Translate1. Definitions
In the Contract, unless the context otherwise requires, the following terms have the meanings given to them below:
“Affiliate” means in relation to a body corporate, any other entity which directly or indirectly Controls, is Controlled by, or is under direct or indirect common Control with, that body corporate from time to time;
“Baseline Security Requirements” means the schedule which provides the baseline mandatory security requirements for all Suppliers; “BCDR Plan” means any plan prepared pursuant to paragraph 1 of Schedule 3 (Business Continuity and Disaster Recovery), as may be amended from time to time;
“Breaches of Security” means the occurrence of:
“Business Continuity Plan” has the meaning given in paragraph 1.2.1(b) of Schedule 3 (Business Continuity and Disaster Recovery);
“Business Continuity Services” has the meaning given in paragraph 3.2.2 of Schedule 3 (Business Continuity and Disaster Recovery);
“CHECK Scheme” means the scheme for penetration testing of data processing systems operated by the National Cyber Security Centre;
“Clause” means a specific point or provision in these Terms and Conditions.
“Commencement Date” means the commencement date, as specified in the award letter.
“Commercial Envelope” means the pricing schedule section within the Public Contracts Scotland e-tendering portal.
"Confidential Information" means any information which has been designated as confidential by either Party in writing or that ought to be considered as confidential (however it is conveyed or on whatever media it is stored) including information the disclosure of which would, or would be likely to, prejudice the commercial interests of any person, trade secrets, Intellectual Property Rights and know-how of either Party and all Personal Data;
“Contract” means any formal Contract entered into between the Supplier and North Ayrshire Council for the supply of the Services. The documents that form part of the Contract include, but are not limited to, the ITT, Quick Quote Project Brief or Single Tender Action documents, the Supplier’s bid, any clarification sought as part of the procurement process, these Terms and Conditions and the award letter.
“Contract Administrator” means the member of the Purchaser’s staff appointed for the purposes of overseeing the Contract, monitoring the performance of the Supplier and ensuring that the standards of service specified in the Contract are delivered. The Contract Administrator and their deputy shall be named at contract award.
“Control” means the possession by a person, directly or indirectly, of the power to direct or cause the direction of the management and policies of the other person (whether through the ownership of voting shares, by contract or otherwise) and “Controls” and “Controlled” shall be interpreted accordingly;
“COTS Software” means Supplier Software and Third Party Software (including open source software) that the Supplier makes generally available commercially prior to the date of signature of this Contract (whether by way of sale, lease or licence) on standard terms which are not typically negotiated by the Supplier save as to price;
“Cyber Security Incident” means anything, event, act or omission which gives, or may give, rise to:
in connection with the Services and/or this Contract.
“Data Breach” means any event that results, or may result, in unauthorised access to Personal Data held by the Supplier or any sub-contractor under or in connection with the Contract, and/or actual or potential loss and/or destruction and/or corruption of Personal Data in breach of the Contract, including but not limited to any Personal Data Breach.
“Data Controller” has the meaning given in the Data Protection Laws.
“Data Processor” has the meaning given in the Data Protection Laws.
“Data Protection Laws” means any law, statute, subordinate legislation regulation, order, mandatory guidance or code of practice, judgment of a relevant court of law, or directives or requirements of any regulatory body which relates to the protection of individuals with regard to the processing of Personal Data to which a Party is subject including the Data Protection Act 2018 and any statutory modification or re-enactment thereof and the UK GDPR.
“Data Subject” has the meaning given in the Data Protection Laws.
“Detailed Implementation Plan” means the plan developed and revised from time to time;
“Disaster” means the occurrence of one or more events which, either separately or cumulatively, mean, in the opinion of the Purchaser, that the Services, or a material part of the Services will not be available and significant effort is required to restore the Services;
“Disaster Recovery Plan” has the meaning given in paragraph 1.2.1(c) of Schedule 3 (Business Continuity and Disaster Recovery);
“Disaster Recovery Services” means the services embodied in the processes and procedures for restoring the Services following the occurrence of a Disaster;
“Disaster Recovery System” means the system used for the purpose of delivering the Disaster Recovery Services;
“Default” means any failing by a Party to perform its obligations under the Contract or meet the conditions of the Contract (including material breach), or any negligent act, omission or statement of a Party in connection with or in relation to the Contract.
“Deliverable” means anything to be delivered by the Supplier to the Purchaser and identified as a deliverable in accordance with the Ordering Procedures.
“Equipment” means equipment, plant, tackle, materials and other items supplied and used by the Supplier and/or the Supplier’s Representatives in the performance of the Supplier’s obligations under the Contract.
“Force Majeure Event” means any cause hindering the performance by a Party of its obligations, arising directly from acts, events or omissions which is beyond the reasonable control of the Party concerned and which is not attributable to the wilful act, neglect, or failure to take reasonable preventative action by that Party, its agents or employees, including, but not limited to, industrial action, fire, flood, violent storm, pestilence, explosion, malicious damage, armed conflict, acts of terrorism, any disaster, epidemic, pandemic, war or civil unrest, nuclear, biological or chemical warfare, or any other disaster, natural or man-made.
“Good Industry Practice” means standards, practices, methods and procedures conforming to legal and regulatory requirements and the degree of skill and care, diligence, prudence and foresight which would reasonably and ordinarily be expected from a skilled and experienced person or body engaged in a similar type of undertaking as the Supplier under the same or similar circumstances.
“Information Commissioner” means the Commissioner as set out in Part 5 of the Data Protection Act 2018.
“Intellectual Property Rights” means all copyright, patent, trademark, design right, database right and any other right in the nature of intellectual property whether or not registered, in any materials or works in whatever form (including but not limited to any materials stored in or made available by means of an information technology system and the computer software relating thereto) which are created, produced or developed as part of the Services by or on behalf of the Supplier.
“IT Environment” means the Purchaser System and the Supplier System;
“ITT” means the Purchaser’s invitation to tender.
“Judicial Order” means an ineffectiveness order or an order shortening the duration of the contract made in relation to the Contract under Chapter 6 of the Public Contracts (Scotland) Regulations 2015.
“Key Performance Indicators” means the performance measures detailed within the Contract which the Supplier must adhere to.
“Law” means:
in each case in force during the period of the Contract in Scotland.
“Malicious Software” means any software program or code intended to destroy, interfere with, corrupt, or cause undesired effects on program files, data or other information, executable code or application software macros, whether or not its operation is immediate or delayed, and whether the malicious software is introduced wilfully, negligently or without knowledge of its existence;
“Management Arrangements” means the arrangements for the strategic management of the relationship between the Parties, including arrangements for monitoring of the Supplier’s compliance with the Specification, the Key Performance Indicators, the Ordering Procedures and these Terms and Conditions.
“Milestone” means any event or task which must be completed by a particular date under the Contract, such as the delivery of a Deliverable, identified as a milestone in accordance with the Ordering Procedures.
“Open Source Software” means computer software that has its source code made available subject to an open-source licence under which the owner of the copyright and other Intellectual Property Rights in such software provides the rights to use, study, change and distribute the software to any and all persons and for any and all purposes free of charge
“Ordering Procedures” means the procedures for ordering Services set out in the ITT, Quick Quote Project Brief or Single Tender Action documents.
“Party” means the Supplier and the Purchaser respectively.
“Parties” means the Supplier and the Purchaser collectively.
“PCST” means the Public Contracts Scotland – Tender e-tendering portal.
“Personal Data” has the meaning given in the Data Protection Laws.
“Personal Data Breach” has the meaning given in the Data Protection Laws.
“Premises” means the location where the Services are to be performed, as specified in the Contract.
“Pricing Schedule” means the details of the pricing of the Services as at the Commencement Date set out in the Supplier’s commercial response, submitted via the PCST Commercial Envelope.
“Processing” has the meaning given in the Data Protection Laws and cognate expressions shall be construed accordingly.
“Procurement Card” means a type of company charge card used for smaller purchases to achieve greater cost efficiency, control and convenience. Procurement cards are also known as Purchasing Cards or P-Cards.
“Project Brief” means the invitation bid document associated with a quick quote.
“Purchase Order” means an order for particular Services placed in accordance with the Ordering Procedures.
“Purchaser” means North Ayrshire Council a local authority constituted in terms of the Local Government etc. (Scotland) Act 1994 and having its principal offices at Cunninghame House, Irvine, Scotland, KA12 8EE and their statutory successors whomsoever.
“Purchaser Data” means the data, text, drawings, diagrams, images or sounds (together with any database made up of any of these) which are embodied in any electronic, magnetic, optical or tangible media, and which are:
“Purchaser Property” means any corporeal moveable property issued or made available to the Supplier by the Purchaser in connection with the Contract.
“Purchaser Protected Information” means any specific protected information detailed in the ITT.
“Quick Quote” means a low value procurement exercise progressed by online quotation via PCS-T.
“Security Plan” means the security management system, plan and processes to be developed by the Supplier (including areas such as policy, staff management, supply chain management, asset management, technical controls and software life cycle management to ISO 27001 or equivalent) in accordance with paragraph 3 of Schedule 2 (Security Management) as updated from time to time in accordance with this Contract;
“Services” means the Services as are to be supplied by the Supplier to the Purchaser as set out in the Specification and as may be ordered in accordance with the Ordering Procedures.
“Service Levels” means the Service Levels identified as such in the Specification.
“Single Tender Action” means a procurement exercise progressed without a call for competition, as the circumstance meets an exemption reasons detailed in the Procurement (Scotland) Regulations 2016, Part 3 General Duties, Circumstances in which a contract can be awarded without competition.
“Software” means Specially Written Software, Supplier Software and Third Party Software
“SPD” means the Single Procurement Document completed by the Supplier and sent to the Purchaser.
“Specification” means the document forming part of the procurement process which sets out the Purchaser’s requirements and objectives of each stage of the delivery of the Services.
“Sub-Contract” means a Contract between two or more Suppliers, at any stage of remoteness from the Purchaser in a sub-contracting chain, made wholly or substantially for the purpose of performing (or contributing to the performance of) the whole or any part of this Contract.
“Supervisory Authority” has the meaning given in the Data Protection Laws.
“Supplier” means the person, firm or company to whom the Contract is issued.
“Supplier Representative” or “Supplier Representatives” or “Supplier’s Representatives” means all persons engaged by the Supplier in the performance of its obligations under the Contract including but not limited to:
- its Staff;
- its agents, suppliers and carriers; and
- any sub-contractors of the Supplier (whether approved under Clause 24 (Assignation and Sub-Contracting) or otherwise).
“Supplier Software” means software which is proprietary to the Supplier (or an Affiliate of the Supplier) and which is or will be used by the Supplier for the purposes of providing the Services;
“Staff” means any persons employed by the Supplier, and any persons employed by a third party but working for and under the control of the Supplier, who are or may be at any time concerned with the Services or any part of them.
“Tender” means the tender submitted by the Supplier to the Purchaser in response to the ITT.
“Third Party Software” means software which is proprietary to any third party (other than an Affiliate of the Supplier) or any Open Source Software which in any case is, will be or is proposed to be used by the Supplier for the purposes of providing the Services;
“TUPE” means the Transfer of Undertakings (Protection of Employment) Regulations 2006.
“UK GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data as it forms part of the law of the United Kingdom by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended by The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and 2020.
“Working Day” means a day other than a Saturday, Sunday or bank holiday in Scotland.
“Working Hour” means an hour between 0900 hours and 1700 hours on a Working Day.
2. Interpretations
2.1 The interpretation and construction of the Contract is subject to the following provisions:
2.1.1 words importing the singular meaning include, where the context so admits, the plural and vice versa;
2.1.2 words importing the masculine include the feminine and neuter;
2.1.3 reference to a clause is a reference to the whole of that clause unless stated otherwise;
2.1.4 references to any statute, enactment, order, regulation or other similar instrument are construed as a reference to the instrument as amended by any subsequent instrument or re-enacted;
2.1.5 references to any person include natural persons and partnerships, firms and other incorporated bodies and all other legal persons of whatever kind and however constituted and their successors and permitted assignees or transferees;
2.1.6 reference to “expiry or termination” of the Contract includes the making of a Judicial Order;
2.1.7 the words “include”, “includes” and “including” are to be construed as if they were immediately followed by the words “without limitation”; and
2.1.8 headings are included in the Contract for ease of reference only and do not affect the interpretation or construction of the Contract.
3. Parent Company Guarantee
It shall be a condition of this Contract that, if required by the Purchaser, the Supplier shall deliver a validly executed parent company guarantee in the form set out in the ITT, Quick Quote Project Brief or Single Tender Action documents. The rights and obligations of the Parties shall have no force or effect unless the parent company guarantee has been properly executed and delivered to the Purchaser. The parties acknowledge that if this condition has not been fulfilled any performance of this Contract by the Supplier shall be at the risk of the Supplier and the Purchaser shall not be liable for and the Supplier irrevocably waives any entitlement to payment of any fees, expenses or other payments in relation to such performance. Where the Supplier has failed to fulfil this condition prior to and no later than the Commencement Date the Purchaser shall have the right to terminate the Contract by notice in writing to the Supplier.
4. Nature of the Contract
4.1 The Contract is a public services contract within the meaning of regulation 2(1) of the Public Contracts (Scotland) Regulations 2015.
4.2 Save to the extent specifically provided for in this Contract, the Supplier acknowledges that it is not the exclusive Supplier of services to the Purchaser and as such no guarantee of work or volume of work has been granted by the Purchaser.
5. Period
5.1 The period of the Contract is detailed in the ITT, Quick Quote Project Brief or Single Tender Action documents unless it is terminated earlier under the terms of the Contract or extended under Clause 5.2.
5.2 The Purchaser may, by giving notice to the Supplier, extend the period of the Contract to an extension date specified in the ITT, Quick Quote Project Brief or Single Tender Action documents where applicable. Subject to that constraint, the Purchaser may extend the period of the Contract on more than one occasion.
6. Specification
The Supplier must comply with the Specification. In particular, the Supplier must meet or exceed the Service Levels.
7. Pricing Schedule
7.1 The Pricing Schedule sets out details of the pricing of the Services.
7.2 The prices in the Pricing Schedule are either not to be increased or may be varied for the period of the Contract in accordance with the arrangements set out in the PCST Commercial Envelope and the ITT, Quick Quote Project Brief or Single Tender Action documents.
7.3 Accordingly, the Supplier may not unilaterally increase the prices in the Pricing Schedule. But nothing in the Contract prevents the Supplier from improving on the prices in the Pricing Schedule for the purposes of a particular Order.
8. Ordering Procedures and Management Arrangements
8.1 The Ordering Procedures may be invoked by the Purchaser at any time during the period of the Contract.
8.2 The Parties must comply with the Ordering Procedures and Management Arrangements.
8.3 The Supplier must maintain the capacity to supply the Services throughout the period of the Contract.
9. Supplier's Status
At all times during the period of the Contract the Supplier is an independent Supplier and nothing in the Contract establishes a contract of employment, a relationship of agency or partnership or a joint venture between the Parties or between the Purchaser and any Supplier Representative. Accordingly, neither Party is authorised to act in the name of, or on behalf of, or otherwise bind the other Party save as expressly permitted by the terms of the Contract.
10. Notices
10.1 Any notice to be given from one Party to the other under the Contract shall be valid only if it is made in writing.
10.2 Further any such notice which is to be given by either Party to the other, except for the purpose of court proceedings, shall be given by email or physical letter sent by hand or by a signed for special delivery postal service (for example, Royal Mail Signed For or Royal Mail Special Delivery Guaranteed). Such notices shall be addressed to the Supplier or to the Purchaser in the following manner:
10.2.1 For the Supplier – to the address shown on the Purchase Order, or to such other address as the Party may by notice to the other have substituted therefor in accordance with this Clause;
10.2.2 For the Purchaser – addressed to Senior Manager (Corporate Procurement), 1st Floor West, Cunninghame House, Irvine KA12 8EE or via email to procurement@north-ayrshire.gov.uk, or to such other address as the Party may by notice to the other have substituted therefor in accordance with this Clause.
10.3 Where a notice is delivered by hand, it shall be deemed to have been delivered when it is left and signed for at the relevant Party’s address set out in Clause 10.2.
10.4 Where a notice is delivered by a signed for special delivery postal service, provided that it is not returned as undelivered, it shall be deemed to have been given at the earlier of: two Working Days after the day on which the letter was posted, or acknowledgement of receipt of such a letter by the Supplier or the Purchaser.
10.5 Where a notice is delivered by email it shall be deemed effective on the day of transmission, unless such transmission is not done on a day in which is not a Working Day or occurs after 1700 hours in which case it shall be deemed effective on the next Working Day.
10.6 The Supplier shall advise the Purchaser, as soon as practicable and in any event no later than seven days after any change, of a change of address for service by sending a notice in accordance with this Clause.
10.7 The Purchaser may change its address for service by sending a notice in accordance with this Clause.
10.8 The Purchaser shall not be responsible for any failure to intimate or delay in intimation arising out of or in consequence of the Supplier’s omitting to advise the Purchaser of a change of the Supplier’s address under this Clause.
11. Price
11.1 In consideration of the Supplier’s performance of its obligations relating to a Purchase Order, the Purchaser must pay:
11.1.1 the price due in accordance with the Pricing Schedule and the Ordering Procedures; and
11.1.2 a sum equal to the value added tax chargeable at the prevailing rate.
11.2 The Supplier may not suspend the provision of services if it considers that the Purchaser has failed to pay the price due.
12. Payment and Invoicing
12.1 The Purchaser must pay all sums due to the Supplier within 30 days of receipt of a valid invoice.
12.2 The Supplier must render invoices monthly in arrears.
12.3 The Supplier must ensure that each invoice contains appropriate Contract and Purchase Order references and a detailed breakdown of the Services provided. The Supplier must supply such other documentation reasonably required by the Purchaser to substantiate any invoice.
12.4 Value added tax, where applicable, must be shown separately on all invoices as a strictly net extra charge.
12.5 Interest is payable on the late payment of any undisputed sums of money in accordance with the Late Payment of Commercial Debts (Interest) Act 1998. In the case of sums due by the Purchaser, the sums referred to in this clause must be properly invoiced by the Supplier.
12.6 In this Clause 12, ‘valid invoice’ includes an electronic invoice meeting all the requirements set out in regulation 70A of the Public Contracts (Scotland) Regulations 2015.
12.7 The Purchaser will not be liable to pay for any Services carried out by the Supplier unless it is specified in a Purchase Order.
12.8 The Supplier shall be obliged to accept payment by means of BACS (Banks Automated Clearing Service) or Procurement Card.
13. Recovery of Sums Due
Wherever under this Contract any sum of money is recoverable from or payable by the Supplier, that sum may be deducted from any sum then due, or which at any later time may become due, to the Supplier under this Contract or under any other agreement or contract between the Supplier and the Purchaser.
14. Data Protection
14.1 The Data Schedule will define the data relationship and dependent on this either paragraph 14.2 or 14.3 shall be applicable. Where there are aspects of duality within the relationship then both paragraphs 14.2 and 14.3 shall apply.
14.2 The Supplier acknowledges that Personal Data described in the scope of the Schedule (Data Protection) will be processed in connection with the Services under this Contract. For the purposes of any such Processing, Parties agree that the Supplier acts as the Data Processor and the Purchaser acts as the Data Controller.
14.3 Notwithstanding Clause 14.2, the parties acknowledge that they are Joint Controllers for the purposes of the Data Protection Laws in respect of the Personal Data described in Schedule 1 as being under Joint Control. In respect of Personal Data under Joint Control, Clause 14.1 to 14.16 (under exception of 14.3) will not apply and the Parties agree to put in place a Data Sharing and Processing Contract (Controller to Controller).
14.4 Both Parties agree to negotiate in good faith any such amendments to this Contract that may be required to ensure that both Parties meet all their obligations under Data Protection Laws. The provisions of this Clause 14 are without prejudice to any obligations and duties imposed directly on the Supplier under Data Protection Laws and the Supplier hereby agrees to comply with those obligations and duties.
14.5 The Supplier will, in conjunction with the Purchaser and in its own right and in respect of the Services, make all necessary preparations to ensure it will be compliant with Data Protection Laws.
14.6 The Supplier will provide the Purchaser with the contact details of its data protection officer or other designated individual with responsibility for data protection and privacy to act as the point of contact for the purpose of observing its obligations under the Data Protection Laws.
14.7 The Supplier must:
14.7.1 agree and comply with the terms of the data processing provisions set out in the Schedule (Data Protection);
14.7.2 process Personal Data only as necessary in accordance with obligations under the Contract and any written instructions given by the Purchaser (which may be specific or of a general nature), including with regard to transfers of Personal Data outside the United Kingdom unless required to do so by any legal or regulatory requirement to which the Supplier is subject; in which case the Supplier must inform the Purchaser of that legal or regulatory requirement (unless prohibited from doing so by law) before Processing the Personal Data only to the extent, and in such manner as is necessary for the performance of the Supplier’s obligations under this Contract or as is required by the Law;
14.7.3 subject to Clause 14.7.2 only Process or otherwise transfer any Personal Data in or to any country outside the United Kingdom in accordance with the Data Protection Laws and with the Purchaser’s prior written consent and subject to a security risk assessment being undertaken;
14.7.4 take all reasonable steps to ensure the reliability and integrity of any Supplier Personnel who have access to the Personal Data and ensure that the Supplier Personnel:
14.7.5 implement appropriate technical and organisational measures including those set out in the Schedule (Data Protection) and in accordance with Article 32 of the UK GDPR to protect Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration or disclosure, such measures being appropriate to the harm which might result from any unauthorised or unlawful Processing accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected and complete the security risk assessment.
14.8 The Supplier shall not engage a sub-contractor to carry out Processing in connection with the Services without prior specific or general written authorisation from the Purchaser. In the case of general written authorisation, the Supplier must inform the Purchaser of any intended changes concerning the addition or replacement of any other sub-contractor and give the Purchaser an opportunity to object to such changes.
14.9 If the Supplier engages a sub-contractor for carrying out Processing activities on behalf of the Purchaser, the Supplier must ensure that same data protection obligations as set out in this Contract are imposed on the sub-contractor by way of to implement appropriate technical and organisational measures. The Supplier shall remain fully liable to the Purchaser for the performance of the sub-contractor’s performance of the obligations.
14.10 The Supplier must provide to the Purchaser reasonable assistance including by such technical and organisational measures as may be appropriate in complying with Articles 12-23 of the UK GDPR, including any subject access request and/or responding to any enquiry made, or investigation or assessment of processing initiated by the Information Commissioner in respect of the Personal Data as soon as is possible but in any event within three business days of receipt of the request or any other period as agreed in writing with the Data Controller from time to time.
14.11 Taking into account the nature of the Processing and the information available, the Supplier must assist the Purchaser in complying with the Purchaser’s obligations concerning the security of Processing, reporting requirements for Data Breaches, data protection impact assessments and prior consultations in accordance with Articles 32 to 36 of the UK GDPR. These obligations include:
14.12 At the end of the provision of Services relating to Processing the Supplier must, on written instruction of the Purchaser, delete or return to the Purchaser all Personal Data and delete existing copies unless storage of the Personal Data is required by law.
14.13 The Supplier must:
14.14 Parties acknowledge that the inspecting Party will use reasonable endeavours to carry out any audit or inspection under Clause 14.13 (b) with minimum disruption to the Supplier’s day to day business.
14.15 The Supplier must maintain written records including in electronic form, of all Processing activities carried out in performance of the Services or otherwise on behalf of the Purchaser containing the information set out in Article 30(2) of the UK GDPR.
14.16 If requested, the Supplier must make such records referred to in Clause 14.15 available to the Supervisory Authority on request and co-operate with the Supervisory Authority in the performance of its tasks.
15. Public Access to Information
No term of this Contract, whether express or implied, shall preclude the Purchaser from making public, if required under the Freedom of Information (Scotland) Act 2002 (referred to in this clause as the “2002 Act”) or the Environmental Information (Scotland) Regulations 2004 (referred to in this clause as “the EIRS”) or both any information held relating to the Contract. In exercising its obligations under the 2002 Act and the EIRS, the Purchaser shall have due regard to the commercial interests of the Supplier but without prejudice to its duty to discharge its obligations under the 2002 Act or the EIRS. The interpretation of the Acts by the Purchaser, and any exemptions therein, will be final and conclusive subject only to any decision or binding ruling on the matter made by the courts. The Supplier will facilitate compliance by the Purchaser, with its obligations under the 2002 Act and the EIRS and comply with any requests from the Purchaser, for that purpose.
16. Confidentiality
16.1 The Supplier shall keep secret and not disclose and shall procure that the Supplier’s Representatives keep secret and do not disclose any information of a confidential nature or business data obtained by the Supplier by reason of this Contract except information which is in the public domain otherwise than by reason of a breach of this Clause.
16.2 All information related to the Contract will be treated as commercial in confidence by the parties except that the Supplier or Purchaser or both may disclose any information as required by law or Judicial Order to be disclosed.
16.3 The Supplier shall at all times comply with the Purchaser’s “IT and Cyber Security Policy” (“the Policy”) and it is the Supplier’s responsibility to ensure that the Supplier and the Supplier’s Representatives are familiar with and comply with the Policy as well as with any of the Purchaser’s related security standards, guidelines and procedures in relation to the Policy. The Policy can be obtained on request by contacting the Purchaser’s ICT Security Team by email at cybersecurityteam@north-ayrshire.gov.uk.
16.4 The provisions of this Clause 16 shall apply during the continuance of this Contract and after its termination howsoever arising.
17. Audit
17.1 The Supplier shall keep and maintain until the date falling seven (7) years after the date of expiry of the Contract or any period of extension, or as long a period as may be agreed between the parties, full and accurate records of the Contract including the orders placed, Services supplied under it, all expenditure reimbursed by the Purchaser, and all payments made by the Purchaser. The Supplier shall on request afford the Purchaser such access to those records as may be requested by the Purchaser in connection with the Contract.
17.2 The provisions of this Clause 17 shall apply during the continuance of this Contract and after its termination howsoever arising.
18. Advertising
18.1 The Supplier shall not use the North Ayrshire Council logo without the prior written consent of the Purchaser.
18.2 The Supplier shall not disclose any details relating to the Contract performance and operations with the Purchaser to any other party without the prior written consent of the Purchaser.
18.3 The Supplier shall not communicate in any form with the media, or make any publication or announcement, on any matter concerning the operation, involvement in or performance of the Contract, without the prior written consent of the Purchaser.
19. Provision of the Services
19.1 The Supplier must provide the Services:
19.1.1 in accordance with the Specification and the Ordering Procedures;
19.1.2 in accordance with the particular requirements of each Purchase Order; and
19.1.3 to the satisfaction of the Purchaser acting reasonably.
19.2 The Supplier acknowledges that the Purchaser relies on the skill, care, diligence and judgment of the Supplier in the supply of the Services and the performance of its obligations under the Contract.
19.3 For each Purchase Order for the provision of the Services, subject to any contrary requirements of the Purchaser communicated in accordance with the Ordering Procedures, the provisions of Clauses 19 and 20 apply.
19.4 The period for any Purchase Order agreed in accordance with the Ordering Procedures may be brought to an earlier end upon 3 months’ written notice by the Purchaser.
20. Deliverables and Milestones
20.1 The Supplier must provide the Services, including any Deliverables:
20.1.1 at the date(s), time(s) and location(s) required by the Purchaser; and
20.1.2 in good time to meet any Milestones required by the Purchaser.
20.2 When the Supplier believes acting reasonably that it has provided any
Deliverable or completed any Milestone in accordance with the Contract it must
notify the Purchaser.
20.3 The Purchaser may thereafter by notice to the Supplier acting reasonably:
20.3.1 accept the provision of the Deliverable or the completion of the Milestone (as appropriate), having regard to any acceptance criteria communicated in accordance with the Ordering Procedures; or
20.3.2 providing reasons, reject the provision of the Deliverable or the completion of the Milestone.
20.4 Where the Purchaser rejects the completion of a Milestone or provision of a Service or Deliverable in accordance with Clause 20.3.2, the Supplier must at its expense immediately rectify or remedy any defects and/or delays.
20.5 Risk and ownership in any Deliverables that are corporeal movables and in any physical media in which any Deliverables are delivered vests in the Purchaser upon acceptance in accordance with this clause.
20.6 Whether the defect or delay is due to the Purchaser or not, the Supplier shall deploy all additional resources to address the consequences of the default or delay. Where such default or delay is solely due to the Purchaser, any additional costs in respect of the said additional resources shall be agreed between the parties both acting reasonably.
21. Supplier's Personnel
21.1 The Supplier shall provide full particulars as required by the Purchaser of all Supplier Representatives, including but not limited to, a list of names and addresses of Supplier Representatives, specifying the capacities in which they are so concerned with the Services provided and the performance of the Contract. The Supplier shall take all reasonable steps to avoid changes of Supplier Representatives performing the Contract and shall provide the Purchaser with one month’s written notice and full particulars of any proposed additional or replacement Supplier Representatives.
21.2 At any time, the Purchaser may give notice to the Supplier that any Supplier Representatives are not to become or be involved further with the performance of the Contract and may require the Supplier to replace any Supplier Representatives removed under this Clause with another suitably qualified person. The decision of the Purchaser regarding the Supplier Representatives shall be final and conclusive. The Supplier shall act immediately on receipt of such notice to comply with the notice, including but not limited to, taking all necessary steps to avoid unauthorised person(s) from gaining access to the Premises and the Purchaser’s premises.
21.3 The Supplier shall bear the cost of any notice, instruction or decision of the Purchaser under this Clause 21.
22. Transfer of Undertakings (Protection of Employment)
22.1 The Supplier recognises that the Transfer of Undertakings (Protection of Employment) Regulations 2006 (“TUPE”) may apply in respect of the Contract, and that for the purposes of those Regulations, the undertaking concerned (or any relevant part of the undertaking) shall (a) transfer to the Supplier on the commencement of the Contract; (b) transfer to another Supplier on the expiry of the Contract.
22.2 During the period of six months preceding the expiry of the Contract or after the Purchaser has given notice to terminate the Contract or the Supplier stops trading, and within 20 Working Days of being so requested by the Purchaser, the Supplier shall fully and accurately disclose to the Purchaser or to any person nominated by the Purchaser information relating to employees engaged in providing the Services in relation to the Contract in particular, but not necessarily restricted to, the following:
22.3 The Supplier shall permit the Purchaser to use the information for the purposes of TUPE and of re-tendering, which shall include such disclosure to potential Suppliers as the Purchaser considers appropriate in connection with any re-tendering. The Supplier will co-operate with the re-tendering of the contract by allowing the transferee to communicate with and meet the affected employees and/or their representatives.
22.4 The Supplier agrees to indemnify the Purchaser fully and to hold it harmless at all times from and against all actions, proceedings, claims, expenses, awards, costs and all other liabilities whatsoever in any way connected with or arising from or relating to the provision or disclosure of information permitted under this Clause.
22.5 In the event that the information provided by the Supplier in accordance with this Clause becomes inaccurate, whether due to changes to the employment and personnel details of the affected employees made subsequent to the original provision of such information or by reason of the Supplier becoming aware that the information originally given was inaccurate, the Supplier shall notify the Purchaser of the inaccuracies and provide the amended information. The Supplier shall be liable for any increase in costs the Purchaser may incur as a result of the inaccurate or late production of data.
22.6 The provisions of this Clause 22 shall apply during the continuance of this Contract and after its termination howsoever arising.
23. Intellectual Property Rights
23.1 All Intellectual Property Rights in any material including but not limited to reports, guidance, specification, instructions, toolkits, plans, data, drawings, databases, patents, patterns, models, designs which are created or developed by the Supplier on behalf of the Purchaser for use, or intended use, in relation to the performance by the Supplier of its obligations under the Contract are hereby assigned to and shall vest in the Purchaser absolutely.
23.2 Any material, including but not limited to reports, guidance, specification, instructions, toolkits, plans, data, drawings, databases, patents, patterns, models, designs, furnished to or made available to the Supplier by or as directed by the Purchaser shall remain the property of the Purchaser.
23.3 Except as may expressly be provided for in the Contract, neither Party acquires any interest in or license to use the other Party’s Intellectual Property Rights owned or developed prior to or independently of the Contract.
23.4 The Supplier must not infringe any Intellectual Property Rights of any third party in providing the Services or otherwise performing its obligations under the Contract. The Supplier shall indemnify the Purchaser against all actions, claims, demands, losses, charges, costs and expenses which the Purchaser may suffer or incur as a result of or in connection with any breach of this Clause 23.4.
23.5 The Supplier shall, at the request of the Purchaser, provide the Purchaser with a complete and up-to-date copy of all electronically stored data and all other information necessary to ensure that the Purchaser can continue to use the electronically stored data so provided by the Supplier; all to the reasonable satisfaction of the Purchaser.
23.6 Electronically stored data shall mean data however stored on a computer storage medium, and shall include data stored in conventional files, databases and computer aided design files, and which contain relevant design information. The Supplier shall store all data on a suitable medium in either its native format or in a neutral file format to suit the Purchasers requirements.
23.7 The Purchaser reserves the right to verify and validate any information contained within the electronically stored data within one year from completion of the Services. The Supplier shall remedy at their own expense any defects or inadequacies discovered during the said one year and notified by the Purchaser to the Supplier and such defects or inadequacies shall be remedied within 14 Working Days of receipt of such notification.
23.8 The Supplier shall not have the right to use any reports, or other materials referred to in Clause 23.1 without the prior written consent of the Purchaser and then only upon such terms as may be imposed in connection therewith, except for information which is in the public domain.
23.9 The provisions of this Clause shall apply during the continuance of this Contract and after its termination howsoever arising.
24. Assignation and Sub-Contracting
24.1 The Supplier shall not assign or sub-contract any portion of the Contract without the prior written consent of the Purchaser. Sub‑contracting any part of the Contract shall not relieve the Supplier of any obligation or duty attributable to the Supplier under the Contract or these Clauses.
24.2 Where the Purchaser has consented to the placing of any Sub-Contract(s), the Purchaser reserves the right to obtain and keep copies of any Sub-Contract(s) from the Supplier, and the Supplier shall send copies of any Sub-Contract(s) to the Purchaser immediately at the Purchasers request.
24.3 Where the Purchaser has consented to the placing of any Sub-Contract, and the Supplier enters into a Sub-Contract, the Supplier must ensure that provisions are included which:
24.3.1 requires payment to be made of all sums due by the Supplier to the sub-contractor within a specified period not exceeding 30 days from the receipt of a valid invoice as defined by the sub-contract requirements and provides that, where the Purchaser has made payment to the Supplier in respect of the Services, or any part of the Services, and the sub-contractor’s invoice relates to such Services then, to that extent, the invoice must be treated as valid and, provided the Supplier is not exercising a right of retention or set-off in respect of a breach of the Contract by the sub-contractor or in respect of a sum otherwise due by the sub-contractor to the Supplier, payment must be made to the sub-contractor without deduction;
24.3.2 notifies the sub-contractor that the Sub-Contract forms part of a larger Contract for the benefit of the Purchaser and that should the sub-contractor have any difficulty in securing the timely payment of an invoice, that matter may be referred by the sub-contractor, to the Purchaser;
24.3.3 provides the Supplier with a right to terminate the Sub-Contract if the relevant sub-contractor fails to comply in the performance of its Contract with any legal obligations in the fields of environmental, social or employment law, or if any of the termination events specified in Clause 24.3 occur;
24.3.4 requires the sub-contractor to include provisions having the same effect as Clauses 24.3.1, 24.3.2, and 24.3.3 above in any Sub-Contract it awards; and
24.3.5 in the same terms as that set out in this Clause 24.3 (including for the avoidance of doubt this Clause 24.3.5) subject only to modification to refer to the correct designation of the equivalent party as the Supplier, sub-contractor and sub-sub-contractor as the case may be.
24.4 Suppliers to the Purchaser are requested to address complaints regarding late payment of invoices to, in the first instance, the addressee of the invoice and, in the second instance to the Senior Manager (Corporate Procurement), 1st Floor West, Cunninghame House, Irvine KA12 8EE or via email to procurement@north-ayrshire.gov.uk.
24.5 Any breach of this Clause 24 by the Supplier is a material breach for the purposes of Clause 45.1.3 (Termination).
25. Change of Name/Contract Novation
25.1 If the Supplier’s company name changes during the Contract but their company registration remains the same, the Supplier will be required to provide a copy of their “Certificate of Incorporation on Change of Name” at the earliest opportunity.
25.2 Where the company registration number changes the Supplier must inform the Purchaser immediately of any changes.
25.3 Where there is a change to any of the following the Purchaser reserves the right to terminate the Contract with immediate effect
- Location of service;
- Management structure;
- Staff providing the service;
- Operational policies and procedures.
25.4 Subject to the above the Purchaser reserves the right to consider continuing the Contract with the new company provided that the company:
26. Amendment
The Contract may be amended only by the written agreement of both Parties. Accordingly, the Supplier may not unilaterally amend the Contract.
27. Compliance with Law etc.
Throughout the duration of the Contract the Supplier shall be bound and obliged to comply with all applicable law, Good Industry Practice and the standards relevant to the Services (including regulatory bodies). During the period of the Contract the Supplier shall produce such evidence as the Purchaser may require to satisfy the Purchaser that the Supplier has complied with this Clause.
28. Supplier's Responsibility for Staff
28.1 The Supplier is responsible for the acts and omissions of all Supplier Representatives relating to the Contract as though such acts and omissions are the Supplier’s own.
28.2 The Supplier must ensure that all Supplier Representatives:
28.2.1 are appropriately experienced, skilled, qualified and trained;
28.2.2 carry out their activities connected with the Contract faithfully and diligently and with all with due skill, care and diligence;
28.2.3 and obey all lawful and reasonable directions of the Purchaser when carrying out activities under the Contract.
29. Security and Access to the Purchaser's Premises
29.1 Any access to, or occupation of, the Purchaser’s Premises which the Purchaser may grant the Supplier from time to time is on a non-exclusive licence basis free of charge. The Supplier must use the Purchaser’s Premises solely for the purpose of performing its obligations under the Contract and must limit access to the Purchaser’s Premises to such individuals as are necessary for that purpose.
29.2 The Supplier must comply with the Purchaser’s controls, procedures and policies concerning security and access to the relevant Purchasers Premises and any such modifications to those controls, procedures and policies or replacement controls, procedures and policies as are notified to the Supplier from time to time.
29.3 The Supplier must notify the Purchaser of any matter or other change in circumstances which might adversely affect future security and access to the Purchasers Premises.
29.4 At the Purchaser’s written request, the Supplier must provide a list of the names and addresses of all persons who may require admission to the Purchaser’s Premises in connection with the Contract, specifying the capacities in which they are concerned with the Contract and giving such other particulars as the Purchaser may reasonably request.
29.5 The Supplier must ensure that any individual Supplier Representative entering the Purchaser’s Premises complies with any controls, procedures and policies, if applicable, for obtaining access. The Supplier acknowledges that the Purchaser has the right to deny entry to any individual that does not comply with the Purchaser’s controls, procedures, and policies concerning security and access.
29.6 In accordance with the Purchaser’s controls, procedures and policies concerning visitor access, entry to the Purchaser’s Premises may be granted to individual Supplier Representatives for the purposes of meetings.
29.7 The Purchaser may, by notice to the Supplier, refuse to admit onto, or withdraw permission to remain on, the Purchaser’s Premises any Supplier Representative whose admission or continued presence would, in the opinion of the Purchaser acting reasonably, be undesirable.
29.8 The Purchaser will provide advice and assistance acting reasonably to the Supplier to facilitate the Supplier’s compliance with this Clause 29.
29.9 All decisions of the Purchaser under this Clause are final and conclusive.
29.10 Breach of this Clause 29 by the Supplier is a material breach for the purposes of Clause 45.1.3 (Termination).
30. Supplier's Equipment
30.1 The Supplier must provide all Equipment necessary to perform any required activities on the Purchaser’s Premises or otherwise necessary for the provision of Services.
30.2 But the Supplier must not, without the Purchaser’s approval:
30.2.1 bring Equipment onto the Purchaser’s Premises; or
30.2.2 leave Equipment on the Purchasers Premises.
30.3 Any Equipment brought onto the Purchaser’s Premises:
30.3.1 remains the property of the Supplier; and
30.3.2 is at the Supplier’s own risk and the Purchaser has no liability for any loss of or damage to the Equipment unless the Supplier is able to demonstrate that such loss or damage was caused or contributed to by the Purchaser’s Default.
30.4 The Supplier must keep all Equipment brought onto the Purchaser’s Premises in a safe, serviceable and clean condition. The Purchaser may at any time require the Supplier to remove from the Purchaser’s Premises any Equipment which in the opinion of the Purchaser acting reasonably is either hazardous, noxious or not in accordance with the Contract and substitute proper and suitable Equipment at the Supplier’s expense as soon as reasonably practicable.
30.5 On completion of any required activities on the Purchaser’s Premises or at the end of a Working Day (as appropriate), the Supplier must at its own expense:
30.5.1 remove all Equipment; and
30.5.2 leave the Premises in a clean, safe and tidy condition, clearing away all rubbish arising out of the Supplier’s activities.
30.6 The Supplier is solely responsible for making good any damage to the Purchaser’s Premises or any objects contained therein, other than wear and tear, which is caused by the Supplier.
31. Inspection of the Supplier's Premises and Documentation
31.1 Following award of the Contract, the Supplier shall permit representatives of the Purchaser, following the giving of reasonable notice, except in cases of urgency, to have access to the Premises, to inspect the Premises, to ensure that they are fit for the purposes of the Contract, that they comply with the Terms and Conditions of the Contract, all applicable law, Good Industry Practice, and to permit the representatives to carry out external quality audits and assessments of the Supplier.
31.2 Separately, the Supplier is obliged throughout the duration of the Contract to make available on request to the Purchaser all available documentation to substantiate its compliance with the Terms and Conditions of the Contract, all applicable law and Good Industry Practice, or any other requirements of the Contract relating to quality assurance and assessment of the Supplier’s performance of its obligations under the Contract.
31.3 Any breach of this Clause 31 by the Supplier is a material breach for the purposes of Clause 45.1.3 (Termination).
32. Purchaser Property
32.1 Notwithstanding Clause 30, the Purchaser may issue Purchaser Property to the Supplier. Where the Purchaser issues Purchaser Property to the Supplier, the Purchaser Property remains at all times the property of the Purchaser.
32.2 The Supplier undertakes the safe custody of the Purchaser Property and to that end must:
32.2.1 keep the Purchaser Property in good order and condition (excluding wear and tear);
32.2.2 comply with any particular security requirements communicated to the Purchaser in relation to the Purchaser Property;
32.2.3 use any Purchaser Property solely in connection with the Contract and for no other purpose; and
32.2.4 store the Purchaser Property separately and ensure that it is clearly identifiable as belonging to the Purchaser. 32.3 The Purchaser Property is deemed for the purposes of clause 32.2.1 to be in good order and condition when received by the Supplier unless the Supplier notifies the Purchaser otherwise within 5 Working Days of receipt.
32.4 The Supplier must not:
32.4.1 modify or replace the Purchaser Property;
32.4.2 use the Purchaser Property as security for a loan or other obligation;
32.4.3 sell, or attempt to sell or part with possession of the Purchaser Property; or
32.4.4 allow anyone to obtain a lien over, or right to retain, the Purchaser Property.
32.5 The Supplier authorises the Purchaser to enter any premises of the Supplier during Working Hours on reasonable notice to recover any Purchaser Property.
32.6 The Supplier undertakes the due return of the Purchaser Property and as such is liable for all loss of, or damage to, the Purchaser Property (excluding wear and tear), unless such loss or damage was caused or contributed to by the Purchaser’s Default. The Supplier must notify the Purchaser promptly and, in any event within 2 Working Days, upon becoming aware of any defects appearing in or losses or damage occurring to the Purchaser Property.
33. Health & Safety
33.1 The Supplier shall perform the Contract in such a manner as to be safe and without risk to the health or safety of persons in the vicinity of the place where the Contract is being performed (whether such persons are in the vicinity of the said place at the time when the Contract is being performed or otherwise) and in such a manner as to comply with any relevant health and safety or other legislation (including Statutory Instrument, Orders, or Regulations made under the said legislation) and any requirements imposed by a local or other regulatory authority in connection with the performance of the Contract type supplied to the Purchaser, whether specifically or generally. The Supplier shall indemnify the Purchaser against all actions, suits, claims, demands, losses, charges, costs and expenses which the Purchaser may suffer or incur as a result of or in connection with any breach of this Clause.
33.2 The Supplier must notify the Purchaser immediately of any risks to health or safety which are identified or arise during the Contract.
33.3 Notwithstanding Clause 29 (Security and Access to the Purchaser’s Premises) of this Contract the Supplier shall comply with any health and safety measures implemented by the Purchaser in respect of the Purchaser’s premises when accessing and/or occupying the Purchaser’s premises, and shall notify the Purchaser immediately of any incident(s) which causes or is likely to cause any personal injury or damage to property when accessing and/or occupying the Purchaser’s premises.
33.4 The Supplier shall notify the Purchaser immediately of any health and safety hazards which may exist or arise at the Premises which may affect the Supplier’s performance of its duties under the Contract.
33.5 The Supplier shall ensure that its health and safety policy statement (as required by The Health and Safety at Work etc. Act 1974) is made available to the Purchaser on request.
34. Tax Arrangements
34.1 Where the Supplier is liable to be taxed in the UK in respect of consideration received under this contract, it shall at all times comply with the Income Tax (Earnings and Pensions) Act 2003 (ITEPA) and all other statutes and regulations relating to income tax in respect of that consideration.
34.2 Where the Supplier is liable to National Insurance Contributions (NICs) in respect of consideration received under this contract, it shall at all times comply with the Social Security Contributions and Benefits Act 1992 (SSCBA) and all other statutes and regulations relating to NICs in respect of that consideration.
34.3 The Purchaser may, at any time during the term of this contract, request the Supplier to provide information which demonstrates how the Supplier complies with sub-clauses 44.1 and 44.2 above or why those clauses do not apply to it.
34.4 A request under sub-clause 44.3 above may specify the information which the Supplier must provide and the period within which that information must be provided.
34. 5 The Purchaser may supply any information which it receives under Clause 34 to the Commissioners of His Majesty's Revenue and Customs for the purpose of the collection and management of revenue for which they are responsible.
34.6 The Supplier shall take all reasonable steps to ensure the observance of the provisions of this Clause 34 by all Supplier Representative’s.
34.7 Where the Supplier enters into any sub-contract with any Supplier Representative, the Supplier must ensure that a provision is included which is in the same terms as this Clause 34 subject only to modification to refer to the correct designation of the equivalent party as the Supplier.
35. Equality
The Supplier undertakes that it has and shall comply with all statutory requirements in respect of ensuring equal opportunity in employment and has not and shall not unlawfully discriminate either directly or indirectly on such grounds as race, ethnic or national origin, disability, gender, sex or sexual orientation, religion or belief, or age and without prejudice to the generality of the foregoing the Supplier shall not unlawfully discriminate within the meaning and scope of the Equality Acts 2006 and 2010, the Part-Time Workers (Prevention of Less Favourable Treatment) Regulations 2000, the Fixed-Term Employees (Prevention of Less Favourable Treatment) Regulations 2002, the Human Rights Act 1998 or other relevant or equivalent legislation, and any statutory modification or re-enactment thereof. The Supplier shall take all reasonable steps to secure the observance of this Clause 35 by all employees and representatives of the Supplier.
36. Blacklisting
36.1 The Supplier must not commit any breach of the Employment Relations Act 1999 (Blacklists) Regulations 2010 or section 137 of the Trade Union and Labour Relations (Consolidation) Act 1992. Breach of this Clause is a material default which shall entitle the Purchaser to terminate the Contract.
36.2 Suppliers sub-contracting, assigning or novating any part of the Contract must impose the same Terms and Conditions on any sub-contractor or party to whom such a part of the Contract is novated or assigned.
37. Conflicts of Interest
37.1 The Supplier must take appropriate steps to ensure that the Purchaser is not placed in a position where, in the reasonable opinion of the Purchaser, there is an actual or potential conflict between the interests of the Supplier and the duties owed to the Purchaser under the Contract.
37.2 The Supplier must disclose by notice to the Purchaser full particulars of any actual or potential conflict of interest which may arise and must take such steps as are necessary to avoid or remove the conflict of interest.
37.3 Breach of this clause by the Supplier is a material breach for the purposes of clause 45.1.3 (Termination).
38. Corrupt Gifts or Payments
The Supplier shall not offer or give, or agree to give, to any employee or representative of the Purchaser any gift or consideration of any kind as an inducement or reward for doing or refraining from doing or for having done or refrained from doing, any act in relation to the obtaining or execution of this or any other Contract with the Purchaser or for showing or refraining from showing favour or disfavour to any person in relation to this or any such Contract. The attention of the Supplier is drawn to the criminal offences created by the Bribery Act 2010.
39. Warranties and Representations
The Supplier warrants and represents that:
39.1 it has full capacity and authority and all necessary consents (including where its procedures so require, the consent of its parent company) to enter into and perform its obligations under the Contract and that the Contract is executed by a duly authorised individual;
39.2 in entering the Contract it has not committed any offence under the Bribery Act 2010 or of fraud or uttering at common law or any other kind referred to in the Public Contracts (Scotland) Regulations 2015;
39.3 it has not committed any breach of the Employment Relations 1999 Act (Blacklists) Regulations 2010 or section 137 of the Trade Union and Labour Relations (Consolidation) Act 1992, or committed any breach of the Data Protection Laws by unlawfully processing personal data in connection with any blacklisting activities;
39.4 as at the Commencement Date, all information contained in the SPD, Quick Quote prequalification document, Single Tender Action documents and Tender remains true, accurate and not misleading, save as may have been specifically disclosed in writing to the Purchaser prior to execution of the Contract;
39.5 no claim is being asserted and no litigation, alternative dispute resolution procedure or administrative proceeding is presently in progress or, to the best of its knowledge and belief, pending or threatened against it or any of its assets which will or might have a material adverse effect on its ability to perform its obligations under the Contract;
39.6 it is not subject to any contractual obligation, compliance with which is likely to have a material adverse effect on its ability to perform its obligations under the Contract;
39.7 no proceedings or other steps have been taken and not discharged (nor, to the best of its knowledge, are threatened) for the winding up of the Supplier or for its dissolution or for the appointment of a receiver, administrative receiver, liquidator, manager, administrator or similar officer in relation to any of the Supplier’s assets or revenue;
39.8 it owns, has obtained or is able to obtain, valid licences for all Intellectual Property Rights that are necessary for the performance of its obligations under the Contract;
39.9 in the 3 years prior to the Commencement Date:
39.9.1 it has conducted all financial accounting and reporting activities in compliance in all material respects with the generally accepted accounting principles that apply to it in any country where it files accounts;
39.9.2 it has been in full compliance with all applicable securities and tax laws and regulations in the jurisdiction in which it is established;
39.10 it has not done or omitted to do anything which could have a material adverse effect on its assets, financial condition or position as an ongoing business concern or its ability to fulfil its obligations under the Contract;
39.11 it has made appropriate inquiries (for example as regards the Purchaser’s premises) so as to be satisfied in relation to all matters connected with the performance of its obligations under the Contract;
39.12 it has in place appropriate technical and organisational measures to safeguard any Purchaser Protected Information provided by the Purchaser;
39.13 there are no actual or potential conflicts between the interests of the Supplier and the duties owed to the Purchaser under the Contract, save as may have been specifically disclosed in writing to the Purchaser prior to execution of the Contract; and
39.14 it is deemed to have inspected any premises at which the services are to be performed as set out in the Specification before tendering so as to have understood the nature and extent of the Services to be carried out and is deemed to be satisfied in relation to all matters connected with the Services and the Premises.
40. Indemnity and Insurance
40.1 Without prejudice to any rights or remedies of the Purchaser, the Supplier shall indemnify the Purchaser against all actions, suits, claims, demands, losses, charges, costs and expenses which the Purchaser may suffer or incur as a result of or in connection with any damage to property or in respect of any injury (whether fatal or otherwise) to any person which may result directly or indirectly from any negligent or wrongful act or omission of the Supplier.
40.2 Neither Party is liable to the other Party under the Contract for any:
40.2.1 loss of profits, business, revenue or goodwill; or
40.2.2 indirect or consequential loss or damage.
40.3 But Clause 40.2 does not exclude any liability of the Supplier for additional operational, administrative costs or expenses or wasted expenditure resulting from the Default of the Supplier.
40.4 But neither Party excludes or limits liability to the other Party for:
40.4.1 death or personal injury caused by its negligence;
40.4.2 misrepresentation;
40.4.3 any breach of any obligations implied by section 12 of the Sale of Goods Act 1979 or sections 2 or 11B of the Supply of Goods and Services Act 1982.
40.5 The Purchaser shall indemnify the Supplier in respect of all claims, proceedings, actions, damages, fines, costs, expenses or other liabilities which may arise out of, or in consequence of, a breach of Data Protection Laws where the Supplier has acted in accordance with the Purchaser’s written instructions, notwithstanding the above, nothing within this Contract relieves the Supplier of any of their own direct responsibilities and liabilities under Data Protection Laws.
40.6 The Supplier and any Sub-Contractor must effect and maintain with a reputable insurance company:
40.6.1 Public liability insurance, to the value of at least ten million pounds (£10,000,000) sterling in respect of any one event and unlimited in the period;
40.6.2 Professional indemnity insurance, to the value of at least five million pounds (£5,000,000) sterling in the aggregate in the policy period;
40.6.3 Employer’s liability insurance, to the value of at least five million pounds (£5,000,000) sterling in respect of any one event and unlimited in the period;
40.6.4 Products liability insurance, to the value of at least ten million pounds (£10,000,000) sterling in the aggregate in the policy period;
40.6.5 Third-party motor vehicle insurance maintained throughout the period of the Contract, in accord with the provisions of the current Road Traffic Act 1988 (as amended). A valid motor vehicle certificate in the Supplier’s name, or (where there is no fleet but rather the Supplier permits employees to use their personal vehicles for business purposes), a letter signed by a person of appropriate authority, confirming that the Supplier has ongoing arrangements in place to ensure their employees' vehicles are appropriately insured and maintained.
40.7 Such insurance must be maintained for the duration of the Contract and for a minimum of 5 years following the expiry or termination of the Contract.
40.8 The policy or policies of insurance referred to in Clause 40.6 shall be shown to the Purchaser whenever the Purchaser requests, together with satisfactory evidence of payment of premiums, including the latest premium due thereunder.
40.9 The Supplier shall establish a robust internal process to receive and process any insurance claims intimated to it, the detail of which process will be made available to the Purchaser on request.
40.10 In the event that a claim is intimated to the Supplier, the Supplier shall immediately acknowledge receipt of such claim to the claimant, investigate the facts and process the claim with its insurance company to the Purchaser's satisfaction. If required by the Purchaser, the Supplier shall provide any information required on the nature of the claim or the manner in which it is being processed, having in mind that the Purchaser's name cannot be brought into disrepute.
41. Force Majeure
41.1 If either Party to this Contract is prevented or delayed in the performance of any of its obligations under this Contract as a direct result of a Force Majeure Event, and if such Party gives written notice to the other Party specifying the matters constituting the Force Majeure Event together with such evidence as it reasonably can give and specifying the period for which it is estimated that such prevention or delay will continue, then the Party in question shall be excused the performance or the practical performance as the case may be of such obligations in terms of this Contract which are so affected as from the date on which it became unable to perform them and for so long as the Force Majeure Event shall continue.
41.2 If the period during which either Party is delayed in or prevented from the performance of its obligations hereunder by reason of a Force Majeure Event exceeds two months, either Party may serve on the other one month’s notice of termination of the Contract.
41.3 Both Parties agree to use their best efforts to ensure that, during any period when a Force Majeure Event exists, the services are provided to the fullest extent practicable.
42. Dispute Resolution
42.1 In the event of any dispute arising out of or in connection with the Contract between the Parties either Party shall serve a notice on the other Party outlining the terms of the dispute. The Parties must attempt in good faith and in a spirit of mutual trust and co-operation to resolve the dispute as a matter of urgency and no later than 20 Working Days of either Party notifying the other of the dispute.
42.2 In the event of any dispute of an emergency nature arising out of or in connection with the Contract between the Parties the Purchaser shall be entitled to demand that the Supplier attempts in good faith and in a spirit of mutual trust and co-operation to resolve the dispute within any timescale as the Purchaser considers reasonable in the circumstances and the Supplier must comply. The Purchaser shall be the sole judge of what disputes are of an emergency nature.
42.3 Any dispute or difference arising out of or in connection with the Contract, including any question regarding its existence, validity or termination which cannot be resolved in good faith, shall be determined by the appointment of a single arbitrator to be agreed between the Parties, and failing agreement within 14 days after either Party has given to the other a written request to concur in the appointment of an arbitrator, by an arbitrator to be appointed by the Scottish Arbitration Centre on the written application of either Party. The seat of the arbitration shall be in Scotland. The language used in the arbitral proceedings shall be English.
42.4 Any arbitration under Clause 42.3 is subject to the Arbitration (Scotland) Act 2010.
42.5 Nothing in this Clause 42 shall:
42.5.1 prevent the Parties from complying with, observing and performing all their obligations in respect of the Contract regardless of the nature of any dispute between them arising out of or in connection with the Contract and notwithstanding the referral of any such matter or dispute for resolution under this Clause; nor
42.5.2 diminish the Parties to the Contract’s responsibilities in respect of contract administration.
43. Severability
If any provision of the Contract is held invalid, illegal or unenforceable for any reason by any court of competent jurisdiction, such provision is severed and the remainder of the provisions of the Contract continue in full force and effect as if the Contract had been executed with the invalid, illegal or unenforceable provision eliminated.
44. Waiver and Cumulative Remedies
44.1 Any failure of either Party to insist upon strict performance of any provision of the Contract, or the failure of either Party to exercise, or any delay in exercising, any right or remedy does not constitute a waiver of that right or remedy and does not cause a diminution of the obligations established by the Contract.
44.2 Accordingly, no waiver is effective unless it is expressly stated to be a waiver and communicated to the other Party in writing in accordance with Clause 10 (notices).
44.3 A waiver of any Default is not a waiver of any subsequent Default.
44.4 The rights and remedies provided by the Contract are cumulative and may be exercised concurrently or separately, and the exercise of any one remedy is not to be deemed an election of such remedy to the exclusion of other remedies.
45. Termination
45.1 The Purchaser may terminate the Contract by notice to the Supplier with immediate effect, or at such later date as the Purchaser may specify, if the Supplier commits a Default and if:
45.1.1 the Supplier has not remedied the Default to the satisfaction of the Purchaser within 20 Working Days, or such other period as may be specified by the Purchaser, after issue of a notice specifying the Default and requesting it to be remedied; or
45.1.2 the Default is not in the opinion of the Purchaser, capable of remedy; or
45.1.3 the Default is a material breach of the Contract.
45.2 The Supplier shall give notice to the Purchaser as soon as reasonably practicable if the Supplier is unable permanently or temporarily to meet any of the conditions of the Contract, or to observe or perform any of its obligations under the Contract.
45.2.1 In the event the Supplier gives the Purchaser the notice referred to at Clause 45.2 the Purchaser may terminate the Contract by notice to the Supplier with immediate effect, or such later date as the Purchaser may specify.
45.3 The Purchaser may also terminate the Contract in accordance with any provision in the Specification, ITT, Quick Quote Project Brief or Single Tender Action Documents.
45.4 The Purchaser may terminate the Contract with immediate effect by notice, or at such later date as the Purchaser may specify, in the event that:
45.4.1 the Contract has been subject to substantial modification which would have required a new procurement procedure in accordance with regulation 72(9) (modification of contracts during their term) of the Public Contracts (Scotland) Regulations 2015; or
45.4.2 the Supplier has, at the time of Contract award, been in one of the situations referred to in regulation 58(1) (exclusion grounds) of the Public Contracts (Scotland) Regulations 2015, including as a result of the application of regulation 58(2) of those regulations, and should therefore have been excluded from the procurement procedure; or
45.4.3 the Contract should not have been awarded to the Supplier in view of a serious infringement of the Purchaser’s obligations under The Public Contracts (Scotland) Regulations 2015 as amended by The Public Procurement etc. (Scotland) Amendment (EU Exit) Regulations 2020, Directive 2014/24/EU of the European Parliament, and any statutory modifications thereof; or
45.4.4 the Supplier fails to comply in the performance of the Services with any legal obligations and requirements under all applicable law, including without restriction: environmental law, social law, employment law, the Health and Safety at Work etc. Act 1974, and the Equality Act 2010.
45.5 The Supplier shall notify the Purchaser in writing immediately upon the occurrence of any of the following events:
45.6 On the occurrence of any of the events described in Clause 45.5 or, where the Supplier is an individual if the Supplier shall die or be adjudged incapable of managing his or her affairs within the meaning of the Adults with Incapacity (Scotland) Act 2000 or the Mental Health (Care and Treatment) (Scotland) Act 2003, the Purchaser shall be entitled to terminate this Contract by notice to the Supplier with immediate effect, or at such later date as the Purchaser may specify.
45.7 Notwithstanding any other rights under the Contract or otherwise in law, either Party may terminate this Contract by giving to the other Party not less than thirty (30) days’ notice in writing to that effect.
46. Consequence of Expiry or Termination
46.1 Where the Purchaser terminates the Contract under Clause 45 (Termination), the Purchaser may make other arrangements for the completion of the Services, and the Supplier shall indemnify the Purchaser against all costs thereof incurred by the Purchaser. The Purchaser shall be entitled to deduct from any amount due to the Supplier the costs thereof incurred by the Purchaser, and if the total cost to the Purchaser exceeds the amount (if any) due to the Supplier, the difference shall be recoverable by the Purchaser from the Supplier.
46.2 The termination of this Contract in accordance with Clause 45 (Termination) or its expiry shall not affect any right of action or remedy which shall have accrued or shall thereupon accrue to of either party and shall not affect the continued operation of Clauses 17 (Audit), 23 (Intellectual Property Rights), and 22 (Transfer of Undertakings (Protection and Employment)).
46.3 Following the service of a termination notice, the Supplier shall continue to perform its obligations in accordance with the provisions of this Contract until termination.
46.4 On expiry or termination of the Contract the Supplier must:
46.4.1 immediately return to the Purchaser all Purchaser Property and Purchaser Protected Information in its possession; and
46.4.2 destroy or delete any copies of Purchaser Protected Information (whether physical or electronic) in its possession.
47. Governing Law
This Contract shall be governed by and construed in accordance with Scottish law and the Supplier hereby irrevocably submits to the jurisdiction of the Scottish courts. The submission to such jurisdiction shall not (and shall not be construed so as to) limit the right of the Purchaser to take proceedings against the Supplier in any other court of competent jurisdiction, nor shall the taking of proceedings in any one or more jurisdictions preclude the taking of proceedings in any other jurisdiction, whether concurrently or not.
48. Counter Terrorism Prevent Duty
The Supplier shall throughout the period of the Contract assist the Purchaser with its statutory obligation under section 26 of the Counter-Terrorism and Security Act 2015 to have due regard to the need to prevent people from being drawn into terrorism, as reasonably required by the Purchaser.
49. Security and Data
49.1 The Supplier shall not delete or remove any proprietary notices contained within or relating to the Purchaser Data.
49.2 The Supplier shall not store, copy, disclose, or use the Purchaser Data except as necessary for the performance by the Supplier of its obligations under this Contract or as otherwise expressly authorised in writing by the Purchaser.
49.3 The Supplier shall preserve the integrity of the Purchaser Data and prevent the corruption or loss of the Purchaser Data, ensuring at all times that the relevant Purchaser Data is under its control or the control of any sub-contractor.
49.4 The Supplier shall perform secure back-ups of all Purchaser Data and shall ensure that up-to-date back-ups are stored off-site in accordance with the BCDR Plan. The Supplier shall ensure that such back-ups are available to the Purchaser (or to such other person as the Purchaser may direct) at all times upon request and are delivered to the Purchaser at such other intervals as may be agreed in writing between the Parties.
49.5 The Supplier shall ensure that any system on which the Supplier holds any Purchaser Data, including back-up data, is a secure system that complies with the Security Plan. Where appropriate, the system should reflect the Scottish Public Sector Supply Chain Cyber Security Policy for cloud-based requirements as the same may be updated from time to time.
49.6 The Supplier shall at all times when performing the Services comply with the terms of the BCDR Plan.
49.7 If any of the Purchaser Data is corrupted, lost or sufficiently degraded as a result of the Suppliers default so as to be unusable, the Purchaser may:
49.7.1 require the Supplier (at the Supplier’s expense) to restore or procure the restoration of Purchaser Data to the extent and in accordance with the requirements specified in Schedule 3 (Business Continuity and Disaster Recovery) and the Supplier shall do so as soon as practicable but not later than five (5) Working Days from the date of receipt of the Purchaser’s notice; and/or
49.7.2 itself restore or procure the restoration of Purchaser Data, and shall be repaid by the Supplier any reasonable expenses incurred in doing so to the extent and in accordance with the requirements specified in Schedule 3 (Business Continuity and Disaster Recovery).
49.8 If at any time the Supplier suspects or has reason to believe that Purchaser Data has or may become corrupted, lost or sufficiently degraded in any way for any reason, then the Supplier shall notify the Purchaser immediately and inform the Purchaser of the remedial action the Supplier will take, subject to the Purchaser’s prior written approval. The Purchaser reserves the right to demand the Supplier take any remedial action which the Purchaser considers necessary, acting reasonably, and the Purchaser shall do so as soon as practicable but not later than five (5) Working Days from the date of the Purchaser’s notice
49.9 The Supplier shall comply with the requirements of Schedule 2 (Security Management).
50. Malicious Software
50.1 The Supplier shall, as an enduring obligation throughout the Contract, use the latest versions of anti-virus definitions and software available from an industry accepted anti-virus software vendor (unless otherwise agreed in writing between the Parties) to check for, actively monitor for, contain the spread of, and minimise the impact of, Malicious Software in relation to the Purchaser’s System and the Supplier’s System.
50.2 Notwithstanding clause 0, if Malicious Software is found, the Parties shall co-operate to reduce the effect of the Malicious Software and, particularly if Malicious Software causes loss of operational efficiency or loss or corruption of Purchaser Data, assist each other to restore the Services to their desired operating efficiency.
50.3 Any cost arising out of the actions of the Parties taken in compliance with the provisions of clause 0 shall be borne by the Parties as follows:
50.3.1 by the Supplier where the Malicious Software originates from the Supplier Software, the Third Party Software supplied by the Supplier or the Purchaser Data (whilst the Purchaser Data was under the control of the Supplier) unless the Supplier can demonstrate that such Malicious Software was present and not quarantined or otherwise identified by the Purchaser when provided to the Supplier; and otherwise by the Purchaser.
51. United Nations Convention on the Rights of the Child (Incorporation) (Scotland) Act 2024 ("The 2024 Act")
51.1 Insofar as the Contract, or any part thereof, may relate to “functions of a public nature” the Supplier shall for the duration of the Contract act compatibly with the 2024 Act. During the period of the Contract, the Supplier shall produce such evidence as the Purchaser may require to satisfy the Purchaser that the Supplier has complied with this Clause.
52. Schedule 1 (Data Protection)
Data Processing provision as required by Article 28(3) of the UK GDPR.
This Schedule includes certain details of the Processing of Personal Data in connection with the Services:
Subject matter and duration of the Processing of Personal Data
The subject matter and duration of the Processing of Personal Data are:
The nature and purpose of the Processing of Personal Data
Complete relevant details.
The type of Personal Data to be Processed
Complete relevant details.
The categories of Data Subject to whom Personal Data related
Complete relevant details.
The obligations and rights of the Purchaser
The obligations and rights of the Purchaser as the Data Controller are set out in Clause 14 of the Contract.
53. Schedule 2 (Security Management)
1. Definitions
1.1 In this Schedule:
1.1.1 the following definitions shall apply:
“Security Policy Framework” means the Security Policy Framework published by the Cabinet Office as updated from time to time including any details notified by the Purchaser to the Supplier; and
“Security Tests” means both (a) tests carried out where relevant in accordance with the CHECK Scheme or to an equivalent standard to validate the Security Plan and security of all relevant processes, systems, incident response plans, patches to vulnerabilities and mitigations to Breaches of Security.
2. Security Arrangements
2.1 Both Parties shall provide a reasonable level of access to any members of their personnel for the purposes of designing, implementing and managing security in relation to the Services.
2.2 The Supplier shall ensure the up-to-date maintenance of a suitable security policy relating to the operation of its own organisation and systems and on request shall supply this document as soon as practicable to the Purchaser.
2.3 The Supplier shall comply with, implement and maintain all security measures
in all cases to the Purchaser’s reasonable satisfaction and in accordance with Good Industry Practice.
2.4 The Supplier shall notify the Purchaser promptly of any changes in its ability to meet the requirements of this Schedule 2, including any changes to certifications and accreditations.
2.5 The Supplier shall assist the Purchaser to comply with any applicable security requirements, codes, policies and practices in connection with the Services and/or this Contract.
2.6 The Supplier warrants and undertakes that it shall meet and comply with this Schedule 2 in connection with the provision of the Services and this Contract (including in respect of any certification or accreditation).
2.7 The Supplier shall on demand indemnify the Purchaser and keep the Purchaser indemnified fully against all losses, liabilities, damages, costs and expenses (including legal and other professional fees) which may arise out of, or in consequence of, a breach of the warranty in paragraph 2.6 by the Supplier or the Supplier’s Representatives.
3. Security Plan
3.1 Within twenty (20) Working Days after the commencement date, the Supplier shall prepare and submit to the Purchaser for approval in accordance with paragraph 3.3 a fully developed, complete and up-to-date Security Plan which shall comply with the requirements of paragraph 3.2.
3.2 The Security Plan shall:
3.2.1 meet the following requirements:
[and, where not specifically addressed by (a) to (d) above, ensure that controls are in place to combat common threats as described in the [Cyber Essentials scheme (such as the “5 technical controls”).]
3.2.2 at all times provide a level of security which:
3.2.3 document the security incident management processes and incident response plans applicable to the Services;
3.2.4 document the vulnerability management policy including processes for identification of system vulnerabilities and assessment of the potential impact on the Services of any new threat, vulnerability or exploitation technique of which the Supplier becomes aware, prioritisation of security patches, testing of security patches, application of security patches, a process for Purchaser approvals of exceptions, and the reporting and audit mechanism detailing the efficacy of the patching policy;
3.2.5 identify the necessary delegated organisational roles defined for those responsible for ensuring this Schedule is complied with by the Supplier;
3.2.6 detail the process for managing any security risks from sub-contractors and third parties authorised by the Purchaser with access to the Services, processes associated with the delivery of the Services, the Purchaser Property, the Premises, the Supplier’s System, the Purchaser’s System (to the extent that it is under the control of the Supplier) and any IT, information and data (including the Purchaser Confidential Information and the Purchaser Data) and any system that could directly or indirectly have an impact on that information, data and/or the Services;
3.2.7 unless otherwise specified by the Purchaser in writing, be developed to protect all aspects of the Services and all processes associated with the delivery of the Services, including the Purchaser Property, the Premises , the Supplier’s System, the Purchaser’s System (to the extent that it is under the control of the Supplier) and any IT, information and data (including the Purchaser Confidential Information and the Purchaser Data) to the extent used by the Purchaser or the Supplier in connection with this Contract or in connection with any system that could directly or indirectly have an impact on that information, data and/or the Services;
3.2.8 set out the security measures to be implemented and maintained by the Supplier in relation to all aspects of the Services and all processes associated with the delivery of the Services and at all times comply with and specify security measures and procedures which are sufficient to ensure that the Services comply with the provisions of this Schedule;
3.2.9 cross reference, if necessary, other Schedules which cover specific areas included within security standards and requirements which the Supplier is required to meet under this Contract;
3.2.10 be written in plain English in language which is readily comprehensible to the staff of the Supplier and the Purchaser engaged in the Services and shall reference only documents which are in the possession of the Parties or whose location is otherwise specified in this Schedule; and
3.2.11 be in accordance with the Security Policy Framework.
3.3 The Supplier shall update the Security Plan in accordance with any comments from the Purchaser, and shall review and revise the Security Plan regularly (or as per such other time period as agreed between the Parties) all in accordance with paragraph 4 (such updates shall incorporate any comments received from the Purchaser).
3.4 The Supplier shall deliver all Services in accordance with the Security Plan.
4. Amendment and Revision of the Security Plan
4.1 The Security Plan shall be fully reviewed and updated by the Supplier regularly to reflect:
4.1.1 emerging changes in Good Industry Practice;
4.1.2 any change or proposed change to the IT Environment, the Services and/or associated processes;
4.1.3 any new perceived or changed security threats; and
4.1.4 any reasonable change in requirement requested by the Purchaser.
4.2 The Supplier shall provide the Purchaser with the results of such reviews as soon as reasonably practicable after their completion and amend the Security Plan at no additional cost to the Purchaser. The results of the review shall include, without limitation:
4.2.1 suggested improvements to the effectiveness of the Security Plan;
4.2.2 updates to the risk assessments;
4.2.3 proposed modifications to respond to events that may impact on the Security Plan including the security incident management process, incident response plans and general procedures and controls that affect information security; and
4.2.4 suggested improvements in measuring the effectiveness of controls.
4.3 Subject to paragraph 3.1 any change which the Supplier proposes to make to the Security Plan (as a result of a review carried out pursuant to paragraph 4.1, a Purchaser request, a change to Service Specification, or otherwise) shall be subject to the Purchaser’s prior written approval.
5. Security Testing
5.1 The Supplier shall conduct relevant Security Tests from time to time (not less frequently than annually). Security Tests shall be designed and implemented by the Supplier so as to minimise the impact on the delivery of the Services and the date, timing, content and conduct of such Security Tests shall be agreed in advance with the Purchaser. Subject to compliance by the Supplier with the foregoing requirements, if any Security Tests adversely affect the Supplier’s ability to deliver the Services so as to meet the Key Performance Indicators, if applicable, the Supplier shall be granted relief against any resultant under-performance for the period of the Security Tests.
5.2 The Supplier shall provide the Purchaser with the results of such tests (in a form approved by the Purchaser in advance) as soon as practicable after completion of each Security Test.
5.3 Where any Security Test carried out reveals any actual or potential Breaches of Security or weaknesses (including un-patched vulnerabilities, poor configuration and/or incorrect system management), the Supplier shall promptly notify the Purchaser of any changes to the Security Plan (and the implementation thereof) which the Supplier proposes to make in order to correct such failure or weakness. Subject to the Purchaser's prior written approval, the Supplier shall implement such changes to the Security Plan and repeat the relevant Security Tests in accordance with the timetable agreed with the Purchaser or, otherwise, as soon as reasonably possible. For the avoidance of doubt, where the change to the Security Plan is to address a non-compliance with the security requirements (as set out in the Service Specification) and/or elsewhere in the Contract) or the requirements of this Schedule, the change to the Security Plan shall be at no cost to the Purchaser.
5.4 If any repeat Security Test carried out pursuant to paragraph 5.3 reveals actual or potential Breaches of Security exploiting the same root cause failure, such circumstance shall be deemed to constitute a material breach that is capable of remedy.
6. Security Plan Compliance, Information and Audit
6.1 Promptly upon request, the Supplier shall provide to the Purchaser such information and records in connection with the Supplier’s obligations under this Schedule 2 as the Purchaser may request.
6.2 The Purchaser shall be entitled to carry out such security audits as it may reasonably deem necessary in order to:
6.2.1 ensure that the Security Plan maintains compliance with the requirements and standards set out at paragraph 3.2 (Security Plan) of this Schedule 2 and the Baseline Security Requirements;
6.2.2 ascertain the impact of any Breaches of Security;
6.2.3 review and verify the integrity, confidentiality and security of any data relating to this Contract; and/or
6.2.4 review the Supplier's and/or any sub-contractor’s compliance with its obligations under this Schedule 2.
6.3 The Supplier shall (and shall ensure that any sub-contractor shall) provide the Purchaser, its agents and representatives with all reasonable co-operation and assistance in relation to audits, including but not limited to:
6.3.1 all data and/or records requested by the Purchaser;
6.3.2 access to any relevant premises and to any equipment owned/controlled by the Supplier, any associated or group company and any sub-contractor and, where such premises and/or equipment are out with the control of the Supplier, shall secure sufficient rights of access for the Purchaser, its agents and representatives as are necessary to allow audits to take place; and
6.3.3 access to any relevant individuals.
6.4 If, on the basis of evidence provided by such audits, it is the Purchaser's reasonable opinion that compliance with the security requirements of this Schedule 2 and the rest of the Contract and/or the Baseline Security Requirements is not being achieved by the Supplier, then the Purchaser shall notify the Supplier of the same and give the Supplier a reasonable time (having regard to the extent and criticality of any non-compliance and any other relevant circumstances) to implement any necessary remedy. If the Supplier does not become compliant within the required time, then the Purchaser shall have the right to obtain an independent audit against these requirements and standards in whole or in part.
6.5 If, as a result of any such independent audit as described in paragraph 6.2 the Supplier is found to be non-compliant with the security requirements of this Schedule 2 and/or the rest of the Contract and/or the Baseline Security Requirements, then the Supplier shall, at its own expense, immediately undertake those actions required in order to achieve the necessary compliance and shall reimburse in full the costs incurred by the Purchaser in obtaining such audit.
7. Breach of Security
7.1 Each Party shall promptly notify the other in accordance with the agreed security incident management process as defined by the Security Plan upon becoming aware that any Breaches of Security or attempted or potential Breaches of Security has or may have taken place.
7.2 Without prejudice to the security incident management process, upon becoming aware of any of the circumstances referred to in paragraph 7, the Supplier shall:
7.2.1 immediately take all reasonable steps (which shall include any action or changes reasonably required by the Purchaser) necessary to:
7.2.2 investigate the Breaches of Security or attempted or potential Breaches of Security completely and promptly and as soon as reasonably practicable provide to the Purchaser full details (using the reporting mechanism defined by the Security Plan) of the Breaches of Security or attempted or potential Breaches of Security, including a root cause analysis where required by the Purchaser.
7.3 If any action is taken in response to any Breaches of Security or potential or attempted Breaches of Security that demonstrates non-compliance of the Security Plan with the Baseline Security Standards or the requirements of this Schedule, then any required change to the Security Plan shall be at no cost to the Purchaser.
7.4 Following any of the circumstances referred to in paragraph 7, the Supplier shall:
8. Vulnerabilities and Corrective Action
8.1 The Purchaser and the Supplier acknowledge that from time to time vulnerabilities in the Purchaser’s System, the Supplier’s System and the Services will be discovered which unless mitigated will present an unacceptable risk to the Purchaser’s information, including Purchaser Data.
8.2 The severity of threat vulnerabilities for the Services shall be categorised by using an appropriate vulnerability scoring systems including:
8.2.1 the ‘National Vulnerability Database’ ‘Vulnerability Severity Ratings’: ‘High’, ‘Medium’ and ‘Low’ respectively (these in turn are aligned to CVSS scores as set out by NIST; and/or
8.2.2 Microsoft’s ‘Security Bulletin Severity Rating System’ ratings ‘Critical’, ‘Important’, and the two remaining levels (‘Moderate’ and ‘Low’) respectively.
8.3 The Supplier shall ensure the application of security patches to vulnerabilities in a timely and prioritised manner.
8.4 The Supplier shall ensure all COTS Software is upgraded within six (6) months of the release of the latest version, such that it is no more than one major version level below the latest release (normally codified as running software no older than the ‘n-1 version’) throughout the Contract.
8.5 The Supplier shall:
8.5.1 implement a mechanism for receiving, analysing and acting upon threat information supplied by GovCertUK, or any other competent Government Body;
8.5.2 ensure that the Purchaser’s System and the Supplier’s System (to the extent within the control of the Supplier) is monitored to facilitate the detection of anomalous behaviour that would be indicative of system compromise;
8.5.3 ensure it is knowledgeable about the latest trends in threat, vulnerability and exploitation that are relevant to the Purchaser’s System, the Supplier’s System and the Services by actively monitoring the threat landscape during the Contract;
8.5.4 pro-actively scan the Purchaser’s System and the Supplier’s System (to the extent within the control of the Supplier) for vulnerable components and address discovered vulnerabilities through the processes described in the Security Plan as developed under paragraph 3.2.1;
8.5.5 from the date specified in the Security Plan, provide a report to the Purchaser within five (5) Working Days of the end of each month detailing both patched and outstanding vulnerabilities in the Purchaser’s System and the Supplier’s System (to the extent within the control of the Supplier) and any elapsed time between the public release date of patches and either time of application or for outstanding vulnerabilities the time of issue of such report;
8.5.6 propose interim mitigation measures to vulnerabilities in the Purchaser’s System, and the Supplier’s System known to be exploitable where a security patch is not immediately available;
8.5.7 remove or disable any extraneous interfaces, services or capabilities that are not needed for the provision of the Services (in order to reduce the attack surface of the Purchaser’s System and the Supplier’s System); and
8.5.8 inform the Purchaser when it becomes aware of any new threat, vulnerability or exploitation technique that has the potential to affect the security of the Services, the Purchaser’s System and the Supplier’s System and provide initial indications of possible mitigations.
8.6 If the Supplier is unlikely to be able to mitigate the vulnerability within a timely manner under paragraph 8, the Supplier shall immediately notify the Purchaser.
9. Breach of Security Requirements
9.1 A breach of this Schedule 2 by the Supplier is a material breach for the purposes of Condition 19.2.
9.2 If the Supplier fails to comply with the provisions of this Schedule 2, the Purchaser may take any action it considers appropriate or necessary (and the Supplier shall comply with the Purchaser’s requests in this respect), including:
54. Schedule 3 (Business Continuity and Disaster Recovery)
1. BCDR Plan
1.1 Within sixty (60) Working Days from the commencement date the Supplier shall prepare and deliver to the Purchaser for the Purchaser’s written approval a plan, which shall detail the processes and arrangements that the Supplier shall follow to:
1.1.1 ensure continuity of the business processes and operations supported by the Services following any failure or disruption of any element of the Services; and
1.1.2 the recovery of the Services in the event of a Disaster.
1.2 The BCDR Plan shall:
1.2.1 be divided into three parts:
1.2.2 unless otherwise required by the Purchaser in writing, be based upon and be consistent with the provisions of paragraphs 2, 3 and 4.
1.3 Following receipt of the draft BCDR Plan from the Supplier, the Purchaser shall:
1.3.1 review and comment on the draft BCDR Plan as soon as reasonably practicable; and
1.3.2 notify the Supplier in writing that it approves or rejects the draft BCDR Plan no later than twenty (20) Working Days after the date on which the draft BCDR Plan is first delivered to the Purchaser.
1.4 If the Purchaser rejects the draft BCDR Plan:
1.4.1 the Purchaser shall inform the Supplier in writing of its reasons for its rejection; and
1.4.2 the Supplier shall then revise the draft BCDR Plan (taking reasonable account of the Purchaser's comments) and shall re-submit a revised draft BCDR Plan to the Purchaser for the Purchaser's approval within twenty (20) Working Days of the date of the Purchaser's notice of rejection. The provisions of paragraph 1.3 and this paragraph 1.4 shall apply again to any resubmitted draft BCDR Plan, provided that either Party may refer any disputed matters for resolution in accordance with the procedure outlined in Condition 24 (Dispute Resolution).
2. Part A of the BCDR Plan and General Principles and Requirements
2.1 Part A of the BCDR Plan shall:
2.1.1 set out how the business continuity and disaster recovery elements of the BCDR Plan link to each other;
2.1.2 provide details of how the invocation of any element of the BCDR Plan may impact upon the operation of the Services and any services provided to the Purchaser by a Related Supplier;
2.1.3 contain an obligation upon the Supplier to liaise with the Purchaser and (at the Purchaser's request) any Related Supplier with respect to issues concerning business continuity and disaster recovery where applicable;
2.1.4 detail how the BCDR Plan links and interoperates with any overarching and/or connected disaster recovery or business continuity plan of the Purchaser and any of its other Related Suppliers in each case as notified to the Supplier by the Purchaser from time to time;
2.1.5 contain a communication strategy including details of an incident and problem management service and advice and help desk facility which can be accessed via multi-channels (including but without limitation a web-site (with FAQs), e-mail, phone and fax) for both portable and desk top configurations, where required by the Purchaser;
2.1.6 contain a risk analysis, including:
2.1.7 provide for documentation of processes, including business processes, and procedures;
2.1.8 set out key contact details (including roles and responsibilities) for the Supplier (and any sub-contractors) and for the Purchaser;
2.1.9 identify the procedures for reverting to “normal service”;
2.1.10 set out method(s) of recovering or updating data collected (or which ought to have been collected) during a failure or disruption to ensure that there is no more than the accepted amount of data loss and to preserve data integrity;
2.1.11 identify the responsibilities (if any) that the Purchaser has agreed in writing that it will assume in the event of the invocation of the BCDR Plan; and
2.1.12 provide for the provision of technical advice and assistance to key contacts at the Purchaser as notified by the Purchaser from time to time to inform decisions in support of the Purchaser’s business continuity plans.
2.2 The BCDR Plan shall be designed so as to ensure that:
2.2.1 the Services are provided in accordance with this Contract at all times during and after the invocation of the BCDR Plan;
2.2.2 the adverse impact of any Disaster, service failure, or disruption on the operations of the Purchaser is minimal as far as reasonably possible;
2.2.3 it complies with the relevant provisions of ISO/IEC 27002, ISO/IEC 22301 and all other industry standards from time to time in force; and
2.2.4 there is a process for the management of disaster recovery testing detailed in the BCDR Plan.
2.3 The BCDR Plan shall be upgradeable and sufficiently flexible to support any changes to the Services or to the business processes facilitated by and the business operations supported by the Services.
2.4 The Supplier shall not be entitled to any relief from its obligations under the Key Performance Indicators(if applicable) or to any increase in the prices to the extent that a Disaster occurs as a consequence of any breach by the Supplier of this Contract.
3. Business Continuity Plan – Principles and Contents
3.1 The Business Continuity Plan shall set out the arrangements that are to be invoked to ensure that the business processes and operations facilitated by the Services remain supported and to ensure continuity of the business operations supported by the Services including, unless the Purchaser expressly states otherwise in writing:
3.1.1 the alternative processes (including business processes), options and responsibilities that may be adopted in the event of a failure in or disruption to the Services; and
3.1.2 the steps to be taken by the Supplier upon resumption of the Services in order to address any prevailing effect of the failure or disruption including a root cause analysis of the failure or disruption.
3.2 The Business Continuity Plan shall:
3.2.1 address the various possible levels of failures of or disruptions to the Services;
3.2.2 set out the services to be provided and the steps to be taken to remedy the different levels of failures of and disruption to the Services (such services and steps, the “Business Continuity Services”);
3.2.3 specify any applicable Key Performance Indicators with respect to the provision of the Business Continuity Services and details of any agreed relaxation to the Key Performance Indicators, if applicable, in respect of other Services during any period of invocation of the Business Continuity Plan; and
3.2.4 clearly set out the conditions and/or circumstances under which the Business Continuity Plan is invoked.
4. Disaster Recovery Plan – Principles and Contents
4.1 The Disaster Recovery Plan shall be designed so as to ensure that upon the occurrence of a Disaster the Supplier ensures continuity of the business operations of the Purchaser supported by the Services following any Disaster or during any period of service failure or disruption with, as far as reasonably possible, minimal adverse impact.
4.2 The Disaster Recovery Plan shall be invoked only upon the occurrence of a Disaster.
4.3 The Disaster Recovery Plan shall include the following:
4.3.1 the technical design and build specification of the Disaster Recovery System;
4.3.2 details of the procedures and processes to be put in place by the Supplier in relation to the Disaster Recovery System and the provision of the Disaster Recovery Services and any testing of the same including but not limited to the following:
4.3.3 any applicable Key Performance Indicators with respect to the provision of the Disaster Recovery Services and details of any agreed relaxation to the applicable Key Performance Indicators in respect of other Services during any period of invocation of the Disaster Recovery Plan;
4.3.4 details of how the Supplier shall ensure compliance with security standards ensuring that compliance is maintained for any period during which the Disaster Recovery Plan is invoked;
4.3.5 access controls to any disaster recovery sites used by the Supplier in relation to its obligations pursuant to this Schedule; and
4.3.6 testing and management arrangements.
5. Review and Amendment of the BCDR Plan
5.1 The Supplier shall review the BCDR Plan (and the risk analysis on which it is based):
5.1.1 on a regular basis and as a minimum once every six (6) months or as part of a major reconfiguration of the Services or the Supplier’s supply chain;
5.1.2 within three (3) calendar months of the BCDR Plan (or any part) having been invoked pursuant to paragraph 7; and
5.1.3 where the Purchaser requests any additional reviews (over and above those provided for in paragraphs 5.1.1 and 5.1.2) by notifying the Supplier to such effect in writing, whereupon the Supplier shall conduct such reviews in accordance with the Purchaser's written requirements. Prior to starting its review, the Supplier shall provide an accurate written estimate of the total costs payable by the Purchaser for the Purchaser’s approval. The costs of both Parties of any such additional reviews shall be met by the Purchaser except that the Supplier shall not be entitled to charge the Purchaser for any costs that it may incur above any estimate without the Purchaser’s prior written approval. 5.2 Each review of the BCDR Plan pursuant to paragraph 5.1 shall be a review of the procedures and methodologies set out in the BCDR Plan and shall assess their suitability having regard to any change to the Services or any underlying business processes and operations facilitated by or supported by the Services which have taken place since the later of the original approval of the BCDR Plan or the last review of the BCDR Plan and shall also have regard to any occurrence of any event since that date (or the likelihood of any such event taking place in the foreseeable future) which may increase the likelihood of the need to invoke the BCDR Plan. The review shall be completed by the Supplier within the period required by the BCDR Plan or, if no such period is required, within such period as the Purchaser shall reasonably require. The Supplier shall, within twenty (20) Working Days of the conclusion of each such review of the BCDR Plan, provide to the Purchaser a report (a “Review Report”) setting out:
5.2.1 the findings of the review;
5.3 Following receipt of the Review Report and the Supplier’s Proposals, the Purchaser shall:
5.3.1 review and comment on the Review Report and the Supplier’s Proposals as soon as reasonably practicable; and
5.3.2 notify the Supplier in writing that it approves or rejects the Review Report and the Supplier’s Proposals no later than twenty (20) Working Days after the date on which they are first delivered to the Purchaser.
5.4 If the Purchaser rejects the Review Report and/or the Supplier’s Proposals:
5.4.1 the Purchaser shall inform the Supplier in writing of its reasons for its rejection; and
5.4.2 the Supplier shall then revise the Review Report and/or the Supplier’s Proposals as the case may be (taking reasonable account of the Purchaser's comments and carrying out any necessary actions in connection with the revision) and shall re-submit a revised Review Report and/or revised Supplier’s Proposals to the Purchaser for the Purchaser's approval within twenty (20) Working Days of the date of the Purchaser's notice of rejection. The provisions of paragraph 5.3 and this paragraph 5.4 shall apply again to any resubmitted Review Report and Supplier’s Proposals, provided that either Party may refer any disputed matters for resolution in accordance with the procedure outlined in Condition24 (Dispute Resolution).
5.5 The Supplier shall as soon as is reasonably practicable after receiving the Purchaser's approval of the Supplier’s Proposals (having regard to the significance of any risks highlighted in the Review Report) effect any change in its practices or procedures necessary so as to give effect to the Supplier’s Proposals. Any such change shall be at the Supplier’s expense unless it can be reasonably shown that the changes are required because of a material change to the risk profile of the Services.
6. Testing of the BCDR Plan
6.1 The Supplier shall test the BCDR Plan on a regular basis (and in any event not less than once every year). Subject to paragraph 6.2, the Purchaser may require the Supplier to conduct additional tests of some or all aspects of the BCDR Plan at any time where the Purchaser considers it necessary, including where there has been any change to the Services or any underlying business processes, or on the occurrence of any event which may increase the likelihood of the need to implement the BCDR Plan.
6.2 If the Purchaser requires an additional test of the BCDR Plan, it shall give the Supplier written notice and the Supplier shall conduct the test in accordance with the Purchaser's requirements and the relevant provisions of the BCDR Plan. The Supplier’s costs of the additional test shall be borne by the Purchaser unless the BCDR Plan fails the additional test in which case the Supplier’s costs of that failed test shall be borne by the Supplier.
6.3 The Supplier shall undertake and manage testing of the BCDR Plan in full consultation with the Purchaser and shall liaise with the Purchaser in respect of the planning, performance, and review, of each test, and shall comply with the reasonable requirements of the Purchaser in this regard. Each test shall be carried out under the supervision of the Purchaser or its nominee.
6.4 The Supplier shall ensure that any use by it or any sub-contractor of “live” data in such testing is first approved with the Purchaser. Copies of live test data used in any such testing shall be (if so, required by the Purchaser) destroyed or returned to the Purchaser on completion of the test.
6.5 The Supplier shall, within twenty (20) Working Days of the conclusion of each test, provide to the Purchaser a report setting out:
6.5.1 the outcome of the test;
6.5.2 any failures in the BCDR Plan (including the BCDR Plan's procedures) revealed by the test; and
6.5.3 the Supplier’s proposals for remedying any such failures.
6.6 Following each test, the Supplier shall take all measures requested by the Purchaser, (including requests for the re-testing of the BCDR Plan) to remedy any failures in the BCDR Plan and such remedial activity and re-testing shall be completed by the Supplier, at no additional cost to the Purchaser, by the date reasonably required by the Purchaser and set out in such notice.
6.7 For the avoidance of doubt, the carrying out of a test of the BCDR Plan (including a test of the BCDR Plan’s procedures) shall not relieve the Supplier of any of its obligations under this Contract.
6.8 The Supplier shall also perform a test of the BCDR Plan in the event of any major reconfiguration of the Services or as otherwise reasonably requested by the Purchaser.
7. Invocation of the BCDR Plan
In the event of a complete loss of service or in the event of a Disaster, the Supplier shall immediately invoke the BCDR Plan (and shall inform the Purchaser promptly of such invocation along with the anticipated maximum period of outage). In all other instances the Supplier shall invoke or test the BCDR Plan only with the prior written consent of the Purchaser.