Staff Handbook - Policies and Procedures

1

Staff Handbook

Contents: Policies (Pages 2-88) Procedures ( Pages 89-102 )

2

Company Policies

Contents

1 2 3 4 5 6 7 8 9

Alcohol and Drug Misuse Anti-Bribery and Corruption

Data Protection

Disability

Environmental Email and Internet

Equality and Equal Opportunities

Family Friendly Policies

Fatigue 10 Fire Extinguisher 11 Health and Safety - Issued Separately 12 Medical Fitness 13 Mobile Phone and Device Policy 14 Modern Slavery and Human Trafficking 15 Quality 16 Redundancy 17 Safety Harness 18 Smoke Free 19 Safe System to Work 20 Sustainability Policy 21 Gifts, Entertainment and Hospitality

22 Timber 23 Vehicle 24 Whistle Blowing 25 Ex-offenders 26 Retirement Policy 27 Pandemic Policy

3

CHRIS SEDGEMAN SCAFFOLDING ALCOHOL AND DRUGS MISUSE POLICY We have an obligation under health and safety legislation to maintain a safe working environment for all workers and visitors to our premises. When an employee’s performance or ability to carry out their duties is affected by the misuse of alcohol or drugs we must take steps to ensure the health and safety of the employee, other employees and members of the public is not compromised. Employees also have an obligation under health and safety legislation to take reasonable care of their own health and safety and that of others who may be affected by their acts or omissions at work. 1.1 This Company is committed to upholding the highest standards of health and safety for the protection of its employees, and others who work on or visit the Company's premises or sites upon which the Company works. 1.2 Consequently, this policy statement has been issued by the Board of Directors and management. 1.3 This policy statement is to be drawn to the attention of all employees, applicants for employment, sub-contractors, agency employees and workers and visitors who come onto the Company's premises. 2 Policy objectives 2.1 The Company is aware of the serious dangers that arise as a result of persons taking unlawful substances and drinking alcohol. It has a responsibility under the law to ensure the health, safety and welfare of all employees, and must also assess the risks from any work activity and take all reasonable steps to reduce these risks. 2.2 Studies have shown that introducing a policy of random testing for drugs and alcohol can bring about a dramatic reduction in accidents and incidents of ill-health. 2.3 The company has contractual obligations to ensure that company employees working on-site in relation to particular jobs are free from the effects or withdrawal effects of alcohol or illegal or non-prescribed drugs. 2.4 Those contractual obligations are such that any employee of this company found to test positive (whether by our own testing procedure or one carried out on any site by the main contractor or any other person) under any drug or alcohol test will immediately be required to leave the site and will not be allowed to return to work at that site. Such an occurrence would also immediately affect the relationship between the customer and the company and may result in the loss of that and further contracts. 2.5 The tests establish whether the individual has at some point prior to the test taken the substance, rather than whether at the point of testing the individual's ability to work has been compromised. It is not therefore sufficient for the employee to turn up for work ready and capable. The employee must not test positive even for previous use of such substances. 2.6 The prevalence of such contractual terms is such that it is not normally practicable for a company employee to remain employed if he or she tests positive. 2.7 In any event, when an employee's performance or ability to carry out his or her duties is affected by the misuse of alcohol or drugs the company must take steps to ensure that the health and safety of the employee, other employees and members of the public is not compromised. 2.8 Employees also have an obligation under health and safety legislation to take reasonable care of their own health and safety and that of others who may be affected by their acts or omissions that work. 3 Our policies : 3.1 Consumption of alcohol and use or possession of illegal drugs at work 3.1.1 The consumption of alcoholic drinks during working hours is strictly forbidden, as is the taking of drugs (other than those prescribed or legally taken for a medical condition). This is a condition of your contract of employment. 3.1.2 Intoxication by reason of drink or drugs, and the possession of illegal drugs at work are offences that will be considered to be gross misconduct and will lead to disciplinary action and/or dismissal. 3.2 Consumption of and use or possession of illegal drugs outside work. 3.2.1 The taking of drugs (other than those prescribed or legally taken for a medical condition) is strictly forbidden. 3.3 Applicants for positions within the company, whether temporary or permanent: Company policy on drugs and alcohol testing 1 Introduction

Registered Office: Unit 2A Longrock Industrial Estate, Penzance, Cornwall. TR20 8HX Company Reg. No. 04124350 VAT Reg. No. 684598666 UTR No. 24386 09541

This is a controlled document

Alcohol and Drug Misuse Policy 24/06/24

4

3.3.1 Applicants will be required to furnish the company with a negative drug test prior to the commencement of any contract. 3.3.2 A failure to provide a negative test in accordance with 3.3.1 above will be a bar to employment by the company. 3.4 Pre-Employment and Random testing: 3.4.1 In the interests of health and safety, the Company has decided to introduce a policy of random testing for drugs and alcohol. These tests will only be carried out with employees' consent, and conducted by medically qualified persons and/or other personnel who have been trained accordingly. 3.4.2 The type of testing equipment used will be such as is appropriate in the circumstances, and the results will be assessed by laboratories that the United Kingdom Accreditation Service has authorised. 3.4.3 The results of any such test will be treated as confidential by the Company, and will not be disclosed to any person or organisation other than as required by law or for the purpose of legal proceedings. 3.4.4 The company has introduced pre-employment testing which may be completed either in-house via a trained member of staff or by an external organisation. Following the result of this test the company withholds its rights not to employ you if you fail this test. 3.5 Results 3.5.1 Donors can return to work following a negative alcohol test. A positive result for drugs or alcohol will result in the donor not to be able to return to out works and the above procedures will then be enforced. 3.5.2 Records of alcohol and drug test will be retained in the company office for a period of 10 years following the test. Records of positive will be retained indefinitely. 3.5.3 A representative will visit site / office as soon as possible of notification to carry out a test following an accident, serious incidents or suspected of being unfit through drugs or alcohol. 3.5.4 An employee whose drugs test returns as positive shall be informed that: • they have tested positive for drugs; and • they shall not undertake any work for Chris Sedgeman Scaffolding which is designated as Safety Critical Work post; and • their result shall be notified to the management. 3.6 Use of Plant/Vehicles on Site. Including working on site. 7.5.1 All work on operational sites (including the plant yard and depots), the operation of plant, commercial vehicles or crew buses and all works undertaken as Safety Critical and as such an alcohol limit of a maximum of 29 milligrams of alcohol per 100 millilitres of blood or the equivalent in urine or breath has been applied. PLEASE NOTE THIS IS BELOW HALF OF THE LIMITED ALLOWED FOR NORMAL DRIVING PURPOSES. 7.5.2 Alcohol Consumption Guidelines: To commence work with a zero or near alcohol level, employees should not consume any alcohol at all in the 12 hours before starting work, and in the 12 hours prior to that should not consume more than 5 units of alcohol. (1 unit is = to ½ pint of standard strength bear). 7.5.3 The drugs prohibited include as a minimum are listed in the appendix below. This list is not restricted to the drugs or drugs groups listed. In addition, many medicines obtained, with or without prescription, can effect performance at work and employees MUST contact Chris Sedgeman or Lynn Way to determine whether or not they should report for duty if they believe they are being adversely affected by such medications. Examples include tranquillisers, antidepressants, sleeping pills, some antihistamines for hay fever and some cough, cold or indigestion remedies. 7.5.3 Where an employee is employed on non-safety critical work (i.e., in the office), or is driving a company car, or private car on company premises in the normal course of their duties, the alcohol limit will be as laid down in the Road Traffic Act. However, the rules in relation to drugs and substance abuse remain as laid down above.

4

Disciplinary rules

4.1 It is a condition of employment that all employees accept and abide by the anti-drug and alcohol policy, and agree to the testing procedures that have been instituted. 4.2 If as a result of such testing an employee is found to have taken unlawful drugs or consumed alcohol while at work, disciplinary action will be taken that may result in the employee's dismissal. 4.3 It is a serious disciplinary offence for any employee to sell, supply, possess, distribute or take unlawful drugs. A serious disciplinary offence is also committed if an employee refuses to take a drug test when so required, without lawful excuse.

Registered Office: Unit 2A Longrock Industrial Estate, Penzance, Cornwall. TR20 8HX Company Reg. No. 04124350 VAT Reg. No. 684598666 UTR No. 24386 09541

This is a controlled document

Alcohol and Drug Misuse Policy 24/06/24

5

5

Drugs for medical purposes

5.1 This policy does not affect the taking of drugs that are prescribed for medical purposes by a qualified medical practitioner. 5.2 It will be for the employee to produce evidence to this effect if necessary. 6 Staff training and assistance 6.1 A staff awareness programme will be held to ensure that all employees are familiar with the objectives of this policy, the dangers of taking unlawful drugs or consuming alcohol while at work, and the disciplinary consequences of failing to pass a test. 6.2 Any employees who feel that they have a drug or alcohol problem should contact his or her GP for help and assistance. 6.3 What is alcohol or drug misuse? The consumption of alcohol or the use of illegal or non-prescribed drugs that affect your health, performance or the ability to carry out your duties is "misuse". 6.4 The mere use of such substances which results in a positive test as described above affects your ability to carry out your duties because you are unable to attend on particular sites and is therefore considered by the company to be misuse. 6.5 Alcohol or drug misuse can lead to: 6.5.1 sudden change in behaviour patterns 6.5.2 tendency to become confused 6.5.3 irritability 6.6.4 abnormal fluctuations in mood and energy 6.6.5 impairment of job performance 6.6.6 poor time-keeping 6.6.7 increase in short-term sickness absence 6.6.8 deterioration in relationships with other people. 6.8 If you tell us you have a problem with alcohol or drug misuse we will normally deal with the matter in confidence as a health issue. We will try to deal with cases of alcohol or drug misuse supportively, but there may be circumstances where this is not possible or appropriate. We may then use the disciplinary procedure or performance review procedure. 6.9 If conduct related to alcohol and/or drug misuse amounts to criminal conduct the disciplinary procedure may be used, and we may inform the police. 6.10 We will randomly test employees but we also reserve the right where we suspect alcohol or drug misuse to require an employee to have a medical examination, which may include tests to determine the presence of alcohol and/or drugs. 6.11 If you think your ability to carry out your duties at work may be affected by alcohol or drug misuse or for any other reason, you must tell us. You should contact Mr CJ Sedgeman. 7 Re-employment following a failed drugs test and/or dismissal. All the below is at the digression of the management and if the employee can re-apply for the existing position held. The management withholds the right to not re-employee any employee who has failed a drugs or alcohol test. If the employee is able to re-apply for his/her job, then the following procedures will apply: - 7.1 You will be asked for a fit for work note and letter from your doctor confirming you have had the relevant help to recover from your health problem. 7.2 A negative test result within the last week of re-employment/application. 7.3 The agreement of re-testing the employee, periodically, at the cost of the employee. 7.4 After the above supplied and then forwarded to our insurance company. Following confirmation that the employee is then insured to work the employee would then be re-employed. 7.5 If a positive test result does arise then the employee will then be instantly dismissed under gross misconduct and no will not be able to re-apply for another position within the company. Signed on behalf of the Board of Directors

Mr CJ Sedgeman, Managing Director

Registered Office: Unit 2A Longrock Industrial Estate, Penzance, Cornwall. TR20 8HX Company Reg. No. 04124350 VAT Reg. No. 684598666 UTR No. 24386 09541

This is a controlled document

Alcohol and Drug Misuse Policy 24/06/24

6

The following is a non-exhaustive list of the drugs that are prohibited under the Company's anti-drug policy: 1. Heroin 2. Cocaine 3. Crack 4. Ecstasy 5. LSD (Lysergic Acid Diethylamide) 6. Magic mushrooms 7. Cannabis 8. Barbiturates

9. Amphetamines 10. Tranquilisers 11. Anabolic steroids 12. Legal highs such as Methadrone 13. Propoxyphene 14. Benzadiazepines. 15. Methodone

16. Opiates 17. Alcohol

18. Tramadol 19. Ketamine 20. Other drugs classified as being harmful. Also included are variants of unlawful drugs and solvents.

I the undersigned acknowledge, that I have read, fully understand and agree with the contents of this Chris Sedgeman Scaffolding Limited Drugs and Alcohol Policy which form part of my terms and conditions of employment, staff hand book and I confirm that I will fully abide by all its requirements. Signature of acceptance of this document is detailed with the Policies and Procedures Agreement Declaration

Start Date:

21 st June 2023

Registered Office: Unit 2A Longrock Industrial Estate, Penzance, Cornwall. TR20 8HX Company Reg. No. 04124350 VAT Reg. No. 684598666 UTR No. 24386 09541

This is a controlled document

Alcohol and Drug Misuse Policy 24/06/24

ANTI-BRIBERY AND CORRUPTION POLICY Background and objectives

Anti Bribery and Corruption Policy 24-06-24 Registered Office: Unit 2A Longrock Industrial Estate, Penzance, Cornwall. TR20 8HX Company Reg. No. 04124350 VAT Reg. No. 684598666 UTR No. 24386 09541 Reasonable and proportionate hospitality, promotional business expenditure and other bona fide promotional activities that form part of an established way of doing business and are not motivated by an intention to induce the recipient to do something improper are not prohibited by the Bribery Act 2010. Assessment of the risk of bribery In order to implement effective and adequate procedures to prevent bribery it is necessary to assess the risk of bribery within our business. We have carried out a risk assessment. We are aware that as a commercial organisation in the UK we have a legal duty under the Bribery Act 2010 Section 7 to put in place adequate measures to prevent any person or body associated with us from undertaking bribery and corruption. This policy explains our commitment to the prevention of such conduct, and how we shall implement measures to put that commitment into practical effect. Our commitment We are committed to carry on our business fairly honestly and openly. We have a zero tolerance of bribery or corruption of any kind. We require all our employees to share our commitment and anyone found to have paid or been party to the payment of a bribe or who has received a bribe will be subjected to disciplinary action for gross misconduct, usually resulting in dismissal. Anyone convicted of an offence under the Bribery Act 2010 will be subjected to disciplinary action for gross misconduct, usually resulting in dismissal. Our commitment extends to all those with whom our organisation is associated in the carrying on of business and the terms upon which they are engaged. We require a similar commitment from all those with whom we are associated to zero tolerance of bribery and corruption and the implementation of appropriate measures to prevent it. The Managing Director, the Board and the senior management are all committed to the prevention of bribery and corruption. We shall regularly monitor and review the operation of this policy and the implementary procedures developed because of it. As a business we recognise that by not engaging in bribery and corruption we may lose sales to competitors that do so, but our commitment to prevention of bribery and corruption is such that we must expect and accept that this may occur. What is “bribery”? The essence of the UK law offence of bribery is that a person offers promises or gives another person a financial or other advantage that he intends to induce the other person to improperly perform a function or activity or to reward that person for such improper performance or where he knows that the acceptance of the advantage by that person is itself improper performance of a function or activity, provided that a person performing the function or activity is expected to perform it in good faith, impartially, or by performing it is in a position of trust. A function or activity is performed improperly when it is performed in breach of what a reasonable person in the UK would expect in relation to the performance of the type of function or activity involved. It is both an offence to bribe or to ask for or receive a bribe. The Bribery Act 2010 creates four offences: 1) Bribing another person. 2) Being bribed. 3) Bribing a foreign public official. 4) Failing to prevent bribery. (This offence can only be committed by corporate bodies).

We have identified that there is a risk of bribery in the following areas of our business: • Gifts, hospitality and travel expenditure; • Use of company assets for the benefit of third parties for non-business purposes; • Charitable and political donations and other corporate relations activities; • Sponsorships; • Obtaining licences, permits and regulatory clearances of any kind; Risk management procedures a) Terms and conditions of employment. It is a condition of employment of all staff and managers and directors that: "You may not promise offer or give, or cause to be promised offered or given, any form of bribe and the acceptance by you of any form of bribe is forbidden. "You also must not give or accept or arrange for a third party to give or accept, gifts entertainment or hospitality including charitable and political donations other than duly authorised by your employer’s Compliance Officer in accordance with your employer’s anti-bribery and corruption policy. Any offer to you of entertainment or hospitality or a gift or favour should be reported to your Manager and your employer’s Compliance Officer and should only be accepted when duly authorised by your employer’s Compliance Officer in accordance with your employer’s anti-bribery and corruption policy. "Any breach of your employer’s anti-bribery and corruption policy and procedures shall be treated as gross misconduct under your employer’s disciplinary procedure." b) Disciplinary Policy. Our disciplinary policy provides that any employee who “offers, gives, accepts or solicits any bribery (as defined by the Bribery Act 2010) or is party to or consents to or allows the participation of anyone else (whether an employee of the Company or not) in an act of bribery” shall be guilty of gross misconduct and liable to summary dismissal. c) Register of entertainment, hospitality, and gifts. All entertainment, hospitality and gifts shall be recorded in the company central hospitality register (however trivial). This includes all permitted acts of entertainment, hospitality and gifts by or on behalf of the Company and all entertainment, hospitality and gifts received by the Company or its employees, contractors and agents. d) Terms of Business. Our terms of business with all customers, agents, contractors and any suppliers of entertainment or hospitality are made on the express basis that: (i) The Company will not tolerate bribery in any form. (ii) Entertainment or hospitality offered or provided by or on behalf of the Company should be only be accepted on the basis that there is absolutely no expectation or implication by the Company or by any other party that anyone who is in receipt of such entertainment or hospitality will perform a function or activity other than in good faith, impartially, or in a position of trust and to the standard of what a reasonable person in the UK would expect in relation to the performance of the type of function or activity involved. • Movement of goods across borders and related activities; • Lobbying governments on policy, legislation and/or regulation.

Anti Bribery and Corruption Policy 24-06-24 Registered Office: Unit 2A Longrock Industrial Estate, Penzance, Cornwall. TR20 8HX Company Reg. No. 04124350 VAT Reg. No. 684598666 UTR No. 24386 09541

(iii) Entertainment or hospitality offered or provided to the Company or any employee or agent or contractor on behalf of the Company can be only be accepted on the basis that there is absolutely no expectation or implication by the Company or by any other party that anyone who is in receipt of such entertainment or hospitality will perform a function or activity other than in good faith, impartially, or in a position of trust and to the standard of what a reasonable person in the UK would expect in relation to the performance of the type of function or activity involved. e) Training. All employees and agents and contractors of the Company shall receive training in the Bribery Policy and the procedures adopted by the Company to prevent bribery. f) Due Diligence Enquiries. All employees, agents, contractors and those otherwise associated with the Company shall during the recruitment or contracting process be subject to enquiries to ensure that they have not participated in past acts of bribery. Monitoring and training. The Company shall monitor the Register of entertainment, hospitality, and gifts. The Company has appointed a Compliance Officer who is responsible for maintaining the Register and monitoring the activities of the Company to ensure that the Policy and Preventative measures contained in the policy are adhered to. All staff and agents and contractors shall undergo training. What to do if you suspect bribery or corruption. Any employee or anyone associated with the company who suspects that there is bribery or corruption must report it to the Compliance Officer. Our Whistleblowing Policy applies to all reports of suspected bribery or corruption. If you are offered a bribe or asked to make a bribe you must report this. We are committed to ensure that no one suffers any detriment as a result of refusing to accept or take part in bribery or corruption or reporting their concerns or suspicions of bribery or corruption in good faith. If you believe that you have suffered such a detriment you should raise it under the Grievance Procedure. Donations to charity, political donations and sponsorships. Payments made as donations to charity or political organisations or parties and sponsorships may be used as a subterfuge to hide bribery. We have written policies regulating all such activity in our business which must be adhered to. Summary and conclusions. The Company has a zero policy on bribery. It has assessed the risk of bribery in the conduct of its business and implemented preventative measures to prevent bribery. Signed

Mr C J Sedgeman, Managing Director Dated: 24-06-24

Anti Bribery and Corruption Policy 24-06-24 Registered Office: Unit 2A Longrock Industrial Estate, Penzance, Cornwall. TR20 8HX Company Reg. No. 04124350 VAT Reg. No. 684598666 UTR No. 24386 09541

Data Protection Policy 24-06-24 Registered Office: Unit 2A Longrock Industrial Estate, Penzance, Cornwall. TR20 8HX Company Reg. No. 04124350 VAT Reg. No. 684598666 UTR No. 24386 09541 5. that the processing is necessary for the purposes of our legitimate interests or those of a third party, except where those interests are overridden by the interests, rights and freedoms of the data subject. We will check that the processing is necessary for the purpose of the relevant lawful basis, except where the processing is based on consent. DATA PROTECTION POLICY (EMPLOYMENT) We obtain, keep and use personal information relating to our workforce for specific lawful purposes, and this policy sets out how we comply with our data protection obligations. We are committed to complying with our data protection obligations, and to being concise, clear and transparent about how we obtain and use personal information relating to our workforce, and how and when we delete that information once it is not required. The Data Protection Officer is responsible for data protection. The person with responsibility for data protection compliance is Lynn Way, Company Secretary & Financial Director. Data protection principles We will comply with the following data protection principles when processing personal information: 1. we will process personal information lawfully, fairly and in a transparent manner; 2. we will collect personal information for specified, explicit and legitimate purposes only, and will not process it in a way that is incompatible with those legitimate purposes; 3. we will only process the personal information that is adequate, relevant and necessary for the relevant purposes; 4. we will keep accurate and up to date personal information, and take reasonable steps to ensure that inaccurate personal information is deleted or corrected without delay; 5. we will keep personal information for no longer than is necessary for the purposes for which the information is processed; and 6. we will take appropriate measures to ensure that personal information is kept secure and protected against unauthorised or unlawful processing, and against accidental loss, destruction or damage. Basis for processing personal information Before processing of personal information starts and regularly while it continues, we will review the purposes of the processing activity, and select the most appropriate lawful basis for that processing: 1. that the data subject has consented to the processing; 2. that the processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract; 3. that the processing is necessary for compliance with a legal obligation; 4. that the processing is necessary for the protection of the vital interests of the data subject or another person;

Data Protection Policy 24-06-24 Registered Office: Unit 2A Longrock Industrial Estate, Penzance, Cornwall. TR20 8HX Company Reg. No. 04124350 VAT Reg. No. 684598666 UTR No. 24386 09541 Where data processing is likely to result in a high risk to an individual’s data protection rights we will carry out a data protection impact assessment (DPIA) to assess whether the processing is necessary and proportionate in relation to its purpose, the risks to individuals, and what measures can be put in place to address those risks and protect personal information. We will document our decision as to which lawful basis applies, to help demonstrate our compliance with the data protection principles. We will include information about the purposes of the processing and the lawful basis for it in our relevant privacy notices. Where sensitive personal information is processed, we will also identify and document a lawful special condition for processing that information. Where criminal offence information is processed, we will also identify and document a lawful condition for processing that information. When determining whether our legitimate interests are the most appropriate basis for lawful processing, we will conduct a legitimate interests assessment (LIA) and keep a record of it, and if the LIA identifies a significant privacy impact, we will consider whether we also need to conduct a data protection impact assessment (DPIA). We will include information about our legitimate We may from time to time need to process sensitive personal information. We will only process sensitive personal information if it is necessary for the performance of the employment contract, to comply with our legal obligations or for the purposes of our legitimate interests; and one of the special conditions for processing sensitive personal information applies: a) the data subject has given explicit consent; b) the processing is necessary for the purposes of exercising our employment law rights or obligations or those of the data subject; c) the processing is necessary to protect the data subject’s vital interests, and the data subject is physically incapable of giving consent; d) processing relates to personal data which are manifestly made public by the data subject; e) the processing is necessary for the establishment, exercise or defence of legal claims; or f) the processing is necessary for reasons of substantial public interest. Before processing any sensitive personal information, staff must notify us of the proposed processing, in order that we may assess whether the processing complies with the criteria noted above. Sensitive personal information will not be processed until the assessment has taken place; and the individual has been properly informed (by way of a privacy notice or otherwise) of the nature of the processing, the purposes for which it is being carried out and the legal basis for it. Our data protection privacy notice sets out the types of sensitive personal information that we process, what it is used for and the lawful basis for the processing. Data protection impact assessments interests in our privacy notices. Sensitive personal information

Data Protection Policy 24-06-24 Registered Office: Unit 2A Longrock Industrial Estate, Penzance, Cornwall. TR20 8HX Company Reg. No. 04124350 VAT Reg. No. 684598666 UTR No. 24386 09541 4. to have information erased if it is no longer necessary for the purpose for which it was originally collected or processed, or if there are no overriding legitimate grounds for the processing (“the right to be forgotten”); Documentation and records We will keep written records of data processing activities which are high risk, and which may result in a risk to individuals’ rights and freedoms or involve sensitive personal information or criminal records information, including: 1. our name and details and where applicable, those of other controllers, our representative and DPO; 2. the purposes of the processing; 3. a description of the categories of individuals and categories of personal data; 4. categories of recipients of personal data; 5. retention schedules; and 6. a description of technical and organisational security measures. As part of our record of processing activities we will document: 1. information required for privacy notices; 2. records of consent; 3. controller-processor contracts; 4. the location of personal information; 5. DPIAs; and 6. records of data breaches. If we process sensitive personal information or criminal records information, we will keep written records of the relevant purpose for which the processing takes place. We will conduct regular reviews of the personal information we process and update our documentation accordingly. Privacy notices We will issue privacy notices from time to time, informing you about the personal information that we collect and hold relating to you, how you can expect your personal information to be used and for what purposes. We will take appropriate measures to provide information in privacy notices in a concise, transparent, intelligible and easily accessible form. Individual rights You have the following rights in relation to your personal information: 1. to be informed about how, why and on what basis that information is processed – see our data protection privacy notice; 2. to obtain confirmation that your information is being processed and to obtain access to it and certain other information, by making a subject access request; 3. to have information corrected if it is inaccurate or incomplete;

5. to restrict the processing of personal information where the accuracy of the information is contested, or the processing is unlawful (but you do not want the information to be erased), or where we no longer need the personal information, but you require it to establish, exercise or defend a legal claim; and 6. to restrict the processing of personal information temporarily where you do not think it is accurate (and we are verifying whether it is accurate), or where you have objected to the processing (and we are considering whether our legitimate grounds override your interests). Individual obligations You are responsible for helping us keep your personal information up to date. You should let us know if the information you have provided changes. You may have access to the personal information of other members of staff, suppliers and customers or clients and we expect you to help meet our data protection obligations to those individuals. If you have access to personal information, you must: 1. only access the personal information that you have authority to access, and only for authorised purposes; 2. only allow other staff to access personal information if they have appropriate authorisation; 3. only allow individuals who are not our staff to access personal information if you have specific authority to do so; 4. keep personal information secure; 5. not remove personal information, or devices containing personal information, from our premises unless appropriate security measures are in place to secure the information and the device; and 6. not store personal information on personal devices. You should contact us if you are concerned or suspect that one of the following has taken place: 1. processing of personal data without a lawful basis for its processing; 2. any data breach; 3. access to personal information without the proper authorisation; 4. personal information not kept or deleted securely; 5. removal of personal information, or devices containing personal information, from our premises without appropriate security measures being in place; 6. any other breach of this policy or of any of the data protection principles. Information security We will use appropriate technical and organisational measures to keep personal information secure, and to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage. These may include: 1. making sure that, where possible, personal information is processed in such a way that it cannot be used to identify an individual, or encrypted;

Data Protection Policy 24-06-24 Registered Office: Unit 2A Longrock Industrial Estate, Penzance, Cornwall. TR20 8HX Company Reg. No. 04124350 VAT Reg. No. 684598666 UTR No. 24386 09541

2. ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services; 3. ensuring that, in the event of a physical or technical incident, availability and access to personal information can be restored in a timely manner; and 4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. Storage and retention of personal information Personal information and sensitive personal information will be kept securely. Personal information and sensitive personal information should not be retained for any longer than necessary. The length of time over which data should be retained will depend upon the circumstances, including the reasons why the personal information was obtained. Personal information and sensitive personal information that is no longer required will be deleted permanently from our information systems and any hard copies will be destroyed securely. Data breaches A data breach may occur due to loss or theft of data or equipment on which personal information is stored, unauthorised access to or use of personal information by staff or a third party, loss of data resulting from an equipment or systems failure, human error, unforeseen circumstances, deliberate attacks on IT systems, such as hacking, viruses or phishing scams, and fraud where information is obtained by deception. In the event of a data breach we will make the required report to the Information Commissioner’s Office without undue delay and, where possible within 72 hours of becoming aware of it, if it is likely to result in a risk to the rights and freedoms of individuals. We will notify the affected individuals if a data breach is likely to result in a high risk to their rights and freedoms and notification is required by law. International transfers We will not transfer personal information outside the European Economic Area (EEA), which comprises the countries in the European Union and Iceland, Liechtenstein and Norway. Training We will ensure that staff are adequately trained regarding their data protection responsibilities. Consequences of failing to comply We take compliance with this policy very seriously. An employee’s failure to comply with any requirement of this policy may lead to disciplinary action under our procedures, and this action may result in dismissal for gross misconduct.

Signed

Mr C J Sedgeman, Managing Director.

Data Protection Policy 24-06-24 Registered Office: Unit 2A Longrock Industrial Estate, Penzance, Cornwall. TR20 8HX Company Reg. No. 04124350 VAT Reg. No. 684598666 UTR No. 24386 09541

Data Protection Policy 24-06-24 Registered Office: Unit 2A Longrock Industrial Estate, Penzance, Cornwall. TR20 8HX Company Reg. No. 04124350 VAT Reg. No. 684598666 UTR No. 24386 09541 • provide the individual concerned with a copy of our data handling policy before asking them to complete a DBS application form or asking for their consent to use their information to access the DBS update service; DATA PROTECTION POLICY (CRIMINAL RECORDS) This policy supplements our data protection policy (employment). It sets out our policy on asking questions about a prospective or existing employee’s criminal record and carrying out Disclosure and Barring Service (DBS) checks. It shows our commitment to comply with the DBS Code of Practice and our data protection obligations, to treat prospective employees fairly and not to discriminate unfairly against any subject of a criminal record check on the basis of a conviction or other information revealed. It sets out how we comply with our data protection obligations in respect of criminal records information and seek to protect such information, and to ensure that staff understand and comply with the rules governing the collection, use and deletion of criminal records information to which they may have access in the course of their work. The person who is responsible for informing and advising us and our staff on our data protection obligations, including in relation to criminal records information, and for monitoring compliance with those obligations is Lynn Way, Company Secretary and Financial Director. We will ensure that all those who are involved in the recruitment process have been suitably trained to identify and assess the relevance and circumstances of offences; and have received appropriate guidance and training in the relevant legislation relating to the employment of ex- offenders and the Rehabilitation of Offenders Act 1974. Our policy statement Having a criminal record will not necessarily bar you from working with us. We will take into account the circumstances and background of any offences and whether they are relevant to the position in question, balancing the rights and interests of the individual, our employees, customers/clients, suppliers and the public. We will treat all applicants, employees and volunteers fairly but reserve the right to withdraw an offer of employment if you do not disclose relevant information, or if a DBS check reveals information which we reasonably believe would make you unsuitable for the role. Asking for criminal records information Before recruiting we will assess whether we are justified in seeking criminal records information for that job role and whether it is appropriate to limit the information sought to offences that have a direct bearing on suitability for the specific job, and whether the information should be verified with the DBS. The level of criminal records information and DBS check that we are entitled to request will depend on the post for which the prospective employee’s suitability is being assessed. We will only ask an individual to provide criminal records information in relation to convictions and cautions that we would be legally entitled to see in a DBS check for the relevant post. If we assess that we should use the DBS to verify criminal records information, we will:

• make every subject of a DBS check aware of the existence of the DBS Code of Practice and makes a copy available on request; • we will comply with the DBS Code of Practice.

Once criminal records information has been verified through a DBS check, we will:

Data Protection Policy 24-06-24 Registered Office: Unit 2A Longrock Industrial Estate, Penzance, Cornwall. TR20 8HX Company Reg. No. 04124350 VAT Reg. No. 684598666 UTR No. 24386 09541 • give the applicant the opportunity to provide an explanation if there are inconsistencies between the information supplied by the applicant and the information in the DBS certificate; • make a record that a DBS check was completed and whether it had a satisfactory or unsatisfactory result; and • delete the DBS certificate and any record of the information contained in it unless, in exceptional circumstances, we assess that it is clearly relevant to the on-going employment relationship. If it is not deleted it will be kept securely for no longer than is necessary, and no more than six months. We will not seek criminal records information from any source other than the individual concerned or the DBS. DBS certificate information will be handled and kept in accordance with our policy on handling DBS certificate information. Where information is disclosed We have a legal duty, when recruiting staff to work in regulated activity with children or vulnerable adults, to check whether they are on the relevant children’s or adults’ barred list. If a prospective employee’s name does appear on the relevant barred list, it would be against the law for us to employ them to work or volunteer with the relevant group. Where we have concerns about the information that has been disclosed by the DBS, we will discuss them with the prospective employee and carry out a risk assessment. In carrying out a risk assessment, we will take account of: • the relevance of the conviction or other matter revealed to the position in question; • the seriousness of the offence or other matter revealed; • the circumstances of the offence; • the age of the offence; • whether there is a pattern of offending; and • whether circumstances have changed since the offending took place. Data handling policy We will ensure that DBS certificate information is kept securely, in lockable, non-portable, storage containers with access strictly controlled and limited to those who are entitled to see it as part of their duties. In accordance with section 124 of the Police Act 1997, we will ensure that certificate information is only passed to those who are authorised to receive it in the course of their duties. We keep a

Data Protection Policy 24-06-24 Registered Office: Unit 2A Longrock Industrial Estate, Penzance, Cornwall. TR20 8HX Company Reg. No. 04124350 VAT Reg. No. 684598666 UTR No. 24386 09541 1. Rejected job applicant records, including: contact details, application letters or forms, CVs, references, certificates of good conduct, interview notes, assessment and psychological test results. Retention period: Six months after applicant is notified of rejection. Application forms should give applicants the opportunity to object to their details being retained. record of all those to whom certificates or certificate information has been revealed. It is a criminal offence to pass this information to anyone who is not entitled to receive it. Once the DBS certificate has been inspected, it will be destroyed in accordance with the code of practice. Certificate information must only be used for the specific purpose for which it was requested and for which the applicant’s full consent has been given. Once a recruitment (or other relevant) decision has been made, we will not keep certificate information for any longer than is necessary. This is generally for a period of up to six months, to allow for the consideration and resolution of any disputes or complaints. If, in very exceptional circumstances, it is considered necessary to keep certificate information for longer than six months, we will consult the DBS about this and will give full consideration to the data protection and human rights of the individual before doing so. Once the retention period has elapsed, we will ensure that any DBS certificate information is immediately destroyed by secure means. DATA PROTECTION POLICY (DATA RETENTION - EMPLOYMENT) This policy supplements our data protection policy (employment). It sets out how long employment-related information will normally be held by us and when that information will be confidentially destroyed. The person responsible for implementing and monitoring compliance with this policy Lynn Way Company Secretary. We will review this policy annually to check that it is effective. Processes Hard copy and electronically-held documents and information will be retained for at least the period specified in our records retention schedule. All information must be reviewed before destruction to determine whether there are special factors that mean destruction should be delayed, such as potential litigation, complaints or grievances. Hard copy and electronically-held documents and information must be deleted at the end of the retention period. Hard copy and electronically-held documents and information will be disposed of securely. Schedule Employment records and information:

2. Application records of successful candidates, including: application letters or forms, copies of academic and other training received, references correspondence concerning employment, CVs, interview notes and evaluation forms, assessment and psychological test papers and results. Retention period: Six years after employment ceases. 3. Criminal records information: criminal records requirement assessments for a particular post, criminal records information forms, the Disclosure and Barring Service (DBS) check forms, DBS certificates. Retention period: Criminal records requirement assessments for a particular post - 12 months after the assessment was last used. All other information in this category - as soon as practicable after the check has been completed and the outcome recorded unless, in exceptional circumstances, we assess that it is clearly relevant to the ongoing employment relationship in which case, six months. If we consider it necessary to keep the information for longer than six months, the DBS should be consulted. 4. Employment contracts, including: personnel and training records, written particulars of employment, changes to terms and conditions. Retention period: Six years after employment ceases, unless document executed as a deed, in which case 12 years after employment ceases. 5. Directors' service contracts and any variations. Retention period: Six years from termination or expiry of the contract, unless executed as a deed, in which case 12 years from termination or expiry. 6. Copies of identification documents (e.g. passports). Retention period: Not less than two years from date of termination of employment. 7. Identification documents of foreign nationals (including right to work). Retention period: Not less than two years from date of termination of employment. 8. Records concerning a temporary worker. Retention period: Six years after employment ceases. 9. Employee performance and conduct records, including: probationary period reviews, review meeting and assessment interviews, appraisals and evaluations, promotions and demotions. Retention period: Six years after employment ceases. 10. Records relating to and/or showing compliance with Working Time Regulations 1998 including: registration of work and rest periods, working time opt-out forms. Retention period: Two years from the date on which the record was made. 11. Redundancy records. Retention period: Six years from date of redundancy. 12. Annual leave records; Parental leave records; Sickness records; Records of return to work meetings following sickness, maternity etc. Retention period: Six years after the end of each tax year.

Data Protection Policy 24-06-24 Registered Office: Unit 2A Longrock Industrial Estate, Penzance, Cornwall. TR20 8HX Company Reg. No. 04124350 VAT Reg. No. 684598666 UTR No. 24386 09541

13. Records for the purposes of tax returns including wage or salary records, records of overtime, bonuses and expenses, Pay As You Earn (PAYE) records, including: wage sheets, deductions working sheets, calculations of the PAYE income of employees and relevant payments. Retention period: Six years plus current year. 14. Income tax and NI returns, income tax records and correspondence with HMRC. Retention period: Six years after the end of the financial year to which they relate. 15. Records demonstrating compliance with national minimum wage requirements. Retention period: Six years beginning with the day upon which the pay reference period immediately following that to which they relate ends. 16. Statutory sick pay (SSP) records. Retention period: Six years after the end of the tax year to which they relate. 17. Statutory maternity, paternity and shared parental pay records, calculations, certificates or other evidence. Retention period: Six years after the end of the tax year in which the period of statutory pay ends.

Data Protection Policy 24-06-24 Registered Office: Unit 2A Longrock Industrial Estate, Penzance, Cornwall. TR20 8HX Company Reg. No. 04124350 VAT Reg. No. 684598666 UTR No. 24386 09541