SIM cards and Network services on sub-contract to the Supplier The Supplier has agreed terms with Vodafone. The contract for Services will be signed once the contract with the NHS has been signed. Our contract is stand alone relating directly to the provision of services to the NHS Contract Term: TBC Renewal Date: TBC BT Global Services 1 River Gate Temple Quay Bristol BS1 6ED British Telecommunications PLC (Company Number 1800000) 81 Newgate Street London EC1A 7AJ 10-404788-3 Contract Term: Annual Supplier of landlines to the Supplier Renewal Date: July 2009 Contract Term: 27 years remaining on lease Agreement Landlord only for ARC, Pontefract 146 Renewed: Sept 2008 Part 2 Name and full Obligation Details of Safeguards and Protection contact details VC Electronics Ltd Unit 14, Goldthorpe Industrial Estate, Rotherham, South Yorkshire S63 9BL 1. The Supplier to ensure Connexion2 provide and maintain a business continuity plan that includes alternative manufacturing sources and 1st/2nd sources for all components. Manufacture of Devices under subcontract to Connexion2 Ltd (Primary source) 2. Sub-Contractor (VC Electronics) contract includes suitable SLA's to ensure effective availability of goods and services. 3. Sub-Contractor (VC Electronics) contract includes ‘back to back’ business continuity plans and provisions. NSH Techlogistics Ltd Unit 2 Trillenium Coleshill B46 1JU 1. The Supplier to ensure Connexion2 provide and maintain a business continuity plan that includes alternative manufacturing sources and 1st/2nd sources for all components. Manufacture of Devices under subnd contract to Connexion2 Ltd (2 source) and primary repair agent 2. Sub-Contractor (NSH Techlogisitics) contract includes suitable SLA's to ensure effective availability of goods and services. 3. Sub-Contractor (NSH Technlogistics) contract includes ‘back to back’ business continuity plans and provisions. Ikon Electronics Ltd Knaresborough Technology Park Manse Lane Knaresborough North Yorkshire HG5 8LF Manse Lane Knaresborough North Yorkshire HG5 8LF 1. The Supplier to ensure Connexion2 provide and maintain a business continuity plan that includes alternative manufacturing sources and 1st/2nd sources for all components. Manufacture of devices under subcontract to Connexion2 Ltd rd (3 source) 3. Sub-Contractor (Ikon Electronics) contract includes ‘back to back’ business continuity plans and provisions. Component Supplier for electronic components on sub-contract to Connexion2 Ltd 10-404788-3 2. Sub-Contractor (Ikon Electronics) contract includes suitable SLA's to ensure effective availability of goods and services. 147 1. The Supplier to ensure Connexion2 provide and maintain a business continuity plan that includes alternative manufacturing Part 2 Name and full Obligation Details of Safeguards and Protection contact details Abacus Group PLC sources and components. Unit 5B, Waltham Park White Waltham, Maidenhead Berkshire SL6 3TP 1st/2nd sources for all 2. Sub-Contractor (Abacus Group) contract includes suitable SLA's to ensure effective availability of goods and services. 3. Sub-Contractor (Abacus Group) contract includes ‘back to back’ business continuity plans and provisions. 2001 Electronic Components Ltd Eastman Way Stevenage Business Park Pin Green Stevenage Hertfordshire SG1 4SZ 1. The Supplier to ensure Connexion2 provide and maintain a business continuity plan that includes alternative manufacturing sources and 1st/2nd sources for all components. Component Supplier for electronic components on sub-contract to Connexion2 Ltd 2. Sub-Contractor (2001 Electronic Components Ltd) contract includes suitable SLA's to ensure effective availability of goods and services. 3. Sub-Contractor (2001 Electronic Components Ltd) contract includes ‘back to back’ business continuity plans and provisions. Alpha Micro Ltd Springfield House Cranes Road Basingstoke Hampshire RG24 9LJ 1. The Supplier to ensure Connexion2 provide and maintain a business continuity plan that includes alternative manufacturing sources and 1st/2nd sources for all components. Component Supplier for IPB batteries on sub-contract to Connexion2 Ltd 2. Sub-Contractor (Alpha Micro) contract includes suitable SLA's to ensure effective availability of goods and services. 3. Sub-Contractor (Alpha Micro) contract includes ‘back to back’ business continuity plans and provisions. Cinterion Wireless Modules GmbH Mr. Arthur Woode The Carriage Barn 10-404788-3 Primary supplier of GSM Modem on sub-contract to Connexion2 Ltd (previously Siemens) 148 1. The Supplier to ensure Connexion2 provide and maintain a business continuity plan that includes alternative manufacturing Part 2 Name and full Obligation Details of Safeguards and Protection contact details Bartlett's Court Bath Road, Maidenhead Berkshire SL6 3RX sources and components. 1st/2nd sources for all 2. Sub-Contractor (Cinterion Wireless Modules) contract includes suitable SLA's to ensure effective availability of goods and services. 3. Sub-Contractor (Cinterion Wireless Modules) contract includes ‘back to back’ business continuity plans and provisions. Wavecom Ltd Wavecom Northern Europe Ltd. Suite 6, The Hub Fowler Avenue Farnborough Business Park Farnborough GU14 7JP GSPK Ltd Knaresborough Technology Park, Manse Lane Knaresborough North Yorkshire HG5 8LF Secondary supplier of GSM Modem on sub-contract to Connexion2 Ltd The Supplier to ensure Connexion2 provide and maintain a business continuity plan that includes alternative manufacturing sources and 1st/2nd sources for all components. 2. Sub-Contractor (Wavecom) contract includes suitable SLA's to ensure effective availability of goods and services. 3. Sub-Contractor (Wavecom) contract includes ‘back to back’ business continuity plans and provisions The Supplier to ensure Connexion2 provide and maintain a business continuity plan that includes alternative manufacturing sources and 1st/2nd sources for all components. Primary supplier of PCB on subcontract to Connexion2 Ltd 2. Sub-Contractor (GSPK Ltd) contract includes suitable SLA's to ensure effective availability of goods and services. 3. Sub-Contractor (GSPK Ltd) contract includes ‘back to back’ business continuity plans and provisions AV Injection Junction Road Sutton in Ashfield Nottinghamshire NG17 5G 10-404788-3 Supplier of Identicom Form Factor on sub-contract to Connexion2 Ltd 149 The Supplier to ensure Connexion2 provide and maintain a business continuity plan that includes alternative manufacturing sources and 1st/2nd sources for all components. Part 2 Name and full Obligation Details of Safeguards and Protection contact details 2. Sub-Contractor (AV Injection) contract includes suitable SLA's to ensure effective availability of goods and services. 3. Sub-Contractor (AV Injection) contract includes ‘back to back’ business continuity plans and provisions Computer Network Services Huntingdon Business Park Blackstone Road Huntingdon PE29 6EX Supplier has new system contract. Full support and warranty. Supplier of Telephony to the Supplier 24/7 technical support contract Contract Term: 5 years Renewal Date: Sept 2013 Monitor Software Limited 3rd Floor Marlborough House Westminster Place York Business Park York YO26 6RW Jemline Developments Ltd Signal House Lyon Road Harrow Middlesex HA12AG TOPdesk UK limited, London House, 271/273 King Street, London W6 9LZ Contract Term: Annual Supplier of Alarm Handling Software to the Supplier Renewal Date: May 2009 Contract in place for data storage renewed annually & Due Nov 2009 Landlord for DR, Manchester Contract in place for DR Renewed annually & Due Nov 2009 In discussions for longer term agreement for co location for additional services Supplier of the CRM package to the Supplier Specific contract for the lone worker under negotiations. Current Maintenance contract: Annual Renewal Date: Apr 2009 3 Procedure To Select, Appoint And Manage Sub-Contractors 3.1 Subject always to the provision of clause 36 (Transfer and Subcontracting), the Supplier shall ensure that the Service is maintained at best value without compromising quality or cost. Sub- 10-404788-3 150 Contractors shall be evaluated, selected and measured on their ability to supply, manage and execute the Supplier’s requirements in a professional, efficient and timely manner. 3.2 In particular the Supplier shall identify and evaluate Sub-Contractors against a range of criteria that allow the Supplier to assess the likelihood of the Sub-Contractor defaulting on the delivery requirements necessary to sustain a successful outcome for the Services. These criteria shall cover, but not be limited to the Sub-Contractor’s: (a) Financial viability; (b) Management capacity; (c) Workforce resilience; (d) Organisation details (including financial status and insurance); (e) Technical capabilities and competence; (f) Approach & methodology; (g) Health and Safety issues; (h) Quality Management issues; (i) Environmental management; (j) Training and recruitment; (k) Business Continuity Plan; (l) Adherence to legislative and regulatory requirements; (m) Data Protection Policy; (n) Conformance to the Supplier’s corporate governance processes; (o) Commitment to achieve best value and optimum Supplier performance through securing volume leverage across the range of the Supplier’s business; (p) Respect of IPR and the confidentiality of information; (q) With whom long-term supply partnerships are created to ensure stability and security of supply that are consistent with supporting best practice in a healthy competitive environment; and (r) That share risk and reward appropriately with the Supplier. 3.3 Profiling and assessment of Sub-Contractor risks shall be a key element of the Supplier's Risk Management process and shall remain under review and independent verification by the Supplier’s insurance advisors. It shall also be a key element of the Business Continuity Plan. 3.4 The risk relating to all Sub-Contractors will rest (both financial and operational) completely with the Supplier. 3.5 The Supplier shall provide a risk assessment of its Sub-Contractors to include consideration of the following: 10-404788-3 151 (a) Failure of Sub-Contractor to perform, leading to contract or service delivery failure. The Supplier shall be responsible for the delivery of all sub-contract activity that supports the Services. The Supplier shall appraise, appoint and monitor the performance of any sub-contractor and to have in place adequate contingency plans to ensure no disruption to the Services. (b) 10-404788-3 Failure of Sub-Contractor to perform to the standards expected. (i) The Supplier shall be responsible for the standards achieved in support of the Service by any Sub-Contractor. (ii) Subject to clause 36 (Transfer and Sub-contracting), in its management of Sub-Contractors the Supplier shall demonstrate a fair and robust supplier management process. It shall formalise its relationship with a contract or service level agreement. This document shall encompass all aspects of the supply agreement, including but not limited to: (A) Scope of supply including terms and conditions, risks and price; (B) Scheduling of review meetings and parties to be present; (C) Agreed minimum quality levels; (D) Agreed minimum delivery performance levels; (E) Agreed stock holdings; (F) Response times; (G) A listing of the management reports and schedule of release; (H) Escalation points within all interested parties; (I) Manage the performance of Sub-Contractors through the use of jointly agreed Key Performance Indicators (KPIs) and back-to-back contract terms that shall include: 1) Percentage of deliveries arriving at agreed time; 2) Percentage of goods below agreed quality levels; 3) Average response time; 4) Number of pricing discrepancies, and 5) Customer satisfaction survey results; (J) Agreed penalties for non/poor performance; (K) Payment terms, including payment of invoices, debiting accounts and credit periods; (L) Step down risks and responsibilities; 152 10-404788-3 (M) Rights of step-in over the sub-contractor and its own supply chain partners; (N) Parent/Third Part guarantees/performance bonds; (O) Change of ownership obligations; (P) IP and Source Code protection; and (Q) Default and termination rights. 153 Schedule 11 Model Self Audit Certificate 1 Introduction 1.1 This schedule 11 contains a Model Self Audit Certificate. MODEL SELF AUDIT CERTIFICATE Dear Sirs In accordance with the Framework Agreement entered into on [ADD DATE] between the NHS Business Services Authority and Reliance Secure Task Management Limited (the Supplier), we confirm the following:1. In our opinion the Supplier has in place suitable systems for identifying and recording the transactions taking place under the provisions of the above Framework Agreement. 2. We have tested the systems and found them to be operating satisfactorily. 3. We have tested a sample of the transactions during our audit for the financial year ended [Add financial year] and confirm that they are correct and in accordance with the terms and conditions of the above Framework Agreement. Name: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Auditor’s Stamp Signed: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Date: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10-404788-3 154 Schedule 12 Governance 1 Introduction 1.1 This schedule sets out the high level procedures and processes to be followed by the Supplier in conjunction with the Authority and Customers to ensure appropriate governance of the Services and their management during the term of the Agreement and shall include: (a) Governance principles; (b) The role of the partnership board; (c) Governance bodies and structure; (d) Governance roles & responsibilities; (e) Governance meetings; and (f) Governance reporting. 2 Governance Principles 2.1 The Governance structure is underpinned by the following key principles: (a) the Framework Agreement will be maintained and managed between the Authority and the Supplier via scheduled and structured meetings and informal communication; (b) each Contract will be maintained and managed by the Supplier and Customer who will hold scheduled and structured communications and informal communications; (c) the Services shall be managed at a consolidated level by the Authority, who shall control any proposed changes to the Services and/or related scripts, process flows and standard operating procedures in accordance with the Operational Change Procedures; (d) the parties shall form a "Partnership Board" to undertake the activities defined in paragraph 3 of this schedule; and (e) where a change is agreed it will be implemented through the Agreement Change Procedure, or the Operational Change Procedure, as appropriate. 2.2 The provisions of this schedule as they relate to the resolution of issues are without prejudice to express provisions including clause 28 (Dispute Resolution) of this Framework Agreement or clause 27 (Dispute Resolution) and schedule 2-6 (Dispute Resolution Procedure) of any Contract in relation relating to Dispute resolution. 3 The Partnership Board 3.1 The Supplier shall appoint senior executives from the Reliance Security Group to comprise the Supplier side of the Partnership Board. The Partnership Board shall work in a strategic way to align the objectives of Supplier and Authority and shall meet at a mutually convenient location on a quarterly basis. 10-404788-3 155 3.2 3.3 The Authority shall appoint senior executives from the NHS Business Services Authority to be members of the Partnership Board. The role of the Partnership Board shall be to: (a) Review current performance/Service delivery; (b) Consider ideas for improving the quality of the Service; (c) Enhance and maximise the marketing of the Service; (d) Consider Authority queries and issues; (e) Commission and consider the results of studies, surveys and project that the Supplier and Authority shall jointly consider important to the delivering the Service successfully; (f) Consider a continuous improvement plan; (g) Consider new technologies/devices for potential inclusion in the Framework Agreement in accordance with clause 4.5 and 4.6 (the Available Services) and agree any amendments to the Catalogue using the Agreement Change Procedures. The Supplier shall provide, as members of the Partnership Board, the following as a minimum: (a) A Board Director selected from either Reliance Secure Task Management, Reliance High-Tech or Reliance Security Group; (b) The Director, Reliance ARC; and (c) The Supplier Framework Manager. 4 Roles & Responsibilities 4.1 The table below shows each role, and their key responsibilities, and the dedicated contract management team with sufficient capacity to manage the Framework Agreement and Contracts to the full satisfaction of the Authority. The Supplier shall manage the Services as a coherent, single entity, joining together the elements of Service Desk, Device, Airtime, Training, Technical Administration and ARC. The table below details the roles and their key responsibilities: Customer Role Supplier Role Supplier Key responsibilities MD of Counter Fraud Security Management Services Managing Director – Reliance Secure Task Management 2nd escalation point as defined in paragraph 7 below Head of SMS Director of Operations – Reliance Secure Task Management 1st escalation point as defined in paragraph 7 below 10-404788-3 156 Customer Role Supplier Role Authority Framework Manager Supplier Framework Manager/Contract Director Supplier Key responsibilities 1. The overall performance of the Service 2. Strategic support to the Partnership Board 3. Legislative compliance 4. Relations with the Authority, Authorised Customer Representatives and Users 5. Marketing and Communications 6. Promotion of Services to Potential Customers 7. Agree Operational Change Procedures 8. Service lead in relation to Maximum Charges Variation procedure 9. Service lead in relation to new Devices being introduced as a result of the new Device review process 10. Relationship account management 11. Ensure deliver consistent Services to meet the Service Levels and fulfil obligations in the Agreement and each Contract 12. Drive continuous improvement initiatives and service or technological innovations 13. National performance management 14. Overall responsibility for promotion Services to Potential Customers of 15. Environmental issues 16. The provision of all contractual commitments to the Authority including, but not limited to: 17. Management Information 18. Quarterly Business Reviews 19. Complaint Management 20. Rectification Plans when required 21. Management of an Incident and Issues Management Process 10-404788-3 157 Customer Role Supplier Role Supplier Key responsibilities 22. Arranging meetings, arranging venues in consultation with the Authority, issuing meeting materials to attendees and completing minutes of meetings 23. The Contract Director shall be responsible for the line management of the Training Manager, the National Accounts Manager and the ARC Manager. Service Maintenance Manager The Service Maintenance Manager shall be responsible for all the processes, systems and service delivery relating to the configuration of all Devices with SIM cards; the subsequent re-configuration of any Device in the field that requires a change as requested by the Authorised Customer nd Representative; 2 line technical support to all Users or Authorised Customer Representatives on problem solving, usability and SIM issues; the shipping and receipt of any faulty Devices and/or their replacements in line with agreed Service Levels and managing the Technology Refresh of any Device returned. User Manager Training The User Training Manager shall be responsible for managing the training deliverables for the contract; delivering the Training Plan; line management of the training team and of ensuring effective scheduling to meet the agreed Service Levels. Desk The Service Desk Supervisor shall be the line manager for all Service Desk Supplier Personnel and shall be responsible for delivering the Service Desk Schedule; rota management; training and provision of appropriate Management Information in respect of the Services Service Supervisor 10-404788-3 158 Customer Role Supplier Role National Manager Supplier Key responsibilities Account The National Account Manager shall be the line manager for the Account Managers, and shall be responsible for delivering first-line accountability of the Service to Authorised Customer Representatives and for the Sales and Marketing Plan, and shall have responsibility for: 1. Promotion of Services to Potential Customers 2. Put in place signed contracts with all Customers 3. Complaint Management 4. Ongoing Customer account management 5. Production of Non -Conformance reports 6. Notification that Supplier unlikely to achieve the implementation timetable, summarising the Delay and the reasons for it 7. Completion of a Correction Plan 8. Arranging progress meetings, arranging venues in consultation with the Customer, Potential Customer or Authorised Customer Representative, issuing meeting materials to attendees and completing minutes of meetings ARC Manager 10-404788-3 The ARC Manager shall be responsible for the line management of the ARC Supplier Personnel and the Service Desk Supervisor, delivering the ARC schedule and rota management and training requirements for the Supplier’s ARC personnel. 159 5 Governance Meetings 5.1 This paragraph describes in more detail the regular meetings which will be scheduled as a minimum requirement to ensure strong communication is maintained at all levels of the relationship. The Authority and/or Customer may convene additional meetings at any time provided that reasonable notice is given to the Supplier. The Authority may invite additional stakeholders at its discretion. 5.2 In the event that a representative identified in column 3 (Attendees) cannot attend the relevant meeting, such representative shall be entitled to (i) provide its decision or approval on any issue to be raised at the meeting in writing within 2 days following such meeting, or (ii) nominate an alternative representative to attend the meeting by giving not less than 2 days notice to the other party. 5.3 Governance Meetings shall be as follows: Meeting or Forum Frequency Attendees Review, Decisions Approvals Supplier/Customer Meeting Monthly Supplier 1. Discuss progress in respect of Contract(s) implementation and provision of ongoing Services 2. Discuss performance management and information provided via the Management Information monthly reporting process 1. To include a review of the Services at a national level, performance management, review Management Information, Service Levels and Service Credits, complaints, User satisfaction, survey results, areas of improvement, continuous improvement 2. Proposed changes to the Services that will effect the Operational Change Procedure Supplier Account Manager and Customer Authorised Customer Representative Supplier/Authority Monthly or other period as agreed between the parties using the Operational Change Procedure Supplier Supplier Framework Manager/Contract Director and invited Sub-Contractors as required Authority Authority Framework Manager and invited stakeholders The Authority Commercial Directorate as required 10-404788-3 160 Meeting or Forum Partnership Board Frequency Quarterly Attendees Review, Decisions Approvals 3. Proposed changes to the Services that will effect the Agreement Change Procedure including agreeing a recommendation for the Partnership Board in respect of the inclusion of new Devices in the Catalogue following a Product Review 4. Proposed changes that will require reference to the Maximum Charges Variation Procedure 5. Commercial review to include spend, Service Credits awarded, management fee Supplier 1. Board Director selected from either Reliance Secure Task Management, Reliance High-Tech or Reliance Security Group. Strategic issues which both parties believe require joint consideration. 2. Performance management including aggregated view of Service Level/Service credit status, complaints, User satisfaction survey results, areas of improvement, continuous improvement 3. Decisions on the inclusion of new Devices in the Catalogue following a Product Review The Director, Reliance ARC The Supplier Framework Manager Authority Authority Framework Manager and invited stakeholders 10-404788-3 and 161 5.4 Where a governance body identified in the table above reaches a decision or grants an approval, that body shall be responsible for ensuring that such decision or approval is clearly and accurately documented in writing and circulated amongst the members of each such body. 6 Governance Reporting 6.1 This paragraph identifies the regular reports required to be produced by the Supplier in order to drive the governance meetings and processes. 6.2 Reporting information shall be provided to facilitate the governance meetings as follows: To Be Delivered Agreed Date by Report Content Period Monthly Customer Reporting Content will be produced as detailed in Schedule 7 (Management Information) Monthly Within 8 days following month end Monthly Authority Reporting Content will be produced as detailed in Schedule 7 (Management Information) Monthly Within 8 days following month end and 1 week prior to Supplier/Authority monthly meeting as requested 7 Escalation Procedure 7.1 In the event of a dispute the matter shall be referred by the Authority or the Supplier as follows: Supplier Representative Authority Representative 1st Line Point Director of Operations – Reliance Secure Task Management Head of SMS If the escalated issue cannot be resolved within 10 Working Days of referral the matter shall be referred to the 2nd escalation point 2nd Line Point Managing Director – Reliance Secure Task Management Managing Director of CFSMS If the escalated issue cannot be resolved within 10 Working Days of referral the matter shall be referred to mediation as detailed in clause 28 of the Framework Agreement (Dispute Resolution) Escalation Route 10-404788-3 162 Escalation Process Schedule 13 Solution 1 Introduction 1.1 The Supplier Solution is an end to end Solution that offers Users the assurance and protection needed when working in isolation or vulnerable situations. The Services is based from a BS 5979 Cat II centre with 100% availability utilising the appropriate monitoring software and equipment. 1.2 The Supplier shall operate to the highest operating standards and comply with ISO 27001/2 Information Security Management. The ARC shall offer a robust solution even when faced with the most severe incidents which effect business operations. 1.3 The ARC is accredited with BS 5979 Cat II, and adheres to the following physical security controls; (a) Dual thickness walls; (b) Access control; (c) Airlock; (d) Independent air supply system; (e) Gas detectors; (f) CCTV internal; (g) Blast proof windows; (h) Secure server room; (i) Secure telephone system; and (j) Firewalls providing secure encrypted MPLS between sites. 2 ARC Solution Overview 2.1 The ARC is available 24 hours a day, 365 days per year. This centre (or virtual centre) is capable of monitoring Users Red Alerts, Amber Alerts and Status Checks covering every geographical location where NHS lone workers need to operate within England. 2.2 The Services provided will support a range of User profiles to support the needs of different situations arising from the diverse User groups and range of NHS bodies. The User profiles will allow bespoke escalation procedures e.g. escalation to colleagues instead of emergency response from the Police. The default profile should result in escalation to the Police service if appropriate. 2.3 The ARC is able to listen to and record events in a way that is legally admissible in prosecution cases that arise from incidents. 2.4 The Alarm Handling Software is designed for high availability with both on and off site replication through redundancy of data and systems, enabling continuous access and alarm 10-404788-3 163 handling capabilities. The handling and management of lone worker alarms is provided through the specialised Sentinel Plus+ alarm handling platform. Support of the bespoke elements is separately provided by Monitor Computer Systems, based in York. Over a number of years development work has been undertaken by Monitor Computer Systems to develop a product to reflect our experience of the lone worker Services. 2.5 In the event of an individual component failure, there is dual redundancy of systems at the primary site. If a catastrophic failure such as fire, flooding, power failure, criminal attack occurred at the primary site then Disaster Recovery (DR) is invoked and the signals redirected to the Disaster Recovery site servers. The Alarm Handling Software is actively health monitored so that proactive measures are taken in the event of a component failure (i.e RAID Hard Disk failure). 3 Service Desk Solution Overview 3.1 The Service Desk is co-located in Pontefract within the Alarm Response Centre (ARC) and is available between 6am and 8pm, Monday to Friday, excluding weekends and Bank Holidays. There will be an overlap of Service Desk Personnel in which a full handover of activity and events will occur within the Service Desk Working Day. 3.2 Between the hours of 8pm and 6am, weekends/Bank Holidays will be covered by the ARC Personnel. The facility at Pontefract and the Service Desk Personnel are to be dedicated to the Services, with Personnel performing all administration tasks relating to implementing new Users and ongoing support for existing Users. 3.3 The Service Desk Personnel will be able to access all associated systems to ensure quick and effective resolution of all issues, managing all enquiries and queries through to resolution, engaging with the ARC and Service Maintenance functions as necessary. 4 Service Desk Customer Relationship Software (CRM) 4.1 The CRM application used by the Service Desk will be fully auditable and transparent to Supplier Authorised Personnel, logging and tracking all enquiries and interactions with clients, regardless of nature. The Service Desk will use a new IT system to capture requests from Customers and Users and to co-ordinate the work done by the following groups of Supplier workers: 4.2 (a) The Service Desk Supplier Personnel at the call centre in Pontefract; (b) The ARC Supplier Personnel at the ARC in Pontefract; (c) The Supplier account managers working out in the field with the Customers; (d) The Supplier trainers working out in the field delivering training to the Users; and (e) The Supplier Service Maintenance Personnel configuring and issuing Devices and providing technical support based in the ARC. The Supplier will use the Microsoft CRM application to co-ordinate the work of the Service Desk operation. This application was chosen for the following reasons: (a) 10-404788-3 MS-CRM includes a lot of the standard helpdesk functionality already required for the Lone Worker Protection project; 164 4.3 (b) MS-CRM supports workflow between teams of users. It is easy to set up queues of cases for different teams and to automatically move cases from one queue to another as the status of the case changes; (c) MS-CRM includes a Knowledge Base module which can be used by the Service Desk to solve common User problems directly over the phone; (d) MS-CRM is a web application and can be accessed by remote users who are not within the Service Desk such as Supplier trainers and Supplier account managers; and (e) MS-CRM integrates with Microsoft Outlook. Emails correspondence is easily stored in the CRM database and calendar appointments and tasks can be set up through CRM and can be notified to users through the Outlook calendar and task list. The MS-CRM application is available to the following groups of Supplier remote users across a Virtual Private Network: (a) Supplier account managers; and (b) Supplier trainers 4.4 All users of the CRM application will have to supply a username and password to be able to access the system. The remote users will only be able to access the CRM system from Supplier PCs which are part of the Supplier domain. The CRM application will not be available to Supplier users across the Internet. 4.5 All data in the MS-CRM system will be stored in a Microsoft SQL server database. The SQL server database is a robust database technology based on a transactional processing schema which is backed up whilst the system is still live. The Supplier will configure the SQL database to use ‘log-shipping’ of the CRM database to the Disaster Recovery Site. The log shipping technology ensures that the remote copy of the database will always be constant. In the event of a problem with the database server at the primary site it will be possible for the Service Desk users to be switched to connect to the servers at the Disaster Recovery Site with minimal interruption to the Service Desk operations. 5 Signalling 5.1 The Sentinel Plus (Alarm Handling) software signal processing servers receive the inbound messages from a range of paths including IP, PSTN/WILLDN, GSM, SMS. 5.2 Once a signal has been received and processed by one of the signal processing servers it is matched with the relevant User details and presented in the alarm queue for the ARC Supplier Personnel to handle. Reverse channel commands can also take place to perform actions such as requesting the location of a Device. 6 Database 6.1 The Alarm Handling Software utilises an IBM Informix WGE2000 Database Server for storing alarm handling data, with RSS database for storing all User details, action information, and media files. 6.2 The database servers run on HP DL380 servers with RAID0+1 hard disk configuration. 10-404788-3 165 6.3 In the event of a failure, business will continue utilising the replicated off and on site databases. 7 Remote Replication Data between the primary and secondary database server is constantly replicated using IBM Informix RSS functionality. This data is also replicated over a high-speed internet link to the Disaster Recovery site, which is situated more than 60 miles away. 8 Maintenance Plan 8.1 System maintenance is performed by the Supplier onsite technical support team. On a daily basis logs are checked and notifications reviewed for any potential faults or security breaches. 8.2 The schedule of work is detailed in the Supplier’s maintenance plan, and is stored in a controlled document library. 9 Telephony system 9.1 Telephony is delivered via a Mitel 3300 IP telephony platform. The system provides a range of features such as automatic call distribution (ACD), call recording and reporting. It is covered by a 24/7 support and maintenance contract with Computer Network Services (CNS). Critical high risk components (such as hard drive, power supplies or fans) are configured in a dual redundant mode to minimise risk of failure. 9.2 In the event of a catastrophic failure, calls will be alternatively routed utilising the Supplier’s BT SmartNumbers Telephony DR solution. 9.3 The system is monitored by the network monitoring system and errors and early warning messages captured and acted upon immediately. 10 Firewalls 10.1 Site to site connectivity is delivered by a series of distributed Cisco ASA 5510 firewalls with a dual active failover configuration at critical points for added resilience. The Supplier firewall policies are configured to only allow traffic to and from trusted sources, and all operational data is encrypted to a 3DES standard whilst being sent between locations. The firewalls are managed by authorised Supplier Technical Support Personnel. Changes to the configuration polices are reviewed by the Supplier Technical Manager as part of the system request for change (RFC) process. The system is supported 24/7 by the Supplier on-call Technical Support Team. 10.2 The system is monitored by the network monitoring system and errors and early warning messages captured and acted upon immediately. 11 Security 11.1 All Supplier Personnel network users are required to authenticate with the network before they can gain access to any resources. User permissions are set by the Supplier Network Support Team by request of the Supplier Operations Manager. Supplier Super user and Administrator privileges are gained only following a request to the Supplier Technical Director and Supplier Technical Manager though the system request for change (RFC) process. 10-404788-3 166 11.2 In the event of a disaster, all security policies remain and Supplier Personnel are required to authenticate with the network via the offsite domain controller. 11.3 The Supplier operates a policy that data on all mobile Supplier Personnel laptops are encrypted as standard. 11.4 Network security policies are in place and will not allow Supplier Personnel to extract data from the network (ie. Burn onto CD or put onto other external storage device such as USB memory stick), without permission from the Supplier Network Manager. The protection is based on both physical and software restrictions. Access to removable storage points such as USB ports and CD drives is limited by physical means such as client workstations being in an enclosed cabinet away from reach of operators with further restrictions based on Windows Active Directory and Group Policy software permissions to use removable devices. 11.5 The above diagram is illustrative of the business processes and not the network layout. Firewalls are located between network subnets relating to the various physical locations such as Manchester (Second Site), Uxbridge (Group Services such as email and intranet resources) and other partners or customer VPN connections. Rules on each of our Firewalls dictate which types of traffic can access what particular services on a particular server. 10-404788-3 167 12 Business Continuity 12.1 Where an incident occurs between the hours of 6pm and 8am that requires management attention, due its impact on business operations, the ARC ‘Out of Hours’ escalation procedure is activated by the Supplier team leader. 12.2 Where an incident occurs between the hours of 8am to 6pm the Supplier crisis management team is available on site. 12.3 The Supplier notifies Customers, Users, and Authorised Customer Representatives of any Service disruption with 2 Working Hours, via SMS or email, including a clear indication of the estimated time of the Service disruption. 12.4 An incident is any occurrence that takes place, which may or may not impact business operations, that is not a usual or normal occurrence. An incident can be hardware or software related or may affect the building and or personnel and is not a ‘business as usual’ (BAU) event. Where such an incident occurs, the Supplier on-duty team leader will make an assessment as to the nature of the incident. Where the Supplier team leader concludes that the incident is hardware, software or building related, a log of the incident is be made in the SysAid application. 12.5 Where an assessment has been made by the Supplier team leader that escalation of an incident is required, the Supplier team leader will ascertain who the designated Supplier Centre On-Call Representative (COCR) is, as per the ‘Out of Hours’ Escalation procedure. 12.6 The Supplier team leader will provide a synopsis of the incident/problem to the Supplier COCR, the SysAid case number and any other relevant information. 12.7 Upon receipt of an ‘Out of Hours’ escalation call, the Supplier COCR will make an assessment of the incident using the details provided. The assessment will result in one of the following three actions: (a) Non Urgent – Resolve during normal business day – No action required; (b) Fix Required Now – No escalation necessary; or (c) Fix Required Now – Escalation required due to current/potential operational impact. 12.8 Where a fix is required with no escalation needed, the procedure will end; once the fix has been implemented successfully and Service is restored to business as usual. In situations where a fix AND escalation is required due to the operational impact of an incident, the Supplier COCR will contact the Supplier Centre Operations Manager (COM) and advise them of the issues. 12.9 If the incident is deemed to be non urgent, the Supplier COCR will make arrangements to have the issue rectified during the next normal business day. 12.10 A report/synopsis of all incidents will be made via email to the Supplier COM detailing the incident, impact and fix implemented. 12.11 When an incident occurs that is escalated to the Supplier COCR, the Supplier COCR may escalate it to the Supplier COM due to its operational impact. The Supplier COM will work with the Supplier COCR to: (a) 10-404788-3 Fix the problem; 168 (b) Investigate and implement a workaround; (c) Co-ordinate Service delivery; and (d) Escalate the problem further where appropriate. 12.12 Where a technical fix or the implementation of a workaround allows for the full or partial resumption of Service, the Supplier COM and the Supplier COCR will manage the incident through to satisfactory closure. 12.13 In situations where no fix can be implemented or a reasonable workaround found, and where there is deemed to be a risk that business as usual will not resume, the Supplier COM will activate the Crisis Management Team (CMT). 12.14 The Supplier COM will make contact with each member of the Supplier CMT to join a conference call at a designated time. 12.15 The Supplier CMT will discuss the incident, agree actions, and agree checkpoint calls to discuss progress until the incident is resolved. CMT Member Contact Details: Name Office Number 01977 696600 07798 746933 paul.holdstock @relitech.co.uk Mobile E-mail Paul Holdstock RMS Director Gareth Storey Operations Director 0208 3912200 07710 704282 gareth.storey @relitech.co.uk Technical Director Centre Operations Manager 0208 3912200 07730 427517 darren.wildgoose@relitech.co.uk 01977 696623 07960 872881 jed.yaqub @relitech.co.uk 01977 696607 07872 816365 shaun.wilcock @relitech.co.uk Darren Wildgoose Jed Yaqub Shaun Wilcock 12.16 Title Technical Engineer The Supplier CMT will use the Assumptions Based Communications Dynamics (ABCD) methodology as detailed in ISO27001 for incident resolution. The Supplier CMT will assign resource to focus on the following priorities: (a) Find a fix for the problem (b) Work on a primary workaround (c) Work on a secondary workaround (d) Prepare the DR solution for possible activation 12.17 The Supplier CMT will assess progress on each of the above points at every checkpoint call. 12.18 The Supplier CMT may not necessarily decide to invoke DR where no immediate fix for a problem is found. The Supplier CMT may decide that although the problem is Service 10-404788-3 169 impacting, limited Service should continue in parallel to a fix being sought due to the substantial impact of DR being invoked. 12.19 The Supplier Director and Supplier Operations Director will be responsible for invoking DR based upon the scenario being managed by the Supplier CMT and the recommendations of the Supplier Centre Operations Manager and Supplier Technical Team. There is no fixed timeline for the Supplier CMT to invoke DR. 13 DR Invocation and Site 13.1 In the event of an incident of such a magnitude that Services can no longer be delivered from the Supplier primary site, Service will be moved to the DR site at Delta House, based in Wythenshawe, Manchester. The site will have all the facilities necessary to accommodate the Supplier Personnel to either co-locate the operation from, or to relocate to, in the event of a catastrophic disaster. 13.2 In the event that DR is invoked and personnel on shift are indisposed due to circumstances outside the Supplier’s control, replacement personnel will be contacted using contact lists that are held off-site by the Supplier Centre Operations Manager and Supplier Operations Analyst. The Supplier will keep contact list up to date. 13.3 The Supplier will adhere to ARC physical security standards whilst working at the DR site and the Supplier Personnel will adhere to the following: (a) ARC Identification passes (where available) will be worn at all times; (b) Any passes issued to staff will be worn and clearly visible; (c) Security doors must not be propped open to allow easier access; (d) All doors in the DR site have swipe access locks to ensure security; (e) Anyone requiring access to any building or room within the building will be directed to Security at the main reception area – access will not be granted to people who do not have a valid pass; (f) Any suspicious persons will be brought to the attention of a senior member of staff immediately; and (g) When in a shared area of the building, conversations on detailed matters of any ARC business will not occur. 14 Systems 14.1 The Supplier will maintain an actionable business continuity plan to ensure that Service delivery is possible from a DR facility in the event of a catastrophic failure or disaster that would render the primary site unusable. A disaster can be an event such as a severe fire, aircraft impact or a total loss of communications which completely disables the primary site. 14.2 The Supplier will comply with BS5979. The Supplier will maintain a replicated system, at the Disaster Recover site, that will mirror that of the primary site. 14.3 The replicated system will handle lone worker signals in the event of a disaster. 10-404788-3 170 14.4 The replicated system will allow the ARC to continue Service and operation offsite in the event of a catastrophic disaster. 14.5 Information will be kept live and current between the site databases by real time database replication. In the event of a disaster the only experienced down time will be the time taken for BT to divert communication paths over to the DR site. 10-404788-3 171 14.6 10-404788-3 The Supplier will test DR procedures on a regular basis. The test schedule is detailed in the Supplier Maintenance Plan. Routine incremental and complete backups will be performed on a daily and monthly basis. Details of the schedule is included the Supplier Backup Procedure documentation. The Supplier will use a network and system monitoring software package. Any failures, major or minor, will be detected by the monitoring software and escalated to the Supplier Technical Support Team for resolution. 172 Schedule 14 Security Policy 1 Definitions For the purposes of this schedule the following definitions shall apply: Breach of Security means the occurrence of unauthorised access to or use of any Authority premises, the Services, the Solution or any ICT or data (including the Authority's Data) used by the Authority or the Supplier in connection with this Agreement IT Security Officers shall be IT competent and security aware users and shall have the same meaning as set out in the manual of protective security Security Plan means the Supplier's security plan prepared pursuant to paragraph 3, and set out in Appendix 3 to this schedule Security Policy means, to the extent applicable, the Information Security Management NHS Code of practice as replaced or updated from time to time Security Tests shall have the meaning set out in paragraph 4.1 2 Introduction 2.1 This schedule covers: (a) principles of security for the Supplier System, derived from the Security Policy, including without limitation principles of physical and information security; (b) wider aspects of security relating to the Service; (c) the creation of the Security Plan; (d) audit and testing of the Security Plan; (e) conformance to ISO/IEC:27002 (Information Security Code of Practice) and ISO/IEC 27001 (Information Security Requirements Specification) (Standard Specification); and (f) Breaches of Security. 3 Principles of security 3.1 The Supplier acknowledges that the Authority places great emphasis on confidentiality, integrity and availability of information and consequently on the security of the ARC and the security for the Solution. The Supplier also acknowledges the confidentiality of Authority Data. 3.2 The Supplier shall be responsible for the security of the Solution and shall at all times provide a level of security which: 10-404788-3 (a) is in accordance with Good Industry Practice and Law; (b) complies with the Security Policy; (c) meets any specific security threats to the Solution; and 173 (d) 3.3 complies with ISO/IEC27002 and ISO/IEC27001 in accordance with paragraph 6 of this schedule. Without limiting paragraph 3.2, the Supplier shall at all times ensure that the level of security employed in the provision of the Services is appropriate to maintain the following at acceptable risk levels (to be defined by the Authority): (a) loss of integrity of Authority Data; (b) loss of confidentiality of Authority Data; (c) unauthorised access to, use of, or interference with Authority Data by any person or organisation; (d) unauthorised access to network elements, buildings, and tools used by the Supplier in the provision of the Services; (e) use of the Solution or Services by any third party in order to gain unauthorised access to any computer resource or Authority Data; and (f) loss of availability of Authority Data due to any failure or compromise of the Services. 4 Security plan 4.1 Introduction 4.2 10-404788-3 (a) The Supplier shall develop, implement and maintain a Security Plan to apply during the Term (and after the end of the Term (as applicable) in accordance with part 1 of schedule 16 (Exit Assistance)) which will be approved by the Authority, tested, periodically updated and audited in accordance with this schedule. (b) The draft Security Plan provided by the Supplier as part of its bid is set out in Appendix 2. (c) The Security Plan in place as at the date hereof, is set out in Appendix 3. Development (a) As at the date hereof, and in accordance with paragraph 4.4 (Amendment and Revision), the Supplier has prepared and delivered to the Authority for approval the full and final Security Plan, as set out in Appendix 3, which is based on the draft Security Plan set out in Appendix 2. (b) If the Security Plan is approved by the Authority it will be adopted immediately. If the Security Plan is not approved by the Authority the Supplier shall amend it within 10 Working Days of a notice of non-approval from the Authority and re-submit to the Authority for approval. The parties will use all reasonable endeavours to ensure that the approval process takes as little time as possible and in any event no longer than 15 Working Days (or such other period as the parties may agree in writing) from the date of its first submission to the Authority. If the Authority does not approve the Security Plan following its resubmission, the matter will be resolved in accordance with the Dispute Resolution Procedure. No approval to be given by the Authority pursuant to this paragraph may be unreasonably withheld or delayed. However any failure to approve the Security Plan on the grounds that it does not comply with the 174 requirements set out in paragraphs 3.3(a) to 3.3(e) shall be deemed to be reasonable. 4.3 Content (a) 4.4 The Security Plan will set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Services and all processes associated with the delivery of the Services and shall at all times comply with and specify security measures and procedures which are sufficient to ensure that the Services comply with: (i) the provisions of this schedule (including the principles set out in paragraph 2; (ii) the provisions of schedule 3, part 1 (Services Description) relating to security; (iii) ISO/IEC27002 and ISO/IEC27001; (iv) the data protection compliance guidance produced by the Authority; (v) the minimum set of security measures and standards required where the system will be handling Protectively Marked or sensitive information; (vi) any other extant national information security requirements and guidance, as provided by IT Security Officers; and (vii) appropriate ICT standards for technical countermeasures which are included in the Solution. (b) The references to standards, guidance and policies set out in paragraph 3.3(a) shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, from time to time. (c) In the event of any inconsistency in the provisions of the above standards, guidance and policies, the Supplier should notify the Authority's Representative of such inconsistency immediately upon becoming aware of the same, and the Authority's Representative shall, as soon as practicable, advise the Supplier which provision the Supplier shall be required to comply with. (d) The Security Plan will be structured in accordance with ISO/IEC27002 and ISO/IEC27001, cross-referencing if necessary to other schedules of this Framework Agreement which cover specific areas included within that standard. (e) The Security Plan shall be written in plain English, in language which is readily comprehensible to the staff of the Supplier and the Authority engaged in the Services, and shall not reference any other documents which are not either in the possession of the Authority or otherwise specified in this schedule. Amendment and Revision (a) The Security Plan will be fully reviewed and updated by the Supplier annually, or from time to time to reflect: (i) 10-404788-3 emerging changes in Good Industry Practice; 175 (ii) any change or proposed change to the Supplier system, the Services and/or associated processes; (iii) any new perceived or changed threats to the Supplier system; and (iv) a reasonable request by the Authority. (b) The Supplier will provide the Authority with the results of such reviews as soon as reasonably practicable after their completion and amend the Security Plan at no additional cost to the Authority. (c) Any change or amendment which the Supplier proposes to make to the Security Plan (as a result of an Authority request or change to schedule 3 (Services) or otherwise shall be subject to the Change Control Procedure and shall not be implemented until approved in writing by the Authority. 5 Audit and Testing 5.1 The Supplier shall conduct tests of the processes and countermeasures contained in the Security Plan (Security Tests) on an annual basis or as otherwise agreed by the parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the Authority. 5.2 The Authority shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Authority with the results of such tests (in a form approved by the Authority in advance) as soon as practicable after completion of each Security Test. 5.3 Without prejudice to any other right of audit or access granted to the Authority pursuant to this Framework Agreement, the Authority shall be entitled at any time and without giving notice to the Supplier to carry out such tests (including penetration tests) as it may deem necessary in relation to the Security Plan and the Supplier's compliance with and implementation of the Security Plan. The Authority may notify the Supplier of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery Services. If such tests impact adversely on its ability to deliver the Services to the agreed Service Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the tests. 5.4 For the purposes of this paragraph 5.4, a weakness means a vulnerability in security and a potential security failure means a possible breach of the Security Plan or security requirements. Where any Security Test carried out pursuant to paragraphs 5.2 or 5.3 above reveals any actual or potential security failure or weaknesses, the Supplier shall promptly notify the Authority of any changes to the Security Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Authority's approval in accordance with paragraph 4.2(b), the Supplier shall implement such changes to the Security Plan in accordance with the timetable agreed with the Authority or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the Security Plan to address a non-compliance with the Security Policy or security requirements, the change to the Security Plan shall be at no additional cost to the Authority. 10-404788-3 176 6 Compliance with ISO/IEC 27001 6.1 The Supplier shall obtain independent certification of the Security Plan to ISO 27001 as soon as reasonably practicable and will maintain such certification for the duration of the Framework Agreement. 6.2 The Supplier shall carry out such regular security audits as may be required by the British Standards Institute in order to maintain delivery of the Services in compliance with security aspects of ISO 27001 and shall promptly provide to the Authority any associated security audit reports and shall otherwise notify the Authority of the results of such security audits. 6.3 If it is the Authority's reasonable opinion that compliance with the principles and practices of ISO 27001 is not being achieved by the Supplier, then the Authority shall notify the Supplier of the same and give the Supplier a reasonable time (having regard to the extent of any noncompliance and any other relevant circumstances) to become compliant with the principles and practices of ISO 27001. If the Supplier does not become compliant within the required time then the Authority has the right to obtain an independent audit against these standards in whole or in part. 6.4 If, as a result of any such independent audit as described in paragraph 6.3 the Supplier is found to be non-compliant with the principles and practices of ISO 27001 then the Supplier shall, at its own expense, undertake those actions required in order to achieve the necessary compliance and shall reimburse in full the costs incurred by the Authority in obtaining such audit. 7 Breach of security 7.1 Either party shall notify the other immediately upon becoming aware of any Breach of Security including, but not limited to an actual, potential or attempted breach, or threat to, the Security Plan. 7.2 Upon becoming aware of any of the circumstances referred to in paragraph 6.1, the Supplier shall: (a) immediately take all reasonable steps necessary to: (i) remedy such breach or protect the Solution against any such potential or attempted breach or threat; and (ii) prevent an equivalent breach in the future, such steps shall include any action or changes reasonably required by the Authority. In the event that such action is taken in response to a breach that is determined by the Authority acting reasonably not to be covered by the obligations of the Supplier under this Framework Agreement, then the Supplier shall be entitled to refer the matter to the Agreement Change Procedure. (b) 10-404788-3 as soon as reasonably practicable provide to the Authority full details (using such reporting mechanism as may be specified by the Authority from time to time) of such actual, potential or attempted breach and of the steps taken in respect thereof. 177 Appendix 1 Security Policy 1 Introduction 1.1 Purpose The purpose of this document is to describe the Suppliers Security Policy for the NHS Lone Worker Framework Agreement. It describes the principles of how the Services will be adhered to in relation to people, property and assets. The Supplier has taken a strategic decision to work towards ISO/IEC27002 and ISO/IEC27001 in order to achieve a more effective and robust Information Security Management System (ISMS). As an integral part of the Policy, the Security Plan should be referred to alongside this Policy. 1.2 Scope The scope of this document is confined to a description of the Security Policy for the Supplier's Remote Monitoring Services and the steps to be taken to activate the appropriate standards. 1.3 Background The Supplier Centre in Pontefract has a security requirement to ensure that Services are delivered in accordance with ISO/IEC27002 and ISO/IEC27001. 2 Definitions For the purposes of this Policy the following definitions shall apply: Breach of Security The occurrence of unauthorised access to or use of any Authority premises, the Services, the Solution or any ICT or data (including the Authority's Data) used by the Authority or the Supplier in connection with this Agreement. IT Security Officers IT competent and security aware users Protectively Marked Protectively Marked or sensitive logical information which is embedded encryption Security Plan Supplier Security Plan for the Lone Worker Services Security Policy Supplier Security Policy for Lone Worker Services Security Tests Tests (security) of the processes and countermeasures contained in the Security Plan 3 Principles and the wider aspects of security 3.1 The Supplier will ensure the integrity, confidentiality and availability of information and security of the Alarm Receiving Centre and the confidentiality of Authority Data. 3.2 The Supplier will ensure security of the Services, and will further: 10-404788-3 178 3.3 (a) Abide by and comply with Industry Best Practice (British Standards) and regulatory and legislative requirements. (b) Ensure compliance with this framework document (the Security Policy) (c) Mitigate against any security and risk threats to the Solution. (d) Comply with ISO/IEC27002 and ISO/IEC27001 Acceptable levels of security and risk will be maintained in relation to: (a) Loss of integrity or Authority Data; (b) Loss of confidentiality of Authority Data; (c) Unauthorised access to, use of, or interference with Authority Data by any persons or organisation; (d) Unauthorised access to network elements, buildings, and tools used by the Supplier in the provision of the Services; (e) Use of the Solution or Services by any third party in order to gain unauthorised access to any computer resource or Authority Data; (f) Loss of availability of Authority Data due to any failure or compromise of the Services; (g) The Service Desk personnel will validate all Users who contact the Service Desk before accepting requests for change (RFCs); and (h) Devices will be processed and delivered to the Authority and Users under secure conditions. 4 The Security Plan 4.1 Content (a) 10-404788-3 The Security Plan sets out the security measures to be implemented and maintained in relation to all aspects of the Services and all processes associated with the delivery of the Services and shall at all times comply with and specify security measures and procedures which are sufficient to ensure that the Services comply with: (i) The provisions of this Security Policy; (ii) The provisions of the BSA Framework Agreement Schedule 14 relating to Security; (iii) ISO/IEC27002 and ISO/IEC27001; (iv) The data protection compliance guidance produced by the Authority; (v) Any other extant national information security requirements and guidance, as provided by IT Security Officers; and (vi) Appropriate ICT standards for technical countermeasures which are included in the Solution. 179 4.2 (b) The references to standards, guidance and policies set out in paragraph 3.2 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, from time to time. (c) In the event of any inconsistency in the provisions of the above standards, guidance and policies, the Supplier shall notify the Authority of such inconsistency immediately upon becoming aware of the same, and the Authority shall, as soon as practicable, advise the Supplier which provision shall be required to comply with. (d) The Security Plan is structured in accordance with ISO/IEC27002 and ISO/IEC27001, cross-referencing where necessary to other schedules of this Framework Agreement which cover specific areas included within that standard. (e) The Security Plan is written in plain English, in language which is readily comprehensible to the staff of the Supplier and the Authority engaged in the Services, and does not reference any other documents which are not either in the possession of the Authority or otherwise specified in this schedule. Amendment and revision (a) The Supplier will ensure that the Security Plan is fully reviewed and updated at least annually, or from time to time to reflect: (i) Emerging changes and developments in industry best practice. (ii) Any and all changes or proposed changes to Supplier systems, the Services and/or associated processes. (iii) Any new perceived or changed threats to Supplier systems. (iv) A reasonable request by the Authority. (b) The Supplier will provide the Authority with the results of such reviews as soon as reasonably practicable after their completion, and amend the Security Plan at no additional cost to the Authority. (c) Any change or amendment which the Supplier proposes to make to the Security Plan (as a result of an Authority request or change to schedule 3 (Services) or this schedule of the Framework Agreement), shall be subject to the Change Control Procedure and shall not be implemented until approved in writing by the Authority. 5 Auditing and testing of the Security Plan 5.1 The Supplier will conduct tests of the processes and countermeasures contained in the Security Plan on an annual basis, or as otherwise agreed by the parties. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the Authority. 5.2 The Authority shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Authority with the results of such tests (in a form approved by the Authority in advance) as soon as practicable after completion of each Security Test. 5.3 Without prejudice to any other right of audit or access granted to the Authority pursuant to this Framework Agreement, the Authority shall be entitled at any time and without giving notice to 10-404788-3 180 the Supplier to carry out such tests (including penetration tests) as it may deem necessary in relation to the Security Plan and the Supplier's compliance with and implementation of the Security Plan. The Authority may notify the Supplier of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery Services. If such tests impact adversely on its ability to deliver the Services to the agreed Service Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the tests. 5.4 For the purposes of this paragraph, a weakness means vulnerability in security and a potential security failure means a possible breach of the Security Plan or security requirements. Where any Security Test carried out, pursuant to paragraphs 5.2 or 5.3 above, reveals any actual or potential security failure or weaknesses, the Supplier shall promptly notify the Authority of any changes to the Security Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Authority's approval in accordance with paragraph 4.2(c) above, the Supplier shall implement such changes to the Security Plan in accordance with the timetable agreed with the Authority or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the Security Plan to address a non-compliance with the Security Policy or security requirements, the change to the Security Plan shall be at no additional cost to the Authority. 6 Conformance to ISO standards (27001 and 27002) 6.1 The Supplier will obtain third party independent certification of the Security Plan to ISO 27001 standard as soon as reasonably practicable, and will maintain such certification for the duration of the Framework Agreement. 6.2 If sections of the Security Policy do not conform to industry best practice as described in ISO 27002 and, as a result, the Supplier reasonably believes that its certification to ISO 27001 would fail in regard to the said sections, the Supplier shall promptly notify the Authority of this and the Authority in its absolute discretion may waive the requirement for certification in respect of the relevant parts. 6.3 The Supplier will carry out such regular security audits as may be required by the British Standards Institute in order to maintain delivery of the Services in compliance with security aspects of ISO 27001, and shall promptly provide to the Authority any associated security audit reports and shall otherwise notify the Authority of the results of such security audits. 6.4 If it is the Authority's reasonable opinion that compliance with the principles and practices of ISO 27001 is not being achieved by the Supplier, then the Authority shall notify the Supplier of the same and give the Supplier a reasonable time (having regard to the extent of any noncompliance and any other relevant circumstances) to become compliant with the principles and practices of ISO 27001. If the Supplier does not become compliant within the required time then the Authority has the right to obtain an independent audit against these standards in whole or in part. 6.5 If, as a result of any such independent audit as described in paragraph 6.4, the Supplier is found to be non-compliant with the principles and practices of ISO 27001 then the Supplier shall, at its own expense, undertake those actions required in order to achieve the necessary compliance and shall reimburse in full the costs incurred by the Authority in obtaining such audit. 10-404788-3 181 7 Breaches of security 7.1 Either party shall notify the other immediately upon becoming aware of any Breach of Security including, but not limited to an actual, potential or attempted breach, or threat to, the Security Plan 7.2 Upon becoming aware of any of the circumstances referred to in paragraph 7.1 the Supplier shall immediately take all reasonable steps necessary to: 8 (a) Remedy such breach or protect the Solution against any such potential or attempted breach or threat; (b) Prevent an equivalent breach in the future. Such steps shall include any action or changes reasonably required by the Authority. In the event that such action is taken in response to a breach that is determined by the Authority acting reasonably not to be covered by the obligations of the Supplier under this Framework Agreement, then the Supplier shall be entitled to refer the matter to the Agreement Change Procedure; and (c) As soon as reasonably practicable the Supplier will provide to the Authority full details (using such reporting mechanism as may be specified by the Authority from time to time) of such actual, potential or attempted breach and of the steps taken in respect thereof. Continuous improvement The Supplier shall continually improve the effectiveness of the ISMS through the use of the information security policy, information security objectives, audit results, analysis of monitored events, corrective and preventive actions and management review. 9 Corrective actions 9.1 The Supplier shall take action to eliminate the cause of nonconformities with the ISMS requirements in order to prevent recurrence. The documented procedure for corrective action shall define requirements for: 10-404788-3 (i) Identifying nonconformities; (j) Determining the causes of nonconformities; (k) Evaluating the need for actions to ensure that nonconformities do not recur; (l) Determining and implementing the corrective action needed; (m) Recording results of action taken (see paragraph 5.4); and (n) Reviewing of corrective action taken. 182 Appendix 2 Draft Security Plan from Supplier's Bid 1 Table of Contents 1 Introduction 2 Scope 3 Outputs 4 ISO 27001 accredited certification and service standards 5 Amendments and revision 6 Auditing and testing of the security plan 2 Introduction 2.1 The following security plan illustrates how the Supplier will meet the requirement of the Framework Agreement. The Security Plan sets out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Services and all processes associated with the delivery of the Services and shall, at all times, comply with and specify security measures and procedures which are sufficient to ensure that the Services comply with: (a) the provisions of this schedule; (b) the provisions of schedule 3 (Services) relating to security; (c) ISO/IEC27002 and ISO/IEC27001; (d) the data protection compliance guidance produced by the Authority; (e) the minimum set of security measures and standards required where the system will be handling protectively marked or sensitive information; (f) any other extant national information security requirements and guidance, as provided by IT Security Officers; and (g) appropriate ICT standards for technical countermeasures which are included in the Solution. 2.2 The references to standards, guidance and policies set out in paragraph 2.1 shall be deemed to be references to such items as developed and updated and to any successor to or replacement for such standards, guidance and policies, from time to time. 2.3 In the event of any inconsistency in the provisions of the above standards, guidance and policies, the Supplier shall notify the Authority of such inconsistency immediately upon becoming aware of the same, and the Authority shall, as soon as practicable, advise the Supplier which provision the Supplier shall be required to comply with. 2.4 The Security Plan shall be structured in accordance with ISO/IEC27002 and ISO/IEC27001, cross-referencing if necessary to other schedules of this Framework Agreement which cover specific areas included within that standard. 10-404788-3 183 2.5 The Security Plan shall be written in plain English, in language which is readily comprehensible to the personnel of the Supplier and the Authority engaged in the Services, and shall not reference any other documents which are not either in the possession of the Authority or otherwise specified in this schedule. 3 Amendment and Revision 3.1 The Security Plan shall be fully reviewed and updated by the Supplier annually, or from time to time to reflect: (a) emerging changes in Good Industry Practice; (b) any change or proposed change to the Supplier System, the Services and/or associated processes; (c) any new perceived or changed threats to the Supplier System; and (d) a reasonable request by the Authority. 3.2 The Supplier shall provide the Authority with the results of such reviews as soon as reasonably practicable after their and amend the Security Plan at no additional cost to the Authority. 3.3 Any change or amendment which the Supplier proposes to make to the Security Plan (as a result of an Authority request or change to the schedule 3 (Services) or otherwise shall be subject to the Change Control Procedure and shall not be implemented until Approved in writing by the Authority. 3.4 The security plan shall approach the service provision by focusing on two stated tenets of the Invitation to Participate in Dialogue: (a) Outputs; and (b) Standards. 3.5 The Security Plan sets out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Services and all processes associated with the delivery of the Services, and shall at all times comply with and specify security measures and procedures. 4 Scope 4.1 The Service shall operate as a managed Service with a single point of contact for all Service Desk interactions with the Supplier, irrespective of whether this is in relation to a subscription, un-subscription, a fault, issue, problem, query, request, addition or change in subscription of a Service. 4.2 The Alarm Receiving Centre (ARC) shall have a discrete contact number which will be available 24 hours a day, 365 days per year to manage incidents and alarms. The Alarm Monitoring Service (AMS) centre (or virtual centre) shall further be capable of monitoring every geographical location where Users need to operate within England. The Services provided by the Supplier shall support a range of User profiles to support the needs of different situations arising from the diverse User groups. 4.3 It is appreciated that a range of Devices shall be required to support the needs of different situations arising from the diverse User groups and range of Authority bodies. The Device or 10-404788-3 184 application shall enable Users to signal for assistance from the emergency services. A range of tracking options shall be available (from no tracking, basic tracking, through to more accurate tracking). 5 Outputs 5.1 In terms of deliverable outputs, there are a number of areas which shall receive specific attention; as follows: (a) (b) 10-404788-3 End to end Service (i) The Supplier shall provide full life-cycle management (including commissioning, configuration, administration, moves, changes, account administration, Service Desk support, maintenance, Technology Refresh and disposal). The Supplier shall process applications for Devices from Customers against agreed criteria to ensure eligibility and suitability of the Service. (ii) The supplied solution shall be capable of indicating three levels of alert for Lone Workers: (A) At work - the standard risk experienced by all workers in a normal days activity; (B) Heightened risk – this equates to a situation where an individual perceives a heightened sense of risk in a work environment e.g. a home visit; and (C) Incident - an incident is happening or has happened e.g. physical attack, verbal abuse etc. (iii) The above levels shall be referred to as Green, Amber and Red in line with risk measurement status. (iv) The agreed solution shall support the use of a range of User Devices to support diverse User groups and a variety of tracking options (from basic tracking to more accurate tracking). (v) The Services provided shall further support the provision of tailored User profiles to meet the needs of different situations arising from the diverse User groups and range of NHS bodies included in the scope. Alarm Management Service (AMS) (i) The Alarm Management Service shall be made up of the ARC and the Service Desk. (ii) The Supplier shall provide an ARC which shall be available 24 hours a day, 365 days per year. The Supplier shall support a range of User profiles to support the needs of different situations arising from the diverse User groups and range of Authority bodies. The User profiles shall allow bespoke escalation procedures e.g. escalation to colleagues instead of emergency response from the Police. The default profile shall result in escalation to the Emergency Services if appropriate. 185 (iii) (c) (d) Training (i) The Supplier shall carry out all initial Device User training in order that all Users shall receive a uniform level of training. (ii) Within the Security Plan there shall be contingency plans for any re scaling of training requirements, with the Supplier being in a position to re-engage at short notice. Information security management (i) The policy, practices and procedures to be implemented by the Supplier shall be based upon ITIL Best Practice guidance. ITIL underpins the foundations of ISO/IEC 20000 (Service Management Standard, previously BS15000). The Supplier shall work towards this standard, in a de facto manner, by ensuring that ITIL V3 disciplines are adhered to. The Supplier shall operate under ITIL V3, with appropriate Supplier personnel attending further accreditation courses over the next 2 months. In a service environment such as this, with critical Services being delivered, Security Management, in physical, logical and software / application security and the availability, integrity and confidentiality of information is key. All ICT shall comply with the Authority STEP policy, and in order to achieve this, the Supplier shall undertake the initial process to seek ISO/IEC 27001 accreditation. The accreditation process is under way with a full gap analysis being undertaken before application begins formally. (ii) All Users shall be fully trained in security policies and procedures and provided with regular updates. Security incidents, vulnerabilities and system faults shall be promptly reported through the dedicated Service Desk function. Sensitive ICT facilities shall be protected from unauthorised access through the use of physical controls. Critical ICT equipment including items such as cabling shall be protected against physical damage. (iii) Documented operating procedures shall be produced including logs and controls for: (iv) 10-404788-3 The ARC shall be able to listen to and record events in a way that is legally admissible in prosecution cases that arise from incidents. (A) Secure disposal of backup media, documents, voice recordings and test data; (B) Secure disposal and maintenance of ICT equipment; (C) Securely handling, transporting and storing of backup media and system documentation; (D) Any information and / or software exchanges between organisations; (E) Removal of ICT assets from site, and (F) Secure management of failover/contingent ICT equipment. Any changes to the agreed security policies and standards shall be approved by the Authority as part of the Service Transition phase detailed below. 186 Specific reference to this agreement process shall be incorporated into the release management protocols. Conversely, should the Authority propose any changes to the security policies and standards, the Supplier shall agree these changes, and after consultation with the Authority implement them in line with the defined process. (e) Protectively Marked or Sensitive Information The Suppliers Security Plan shall be in accordance with the Manual of Protective Security, and shall conform to the following requirements: (f) 10-404788-3 (i) Scope of the document; (ii) Service security environment; (iii) Use of the security Framework; (iv) Threats to services and clients; (v) Security control objectives; and (vi) Service functional security requirements. Service monitoring and management (i) There shall be one single point of contact for Users for assistance for all enquiries (Service Desk Transactions). This service shall effectively be 24 hours per day, 7 days per week (reduced service levels outside of normal hours). The Service Desk team shall have dedicated personnel performing all administrative tasks relating to implementing new Users and ongoing support for existing Users. Supplier Personnel shall be able to access all associated systems to ensure quick and effective resolution of all issues, managing all enquiries and queries through to resolution, engaging with the ARC and Service Maintenance functions as necessary. (ii) All communications with Users, regardless of the nature and method of communication shall be recorded, managed and where necessary tracked via the Client Relationship Management (CRM) system, through to resolution. The CRM system shall enable the generation of reports and analysis of key metrics such as volumes of calls, time to resolution from initial communication, types of queries, etc. This shall enable the Supplier to monitor performance and proactively identify and improve issues. It also provides all information relating to interactions with Users, enabling all Supplier Personnel to deal with queries without a reduction in the level of knowledge and hence service to that User. (iii) Specific ongoing support tasks performed by Service Desk staff: (A) Queries from a Device usage nature from a User (how to use properly, suspected faulty Devices, network coverage concerns); (B) Queries relating to changes in User details, points of contact details, reallocation of Devices. These shall be tracked and confirmed with User/Customer via the request for change process; 187 (g) (C) Issuing of reports to Customers and the Authority, highlighting key elements from the report data (Device inactivity, incorrect usage, etc). This enables the Service Desk Personnel to proactively work with Users to maximise their overall usage of Devices. For example, the Service Desk shall highlight Device inactivity that is explained by the fact the User has left the Customer organisation and hence the User details require deletion and the Device reallocating; (D) Proactively calling Users when they are struggling with Devices via the alarms coming through to the ARC e.g. Repeated false alarms; (E) Proactively updating Users on the progress of enquiries, ensuring confirmation from the User, before closing a transaction; (F) Specific new Customer implementation tasks performed by Service Desk Personnel shall include; (G) Liaise with Authorised Customer Representatives to organise and collect User information; (H) Liaise with Authorised Customer Representatives to set up effective and robust escalation points of contact for all Users; (I) Set up Users on alarm handling software and organise go-live dates; (J) Organise training programme; (K) Ensure Devices are despatched to the correct place at the correct time; (L) Proactively call Users in the early days, post training, to ensure Users are comfortable and confident with the Device. (iv) Service Desk Personnel shall work closely with the service maintenance personnel on Device queries; Device returns; Device loan swap outs etc. The Service Desk shall be covered 24/7 with the non-core hours between 8pm and 6am and weekends/Bank Holidays covered by the ARC. All internal communications shall be logged against the specific Customer/User to ensure full tracking and transparency. (v) Any change to a User, User account or User Device shall be controlled via the Supplier request for change process. Reporting All reporting of Service Desk transactions shall be driven through the CRM system with full flexibility on what and how issues are reported. (h) Functional services (i) 10-404788-3 Disaster Recovery The Supplier's ARC shall be accredited with BS 5979 Cat II, which assures Users that there shall be a disaster recovery procedure in place. The plan shall involve the duplication of the Supplier's server capability at another BS5979 Cat II site to ensure no operational downtime in the event of catastrophic failure on the primary Supplier 188 site. The Supplier shall continue to test this on an annual basis. There shall be 5 elements to the business continuity plan once service disruption is experienced: (a) An incident management process; (b) A crisis management team; (c) A disaster recovery technical plan; (d) A business continuity strategy; and (e) Physical security. The Suppliers ARC shall be accredited the BS 5979 Cat II, which by nature assures that physical security includes: (a) Dual thickness walls; (b) Access control; (c) Airlock; (d) Independent air supply system; (e) Gas detectors; (f) CCTV internal; (g) Blast proof windows; (h) Secure server room; (i) Secure telephone system; (j) Firewalls providing secure encrypted MPLS between sites; and (k) The risk assessment process. (A) The Supplier shall work with the Authority to provide a standardised risk assessment tool to inform the decision as to whether a Device is needed, and if so, which type of Device. (B) The risk assessment tool shall have the ability to deal with budgetary constraints at an Authority level, providing a sound rationale for not only identifying the Device variant required per User group, but also prioritising User groups within the organisation. The intellectual property rights for such a tool may be owned by the Authority to enable the Authority to offer this as an added service/tool to existing and new Customers. (iii) Account Management (A) 10-404788-3 Account Management is an integral part of the Suppliers Security Plan, and as such there shall be a dedicated team of Account Managers accessible 24 hours per day. 189 (B) (iv) (v) (vi) 10-404788-3 The tasks which the Supplier Account Managers shall undertake are as follows: Pre-mobilisation which includes: (A) Oversee all the implementation tasks; (B) Review the Lone Worker policies and procedures for each customer; (C) Identify Quarterly Business Reporting dates and attendees for each customer; (D) Meet with staff representatives; and (E) Identify and meet the appropriate contact in the customer’s Accounts department. Implementation/Mobilisation which includes: (A) Manage and deliver the implementation project; (B) Establish Gant chart and share with customer’s representative; (C) Task Trainer; (D) Task Service Desk administrator; (E) Agree deliverables with customer; (F) Oversee deployment of Devices; (G) Oversee training of Users; and (H) Report to Customer Relationship Manager on achievement of deliverables. Post-Implementation (A) Carry out Quarterly Business Reviews (QBRs) with customer; (B) Review reporting; (C) Identify additional training needs; (D) Manage deployment for Devices for New Starters/Leavers; (E) Conduct Incident Reviews; (F) Confirm invoice details monthly; (G) Maintain the CRM database on Users; (H) Oversee resolution of any issues raised through the Service Desk; and (I) Support any specific marketing tasks identified. 190 (i) Project Management (i) In relation to project management there are two further areas to consider. Firstly, there is the project management approach taken to deliver the Framework Agreement overall. Secondly there is the project management approach taken for individual clients when delivering the Services (ii) The approach is a pragmatic, based on several years of implementation experience. The process is divided into four distinct stages: 1. Pre-training 2. Training 3. Initial phase post-training 4. Ongoing phase post-training. (iii) Phase 1: Pre-Training (iv) (A) Assess how the solution will complement existing lone worker procedures and protocols and assist, where necessary, with any modifications or updates to these procedures and protocols. (B) Understand the working environment and risks faced by each User group and propose the most appropriate Device variant and associated Device set-up functionality per User. (C) Through a combination of checking network coverage ‘maps’ and obtaining local knowledge from Users, we determine the combination of GSM network operator SIM cards with which to commence service delivery. (D) Work through the necessary points of contact and alarm escalation procedures per User. (E) Jointly with the Customer, engage with the local/regional Police forces to clarify Police response processes. (F) Clarify the personal information required from Users and coordinate the necessary collection of this information. (G) Create the model for implementation. Areas covered here include resource levels for the organisation (internal trainers, administrators, project team and project managers for instance), training schedules (who gets trained, by whom, where and when) and the proposed frequency of project meetings. (H) Create and continuously update the project plan. The information generated from the implementation model is then dropped into a Gantt Chart; this is used to manage the project. Phase 2: Training. This includes the following: (A) 10-404788-3 The Supplier shall project manage the delivery of Devices (each Device is registered against an individual), the actual training 191 sessions (and content thereof) and coordinate ‘go-live’ dates. Quality face to face training will be offered to all Users. (v) (vi) Phase 3: Initial Phase Post-Training: (A) This covers the early stages of adoption of the Devices by Users. The Supplier shall coordinate frequent meetings and conference calls to analyse User activity levels, ensure correct usage of Devices, discuss any network coverage problems and solve any issues arising with escalation ‘points of contact’. Key to this is the circulation of activity data prior to the discussions. This is an assurance to jointly tackle issues quickly and ensure a successful implementation; (B) The frequency of these discussions are only reduced once both parties are satisfied the main issues have been dealt with successfully. All discussions are recorded and circulated, highlighting actions where necessary, to ensure transparency and the tracking and completion of actions in a timely manner. Phase 4: Ongoing Phase Post-Training (A) The Supplier shall issue monthly activity reports. The Supplier shall highlight ongoing User issues, general activity level issues, network coverage issues. The Supplier shall further agree with the Customer the frequency of contract review meetings to discuss the issues raised in these reports and any others through the contract until completion. 6 ISO 27001 accredited certification and Service standards 6.1 The Supplier is currently preparing for ISO 27000 accredited certification. A gap analysis exercise has taken place, and the Supplier is now in a position to provide details of the standard and its applicability to relationships with the Authority, and further inform interested parties of the progress made, and the projected efforts required to attain accredited certification of the 27000 standard. 6.2 The ISO body of standards is divided between three distinct sections. (a) ISO 27701; (b) ISO 27002; and (c) ISO 27005. 6.3 ISO 27001 is that part of the standard which reflects on the Information Security Management System (ISMS) requirements. During the certification phase the implementation and management of the ISMS will be audited against 27001. 6.4 ISO 27002 is a Code of Practice which is intended to provide a framework for international best practice in information security management and systems interoperability. It also provides guidance to which an external auditor may look, on how to implement certifiable ISMS. It does not, as the standard is currently written, provide the best for an international certification scheme. 10-404788-3 192 6.5 ISO 27005 this International Standard provides guidelines for information security risk management, and it supports the general concepts specified in ISO/IEC 27001, and is designed to assist the satisfactory implementation of information security based on a risk management approach. 6.6 The approach to the implementation of an Information Security Management Systems will be based on the recognised Plan; Do; Check; Act concept which is recognised throughout all standards within the ISO family of standards. 6.7 Of critical importance to the accreditation of ISO 27001 certification is the ability of the Supplier to provide a structured approach to the implementation of the ISMS. The standard sets out in paragraph 6.2, the required structured approach to the establishment of an ISMS, and there are six recognised steps which the Supplier will follow: 6.8 (a) Define the scope of the ISMS; (b) Define the Information Security Policy at board level; (c) Define a systematic approach to risk assessment and the risk acceptance criteria; (d) Carry out a risk assessment to identify, within the context of the policy and ISMS scope, the important information assets of the organisation and the risks to them. At this stage an assessment of all risk is established; (e) Identify and evaluate options for the treatment of the risks, selecting where required, the control objectives and controls to be implemented; and (f) Prepare a Statement of Applicability. Application of the PDCA cycle to a process approach means that, following the basic principles of process design, there needs to be both inputs to and outputs from the process. An ISMS takes, as its input the information security requirements and expectations of the interested parties (Authority and Supplier), and through the necessary actions and processes produce information security outcomes that meet those requirements and expectations. This means that the PDCA model is applied at two levels: (a) 10-404788-3 The strategic level, in terms of the development of the ISMS itself; and 193 (b) 6.9 At the tactical level, in terms of each of the processes within the ISMS. At the strategic level, the application of the PDCA cycle is applied to the development of the ISMS. The correspondence between the PDCA cycle and the stages identified in the Standard for the implementation and development of the ISMS as seen below is currently being adapted by the Supplier in order that 27000 accredited certification may be achieved. (a) (b) (c) Plan (Establish the ISMS) (i) Define the scope of the ISMS; (ii) Define the Information Security Policy at board level; (iii) Define a systematic approach to the risk assessment; (iv) Carry out a risk assessment to identify, within the context of the policy and ISMS scope, the important information assets of the organisation, and risks to them; (v) Identify and evaluate options for the treatment of these risks; (vi) Select for each approach, the control objectives and controls to be implemented; and (vii) Prepare a statement of applicability. Do (Implement and operate the ISMS) (i) Formulate the risk treatment plan, its documentation, including planned processes and detailed procedures; (ii) Implement the risk treatment plan and planned controls; (iii) Provide appropriate training for affected staff, as well as awareness programmes; (iv) Manage all operations and resources within the ISMS; and (v) Implement procedures that enable prompt detection of, and response to, security incidents. Check (Monitor and review the ISMS) (i) (d) Act (Maintain and improve the ISMS) (i) 10-404788-3 Monitor, review test and audit the above. Monitoring, reviewing, testing and audit has to be an ongoing process that covers the whole system, and a certification body will want to see evidence of at least one cycle of tests and audits on the ISMS, having been completed prior to a certification visit. Testing and audit outcomes will be reviewed by management, as will the ISMS in the light of the changing risk environment, advancing technology or other risk related circumstances; improvements to the ISMS will be identified, documented and implemented; and 194 (ii) Thereafter the ISMS will be subject to ongoing review, further testing and improvement implementation, a process recognised as continuous improvement. Fig 1.0 ISMS Project Roadmap Risk Assessment Board Policy Prepare Documentation Board Approval Agree Scope Training SOA Asset Inventory Plan Monitor/Review Incident Response Procedure Implement ISMS Do Identify, Implement and Improve Check Act Figure 1.0 shows the ISMS project roadmap, based on the PDCA concept which will be adopted by the Supplier 6.10 10-404788-3 In terms of deliverable standards, there are a number of areas which will receive specific attention; as follows: (a) Service management standards. The entire service architecture shall be managed, adhering to the ITIL processes operated by the Supplier. (b) The Supplier has a contract management team with the capacity and depth to be able to assist the BSA and CFSMS to develop the appropriate strategies necessary to translate developing business requirements across the Authority into firm deliverables, whether they are ICT strategies, the delivery framework or overall service capabilities, in line with STEP where applicable to this Framework Agreement. The shape of the contract management team is as follows: (i) Framework Manager / Contract Director; (ii) Operations Manager (deputy Contract Director); (iii) Service Maintenance Manager; (iv) User Training Manager; (v) Service Desk Supervisor; (vi) National Account Manager; and 195 (vii) ARC Manager. (c) In addition the Partnership Board, which will sit above the Contract Management Team and work in a strategic way to align the Supplier's objectives with those of the Authority, shall be a powerful tool for meeting Authority aspirations for the Services. The Supplier expects and anticipates meeting the Authority regularly to discuss their developing ideas for improving service delivery; for enhancing the ‘sales’ of the Services across the Authority; for meeting Customer expectations, queries and concerns; for ensuring that personnel and their representatives are fully briefed on a programmed basis throughout the year on the Services; and to help inform government on the outcomes of this important ‘pump-priming’ project. (d) The Supplier proposes that members of the Partnership Board from the Suppliers side contain at least the following: (e) (i) Director for Operations, Reliance; (ii) Director, Reliance ARC; and (iii) Contract Manager. Continual Service Improvement is the anchor which holds these processes together. It is imperative for the Supplier to deliver consistent, repeatable process activities to safeguard the Services quality. However, the continuous search for improvements as part of the promised Services quality is equally important. As technology develops and as Best Practice and legislation is updated, the need for a supplier to the Authority to be pro-active in its improvements is paramount. The following, on-going processes form the basis for annual service plans: (i) Measurement and Control; (ii) Service Measurement; (iii) Service Assessment and Analysis; and (iv) Service Level Management. 7 Amendment and revision 7.1 The Supplier shall ensure that the Security Plan is fully reviewed and updated annually, or from time to time to reflect: 10-404788-3 (a) Emerging changes and developments in industry best practice; (b) Any and all changes or proposed changes to the Supplier Systems, the Services and/or associated processes; (c) Any new perceived or changed threats to the Supplier System; (d) A reasonable request by the Authority; (e) The Supplier will provide the Authority with the results of such reviews as soon as reasonably practicable after their completion, and amend the Security Plan at no additional cost to the Authority; and 196 (f) Any change or amendment which the Supplier proposes to make to the Security Plan (as a result of an Authority request or change to the schedule 3 (Services) or otherwise, shall be subject to the Change Control Procedure and shall not be implemented until approved in writing by the Authority. 8 Auditing and testing of the Security Plan 8.1 The Supplier shall conduct tests of the processes and countermeasures contained in the Security Plan on an annual basis, or as otherwise agreed by the Authority and the Supplier. The date, timing, content and conduct of such Security Tests shall be agreed in advance with the Authority. 8.2 The Authority shall be entitled to send a representative to witness the conduct of the Security Tests. The Supplier shall provide the Authority with the results of such tests (in a form approved by the Authority in advance) as soon as practicable after completion of each Security Test. 8.3 Without prejudice to any other right of audit or access granted to the Authority pursuant to this Framework Agreement, the Authority shall be entitled at any time, and without giving notice to the Supplier, to carry out such tests (including penetration tests) as it may deem necessary in relation to the Security Plan and the Supplier's compliance with and implementation of the Security Plan. The Authority may notify the Supplier of the results of such tests after completion of each such test. Security Tests shall be designed and implemented so as to minimise the impact on the delivery Services. If such tests impact adversely on its ability to deliver the Services to the agreed Service Levels, the Supplier shall be granted relief against any resultant under-performance for the period of the tests. 8.4 For the purposes of this paragraph 8.4, a weakness means vulnerability in security and a potential security failure means a possible breach of the Security Plan or security requirements. Where any Security Test carried out pursuant to paragraphs 8.2 or 8.3 above reveals any actual or potential security failure or weaknesses, the Supplier shall promptly notify the Authority of any changes to the Security Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Authority's approval in accordance with paragraph 3.3(c) above, the Supplier shall implement such changes to the Security Plan in accordance with the timetable agreed with the Authority or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the Security Plan to address a non-compliance with the Security Policy or security requirements, the change to the Security Plan shall be at no additional cost to the Authority. 9 Reviewers Comments 9.1 In terms of the gap analysis, it is suggested that the remainder of the project is structured as follows: (a) 10-404788-3 Project Team: To be formed at the earliest opportunity. Taking into consideration that the 27001 standard is technically neutral, it is imperative that the Project Team should be chaired by a senior executive or board member who is designated as responsible for the implementation of the ISMS. Members of the team will be selected from across the organisation. Key functions that should be represented are quality/process management; Human Resources; Training; IT/Facilities Management; Operations and Business Administration and Health & Safety. The team should be guided by a member with knowledge of ISO standards. 197 (b) Information Security Policy: Once the Project Team and management structure have been agreed, consideration of a board level Information Security Policy should be the next phase. The definition of the Information Security Policy is a requirement set out in clause 4.2.1 of the standard. Initially, the Information Security Policy should be a short statement no more than two A4 pages however, the policy will go through a number of stages of development, particularly as a result of the risk assessment, and the final version of the policy must satisfy clause 5.1.1 of the standard. (c) The risk assessment: ISO 27002 is clear in its introduction, that risk is a systematic study of assets, threats, vulnerabilities and impacts to assess the probability and consequence of risk. In terms of the ARC certification this equates to a systematic and methodical consideration of: (d) (e) 10-404788-3 (i) The business harm likely to result from a range of business failures; and (ii) The realistic likelihood of such failures occurring. The risk assessment should be carried out by a qualified and experienced risk assessor who has knowledge of qualitative risk assessment and management, and has the ability to identify the following areas of risk in line with clause 4.2.1d of the standard. (i) Assets within the scope; (ii) Threats; (iii) Vulnerabilities; (iv) Likelihood; (v) Impact; and (vi) Treatment of risk. Required documentation: Notwithstanding the production of the Information Security Policy, there are number of other documents, constituting the ISMS manual, which must be produced to meet the requirements of the standard: (i) The risk assessment report, to include risk treatment; (ii) Control objectives and procedures to support the ISMS manual; (iii) The Statement of Applicability; (iv) Evidence of the actions undertaken by the organisations top management team (minutes of all meetings); (v) A description of the management framework; (vi) Procedures that govern the management and review of the ISMS; and (vii) All business continuity and crisis management documentation. 198 10 Third party accredited certification: 10.1 Selection of auditors. There are two key issues which need to be taken into consideration relation to the overall policy of 27001 auditor selection: 10.2 10-404788-3 (a) The ISMS must be fully integrated into the organisation, with a recognition that standards such as ISO 9001 and 14001 have a synergy with 27001; and (b) There must be an agreement with potential third party auditors that the operations and business drivers of the ARC are unique, and the ISMS audit should take this into consideration when the initial audit takes place. The audit. Once a certification body has been selected and terms agreed, the organisation (the ARC) can concentrate on the actual process of certification. The process will familiar to the ARC as it is already in possession of ISO 9001 certification. The certification body will want to go through a two stage process. (a) The first stage will be a pre certification visit, which enables the auditors to become acquainted with the culture of the ARC; to carry out an initial document review; to assure themselves that the ISMS is sufficiently well developed to be capable of withstanding a formal audit and to obtain enough information about the ARC and the intended scope of the certification to plan the audit effectively. (b) The second stage will consist of two parts. The first part involves testing the organisations documented processes (the ISMS) against the requirements of the standard. The second part will test actual compliance by the organisation with its ISMS. (c) The above Security Plan sets out to meet the requirements of the NHS Lone Worker Protection Project, and is the basis for the bid for services at the ARC, Pontefract. An essential element of the bid is the requirement by the NHS Security Management Services (SMS) for the preferred supplier to have achieved ISO 27001 accredited certification. The lead time for stage one of the auditing process is generally 08 to 12 weeks, and to that end it is imperative that Reliance Hightech take immediate steps to implement an ISMS, having considered the above report and remarks. 199 Appendix 3 Reliance High Tech Security Plan for Lone Worker Support 1 Introduction 1.1 The following Security Plan will focus on lone worker support services areas relating to the Reliance Alarm Receiving Centre (ARC), Pontefract and the Disaster Recovery Centre (DRC) at Wythenshaw, Manchester, concentrating on: (a) Physical security; (b) Integrity of all data communications. The security guidelines and standards relating to the Alarm Receiving Centre at Pontefract will be replicated throughout all Reliance (and any third party) locations providing lone worker support. 2 Physical security 2.1 Both centers are accredited to BS 5979 Cat II, which assures Users that there is a disaster recovery procedure in place. The plan involves the duplication of the Reliance server capability at another BS5979 Cat II site to ensure no operational downtime in the event of catastrophic failure on the primary site. The BS 5979 accreditation is assessed and re certificated annually. This Reliance does, and shall continue to test this on an annual basis. 2.2 There are four elements to the recovery plan once service disruption is experienced: 2.3 2.4 10-404788-3 (a) An incident management process; (b) A crisis management team; (c) A disaster recovery technical plan; (d) A business continuity strategy. The physical risk assessments take into consideration the following threats: (a) Unauthorised intrusion; (b) Burglary; (c) Robbery; (d) Espionage; (e) Sabotage; (f) Offences against the person; (g) Criminal damage and arson; (h) Terrorism. As a result of such risk assessments, all necessary control measures and mitigation strategies are considered before the agreed counter measures are introduced. The risk is never static, 200 and as part of the ARC continuous improvement strategy, the dynamic risk assessment is constantly monitored. To further enhance security of the ARC and its operations, Reliance is in the process of achieving ISO 27000 certification. 3 The ARC 3.1 The ARC is accredited to BS 5979 Cat II, which by its nature assures that physical security includes the following strategies: (a) Crime Prevention Through Environmental Design Environmental protection considers security of the site in question by encapsulating the following issues: (i) a crime pattern analysis of the area surrounding the ARC to focus on crime pattern by type and volume, and including where possible, crime clear up rates. Crime in the area of South Yorkshire for the period 2007/2008 is as follows: (ii) Crime by type Volume Increase/ Decrease Burglary 19,647 -8% Violence against the person 24,453 -11% Robbery 1,283 -6% Vehicle crime 23,542 -14% Fraud 4,197 -4% Police and other emergency services response times. The ARC is located within the vicinity of the centre of Pontefract, and this in itself assures good emergency services response. Added to this is the fact that the ARC is co located with a key BT hub, and complies with OFTEL regulation, providing an extra dimension to the physical and technical security arrangements currently in place. There is formal internal and external CCTV coverage which is monitored from within the ARC. Further, employees are encouraged to monitor the situation whilst within and outside the location. (iii) Territoriality. Encouraging staff and management to assume responsibility of their working area and the general ARC environment. (iv) Adjoining buildings. Taking into consideration adjacent and adjoining buildings which may impact the integrity of the ARC With the exception of the BT hub, the ARC is not impacted by any other adjoining buildings. 10-404788-3 201 (v) (b) Road communications. In and around the area of the ARC, road communications are quite congested, and it would therefore be difficult for a potential aggressor to guarantee and effective and fast escape. Situational Crime Prevention In terms of situational crime prevention, the following tenets are taken into consideration: (c) (vi) Increasing the efforts of potential offenders: Target hardening; control of access; control of tools and weapons; (vii) Increasing the risk to offenders being apprehended: More effective surveillance techniques in terms of formal and informal surveillance; (viii) Reducing rewards to successful offenders: Preventing offenders from benefiting if attacking the ARC; and (ix) Removing excuses from ARC staff: Setting very clear and concise guidelines for all staff and management. Perimeter protection The Reliance ARC shares property with the main BT exchange, and as such there is open access to the car park, via a main gate which is the responsibility of British Telecom. Surrounding the car park area, and rear of the compound is a two meter high steel palisade fence which is in a good state of repair and well maintained. Lighting in and around the compound consists of wall mounted HID flood lights, and pole mounted high pressure sodium lighting unit with sufficient lux value to illuminate the area. (d) Main building The ARC is located on the first floor in a brick and concrete re enforced two story building. Access to the building is via a controlled environment in which visitors are allowed entry remotely from within once identification has been visually and verbally verified. Non authorized personnel will be escorted to the centre via a controlled a dual air locking system, and once inside they will sign in and be issued a visitors pass. Thereafter all visitors will be escorted whilst on the premises, surrendering their passes upon exiting the premises. Further, access is denied to visitors who have no confirmed appointment. Authorized personnel will use a proximity card reader system to access the building and restricted areas within. Access to the building is via a ground floor entrance, which has a single re enforced single leaf inward swinging unit, which has duel point internal locking mechanisms, and is linked to the alarm system. The electronic access control facility is managed by the ARC Operations Manager, with users being authorized and deleted under his stewardship. 10-404788-3 202 The ARC is manned twenty four hours per day, three hundred and sixty days per year by trained and vetted (see section f) operators, supervised by qualified managers. (e) Internal physical protection In terms of internal protection, the ARC and DRC have the following control measures in place: (f) (x) Duel thickness walls; (xi) A independent and controlled air supply; (xii) A gas detection system; (xiii) Stand by power (uninterruptible power supply, and a stand by generator); (xiv) Blast resistant window protection; (xv) An internal, centrally located server room which is alarmed and access controlled; (xvi) Internal CCTV; (xvii) A secure telecommunications system; (xviii) Firewalls providing secure encrypted MPLS between sites; and (xix) An Association of Police Officers (ACPO) standard Intruder Detection System (IDS). Personnel All personnel operating within the ARC are Security Industry Authority (SIA) licensed. That is to say that all operators are ten year vetted, and have passed the required SIA training course which guarantees competence. 4 Integrity of all data communications managed within the RMC 4.1 Overview The Alarm Receiving Centre (ARC) provides services to third parties via a number of mediums; namely IP, PSTN and ISDN connectivity. Current information security is achieved by the use of best working practices. 4.2 Service / Assets Detailed below are the current services / assets that the ARC provides as a business structure: (a) Bi-directional communications with customers systems The ARC receives connections from disparate customer systems in the form of alarm activations. The activations received at the ARC are passed through a hardware firewall and received by the hosting system within the ARC. Current connections are as follows: 10-404788-3 203 (i) Six ADSL connections; and (ii) One leased line. Protection of Assets – Full backups of the systems configurations take place on a weekly basis with sequential backups taken daily. Multiple routes for IP connectivity with internal resilience for all systems are currently in place. Duplicate critical equipment is stored on site to minimise service loss in the event of equipment failure. (b) Email The ARC provides access to email via the parent company IT department which is currently hosted off site in the Reliance head office. External email accounts in web based form are currently allowed. Current connections are as follows: (i) One leased line connection into Group Information Technology (IT). Protection of Assets – The email protection is currently under control of Group IT, external email accounts provide resilience but only by exception. (c) Internet Provision The ARC allows all employees’ access to the internet via the parent company IT department’s proxy servers via the leased line connections. Protection of Assets – The internet provision is currently under control of Group IT. Reliance IT, which provides support the Reliance Group have no formal ISO certification in place but work on best practice. User accounts are controlled via requests from the individual operating companies, domain rights are controlled on a specific application basis, password control is enforced with the use of alpha and numeric characters, change of password is every 30 days. Control of mobile communications is via VPN with triple DES encryption. (d) Domain Control Domain control is provided via Reliance IT hosted off site in the head office in Uxbridge. Current connections are as follows: (i) One leased line connection into Group IT. Protection of Assets – The Domain protection is currently under control of Group IT. (e) User Accounts User accounts are created and maintained via Reliance IT hosted off site in the head office in Uxbridge. Current connections are as follows:(i) One leased line connection into Group IT. Protection of Assets – The user account protection is currently under control of Group IT. 10-404788-3 204 (f) Passwords Control Password control are created and maintained via Reliance IT hosted off site in the head office in Uxbridge. Current connections are as follows: One leased line connection into Group IT. Protection of Assets – The password control protection is currently under control of Group IT. (g) Threats to the internal Systems Currently perceived threats into the ARC. (i) Virus / Malware; (ii) External Hack; (iii) Failure of hardware; (iv) Failure of Software; (v) Failure of connections to Group; (vi) Failure of Internet ; (vii) Internal espionage; and (viii) Human Error. Counter measures for perceived threats: (i) Virus / Malware etc Failure scenario – a new virus / malware not in the current list of definitions is received into the secure network. Control: All computer systems incorporate antivirus software with definitions updated daily and pushed to the desktop. The firewall monitors the secure network and incorporates Intrusion Prevention System (IPS) software that protects the network from malicious applications. This inline, network-based defence identifies, classifies, and stops known and unknown threats to your network, including: 10-404788-3 (A) Worms (B) Network viruses (C) System intrusion attempts (D) Application misuse 205 (ii) External Hack Failure Scenario - Access to the secure network could be gained if the hack assumed the IP address of a customer site, and the hack was on an allowed port. Control: The secure internal network only allows connections from trusted sources i.e. customer sites on individual system ports. (i) Failure of Hardware Failure Scenario – Multiple failures (2+) of servers, failures of both primary and secondary systems with insufficient spares holding to reinstate all servers before replacements can be sourced. Control: Images of machines taken, server information/application/ database/ system backed up and dual running of systems where required to provide agreed level of service to customers. (ii) Failure of Software Failure Scenario – Unforeseen error in software and manufacturer unable to provide solution within agreed service level resolution. Control: Backups of database and licensing information taken weekly, manufactures software on hardcopy is also held at the RMC. (iii) Failure of Connection to Group Failure Scenario – Both leaded line and ADSL connection are lost. Control: Current Domain connections are hosted via Reliance Group via a leased line there is a backup of ADSL connection. (iv) Failure of External Network Connectivity Failure Scenario – The BT exchange loses connection / BT systems fail. Control: There are redundant connections to the Internet provided via four ADSL connections each provided by separate ISP’s. (v) Internal Espionage Failure Scenario – Unknown external influences coerce the employees into espionage or identity theft leads to failure of BS7858. Control: All employees to the ARC are screened in accordance with BS7858:2008 incorporating personal credit checks to mitigate potential threats from external influences for espionage. (vi) Human Error Failure Scenario – Unexpected removal of information due to error by the individual 10-404788-3 206 Control: Training is deployed to all new staff and the ARC employs continual improvement methodology from ISO9001 with regular reviews to highlight area of development for the individual. (vii) Control of removable media Failure Scenario – Unauthorized employee uses removable media on site. Control: All USB memory devices on stationary operational systems are checked for virus/malware on insertion with auto play been disabled. Only authorized personnel are allowed to use removable media. Database access unless through the client application is restricted with reporting functionality only carried out by authorised personnel. Even though MP3 players are larger than a small memory sticks the ability to store large amounts of information on the small memory stick is still valid and so classified in the same risk category as mp3 players. (h) Encryption Failure Scenario – Information is gleaned form a snoop on the IP transmission. Control: VPN tunnels with encryption are used on some point to point connections with customer systems. Encryption between the ARC and ARC DR incorporates IPSec DES encryption. (i) Remote access Failure scenario - remote access by trainers, account management staff or head office staff Control: Remote access to the Group network is available to all Reliance users with the VPN client installed on their laptop. This is protected with IKE 3DES SHA1 encryption, and an issued certificate, user name and password- The Service Desk software and e-mail system is hosted on the Group Network, both applications have additional basic authentication. Remote access to the Remote Monitoring Services network is protected by an additional firewall. This is a dedicated network that the ARC runs from, and traffic policies exist relating to what data can come to and from the Group network. Remote connections to this network exist via IPSEC tunnels to the DR site and Monitor Computer Systems (The software supplier) for remote support. 10-404788-3 207 Schedule 15 Marketing and Communications 1 Initial Marketing & Communications 1.1 Publicity & Communications (a) On contract award the Supplier shall provide a dedicated marketing and communications team to work with the Authority to promote the Service; (b) The Authority and Customer have an obligation to promote the delivery of the Framework Agreement which the Supplier shall support. The Authority and the Supplier will undertake a national publicity campaign when the Agreement Framework is signed. At commencement and throughout the contract period for delivery Services, the Customer and Supplier shall publicise widely to patients, service users, stakeholders and the public, the use of lone worker services by NHS staff. The Customer will support the Supplier marketing and publicity strategy and ensure that NHS facilities to which the public access contain information on the use of lone worker services in that health body. (c) The Supplier shall: (i) Work in partnership with the Authority to establish and agree the specific publicity and communication requirements for the Service; and (ii) Collate all the available contact details for marketing and publicity purposes to Stakeholders including but not limited to: (iii) 10-404788-3 (A) Users; (B) Customers; (C) Authorities; (D) Representative bodies; such as UNISON, RCN etc. Create and maintain a dedicated web site for the Service specific to the Authority’s needs with detailed information for Customers and Users. The website will act as the central point of information for all marketing and communications activity and to ensure that relevant material is available online for all interested parties. The website will include but not be limited to: (A) A User interface for enquiries; (B) Frequently Asked Questions; (C) News and Bulletins; (D) Updates and new Customer listings; (E) Web conference training; (F) Authority Funding Guidance; 208 1.2 Details of Events, Seminars and Roadshows; (H) Case Studies; (I) User Group Forums; and (J) Service Video. (iv) Create a Press Briefing Pack providing full details of the Service with relevant information on the Supplier and Authority. (v) Distribute Press releases and marketing material including electronic direct marketing to all interested parties promoting the Service. (vi) The Authority will accept and test the content of all Supplier materials and images, as defined in the Implementation Plan in accordance with the Operational Change Procedure as detailed in schedule 8 (Agreement Change Procedure). Any further amendments shall be in accordance with the same procedure (Operational Change Procedure - schedule 8). Supplier materials and images will be compliant with NHS branding requirements. Marketing Campaign (a) (b) 10-404788-3 (G) The Supplier shall deliver a marketing campaign which ensures effective communication which meets the diverse needs of all relevant parties. In particular the following key messages will be incorporated into all activity: (i) Users – demonstrating the Authority’s commitment to take appropriate steps to better protect their personal security and safety, while they are in lone working situations; (ii) Customers – delivering a targeted sales strategy to ensure the maximum adoption of the Service to include identifying and working with ‘early adopters’ to exceed the target of 30,000 devices deployed within the first 12 months; (iii) Stakeholders – demonstrating the partnership approach taken between the Supplier and the Authority to ensure adoption of the Service so as to aid the development of a wider pro-security culture; (iv) General Public – raising awareness to support the overall objective of safeguarding NHS Staff; by engendering public and community support against the small minority of persons who present risks to staff. Consistent with the publicity requirements identified in the QC’s advice. As part of the initial marketing campaign the Supplier shall liaise with the Authority to ensure that the correct messages are being transmitted at all times to ensure that an effective balance is achieved between securing the required deterrent effect and ensuring that staff are not put at any further risk. In particular, the Supplier shall ensure that at all times communications does not: (i) Scare Users, Customers or the public by overplaying the risks to lone workers; (ii) Use violent or threatening imagery; (iii) Imply that technology alone can solve all problems; and 209 (iv) (c) Give the impression that the service will absolve managers of all their legal obligations to protect workers. The Supplier shall: (i) Ensure a presence in all relevant media publications during the initial ramp up period by means of news articles, editorials and press releases; (ii) Create marketing collateral including cases studies, brochures, flyers and electronic direct marketing material about the Service; (iii) Design and produce posters and an exhibition stand for attending events to promote the Service; (iv) Identify relevant conference, exhibition and seminar events for networking, sponsorship and exhibiting purposes and attend these events where appropriate to ensure publicity generation; (v) Create and maintain a publicity library recording details of relevant material published in journals, websites and news articles which can be referred to for future use by all interested parties; (vi) Create and maintain a library of PowerPoint presentations to assist and support the marketing campaign; specific to the audience; (vii) Effect introductions to all interested parties, advising them of the services about to be provided; (viii) Develop an email newsletter service for potential customers as part of an electronic direct marketing campaign; (ix) Research existing forums and User groups to identify suitable locations and events to host road show events promoting the service. The Supplier will then organise and host events for prospective customers on a regional basis; (x) Monitor the results of initial ramp up marketing activity and arrange visits to interested parties who have responded to the initial PR launch; (xi) Provide quarterly management information reports on marketing and communication activity undertaken and the results achieved; and (xii) Commit to maintaining awareness as a key element of the Publicity requirement and ensure that any Marketing needed will increase/expand to address take-up. 2 Ongoing Marketing & Communications 2.1 Publicity & Communications. The Supplier shall: 10-404788-3 (d) Deliver marketing material, in partnership with Customers and the Authority, to raise awareness of the Service over the long term, but especially to ensure the early take up of the Service by ‘early adopters’; (e) Seek permission from the Authority to publicise appropriate incidents; (for example a sanction pursued against an offender) that clearly demonstrates the problems encountered by lone workers and the measures put in place to protect them; 210 10-404788-3 (f) Provide information and material as appropriate about the Service and how it provides a solution to the problems faced by staff. For example supplying audio recordings of verbal abuse which lead to a successful prosecution; which can then be used to generate publicity about the solution so that future offenders may be deterred from assaulting staff. As part of this process the Supplier will play a key role in identifying appropriate material for both local and national publicity to help create a strong deterrent effect, in respect of protecting users; (g) Maintain a consistent and reoccurring set of communications to maintain a high profile over the long term. This will be achieved by collation of newsworthy articles, advertising, editorials and promoting real life case studies which have been approved by the Authority; (h) Shift the publicity and communications activity after the initial 12 months towards those Trusts and Bodies who have not yet sought to acquire the Service. Direct approaches will be made to establish the causes, such as: (i) Why they have put off making a buying decision; (ii) Their reasons for not benefiting from the available funding; and (iii) Any lack of understanding with regard to the Service. (i) Adapt publicity and communications activity in response to this feedback with the help of specific case studies other marketing collateral to demonstrate successful implementations with clear indications of the benefits achieved; (j) Identify and allocate resources that can be used as part of the ongoing marketing activity through relationships with interested parties including but not limited to the following: (i) Staff and Employee Representative Bodies – attendance at national conferences with exhibition material and speeches communicating the benefits of the service; (ii) Crime & Disorder Partnerships – publicity and communications activity with all partnerships in England, providing literature and information on the service; (iii) Emergency Services – liaison and attendance at relevant events such as ACPO conference, Ambex and the Emergency Services show; (iv) Local Security Management Specialists – attendance at quarterly regional LSMS meetings in England to communicate services available and the benefits; (v) Health & Safety Executive – attendance at national and regional events and safety awareness days with promotional material; (vi) Patients Association Patient Advice and Liaison Service (PALS)/Charity Groups – production of publicity and communications material specifically for public consumption advising of the Services and the benefits of improved safety and care; 211 2.2 10-404788-3 (vii) Award Events – submission of case studies and evidence for relevant award ceremonies related to safety and innovation which can raise the profile of the Service; and (viii) Supplier organised road show events at existing Customer locations, inviting nearby regional bodies to attend and see the Service in operation and hear the experiences of current users. Marketing Campaign. After the initial launch of the contract the Supplier shall undertake the following regular activity as part of the marketing campaign: (a) Weekly updates to the Website, with news and events information to ensure all interested parties are kept updated on the latest information about the Services; (b) Monitoring of website usage, hits and reacting to expressions of interest received to electronic direct marketing activity to ensure maximum awareness of the Service; (c) Visits to interested Customers by their sales representative’s staff to provide all additional material and information needed; (d) Press release updates, advertising and editorials issued to ensure market positioning throughout the contract period containing information on the latest developments in the Service and any new product solutions available to Customers; (e) Focused newsletter distribution and electronic direct marketing campaigns on those potential customers identified as most likely to take up the Service; (f) Sponsorship and promotion at seminars, conferences and exhibitions identified as relevant to the service which could help raise general awareness; (g) Provision of meeting dates for User group and road show events with existing and prospective customers on a national and regional basis to ensure maximum exposure; (h) Collation of the details of incidents received and monitored by the ARC which are suitable for marketing campaign activity; (i) Liaison with the Authority to discuss such PR activity relating to real life incidents and their suitability for use in marketing activity; (j) Maintenance of a publicity library of relevant news articles and publications for use by all interested parties; (k) Monitoring the effectiveness of marketing campaign activity to target audiences and then adjusting activity and material accordingly in response to feedback in order to support the contract objectives; (l) Ongoing maintenance and review of the Customer relationship management database and adherence to data protection laws. Ensuring that all information held is relevant, current and necessary. This activity will include the removal of contact details for persons who have requested removal from future marketing campaign activity; and (m) Monitoring environmental impact of the publicity and communications activity by seeking to reduce waste and minimising unnecessary use of paper and printing materials. This will include ensuring that as much of the marketing material as 212 possible is available in electronic format for distribution by email or on the website to download. The marketing campaign specified above will be provided by the Supplier up to a maximum expenditure as specified in schedule 5 (Maximum Charges). 10-404788-3 213 Schedule 16 Part 1- Exit Assistance 1 Introduction 1.1 This schedule details the agreed exit assistance services that will be provided by the Supplier on termination or expiry of the Agreement, and Contract(s). 2 Exit Assistance in Preparation for Exit and/or on Termination or Expiry of the Framework Agreement 2.1 At any time during or on exit of the Agreement the Supplier shall provide at the request of the Authority, on up to 3 separate occasions and in the format required by the Authority the following items at no charge to the Authority: (a) (b) (c) 10-404788-3 Twelve months of data, where the Agreement is terminated before there is twelve months of data the Supplier should provide data for the entire period of the Agreement. Data to be cut on a monthly basis detailing: (i) Customer numbers; (ii) the total number and average duration of Red Alerts; (iii) the total number and average duration of Amber Alerts; (iv) the total number of Status Checks; (v) the total number of Service Desk calls broken down by type of call and their average duration; and (vi) the total number of cases referred to second line technical support and their average duration. Using at least 12 months of data, the Supplier shall provide a report when requested by the Authority, on up to 3 separate occasions, providing the following information: (i) the average product life of each current Device; (ii) total yearly number of Device failures (broken down by type and model of Device) and the reason for failure; (iii) total yearly number of Devices that are replaced as a result of (1) loss; (2) damage; or (3) theft. Contracting information which details the: (i) current Customer contracting entities; (ii) Authorised Customer Representative contact details for the current Customers; (iii) the remaining term for the current Contract(s) (broken down by Customer), to include information on number of remaining Contract extension(s). 214 2.2 The Supplier shall agree with the Authority a handover plan for all of the Supplier's responsibilities as set out in the Security Plan, in Appendix 1 of schedule 14 (Security Policy). The Supplier will cooperate fully in the execution of the agreed plan, and provide skills and expertise of a suitable standard. 2.3 In addition to the exit assistance services detailed in paragraph 2.1 and 2.2 the Supplier shall provide any additional termination assistance as requested by the Authority, and such assistance shall be chargeable at rates calculated in accordance with the principles detailed in paragraph 9 of schedule 5 (Maximum Charges). 3 Exit Assistance in Preparation for Exit and/or on Termination or Expiry of a Customer Contract 3.1 At any time during or on exit of a Contract the Supplier shall provide at the request of a Customer, on up to 3 separate occasions and in the format required by the Customer, the following items at no additional charge to the Customer: (a) (b) (c) 10-404788-3 Twelve months of Customer data, where Contract(s) are terminated before there is twelve months of data the Supplier should provide consolidated Customer data for the entire period of the Contract cut on a monthly basis, which details for that Customer: (i) the total number and average duration of Red Alerts; (ii) the total number and average duration of Amber Alerts; (iii) the total number of Status Checks; (iv) the total number of Service Desk calls broken down by type of call and their average duration; and (v) the total number of cases referred to Supplier second line technical support and their average duration. Using at least 12 months of data the Supplier shall provide a report when requested by the Customer, on up to 3 separate occasions, providing the following information: (i) the average product life of each current Device; (ii) total yearly number of Device failures (broken down by type and model of Device) and the reason for failure; (iii) total yearly number of Devices that are replaced as a result of (1) loss; (2) damage; or (3) theft. Contracting information which details for that Customer an aggregated list containing information for each remaining Contract, which shall include the: (i) expiry date; (ii) number of remaining Contract extension(s); (iii) names of Users assigned to each Contract; (iv) name of the Authorised Customer Representative; and (v) name of the Customer department. 215 3.2 Six months prior to Contract expiry, or immediately in the case of early termination, the Supplier shall contact the Customer to agree the means by which the Customer requires recordings to be transferred from the Supplier to the Customer. The Authority shall have the right to specify at its sole discretion, and the Supplier shall ensure that: (a) recordings are transferred to the Customer or a specified third party in the format specified by the Customer; or (b) recordings are retained by the Supplier for the period of time required by the Contract. There shall be no additional cost associated with this requirement as this has been built into the Maximum Charges pricing. 3.3 In addition to the exit assistance services detailed in paragraph 3.1 and 3.2 the Supplier shall provide additional termination assistance as requested by the Customer, such assistance shall be chargeable at the rates calculated in accordance with the principles detailed in paragraph 9 of the Maximum Charges schedule of the Agreement or 2-3 of the Contract. 3.4 On expiry or termination of a Contract, the Customer shall use reasonable endeavours to collect Devices from Users, and return them to the Supplier, for disposal in accordance with the Waste Electrical and Electronic Equipment Regulations 2006 (WEEE). 3.5 Within 45 days of expiry or termination of a Contract the Supplier may contact the Customer, once only, providing details to the Customer of those Devices not yet returned to the Supplier pursuant to paragraph 3.4, and requesting the return of the same. Thereafter the Supplier accepts that it will have no further claim in relation to the Devices, but shall accept any Devices that may be returned by Customers for disposal in accordance with WEEE. Part 2– Staff Transfer 1 Definitions For the purposes of this Part 2 the following definitions shall apply: Employee Liabilities means all claims, including claims for redundancy payments, unlawful deduction of wages, unfair, wrongful or constructive dismissal compensation, compensation for sex, race or disability discrimination, claims for equal pay, compensation for less favourable treatment of part-time workers, and any claims (whether in tort, contract or statute or otherwise), demands, actions, proceedings and any award, compensation, damages, tribunal awards, fine, loss, order, penalty, disbursement, payment made by way of settlement and costs and expenses reasonably incurred in connection with a claim or investigation (including any investigation by the Equality and Human Rights Commission or other enforcement, regulatory or supervisory body and of implementing any requirements which may arise from such investigation), and any legal costs and expenses Employment Regulations means the Transfer of Undertakings (Protection of Employment) Regulations 2006 (SI 2006/246) as amended or replaced or any other Regulations implementing the Council Directive 77/187/EEC on the approximation of the laws of the Member States relating to the safeguarding of employees' rights in the event of transfers of undertakings, businesses or parts of undertakings or businesses Final Staff List means the relevant list of all Supplier Personnel engaged in or wholly or mainly assigned to, the provision of the Services or any part of the Services at the date of the Service Transfer 10-404788-3 216 Provisional Staff List means a list prepared and updated by the Supplier of all Supplier Personnel who are engaged in or wholly or mainly assigned to, the provision of the Services or any part of the Services as at the date of such list Relevant Transfer has the meaning given to it in the Employment Regulations Replacement Contractor means any third party service provider of Replacement Services appointed by the Authority from time to time Replacement Services any services which are substantially similar to any of the Services and which the Authority receives in substitution for any of the Services following the expiry or termination of this Agreement whether in whole or in part, whether those services are provided by the Authority internally and/or by any third party Staffing Information means in relation to all persons named on the Provisional Staff List, such information as the Authority may reasonably request (subject to Data Protection Requirements), but including in an anonymised format: (a) their ages, dates of commencement of employment or engagement and gender (b) details of whether they be employed, self employed contractors or consultants, agency workers or otherwise (c) the identity of the employer or relevant contracting party (d) their relevant contractual notice periods and any other terms relating to termination of employment, including redundancy procedures, and redundancy payments (e) the wages, salaries, profit sharing (f) details of other employment related benefits, including (without limitation) medical insurance, life assurance, pension or other retirement benefit schemes, share option schemes and company car schedules applicable to them (g) any outstanding or potential contractual, statutory or other liabilities in respect of such individuals (including in respect of personal injury claims) (h) details of any such individuals on long term sickness absence, parental leave, maternity leave or other authorised long term absence (i) copies of all relevant documents and materials relating to such information, including copies of relevant contracts of employment (or relevant standard contracts if applied generally in respect of such employees) and (j) any other "employee liability information" as such term is defined in Regulation 11 of the Employment Regulations Service Transfer means has the meaning given in paragraph 3 of schedule 16 part 2 (Staff Transfer) Service Transfer Date means the date of a Service Transfer Supplier Party means the Supplier's agents and contractors, including each Sub-Contractor Transferring Employee means those Supplier Personnel who are listed on the Provisional Staff List (or who are added in accordance with paragraph 4.6 of this schedule) and who are wholly or mainly 10-404788-3 217 assigned to the Services (or the relevant part thereof) immediately before the relevant Service Transfer Date 2 Purpose of this schedule This schedule sets out the parties respective right and obligations in relation to the application of the Employment Regulations to this Framework Agreement 3 Application of the employment regulations on termination or at the end of the term The Framework Agreement envisages that, subsequent to the commencement of the provision of the Services, the identity of the provider of the Services (or any part of the Services) may change (whether as a result of termination of this Framework Agreement, or part, or otherwise) resulting in the Services or related services being undertaken by the Authority or a Replacement Contractor. Such change in the identity of the supplier of such services shall be a "Service Transfer". The parties acknowledge that a Service Transfer will be a Relevant Transfer and in such event, the Authority, or a Replacement Contractor, would inherit liabilities in respect of the Transferring Employees. Accordingly, the Employment Regulations will apply. 4 Pre-service transfer obligations 4.1 The Supplier agrees, subject to compliance with the Data Protection Requirements that within 20 Working Days of the earliest of: (a) receipt of a notification from the Authority of a Service Transfer or intended Service Transfer; or (b) receipt of the giving of notice of early termination of this Framework Agreement or any part thereof; or (c) the date which is 12 months before the end of the Term; or (d) receipt of a written request of the Authority at any time (provided that the Authority shall only be entitled to make one such request in any six month period), it will provide the Provisional Staff List and the Staffing Information to the Authority or, at the direction of the Authority, to a Replacement Contractor and it will provide an updated Provisional Staff List at such intervals as are reasonably requested by the Authority. 4.2 At least 14 Working Days prior to the Service Transfer Date, the Supplier shall prepare (subject to compliance with Data Protection Requirements) and provide, or as appropriate procure that the Supplier Party shall prepare and provide, to the Authority or, at the direction of the Authority, the Replacement Contractor, the Final Staff List and the Staffing Information, which shall be complete and accurate in all material respects. The Final Staff List shall identify which of the Supplier Personnel named shall be Transferring Employees. The Final Staff List will be suitably anonymised so as to comply with Data Protection Requirements. 4.3 Subject to compliance with the Data Protection Requirements, the Authority shall be permitted to use and disclose the Provisional Staff List, the Final Staff List and the Staffing Information for informing any tenderer or other prospective Replacement Contractor for any services which are substantially the same type of services (or any part thereof) as the Services, provided that the Authority imposes on such third party obligations of confidence that are no less onerous than the Authority has to the Supplier in relation to that information. 10-404788-3 218 4.4 Upon reasonable request by the Authority and subject to compliance with the Data Protection Requirements, the Supplier shall provide, and shall procure that each Supplier Party shall provide, the Authority or at the request of the Authority, the Replacement Contractor, with access (on reasonable notice and during normal working hours) to such employment records as the Authority reasonably requests and will allow the Authority or the Replacement Contractor to have copies of any such documents. 4.5 The Supplier warrants that the Provisional Staff List, the Final Staff List and the Staffing Information will be true and accurate in all material respects. 4.6 In respect of each Service Transfer, from the date of the earliest event referred to in paragraphs 4.1(a) to 4.1(c) above, the Supplier agrees that it will not, and agrees to procure that each Supplier Party will not, other than in the ordinary course of business, assign any person to the provision of the Services (or the relevant part) which is the subject of a Service Transfer who is not listed in the Provisional Staff List and will not, other than in the ordinary course of business, without the prior written consent of the Authority (such consent not to be unreasonably withheld or delayed): (a) increase the total number of employees listed on the Provisional Staff List save for fulfilling assignments and projects previously scheduled and agreed; (b) make, propose or permit any material changes to the terms and conditions of employment of any employees listed on the Provisional Staff List, (c) increase the proportion of working time spent on the Services (or the relevant part) by any of the Supplier Personnel save for fulfilling assignments and projects previously scheduled and agreed; (d) introduce any new contractual or customary practice concerning the making of any lump sum payment on the termination of employment of any employees listed on the Provisional Staff List; (e) replace any Supplier Personnel listed on the Provisional Staff List or deploy any other person to perform the Services (or the relevant part) or terminate or give notice to terminate the employment or contracts of any persons on the Provisional Staff List save for: (f) 4.7 the execution of assigned operations as detailed in 4.6(a) and 4.6(c); and/or (ii) replacing voluntary resignations or staff terminated by due disciplinary process to satisfy the fulfilment of previously agreed work streams provided that any replacement is employed on the same terms and conditions of employment as the person he/she replaces; and the Supplier will promptly notify or as appropriate will procure that the Supplier Party will promptly notify the Authority or, at the direction of the Authority, the Replacement Contractor of any notice to terminate employment given by the Supplier or any Supplier Party or received from any persons listed on the Provisional Staff List regardless of when such notice takes effect. Within 7 Working Days following the Service Transfer Date, the Supplier will provide to the Authority or any Replacement Contractor, in respect of each person on the Final Staff List who is a Transferring Employee: (a) 10-404788-3 (i) the most recent month's copy pay slip data; 219 (b) details of cumulative pay for tax and pension purposes; (c) details of cumulative tax paid; (d) tax code; (e) details of any voluntary deductions from pay; and (f) bank/building society account details for payroll purposes. 5 The Supplier's indemnity 5.1 In connection with a Relevant Transfer under paragraph 3 of this schedule, the parties agree that: (a) (b) the Supplier will, and shall procure that any Supplier Party will, perform and discharge all its obligations in respect of all the Transferring Employees and their representatives for its own account up to and including the Service Transfer Date. The Supplier will indemnify the Authority and any Replacement Contractor against all Employee Liabilities arising from the Supplier's, or any Supplier Party's, failure to perform and discharge any such obligation and against any Employee Liabilities arising from or as a result of (i) any act or omission by the Supplier or any Supplier Party occurring on or before the Service Transfer Date or any other matter, event or circumstance occurring or having its origin before the Service Transfer Date save simply for accrual of service before that date; (ii) all emoluments and outgoings in relation to the Transferring Employees (including without limitation all wages, bonuses, PAYE, national insurance contributions, pension contributions and otherwise) payable in respect of any period on or before the Service Transfer Date; (iii) any claim arising out of the provision of, or proposal by the Supplier or any Supplier Party to offer any change to any benefit, term or condition or working condition of any Transferring Employee arising on or before the Service Transfer Date; (iv) any claim made by or in respect of any person employed or formerly employed by the Supplier or any Supplier Party other than a Transferring Employee for which it is alleged the Authority or any Replacement Contractor may be liable by virtue of this Framework Agreement and/or the Employment Regulations; the Supplier will indemnify the Authority and any Replacement Contractor against all Employee Liabilities arising from: (i) 10-404788-3 any act or omission of the Supplier or any Supplier Party in relation to its obligations under Regulation 13 of the Employment Regulations, or in respect of an award of compensation under Regulation 15 of the Employment Regulations except to the extent that the liability arises from the Authority or a Replacement Contractor's failure to comply with Regulation 13(4) of the Employment Regulations; 220 (ii) any breach by the Supplier or any Supplier Party of any and/or all of its obligations under paragraph 4 of this schedule; and/or (iii) any statement communicated to or action done by the Supplier or any Supplier Party to, or in respect of, any Transferring Employee on or before the Service Transfer Date regarding the Service Transfer which has not been agreed in advance with the Authority in writing subject to the timely availability of the Authority. 5.2 The Supplier will indemnify the Authority and any Replacement Contractor in respect of any Employee Liabilities arising from any act or omission of the Supplier or any Supplier Party in relation to any other Supplier Personnel who is not a Transferring Employee during any period whether before, on or after the Service Transfer Date. 5.3 If any person who is not a Transferring Employee claims or it is determined that his contract of employment has been transferred from the Supplier or any Supplier Party to the Authority, or a Replacement Contractor pursuant to a Relevant Transfer, or claims that his employment would have so transferred had he not resigned, then: (a) the Authority or the Replacement Contractor will, within 20 Working Days of becoming aware of that fact, give notice in writing to the Supplier; (b) the Supplier may offer (or may procure that a Supplier Party may offer) employment to such person within 20 Working Days of the notification by the Authority or the Replacement Contractor; (c) if such offer of employment is accepted, the Authority or the Replacement Contractor shall immediately release the person from his employment; (d) if after that period has elapsed, no such offer of employment has been made or such offer has been made but not accepted, the Authority or the Replacement Contractor may within 15 Working Days give notice to terminate the employment of such person; (e) Subject to the Authority or the Replacement Contractor acting in this way or in such other way as may be agreed between the Supplier and the Authority or the Replacement Contractor, the Supplier will indemnify the Authority and the Replacement Contractor against: (f) (i) all Employment Liabilities arising out of such termination or otherwise arising out of the employment of such person by the Authority or a Replacement Contractor; and/or (ii) any direct employment costs (if any) associated with the employment of such person by the Authority or the Replacement Contractor up to the date of termination of such persons employment. If such person is neither re-employed by the Supplier or any Supplier Party nor dismissed by the Authority or the Replacement Contractor within the time scales set out in this paragraph 5.3, such person will be treated as a Transferring Employee. 6 The Authority's indemnities 6.1 Subject to paragraphs 5 and 7, the Authority shall indemnify the Supplier and any Supplier Party against all Employee Liabilities arising from the Authority's or the Replacement 10-404788-3 221 Contractor's failure to perform and discharge any obligation and against any Employee Liabilities in respect of the Transferring Employee arising from or as a result of: (a) any act or omission by the Authority or the Replacement Contractor relating to a Transferring Employee occurring on or after the Service Transfer Date; (b) all emoluments and outgoings in relation to the Transferring Employees (including without limitation all wages, bonuses, PAYE, national insurance contributions, pension contribution and otherwise) payable after the Service Transfer Date; (c) any claim arising out of the provision of, or proposal by the Authority or any Replacement Contractor to offer any change to any benefit, term or condition or working condition of any Transferring Employee arising after the Service Transfer Date; (d) any failure by the Authority or any Replacement Contractor to comply with the obligations imposed on a transferee by Regulation 13(4) of the Employment Regulations in respect of the transfer of any Transferring Employees on the Service Transfer Date except to the extent such failure is caused by or related to an act or omission of the Supplier or any Supplier Party. 7 Mutual obligations 7.1 The parties shall co-operate to ensure that any requirement to inform and consult with the employees and or employee representatives in relation to a Relevant Transfer will be fulfilled. 7.2 The Authority will assume (or will procure that the Replacement Contractor, as the case may be, will assume) the outstanding obligations of the Supplier and any Supplier Party in relation to the Transferring Employees in respect of accrued holiday entitlements and accrued holiday remuneration to the Service Transfer Date. In consideration, the Supplier will or will procure that any Supplier Party will pay to the Authority (or the Replacement Contractor as the case may be) within 14 days of the Service Transfer Date the full amount necessary to enable the Authority or the Replacement Contractor to meet the cost of providing any such untaken holiday entitlements and remuneration as at the Service Transfer Date. The Authority or the Replacement Contractor, as the case may be, will reimburse the Supplier and any Supplier Party any amount paid by the Supplier or the Supplier Party before the Service Transfer Date in respect of holidays taken in excess of any Transferring Employee's entitlement to paid holiday in respect of the period ending on the Service Transfer Date. 8 Third party rights The parties agree that the Contracts (Right of Third Parties) Act 1999 shall apply to paragraphs 4, 5, 6, 7 and 10 of this schedule to the extent necessary that any Replacement Contractor and Supplier Party shall have the right to enforce the obligations owed to, and indemnities given to, the Replacement Contractor by the Supplier or the Authority to the Supplier Party. 9 Provisions where transfer regulations do not apply 9.1 The following provisions shall apply in the event of a Service Transfer to which the Employment Regulations do not apply: (a) 10-404788-3 the Authority or the Replacement Contractor can, in its discretion, make to any of the employees listed on the Provisional Staff List or any Supplier Personnel assigned to the Services an offer, in writing, to employ that employee under a new contract of 222 employment to take effect on the day after the termination referred to in paragraph 9.1(f) below of this schedule or at the earliest reasonable opportunity; (b) when the offer has been made by the Authority or Replacement Contractor and accepted by any employee or worker, the Supplier shall, and shall procure that any Supplier Party shall, permit the employee or worker to leave its employment, as soon as practicable depending on the business needs of the Supplier, which could be without the employee or worker having worked his full notice period, if the employee so requests and where operational obligations allow; (c) if the employee does not accept an offer of employment made by the Authority or Replacement Contractor, the employee shall remain employed by the Supplier (or the Supplier Party, as the case may be) and all Employee Liabilities in relation to the employee shall remain with the Supplier or the relevant Supplier Party; (d) if the Authority or the Replacement Contractor does not make an offer to any employee on the Provisional Staff List or any Supplier Personnel, then that employee and all Employee Liabilities in relation to that employee remains with the Supplier or relevant Supplier Party. 10 Conduct of claims 10.1 This paragraph 10 shall apply to the conduct, by a party from whom an indemnity is sought under this schedule, of claims made by a third person against a party having (or claiming to have) the benefit of the indemnity. The party having, or claiming to have, the benefit of the indemnity is referred to as the "Beneficiary" and the party giving the indemnity is referred to as the "Indemnifier". 10.2 If the Beneficiary receives any notice, demand, letter or other document concerning any claim for which it appears that the Beneficiary is, or may become entitled to, indemnification under this schedule ("Claim"), the Beneficiary shall given notice to the Indemnifier as soon as reasonably practicable and in any event within 10 Working Days of receipt of the same. 10.3 Subject to paragraphs 10.4 and 10.5, on the giving of a notice by the Beneficiary pursuant to paragraph 10.2 above, where it appears that the Beneficiary is or may be entitled to indemnification from the Indemnifier in respect of all (but not part only) of the liability arising out of the Claim, the Indemnifier shall (subject to providing the Beneficiary with a secured indemnity to its reasonable satisfaction against all costs and expenses that it may incur by reason of such action) be entitled to dispute the Claim in the name of the Beneficiary at the Indemnified own expense and take conduct of any defence, dispute, compromise or appeal of the Claim and of any incidental negotiations relating to the Claim. If the Indemnifier does elect to conduct the Claim, the Beneficiary shall give the Indemnifier all reasonable co-operation, access and assistance for the purposes of such Claim and, subject to paragraph 10.5 below, the Beneficiary shall not make any admission which could be prejudicial to the defence or settlement of the Claim without the prior written consent of the Indemnifier. 10.4 With respect to any Claim conducted by the Indemnifier pursuant to paragraph 10.3 above: 10-404788-3 (a) the Indemnifier shall keep the Beneficiary fully informed and consult with it about material elements of the conduct of the Claim; (b) the Indemnifier shall not bring the name of the Beneficiary into disrepute; (c) the Indemnifier shall not pay or settle such Claim without the prior written consent of the Beneficiary, such consent not to be unreasonably withheld or delayed; and 223 (d) 10.5 the Indemnifier shall conduct the Claim with all due diligence. The Beneficiary shall be entitled to have conduct of the Claim and shall be free to pay or settle any Claim on such terms as it thinks fit and without prejudice to its rights and remedies under this Agreement if: (a) the Indemnifier is not entitled to take conduct of the Claim in accordance with paragraph 10.3 above; (b) the Indemnifier fails to notify the Beneficiary of its intention to take conduct of the relevant Claim within 10 Working Days of the notice from the Beneficiary under paragraph 10.2 above or if the Indemnifier notifies the Beneficiary that it does not intend to take conduct of the Claim; or (c) the Indemnifier fails to comply in any material respect with the provisions of paragraph 10.4 above. 11 Sensitive claims 11.1 With respect to any Claim for which the Authority or the Supplier or the Supplier Party are the Beneficiary and the conduct of which the Authority or Supplier acting reasonably, considers is likely to have an adverse impact on the general public's perception of the Authority or the Supplier or the Supplier Party ("Sensitive Claim"), the Indemnifier shall only be entitled to take conduct of any defence, dispute, compromise or appeal of the Sensitive Claim with the Beneficiary's prior written consent. If the Beneficiary withholds such consent and elects to conduct the defence, dispute, compromise or appeal of the Sensitive Claim itself, it shall conduct the Sensitive Claim with all due diligence and if any failure to do so results in an increase in the amount recoverable by the Beneficiary in respect of an indemnity under this Agreement, the Indemnifier shall only be liable to indemnify the Beneficiary in respect of that amount which would have been recoverable by the Beneficiary had it conducted the Sensitive Claim with all due diligence. 11.2 The Beneficiary shall be free at any time to give written notice to the Indemnifier that it is retaining or taking over (as the case may be) the conduct of any Claim, to which paragraph 10.3 above applies notwithstanding that it does not have the right to do so pursuant to paragraph 10.3 if, in the reasonable opinion of the Beneficiary the Claim is, or has become, a Sensitive Claim. In such cases, the provisions of paragraph 11.1 above shall apply. 12 Recovery of sums 12.1 If the Indemnifier pays to the Beneficiary an amount in respect of an indemnity and the Beneficiary subsequently recovers (whether by payment, discount, credit, saving, relief or other benefit or otherwise) a sum which is directly referable to the fact, matter, event or circumstances giving rise to the Claim, the Beneficiary shall forthwith repay to the Indemnifier whichever is the lesser of 10-404788-3 (a) an amount equal to the sum recovered (or the value of the discount, credit, saving, relief, other benefit or amount otherwise obtained) less any out-of-pocket costs and expenses properly incurred by the Beneficiary in recovering or obtaining the same; and (b) the amount paid to the Beneficiary by the Indemnifier in respect of the Claim under the relevant indemnify, 224 provided that there shall be no obligation on the Beneficiary to pursue such recovery and that the Indemnifier is repaid only to the extent that the amount of such recovery aggregated with any sum recovered from the Indemnifier exceeds any loss sustained by the Beneficiary (including for this purpose any indirect Losses sustained by the Beneficiary which may be excluded by this Agreement from being recovered from the Indemnifier). 13 Insurance 13.1 Any person taking any of the steps contemplated by paragraphs 10.2 to 11.1 shall comply with the requirements of any insurer who may have an obligation to provide an indemnity in respect of any liability arising under this Agreement 14 Mitigation 14.1 Each of the Authority and the Supplier shall at all times take all reasonable steps to minimise and mitigate any loss for which the relevant party is entitled to bring a claim against the other party pursuant to the indemnities in this schedule. 15 Taxation 15.1 If any payment by one party under an indemnity in this Agreement is subject to income tax or corporation tax (or any tax replacing either or both of them) in the hands of the recipient (or a withholding made by the paying party in respect of tax), the recipient may demand in writing to the party making the payment that the payment shall be increased by such amount as would ensure that, after taking into account any such tax payable in respect of such additional amount, the recipient receives and retains a net sum equal to the amount it would have otherwise received had the payment not been subject to such tax or withholding. 10-404788-3 225 Schedule 17 Standards and Regulations 1 User Devices; 1.1 All Device variants shall comply with the following standards: (a) European and International Standards (b) Approved GSM Telecommunications modules (c) R&TTE – Radio and Telecommunication Terminal Equipment Directive (d) FCC – Federal Communications Commission (USA) (e) UL – Underwriters Laboratories Inc (f) IC – Industry Canada (g) GCF – Global Certification Forum (h) PTCRB – North American Type Certification Review Board (i) CE – European Consumer Goods Quality Control (j) Local GSM network operator certifications (k) Devices tested and passed for SAR and EMC Compliance to European and International standards (l) All Devices shall incorporate approved battery modules with integrated safety circuits (m) All Devices shall conform with CE specification where applicable and shall be CE marked (n) Devices shall conform to EN55022 Emissions and susceptibility and the EEC low voltage directive User provided mobile phone handsets supported by the Supplier shall meet the mandatory requirements listed below: 1.2 (o) No flip phones (p) No key locks to be deployed (q) No touch screen phones (r) No phones where speed dials cannot be easily set up by the User (s) No ‘qwerty’ keyboard based phones Device Disposal The Supplier shall dispose of returned Devices in accordance with the Waste Electrical and Electronic Equipment Regulations 2006 (WEEE) where applicable. 10-404788-3 226 1.3 ARC Building The ARC building shall conform to BS5979 Cat ii accredited by the Security Systems and Alarm Inspection Board (SSAIB) which is a UKAS approved board. 1.4 User/Customer Communications and Data The handling of the communications and data by the Supplier shall comply with the following standards: 1.5 (a) ISO/IEC27002 and ISO/IEC27001 (b) Data Protection Act 1998 (c) Regulation of Investigatory Powers Act 2000 (RIPA) (d) Telecommunications (Lawful Business Practices) (Interception of Regulations 2000 (e) Telecommunications (Data Human Rights Act 1998 (f) The Suppliers Data Protection obligation’s in clause 22 and 23 of the Agreement and 20 and 21 of the Contract (g) BS7858: security screening of individuals employed in a security environment Protection and Privacy) Communications) Regulations 1999 Account Management The Supplier shall manage the Services adhering to the Information Technology Infrastructure Library (ITIL) framework of best practice approaches, intended to facilitate the delivery of high quality information technology (IT) services. 1.6 Networks The Supplier shall monitor that any Network provider supporting the Service, adhere to, as a minimum the following standards: ISO 9001:2000 Quality management systems & processes BS 25999 Business Continuity Management ISO 14001 Environmental management system ISO 9001 Registration upgraded from the 1994 to 2000 version. 1.7 Service Desk The Service Desk shall be located in the ARC building, which shall conform to BS5979 Cat ii accredited by the Security Systems and Alarm Inspection Board (SSAIB) which is a UKAS approved board. The Supplier shall also conform to the following Call Centre Association (CCA) standards: (a) 10-404788-3 Training and staff development 227 (b) Internal communication and dispute resolution (c) Compliance with legislative requirements (e.g. Data Protection, Health & Safety, Equal Opportunities, etc.) (d) Customer feedback procedures (e) Performance level monitoring (f) Complaints handling 2 Compliance with European and International Standards 2.1 All Device variants shall use approved GSM Telecommunications modules, and shall meet the following standards: (a) R&TTE – Radio and Telecommunication Terminal Equipment Directive (b) FCC – Federal Communications Commission (USA) (c) UL – Underwriters Laboratories Inc (d) IC – Industry Canada (e) GCF – Global Certification Forum (f) PTCRB – North American Type Certification Review Board (g) CE – European Consumer Goods Quality Control (h) Local GSM network operator certifications 2.2 The Supplier shall provide Devices that meet the Standard Absorption Rate (SAR) and Electromagnetic Compatibility (EMC) Compliance to European and International standards, and shall retain compliance as and when Standards are revised. (FCC approvals test reports available on request). Devices shall incorporate approved battery modules with integrated safety circuits. 2.3 All User Devices shall be designed to conform with CE specification, where applicable, and shall be CE marked. User Devices shall also conform to EN55022 Emissions and susceptibility and the EEC low voltage directive. 10-404788-3 228 Schedule 18 Insurance Requirements 1 Introduction 1.1 This Schedule 18 sets out the Insurance Requirements with which the Supplier shall comply with in its provision of the Ordered Services. 2 Requirements 2.1 The Supplier shall, during the Term and until the expiry or earlier termination of this Agreement: (a) maintain in force the following insurance policies: (i) public liability insurance for a minimum amount of £5 million on an each and every claims basis; (ii) employer’s liability insurance for a minimum amount of £10 million on an each and every claims basis; and (iii) product liability insurance for a minimum amount of £10 million on an each and every claims basis, (together “the Supplier Policies”); 10-404788-3 (b) do nothing to invalidate any of the Supplier Policies; (c) on reasonable request from the Authority produce to the Authority such documentary evidence of such insurance including copies of broker letters or cover notes relating to such insurance and payment of premiums for the Supplier Policies as the Authority may reasonably require; and (d) procure that the terms of the Supplier Policies shall not be altered in such a way as to diminish the benefit of the Supplier Policies as provided at the Effective Date. 229