Policy on Information Security and Data Protection

As a recruitment company, Altrix processes personal data in relation to its own staff, work-seekers and individual client contacts. It is vitally important that we abide by the principles of the Data Protection Act 1998 set out below.

Altrix holds data on individuals for the following general purposes:

• Staff Administration
• Advertising, marketing and public relations
• Accounts and records
• Administration and processing of work-seekers’ personal data for the purposes of work-finding services

The Data Protection Act 1998 requires Altrix as data controller to process data in accordance with the principles of data protection. These require that data shall be: –

1. Fairly and lawfully processed
2. Processed for limited purposes
3. Adequate, relevant and not excessive
4. Accurate
5. Not kept longer than necessary
6. Processed in accordance with the data subjects rights
7. Kept securely
8. Not transferred to countries outside the European Economic Area without adequate protection.

Personal data means data which relates to a living individual who can be identified from the data or from the data together with other information, which is in the possession of or is likely to come into possession of, Altrix.

Processing means obtaining, recording or holding the data or carrying out any operation or set of operations on the data. It includes organising, adapting and amending the data, retrieval, consultation and use of the data, disclosing and erasure or destruction of the data. It is difficult to envisage any activity involving data which does not amount to processing. It applies to any processing that is carried out on computer including any type of computer however described, main frame, desktop, laptop, palm top etc.

Data should be reviewed on a regular basis to ensure that it is accurate, relevant and up to date and those people listed in the appendix shall be responsible for doing this.

Data may only be processed with the consent of the person whose data is held. Therefore, if they have not consented to their personal details being passed to a third party this may constitute a breach of the Data Protection Act 1998. By instructing Altrix to look for work and providing us with personal data contained in a CV, work-seekers will be giving their consent to processing their details for work-finding purposes. If you intend to use their data for any other purpose you must obtain their specific consent.

However, caution should be exercised before forwarding personal details of any of the individuals on which data is held to any third party such as past, current or prospective employers; suppliers; customers and clients; persons making an enquiry or complaint and any other third party.

Data in respect of the following is “sensitive personal data” and any information held on any of these matters MUST not be passed on to any third party without the express written consent of the individual:

• Any offence committed or alleged to be committed by them
• Proceedings in relation to any offence and any sentence passed
• Physical or mental health or condition
• Racial or ethnic origins
• Sexual life
• Political opinions
• Religious beliefs or beliefs of a similar nature
• Whether someone is a member of a trade union

From a security point of view, only those staff listed in the appendix should be permitted to add, amend or delete data from the database. However all staff are responsible for notifying those listed where information is known to be old, inaccurate or out of date. In addition, all employees should ensure that adequate security measures are in place. For example:

• Computer screens should not be left open by individuals who have access to personal data
• Passwords should not be disclosed
• Email should be used with care
• Personnel files and other personal data should be stored in a place in which any unauthorised attempts to access them will be noticed. They should not be removed from their usual place of storage without good reason
• Personnel files should always be locked away when not in use and, when in use, should not be left unattended
• Any breaches of security should be treated as a disciplinary issue
• Care should be taken when sending personal data in internal or external mail
• Destroying or disposing of personal data counts as processing. Therefore care should be taken in the disposal of any personal data to ensure that it is appropriate. For example, it would have been more appropriate to shred sensitive data than merely to dispose of it in the dustbin.

It should be remembered that the incorrect processing of personal data, e.g. sending an individual’s details to the wrong person, allowing unauthorised persons access to personal data, or sending information out for purposes for which the individual did not give their consent, may give rise to a breach of contract and/or negligence leading to a claim against Altrix for damages from an employee, work-seeker or client contact. A failure to observe the contents of this policy will be treated as a disciplinary offence.

Data subjects, i.e. those on whom personal data is held, are entitled to obtain access to their data on request and after payment of a fee. All requests to access data by data subjects, i.e. staff, members, customers or clients, suppliers, students etc, should be referred to James Lock, CEO, or Nousheen Bangee, Operations Manager, whose details are also listed on the appendix to this policy.

Any requests for access to a reference given by a third party must be referred to James Lock, CEO, and Nousheen Bangee, Operations Manager, and should be treated with caution even if the reference was given in relation to the individual making the request. This is because the person writing the reference also has a right to have their personal details handled in accordance with the Data Protection Act 1998 and not disclosed without their consent. Therefore, when taking up references, an individual should always be asked to give their consent to the disclosure of the reference to a third party and/or the individual who is the subject of the reference if they make a subject access request. However, if they do not consent then consideration should be given as to whether the details of the individual giving the reference can be deleted so that they cannot be identified from the content of the letter. If so the reference may be disclosed in an anonymised form.

Finally, it should be remembered that all individuals have the following rights under the Human Rights Act 1998 and in dealing with personal data these should be respected at all times:

• Right to respect for private and family life [Article 8]
• Freedom of thought, conscience and religion [Article 9]
• Freedom of expression [Article 10]
• Freedom of assembly and association [Article 11]
• Freedom from discrimination [Article 14]

Agreed Terms

1. Interpretation

1. The following definitions and rules of interpretation apply in this agreement.

2. Definitions

Access:

the provision by Altrix to You of the relevant user details including passwords, log in, usernames that You will require to be able to access The Platform.

Altrix:

ALTRIX TECHNOLOGY LIMITED incorporated and registered in England and Wales with company number 11305963 whose registered office is at 3 Copthall Avenue London EC2R 7BH.

Assignment:

means the acceptance and performance of Your Services for the Client for the period set out in the Shift.

Business Day:

a day other than a Saturday, Sunday or public holiday, when banks in London are open for business.

Client:

means the party that has agreed to provide the Shifts to the Platform for You to be assigned to in accordance with these terms and conditions.

Compliance Criteria:

Such compliance requirements required by the Client as notified to us from time to time that You must comply with in order to provide Your Services, including presenting to Altrix your:
– NMC pin
– DBS Certificate
– Valid Passport
– National Insurance
– Indemnity Insurance
– Photo for ID

Details of the Shift:

all information associated with the Shift including: location, hourly rate, hours required, ward, point of contact for the shift, unique invoice reference, unique shift reference.

Engage:

the employment of You by the Client directly or indirectly other than through Altrix (whether for a definite or indefinite period) as a direct result of Altrix’s provision of You to the Client. The terms Engaged or Engagement shall be
construed accordingly.

Data Protection Legislation:

(i) the General Data Protection Regulation (EU) 2016/679) (GDPR) and any national implementing laws, regulations and secondary legislation, as amended or updated from time to time in the UK and (ii) any successor legislation to the
GDPR or the Data Protection Act 1998.

Losses:

means all losses, liabilities, damages, costs, expenses whether direct or indirect including but not limited to: loss of profits; loss of sales or business; loss of agreements; any indirect or consequential loss; loss of or damage to
goodwill; loss of use or corruption of software, data or information.

The Platform:

Altrix’s online platform that hosts and provides the following information and services:
1) the Shift;
2) details of the Client;
3) Details of the Shift;
4) Your Profile;
5) Support.

Shift:

an available nursing shift(s) details of which the Client uploads to The Platform from time to time in accordance with the terms agreed between Altrix and the Client.

Support:

– a telephone help desk (operating 24 hours a day) to provide first-line technical support to users of the Platform to assist the Client with general enquiries;
– Remote diagnosis of any problems with the Platform and, where possible and as soon as reasonably practicable, correction of such faults.

Territory:

the United Kingdom.

Timesheet:

the document that records the number of hours worked by You at the Clients premises during an Assignment. This document must contain the unique vacancy reference number and be signed off at the end of each vacancy by the Client or
person authorised by the Client and sent to Altrix as evidence for payment of Your Fees.

Unsuitable:

means, in the opinion of Altrix and/or the Client You cease to have the appropriate skills or qualifications to comply with the Compliance Criteria or cease to hold a right to work in the Territory.

Vacancy Notice:

an Shift that is terminated by the Client must be notified to The Platform and the Nurse who has accepted the Assignment with at least 2 hours’ notice.

VAT:

value added tax chargeable under the Value Added Tax Act 1994.

You:

an individual that has agreed to these terms and conditions. Such individual has been Screened and supplied by Altrix to The Platform to provide the services for the Client as advertised in the Shift. Your/Yours shall be construed
accordingly.

Your Fees:

the fees payable to You by Altrix for Your Services provided during the Assignment as set out in the Shift. The currency of your fees will be pounds sterling.

Your Profile:

your user profile that is available once you have Access to the Platform. Your profile can be viewed by You and Altrix only, unless Altrix is audited by the Client whereby Altrix will conform with clause 13. Your profile will contain:
a) your Compliance Criteria information and Screening information;
b) your Timesheets;
c) your Assignment history;
d) your Payment history;

Your Services:

means the band 5 nursing services required and performed by You during each Assignment.

1. A reference to writing or written includes email subject to satisfactory proof of dispatch to the correct address but not fax.
2. Any obligation on a party not to do something includes an obligation not to allow that thing to be done.

3. Altrix’s obligations

1. Altrix shall:
   1. Provide You with Access to the Platform and Support.
   2. Use reasonable endeavours to promptly pay Your fees in accordance with clause 5.
   3. Use all reasonable endeavours to ensure the availability of The Platform (save that (i) Altrix makes no representation as to minimum uptime of the Platform, and (ii) nothing shall prevent Altrix from carrying out necessary
      development, remedial or maintenance work in respect of the Platform, albeit Altrix will endeavour to provide You with reasonable notice of any such works).
2. Altrix makes no representation to the Client as to (i) the suitability of You for any Shift, and/or (ii) Your clinical ability.
3. Altrix makes no representation to You as to: (i) the Client, and/or (ii) the suitability of the Client for You, and/or (iii) the suitability of the Shift for You.

4. Your obligations

You shall:

1. Co-operate with Altrix in all matters relating to this agreement.
2. Only use the Platform in connection with a Shift, including trying to find a Shift;
3. Not use the Platform to do anything for which the Platform is not designed, or would be unlawful or improper. Ensure the correct and proper use of The Platform at all times.
4. Not share Your Access details with anyone else without written consent of Altrix.
5. Ensure the details, documents and certificates requested by Altrix are complete, valid, accurate and not misleading;
6. Promptly deal with the expiry of any of the Compliance Criteria documents when notified by the Platform and notify Altrix immediately without delay if You become aware of your Unsuitability or become subject to any inquiry,
   investigation or proceedings that may lead to your Unsuitability.
7. Take out and maintain adequate insurance for Your Services at the Client’s premises during each Assignment;
8. Attend any Assignment that You accept on the Platform,
9. In the event You become aware that You will not be able to attend the Assignment for whatever reason, immediately register your inability to attend on the Platform.
10. Ensure you present Your Timesheet to the Client promptly at the end of each Assignment. Altrix cannot arrange payment of Your Fees without this.
11. Cooperate with the Client in relation to the provision of Your Services and comply with any policies and/or procedures that the Client has and informs you of.
12. Provide Your Services with reasonable diligence, skill and care.
13. Immediately notify Altrix of any Engagement you receive from the Client during the course of an Assignment or whilst you have Access to Altrix.
14. Comply with all applicable laws, regulations, codes and sanctions relating to anti-bribery and anti-corruption including but not limited to the Bribery Act 2010.

5. Fees, Payment and Vat

1. At the end of each Assignment You will provide Altrix with Your Timesheet that has been approved, in writing, by the Client.
2. Altrix will use reasonable endeavours to arrange for Your Fees to be paid in full cleared funds, into the Umbrella Company’s bank account You have specified in Your Profile within 24 hours of receiving approved Your Timesheet.
3. Altrix will not be responsible for any errors in the information You have provided that may cause delays in payment of Your Fees.
4. You understand that Altrix will not be in a position to pay Your fees without an approved Timesheet that has been signed off by the Client.
5. For the avoidance of doubt, no fee shall be payable in accordance with this agreement in respect of any period during which Your Services are not provided.
6. If you dispute the amount paid by Altrix in relation to any Assignment you must notify Altrix within 7 days of receiving Your Fees and You will cooperate with any request by Altrix for any information relating to the Assignment that
   it may require to investigate any disputed payment.
7. Altrix will not be responsible to You or any third party for any delay in paying Your Fees where the reason for the delayed payment is beyond Altrix’s control.
8. Time for payment of Your fees will not be of the essence.
9. You will bear your own expenses incurred in the course of an Assignment unless an expense(s) has been agreed in advance by the Client and recorded on your Timesheet.

6. Status

1. This agreement is not a contract of employment.
2. The relationship of You to Altrix and/or the Client will be that of an independent self-employed contractor and nothing in this agreement shall render You an employee, worker, agent or partner of Altrix and/or the Client and You shall
   not hold yourself out as such.

7. Term

These terms shall apply to each and every occasion on which You use the Platform. Each Assignment shall constitute a separate and divisible contract.

8. Default and early termination

1. Without affecting any other right or remedy available to it, either party may terminate this agreement with immediate effect by giving written notice to the other if:
   1. either party commits a material breach of any term of this agreement and (if such a breach is remediable) fails to remedy that breach within 10 Business days of receipt of notice in writing to do so.
2. Without affecting any other right or remedy available to You, You may terminate this agreement with immediate effect by giving written notice to Altrix if:
   1. Altrix fails to pay any amount due under this agreement on the due date for payment and remains in default more than 14 days after being notified in writing to make such payment.
   2. Altrix is dissolved, a petition is made to wind up Altrix, Altrix suspends or threatens to suspend payment of its debts as they fall due or admits inability to pay its debts or (being a company) is deemed unable to pay its
      debts within the meaning of section 123 of the Insolvency Act 1986 or Altrix ceases to carry on its business.
3. Without affecting any other right or remedy available to it, Altrix may terminate this agreement with immediate effect by giving written notice to You if:
   1. You become Unsuitable for Your Services;
   2. It comes to Altrix’s attention that You have previously failed to attend an Assignment once accepted more than twice in the previous three calendar months;
   3. The Client ends the Assignment with You because, in the Client’s reasonable opinion, You are not performing Your Services with reasonable, diligence, skill and care, including but not limited to complying with any of the
      Client’s policies or procedures.

9. Consequences of termination

1. On termination or expiry of this agreement:
   1. Altrix shall pay to You your due but outstanding unpaid fees (if any) in respect of Your Services save in circumstances whereby the Assignment has been terminated by us pursuant to clause 8.1.1 or 8.3.;
   2. Altrix will disable Your Access to The Platform.
2. Any provision of this agreement that expressly or by implication is intended to come into or continue in force on or after termination or expiry of this agreement shall remain in full force and effect.
3. Termination or expiry of this agreement shall not affect any rights, remedies, obligations or liabilities of the parties that have accrued up to the date of termination or expiry, including the right to claim damages in respect of any
   breach of the agreement which existed at or before the date of termination or expiry.

10. Liability and insurance

1. Nothing in this agreement shall limit or exclude either parties liability for death or personal injury caused by its negligence, and/or for fraud or fraudulent misrepresentation.
2. Subject to clause 10.1, Altrix will not be liable to You whether in contract, tort (including negligence), for breach of statutory duty, or otherwise, arising under or in connection with this agreement for any Losses caused by the
   actions of anyone other than Altrix.
3. Subject to clause 10.1 and 10.2 Altrix’s total liability to You arising under or in connection with this agreement, whether in contract, tort (including negligence), breach of statutory duty, or otherwise, will be limited to the
   lesser of (i) the insurance cover it has obtained in respect of its own legal liability, and (ii) the aggregate of Your Fees paid by Altrix to You in the 12-month period (or part thereof) prior to the occurrence of the issue giving
   rise to the liability.
4. You shall indemnify Altrix for all Losses suffered as a result of Your actions that are in contravention of these terms or in breach of any applicable law or regulatory rules to which You are subject.
5. You shall maintain adequate insurance(s) at all times in respect of Your Services.

11. Intellectual property rights

1. Altrix grants to You a non-exclusive, nontransferrable licence to use the Platform solely in connection with this agreement.
2. All intellectual property rights in or arising out of or in connection with the Platform or otherwise under this agreement (other than intellectual property rights in any materials provided by You) will be owned by Altrix.
3. You agree to grant Altrix a fully paid-up, nonexclusive, royalty-free, non-transferable licence to copy and modify any materials provided by You to Altrix for the term of this agreement for the purpose of providing the Services to
   You.

12. Confidentiality

1. Each party undertakes that it shall not at any time during this agreement, and for a period of five years after termination of this agreement, disclose to any person any confidential information concerning the business, affairs,
   customers, clients or suppliers of the other party except as permitted by clause 12.2.
2. Each party may disclose the other party’s confidential information:
   1. to its employees, officers, representatives or advisers who need to know such information for the purposes of carrying out the party’s obligations under this agreement. Each party shall ensure that its employees, officers,
      representatives or advisers to whom it discloses the other party’s confidential information comply with this clause 12; and
   2. as may be required by law, a court of competent jurisdiction or any governmental or regulatory authority.
3. No party shall use any other party’s confidential information for any purpose other than to perform its obligations under or in connection with this agreement.
4. You will comply with all of the Client’s terms and conditions relating to confidential information.

13. Data protection

1. Altrix will collect and process information relating to You in accordance with its privacy policy and notice in force from time to time.
2. The parties agree that for the purposes of the Data Protection Legislation, Altrix is the data controller and processor.
3. Altrix shall, in relation to any Personal Data (as defined in the Data Protection Legislation) processed in connection with the performance of this agreement:
   1. process that Personal Data only on the written instructions of you, unless Altrix is required by any applicable laws to otherwise process that Personal Data.
   2. ensure that it has in place appropriate technical and organisational measures, to protect against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data
      appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected.
   3. ensure that all personnel who have access to and/or process Personal Data are obliged to keep the Personal Data confidential.
   4. not transfer any Personal Data outside of the European Economic Area unless Your prior written consent has been obtained.
   5. Notify You without undue delay on becoming aware of a Personal Data breach;
   6. Upon a request from You in writing, delete or return Personal Data and copies thereof to the Customer on termination of the agreement unless required by Applicable Law to store the Personal Data;
   7. Maintain complete and accurate records and information to demonstrate its compliance with this clause 13;
   8. Indemnify You against any loss or damage suffered by You in relation to any breach by Altrix of its obligations under this clause 13.
   9. You consent to Altrix appointing the Client as a third-party processor of Personal Data under this agreement. Altrix confirms that it has entered into a written agreement with the Client incorporating terms which are
      substantially similar to those set out in this clause 13.

14. Notices

1. A notice given to a party under or in connection with this agreement shall be in writing and shall be:
   1. delivered by hand or by pre-paid firstclass post or other next working day delivery service at its registered office (if a company) or its principal place of business (in any other case).
2. Any notice or communication shall be deemed to have been received:
   1. if delivered by hand, on signature of a delivery receipt or at the time the notice is left at the proper address;
   2. if sent by pre-paid first-class post or other next working day delivery service, at 9.00 am on the second Business Day after posting or at the time recorded by the delivery service;
   3. if sent by email, at 9.00 am on the next Business Day after transmission following receipt of satisfactory proof of dispatch.
3. This clause does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

15. General

1. This agreement is personal to the parties and neither party may, without the prior written consent of the other assign, subcontract, novate, transfer or deal in any other manner with all or any of its rights or obligations under this
   agreement.
2. Each right or remedy of the parties under this agreement is without prejudice to any other right or remedy of that party whether under this agreement or not.
3. Neither party shall be in breach of this agreement nor liable for delay in performing, or failure to perform, any of its obligations under this agreement if such delay or failure results from events, circumstances or causes beyond its
   reasonable control.
4. This agreement constitutes the whole agreement between the parties and supersedes any previous arrangement, understanding or agreement between them relating to the subject matter of this agreement.
5. Both parties acknowledge that, in entering into this agreement it does not rely on any statement, representation, assurance or warranty of any person (whether a party to this agreement or not) other than as expressly set out in this
   agreement.
6. Nothing in this agreement is intended to, or shall be deemed to, establish any partnership or joint venture between any of the parties.
7. If any provision of this agreement is found by any court, tribunal or administrative body of competent jurisdiction to be wholly or partly illegal, invalid, void, voidable, unenforceable or unreasonable it shall, to the extent of such
   illegality, invalidity, voidness, voidability, unenforceability or unreasonableness, be deemed severable and the remaining provisions of this agreement and the remainder of such provision shall continue in full force and effect.
8. Failure or delay by a party in enforcing or partially enforcing any provision of this agreement shall not be construed as a waiver of any of its rights under this agreement.
9. No variation of this agreement shall be effective unless it is in writing and signed by the parties (or their authorised representatives).
10. The parties to this agreement do not intend that any term of this agreement shall be enforceable by virtue of this agreement (Rights of Third Parties) Act 1999 by any person that is not a party to it.
11. The formation, existence, construction, performance, validity and all aspects of this agreement and any and all matters relating to it shall be governed by English law and the parties submit to the exclusive jurisdiction of the
    English courts.

End of Terms