CONFIDENTIAL
Version History
SCHEDULE A4
LEGISLATION, POLICIES AND STANDARDS
Version No  Date      Comments
1.0   31/08/06  Agreed version as at date of signature of CCN 1200
2.0   24/01/07  Baseline copy of 1.3
3.0   16/10/07  Baseline copy of 2.1
4.0   23/02/09  Baseline copy of 3.3
6.0   15/06/09  Moving all schedules to V6.0 as agreed with Fujitsu
6.1   31/03/10  Applying changes as per CCN1276a
7.0   10/05/10  Moving all schedules to V7.0 as agreed with Fujitsu.
8.0   21/02/12  Applying changes in CCN 1305a, CCN1285, CCN1309a and CCN1294d
9.0   13/01/14  Applying changes as per CCN1349, CCN1322b and CCN1345
10.0  10/09/15  CCD Reference update, applying changes as per CCN1417 and as subsequently amended in this CCN1506 and moving all Schedules to v10.0 in accordance with CCN1506
11.0  31/03/16  Applying changes as per CCN 1423c and updating all Schedules to Version 11 as per CCN1604
12.0  03/07/17  Updating all Schedules to V12.0
13.0            Updating as per CCN1617a and moving all Schedules to v13.0
Schedule A4 Version 13.0
Page 1 of 19
POL00027927
SCHEDULE A4
LEGISLATION, POLICIES AND STANDARDS
1. INTRODUCTION
1.1 The policies and standards defined in this Schedule shall apply to all relevant aspects of the Services,
HNG-X Development and Associated Change Development unless amended in accordance with
Schedule A3.
1.2 Fujitsu Services shall not knowingly undertake any activity which would prevent Post Office from, or
hinder it in, complying with these policies and standards, without the prior written consent of Post
Office.
In this Schedule A4, unless the context otherwise requires, any reference to a paragraph is to the
relevant paragraph of this Schedule.
2. LEGISLATION
2.1 General
2.1.1 Without limitation to the specific areas identified below, which shall not limit the generality of
this paragraph 2.1.1, all Services, HNG-X Development and Associated Change Development
and all Equipment shall comply to the extent required by law with all relevant legislation,
including all relevant Governmental Regulations and, from the due date of UK implementation,
EU Directives and EU Regulations. Fujitsu Services shall ensure that Services, HNG-X
Development, Associated Change Development and Equipment are maintained in compliance
with any subsequent legislation throughout the term of this Agreement and shall perform any
modifications necessary to ensure such continued compliance subject to Clause 12.1 of this
Agreement. Fujitsu Services shall give advance written notice to Post Office of any such
maintenance and/or modification work required under this paragraph. Post Office shall not
withhold its consent under Clause 12.1 if to do so would cause Fujitsu Services to fail to comply
with any such subsequent legislation. Fujitsu Services shall be entitled to recover from Post
Office the Fujitsu Service Cost (charged on an Open Book basis) of maintenance and/or
modifications required to ensure such continued compliance under this paragraph (which
includes, without limitation, continued compliance with relevant or subsequent legislation or
mandatory standards referred to in paragraphs 3.2 and 3.3).
2.1.2 Fujitsu Services shall, on request by Post Office, establish to Post Office's satisfaction the
compliance of Services, HNG-X Development, Associated Change Development or
Equipment with legislation or specified policies and standards. In the event that Fujitsu
Services and Post Office fail to agree that compliance has been demonstrated satisfactorily,
the matter shall be treated in accordance with Clause 70.
2.1.3 Fujitsu Services shall ensure that, where the installation of Equipment or the provision of
Services, HNG-X Development or Associated Change Development involves the alteration or
extension of existing building services, such work complies with the standards set out in British
Standards and Approved Codes of Practice which are deemed therein to satisfy the relevant
regulations, including without limitation the Electricity at Work Regulations 1989 and Electricity
at Work Regulations (NI) 1991 (S.R. 1991 No. 13) and BS 7671:1992, Requirements for
Electrical Installation.
2.1.4 Until 31st March 2015, Fujitsu Services shall give due attention to the effects on the
environment of the Equipment installed in Branches during manufacture, installation and use.
This includes:
(a) use of CFCs;
(b) energy consumption;
(c) recyclability of components;
(d) recyclability of Consumables;
(e) waste minimisation;
(f) use of sustainable resources;
(g) disposal of displaced equipment and waste; and
(h) making appropriate use of recycled materials.
2.1.5 Fujitsu Services shall, and shall procure that its Sub-contractors, when engaged in connection
with this Agreement, shall, adhere to environmental legislation applicable to its and their
respective activities, such as the Environmental Protection Act 1990 and insofar as it relates
to Northern Ireland any corresponding Northern Ireland legislation, and to the publication
“Waste Management: The Duty of Care - A Code of Practice”.
2.1.6 Notwithstanding anything to the contrary in paragraph 2.1.1, if Post Office requires that PIN
Pads comply with any new requirements with which they were not already required to comply
under this Agreement as at the date of signature of CCN 1200 in order to comply with the
provisions of “The Payment Card Industry PIN Entry Device Security Requirement (PCI PED)”
(or any similar, amended or replacement requirements from time to time issued by the payment
card industry), then the modifications to the PIN Pads and the work required by Fujitsu
Services to introduce and install them in Branches shall be agreed under the Work Ordering
Procedure and/or the Change Control Procedure, as appropriate.
2.2 Health and Safety
2.2.1 Fujitsu Services shall ensure until the expiry of the Engineering Service on 31st March 2015
that any Equipment installed at the Post Office Premises does not prevent Post Office and its
Agents from meeting their legal health and safety responsibilities as employers, including
without limitation those defined in:
(a) the Provision and Use of Work Equipment Regulations 1998 and the Provision
and Use of Work Equipment Regulations (NI) 1999; and
(b) the Workplace (Health, Safety and Welfare) Regulations 1992 and Workplace
(Health, Safety, and Welfare) Regulations (NI) 1993 (S.R. 1993 No. 37).
For the avoidance of doubt, responsibility in relation to any scheduled one-off PAT visits
resides with Post Office from 15th September 2014.
2.2.2 The Equipment shall not interfere with the health or safety at work of Users, office staff or
others in the vicinity, including but without limitation interference as a result of emission of
acoustic noise, vibrations, heat, fumes or other radiation, or as a result of its construction.
2.2.3 Any new Branch Hardware supplied by Fujitsu Services will be provided with the appropriate
CE Mark documentation where applicable. Such documentation shall be provided prior to
purchase for standard off-the-shelf Branch Hardware otherwise it shall be provided after
purchase of the Branch Hardware.
2.3 Data Protection Act
2.3.1 Paragraphs 2.4, 2.5, 2.6 and 2.7 set out the Parties’ rights and obligations in relation to
Personal Data for which Fujitsu Services is the Data Processor and Post Office or a third party
is the Data Controller. Paragraph 2.8 sets out the Parties’ rights and obligations if and to the
extent that Fujitsu Services is the Data Controller of any Personal Data.
2.3.2 The Data Controller for particular Personal Data may be either Post Office or a third party.
Except where the context otherwise requires, if the Data Controller is Post Office, all references
to the Data Controller in paragraphs 2.4 to 2.8 inclusive are to be interpreted as references to
Post Office.
2.3.3 If Fujitsu Services:
(a) receives notice pursuant to paragraph 2.4.1(d); or
(b) otherwise becomes aware of any new categories of Personal Data that Post
Office intends will be processed by Fujitsu Services in connection with new types of
Transaction developed by Post Office using the AP-ADC Facility or the APOP Facility
or the APOP Business Capability (“New Personal Data”),
and Fujitsu Services reasonably believes that, in order to comply with its obligations set out in
paragraphs 2.3 to 2.6 (inclusive) regarding the processing of such data, it will incur additional
costs or expenses that it would not incur if that data was not Personal Data, then:
(c) Fujitsu Services shall notify Post Office of the reasons for such additional costs
and expenses; and
(d) the Parties shall agree any consequential changes to the provisions of
paragraphs 2.3 to 2.6 (inclusive) and/or reasonable additional Charges (as the case
may be) under the Change Control Procedure (in the case of changes to those
provisions or to Charges for recurring services) or by approval of a Work Order (in
the case of Charges for work defined in a Work Package description), before the
processing of any such New Personal Data can commence.
2.3.4 Fujitsu Services shall not, unless the Parties agree otherwise, be required to process Sensitive
Personal Data, as that term is defined in the Data Protection Act 1998 and Post Office shall
ensure, to the extent that Post Office, its employees, contractors or agents, determine or
control the data that is collected for processing, that such data does not include any Sensitive
Personal Data.
2.4 Post Office's authority and obligations
2.4.1 For the purposes of processing the Personal Data of each Data Controller which appoints Post
Office as a processor of that data, and prior to commencement of such processing, Post Office
shall:
(a) obtain delegated authority from each Data Controller to appoint Fujitsu Services
to process Personal Data of that Data Controller on the terms dealing with such
processing set out in this Agreement;
(b) obtain delegated authority from each Data Controller so that Fujitsu Services is
entitled to appoint any of Fujitsu Services’ sub-contractors listed in Schedule C2 to
process Personal Data of that Data Controller provided that, to the extent such
processing is undertaken by a sub-contractor, the subcontract incorporates terms
which are equivalent in nature and extent to those dealing with such processing set
out in this Agreement and which impose obligations upon that sub-contractor at least
as onerous as those imposed upon Fujitsu Services under this Agreement;
(c) ensure that the obligations, responsibilities and duties of Fujitsu Services in this
Agreement in respect of Personal Data are not wider or more onerous in nature or
extent than those which Post Office accepts under its own contract with each Data
Controller; and
(d) give at least 42 days prior notice to Fujitsu Services of any New Personal Data.
The terms referred to in paragraph 2.4.1(b) do not include terms related to payment.
2.4.2 Where Post Office fails to obtain delegated authority to the full extent referred to in paragraph
2.4.1, subject to paragraph 2.4.4, the Parties agree to co-operate with each other and to
execute such other additional agreements between them and/or each Data Controller as may
reasonably be required to give effect to the appointment of Fujitsu Services as a processor (in
accordance with the applicable provisions of this Agreement) of Personal Data on behalf of
that Data Controller.
2.4.3 In respect of any Personal Data of which Post Office is the Data Controller, Fujitsu Services
shall be entitled to appoint any of Fujitsu Services’ sub-contractors listed in Schedule C2 to
process that Personal Data provided that, to the extent such processing is undertaken by a
sub-contractor, the subcontract incorporates terms which are equivalent in nature and extent
to those dealing with such processing set out in this Agreement and which impose obligations
upon that sub-contractor at least as onerous as those imposed upon Fujitsu Services under
this Agreement.
2.4.4 Where Post Office fails to ensure that Post Office and Fujitsu Services have delegated
authority from each Data Controller to the full extent referred to in paragraph 2.4.1, or where
the terms of Post Office's contract with a Data Controller do not permit the Personal Data of
that Data Controller to be processed on the terms of this Agreement:
(a) Post Office shall indemnify Fujitsu Services in respect of all claims, demands,
actions, costs (including legal costs), expenses, losses and damages arising from or
incurred by reason of any processing of Personal Data by Fujitsu Services in the
absence of such delegated authority or permission, unless such processing by Fujitsu
Services is outside Post Office's or the Data Controller's instructions or otherwise in
breach of this Agreement; and
(b) Fujitsu Services shall not be required to perform any additional obligations or any
reduced or modified obligations as a result of such failure or lack of permission without
its agreement in accordance with the Change Control Procedure.
2.4.5 All instructions given by Post Office to Fujitsu Services (on its own behalf as Data Controller,
or on behalf of any other Data Controller) in respect of Personal Data shall at all times be in
accordance with the laws of the United Kingdom.
2.4.6 Fujitsu Services’ rights and obligations
(a) Fujitsu Services shall process Personal Data in accordance with the instructions
of each Data Controller which are as set out in the applicable provisions of the CCDs
listed:
(i) in the case of the Horizon Applications, in Schedule B4.2 and the CCDs
referred to in Schedule B4.2; and
(ii) in the case of Business Capabilities and Support Facilities, in Schedule
B3.2 and the CCDs referred to in Schedule B3.2,
that deal with such processing (or as may be agreed under the Change Control
Procedure).
(b) Fujitsu Services shall obtain no rights of any nature in Personal Data.
(c) Personal Data shall not be mechanically copied or otherwise reproduced by
Fujitsu Services and shall not be altered or supplemented with other data except to
the extent necessary to comply with the provisions of this Agreement.
(d) So far as this Agreement requires or as may be agreed under the Change Control
Procedure, Fujitsu Services shall arrange for the prompt and safe return of all Personal
Data together with all copies thereof which are under Fujitsu Services’ control to Post
Office or the relevant Data Controller.
(e) Fujitsu Services shall destroy or dispose of Personal Data in accordance with the
applicable provisions of this Agreement.
2.4.7 Subject Information Requests
(a) Fujitsu Services shall record and then refer all written Subject Information
Requests it receives to Post Office or (if Post Office shall have previously notified
Fujitsu Services of the appropriate Data Controller contact name and address) to the
appropriate Data Controller within five days of receipt of the request, whether or not
the request was received in error.
(b) Post Office shall notify Fujitsu Services of each Subject Information Request it
requires Fujitsu Services to deal with, providing the statutory time limit applicable in
respect of each such request and sufficient information in each case to enable Fujitsu
Services to locate and retrieve the information requested or to confirm that the
information is not held by Fujitsu Services, as the case may be.
(c) Fujitsu Services shall respond to each Subject Information Request as soon as
reasonably practicable taking into account the statutory time limit notified to Fujitsu
Services for that request and whether that time limit is reasonably achievable given
the amount of time between notification of that request and expiry of the statutory time
limit and the technical limitations of any systems used to source the information
requested.
(d) If and to the extent that the number, type and frequency of Subject Information
Requests is such that Fujitsu Services, having discharged its obligation under
paragraph 2.4.7(c), is not able to respond to Post Office's requests within the time
limits specified by Post Office, the Parties shall assess the need for changes to the
relevant system architecture and/or investment in hardware, software or other
equipment to enable such requests to be responded to within applicable time limits.
Any such changes and/or investment shall be agreed by the Parties under the Change
Control Procedure and/or Work Ordering Procedure, as applicable.
(e) Post Office shall pay Fujitsu Services’ Charges for assisting with Subject
Information Requests (but not for referring Subject Information Requests to Post Office
or to third party Data Controllers, for which Post Office shall not be charged), such
Charges to be calculated on a time and materials basis using Fujitsu Services rates
set out in paragraph 10.4 (but subject to paragraph 10.6) of Schedule D1.
2.5 Audit
If requested by Post Office, Fujitsu Services will allow reasonable access to its data processing
facilities and allow its procedures and documentation to be submitted for inspection (on Fujitsu
Services’ premises) by the auditors of each Data Controller in order to ascertain compliance with the
obligations of Fujitsu Services under this Agreement relating to data processing. Post Office shall give
Fujitsu Services reasonable notice of such access and/or inspection being required by a Data
Controller. Fujitsu Services’ charges for assistance provided to Post Office or a Data Controller for the
purposes of such access or inspection (which shall be paid by Post Office) shall be calculated on the
basis of Fujitsu Services’ rates set out in paragraph 10.4 (but subject to paragraph 10.6) of Schedule
D1.
2.6 Security and disclosure of Personal Data
2.6.1 Fujitsu Services shall at all times:
(a) preserve the integrity of Personal Data; and
(b) maintain security over Personal Data,
in accordance with the provisions of this Agreement, including (but not limited to) paragraph
4.1.
2.6.2 The operational and technological processes and procedures in place to safeguard against
any unauthorised access, loss, destruction, theft, use or disclosure of Personal Data shall be
those which relate to Post Office Data set out in this Agreement.
2.6.3 Fujitsu Services shall not disclose any Personal Data to any person except to such of its
employees, agents, sub-contractors, third parties performing software maintenance or support
and consultants in each case who require that information in order for Fujitsu Services to
perform its obligations under this Agreement. Prior to disclosing Personal Data or any portion
thereof to such employees, agents, sub-contractors, third parties or consultants, Fujitsu
Services shall ensure the relevant employee, agent, sub-contractor, third party or consultant
is subject to a written contract with Fujitsu Services requiring them to comply with Fujitsu
Services’ obligations herein regarding the security and confidentiality of the Personal Data and
to comply with Fujitsu Services’ instructions in processing it. Fujitsu Services shall not
knowingly cause or allow an employee, agent, sub-contractor, third party performing software
maintenance or support or consultant to process Personal Data in a way that Fujitsu Services
would not itself be entitled to process it under this Agreement.
2.6.4 Fujitsu Services may disclose or transfer outside the European Economic Area Personal Data
which are an integral part of diagnostic data or data generated for diagnostic purposes subject
to and in accordance with the provisions of paragraph 2.6.3 and subject to the proviso that
either:
(a) the written contract referred to in paragraph 2.6.3 contains such other provisions
(in addition to those relating to security and confidentiality of the Personal Data) as are
necessary to satisfy the requirements of the eighth data protection principle of the Data
Protection Act 1998; or
(b) those requirements are otherwise satisfied or do not apply.
Fujitsu Services shall notify Post Office in writing whenever Personal Data are disclosed or
transferred outside the European Economic Area in accordance with this paragraph 2.6.4,
such notice to state who such Personal Data have been disclosed or transferred to and the
purpose of such disclosure or transfer and to contain, in general terms, a description of such
Personal Data.
2.6.5 Except as permitted by paragraph 2.6.4, Fujitsu Services shall not transfer Personal Data
outside the European Economic Area.
2.7 Indemnity
Fujitsu Services shall indemnify Post Office in respect of all claims, demands, actions, costs (including
legal costs), expenses, losses and damages arising from or incurred by reason of any breach by Fujitsu
Services of any of paragraphs 2.4.6(a), 2.4.6(c), 2.4.6(d), 2.4.6(e), 2.4.7, 2.5 and 2.6 provided that
such breach caused a Data Controller to fail to comply with the Data Protection Act 1998 and to the
extent such claims, demands, actions, costs (including legal costs), expenses, losses or damages
arise in connection with that failure.
2.8 Fujitsu Services as Data Controller
2.8.1 Without limiting the generality of Clause 33.2 to this Agreement, Fujitsu Services shall if and
when it is acting as a Data Controller rather than a Data Processor of Personal Data:
(a) ensure that having regard to the purpose or purposes for which Personal Data
were obtained and further processed, it has taken reasonable steps to ensure the
accuracy of the Personal Data;
(b) ensure that its notifications to the Information Commissioner are correct and up to
date;
(c) respond in a timely fashion to all Subject Information Requests in relation to
Personal Data; and
(d) respond in a timely fashion to all requests for information or assistance from the
Information Commissioner.
2.9 Freedom of Information Act
2.9.1 Fujitsu Services acknowledges that Post Office is subject to legal duties which may require the
release of information under FOIA and/or EIR and that Post Office may be under an obligation
to provide information on request. Such information may include Confidential Information.
2.9.2 In the event that Post Office receives a valid request for information under FOIA and/or EIR to
disclose Confidential Information (in whatever form), Post Office shall as soon as reasonably
practicable after receiving that request notify Fujitsu Services and the Parties shall consider
whether (i) the FOIA exemption in relation to confidentiality under section 41 FOIA or any other
exemption under FOIA or EIR applies in relation to that request and (ii) there is a duty to
confirm or deny that the Confidential Information in question is held by Post Office.
2.9.3 Post Office shall not, subject to paragraph 2.9.7:
2.9.3.1 if and to the extent the Parties agree that paragraph 2.9.2 (i) applies in respect of any
request, disclose the Confidential Information requested; and
2.9.3.2 if and to the extent the Parties agree that paragraph 2.9.2 (ii) does not apply in respect
of any request, confirm or deny that the Confidential Information in question is held by
Post Office.
2.9.4 In the event the Parties do not agree whether (i) to confirm or deny that the Confidential
Information in question is held by Post Office and/or (ii) the FOIA exemption in relation to
confidentiality under section 41 FOIA or any other exemption under FOIA or EIR applies in
relation to the valid request as soon as reasonably practicable within the time limit applying,
Post Office, in its reasonable opinion and notwithstanding anything in this Agreement to the
contrary, will determine whether (and to what extent) it (i) confirms or denies that the
Confidential Information in question is held by Post Office and/or (ii) discloses the Confidential
Information in relation to the valid request received.
2.9.5 Post Office shall notify Fujitsu Services of any order, decision, enforcement or practice
recommendation notice issued to it by the Information Commissioner or by any court or tribunal
in relation to the disclosure or non-disclosure of any Confidential Information (“FOIA Order”).
2.9.6 On request from Fujitsu Services, Post Office shall bring to the Information Tribunal or to such
other courts and tribunals (having jurisdiction) as Fujitsu Services may reasonably require,
such actions and appeals against the disclosure of Confidential Information under FOIA as
Fujitsu Services may reasonably require, except where:
2.9.6.1 Post Office reasonably considers that to bring or continue such an action or appeal
would be materially detrimental to its public reputation and this materially outweighs
any damage to Fujitsu Services’ commercial interests which would arise as a result of
such disclosure; or
2.9.6.2 Post Office has received a written opinion from legal counsel experienced in FOIA
related matters (a copy of such opinion to be provided, for information only without
reliance, to Fujitsu Services upon request) that such an action or appeal has no
reasonable prospect of success.
2.9.7 Nothing in this Agreement (including in this paragraph 2.9) shall prevent Post Office from
complying with any valid FOIA Order when required to do so by law provided that:
2.9.7.1 if Post Office is legally permitted to take any action or appeal (as contemplated by
paragraph 2.9.6) in respect of that FOIA Order; and
2.9.7.2 Fujitsu Services reasonably requires Post Office to do so in accordance with paragraph
2.9.6 (and neither paragraph 2.9.6.1 nor 2.9.6.2 applies),
Post Office has taken such action or brought such appeal.
2.9.8 Fujitsu Services shall fully indemnify Post Office against all direct and indirect costs (including,
but not limited to, legal costs) and expenses reasonably incurred by Post Office in complying
with paragraph 2.9.6. Post Office shall use its reasonable endeavours to consult with Fujitsu
Services before incurring any such costs that are in excess of £10,000.
3. EQUIPMENT STANDARDS AND LEGISLATION
3.1 Fujitsu Services shall ensure that all Equipment is rated for continuous operation, and is capable of
functioning safely and reliably for an unlimited period, attended or unattended, in the installed
environment.
3.2 Each installation of such Equipment shall be physically and electrically safe and in compliance with
relevant legislation and recognised best practice. Such installation shall not cause interference with
other devices. Such Equipment may be required to be installed in residential premises.
3.3 In paragraph 3.2, “relevant legislation and recognised best practice” includes mandatory standards,
including all relevant Governmental Regulations and, from the due date of UK implementation, EU
Directives and EU Regulations. Such Equipment shall be maintained so as to be compliant with any
subsequent legislation or mandatory standards.
3.4 Fujitsu Services shall prove compliance with legislation or mandatory standards as and when
necessary.
3.5 Fujitsu Services shall ensure that all information technology, telecommunications or electrical business
Equipment (including but not limited to PIN Pads but not the power supply thereto) complies with BS
EN 60950, and that Equipment comprising AC power adapters (which for the avoidance of doubt
excludes PIN Pads) complies with BS EN 60065.
3.6 Fujitsu Services shall ensure that workstation aspects of the Equipment, excluding, for the avoidance
of doubt, PIN Pads and any other equipment which is used predominantly by Customers rather than
by Users, shall comply with The Health and Safety (Display Screen Equipment) Regulations 1992,
which implement Council Directive 90/270/EEC on working with display screen Equipment.
3.7 Fujitsu Services shall ensure that any Equipment containing laser emitters (including without limitation
laser printers and laser bar-code scanners) complies with BS EN 60825.
3.8 Fujitsu Services shall ensure that all electrical Equipment complies with:
3.8.1 the Radio Equipment and Telecommunications Terminal Equipment Regulations 2000 and
regulations 5 and 7 of the Electrical Equipment (Safety) Regulations 1994; and
3.8.2 the requirements of BS 7671 in relation to the method of connection to the main supply and
associated equipment earth leakage currents, insofar as it applies to the equipment supplied
by Fujitsu Services at the point of connection.
3.9 Fujitsu Services shall ensure that any Equipment connected, or intended for connection, to weighing
devices meets the requirements of Schedule 3 (Applications referred to in Article 1(2)(a) of the NAWI
Directive) of the Non-automatic Weighing Instruments Regulations 2000.
3.10 Fujitsu Services shall ensure that all visual display terminal Equipment (including without limitation
keyboards but excluding PIN Pads) complies with the relevant requirements of ISO 9241.
3.11 Fujitsu Services shall ensure that all Equipment that falls within the scope of either:
3.11.1 the Electromagnetic Compatibility (“EMC”) Regulations 1992, which implement Council
Directive 89/336/EEC (as amended by Directive 91/26/EEC, Directive 92/31/EEC and
Directive 93/86/EEC); or
3.11.2 the Radio Equipment and Telecommunications Terminal Equipment Regulations 2000, which
implement Council Directive 1999/5/EC and which replaced the provisions in the regulations
referred to in paragraph 3.11.1 relating to radio and/or telecommunications terminal
equipment,
complies with those Regulations.
3.12 Fujitsu Services shall ensure that Equipment covered by EN45501 complies with clause A4.5 (voltage
variations) and annex B of that standard.
3.13 Fujitsu Services shall ensure that the acoustic noise emission of any item of Equipment does not
materially add to average background noise levels of the environment in which it is installed, and shall
in no event exceed 60dB(A) when measured at a distance of 1 metre and in accordance with ISO
7779.
3.14 Fujitsu Services shall ensure that all items of Equipment to which BS EN 60529 applies have an Index
of Protection rating of IP3X as defined in BS EN 60529.
3.15 Fujitsu Services shall ensure that Equipment complies with EN 55022 (Emissions) Information
Technology Equipment - Radio Disturbance Characteristics - Limits and Methods of Measurements.
4. POST OFFICE’S POLICIES AND STANDARDS
4.1 Security Policy
4.1.1 Fujitsu Services shall maintain an organised security infrastructure covering:
(a) the agreement of a security policy;
(b) allocation of security responsibilities;
(c) security education and training;
(d) reporting security Incidents;
(e) physical security control;
(f) virus control;
(g) business continuity;
(h) control of Software;
(i) safeguarding Post Office records;
(j) information classification;
(k) compliance with data protection and other legislation;
(l) information exchange control;
(m) Contractor's sub-contractors and suppliers;
(n) compliance with security policy;
(o) the management of fraud and risk during operation of the Services compatible
with Clause 16 of this Agreement;
(p) file integrity monitoring.
4.1.2 Fujitsu Services shall be compliant with ISO 27001 except for the Salesforce Support Service.
4.1.3 Security for the Services, HNG-X Development, Associated Change Development and
Equipment shall be managed and organised by Fujitsu Services in accordance with the CCD
entitled "Horizon Security Policy" (RS/POL/002) or "RMGA Information Security Policy"
(SVM/SEC/POL/0003) as applicable and, when it comes into effect in accordance with
Schedule B3.1, the CCD entitled "Security Management Service: Service Description"
(SVM/SDM/SD/0017).
4.1.4 Security Standards
Fujitsu Services shall adhere to all parts applicable to the Fujitsu domain, as defined in Section
2 Definitions of the CRD entitled “Community Information Security Policy for Horizon”
(SVM/SEC/POL/0005) and co-operate with Post Office to assist Post Office in complying with
this standard and requirement.
4.1.5 Data Security
The confidentiality, integrity, validity and completeness of data shall be maintained throughout
all storage, processes and transmissions, including during periods of Service Failure and
recovery from Service Failure.
4.1.6 Prosecution Support
(a) Subject to paragraph 4.1.6(b), Fujitsu Services shall ensure that all relevant
information produced by the Infrastructure at the request of Post Office shall be
evidentially admissible (and, where relevant, capable of certification) in accordance
with the requirements of the law in relation to criminal proceedings.
(b) Fujitsu Services’ obligation in paragraph 4.1.6(a) shall apply to POL FS Data only
to the extent that:
(i) Fujitsu Services is responsible for the platforms on which the POL FS Data
is held and the performance of the POL FS Services; and
(ii) Performance of the obligation in paragraph 4.1.6(a) is achievable, taking
into account that once POL FS Data has been loaded onto the POL FS
System, the use of that data is controlled by Post Office.
(c) At the direction of Post Office, audit trail and other information necessary to
support live investigations and prosecutions shall be retained for the duration of the
investigation and prosecution irrespective of the normal retention period of that
information, provided that such information has not already been destroyed by Fujitsu
Services where such destruction is permitted by this Agreement.
5. CONTRACTOR’S POLICIES AND STANDARDS
5.1 Quality Management System
5.1.1 Fujitsu Services shall operate a quality management system which complies with BS EN ISO
9001:2000 for all its activities within the scope of this Agreement.
5.1.2 The quality management system shall be applied to all aspects of the provision of Services,
HNG-X Development and Associated Change Development hereunder.
5.1.3 The quality management system shall be audited and certified by a BSI accredited auditor,
who is independent of both Fujitsu Services and Post Office:
(a) in any event, at intervals of not longer than twelve months; and
(b) in addition, within 20 Working Days of any such request.
5.1.4 Fujitsu Services shall within one month of each audit:
(a) provide Post Office with copies of all reports produced by the auditor on the
quality management system; and
(b) notify Post Office of and carry out Fujitsu Services’ proposed follow up actions
where required.
5.2 Human-Computer Interface
Horizon
5.2.1 Fujitsu Services shall maintain the CCD entitled “HNGX-UI Style Guide” (DES/APP/STD/0001)
(formerly “Horizon Office Platform Service Style Guide” (SD/STD/001)), which relates to the
Horizon Service Infrastructure and the Horizon Applications, until the commencement of the
Roll Out Phase. The Horizon Office Platform Service Style Guide shall remain relevant in its
then current form, in relation to Branches utilising the Horizon Applications, until completion of
the Roll Out Phase (at which point all provisions of the Horizon Office Platform Service Style
Guide shall cease to have effect).
5.2.2 The Horizon Office Platform Service Style Guide shall set out in relation to the Horizon Service
Infrastructure general guidelines for the Human-Computer Interface, including without
limitation details of screen layouts, system navigation routes and help and manual entry
facilities.
5.2.3 Fujitsu Services shall ensure that, in respect of the Horizon Service Infrastructure, the Human-
Computer Interface provides a consistent look and feel across all applications delivered by
Fujitsu Services over that infrastructure, and that the Human-Computer Interface is easily
adapted to facilitate the introduction of new applications. This provision shall not apply in
relation to any Transaction types developed and introduced by the Post Office using the AP-
ADC Facility and, unless the Parties agree otherwise, shall not apply in respect of third party
applications selected by Post Office.
5.2.4 Fujitsu Services shall maintain the CCD entitled "HNG-X Style Guide" (ARC/SOL/ARC/0001),
which relates to the HNG-X Service Infrastructure, the Business Capabilities and Support
Facilities. The provisions of that HNG-X Style Guide shall come into effect upon
commencement of the Roll Out Phase in respect of those Branches in which HNG-X has been
implemented.
5.2.5 The HNG-X Style Guide shall set out in relation to the HNG-X Service Infrastructure general
guidelines for the Human-Computer Interface, including without limitation details of screen
layouts, system navigation routes and help and manual entry facilities.
5.2.6 Fujitsu Services shall ensure that, in respect of the HNG-X Service Infrastructure the Human-
Computer Interface provides a consistent look and feel across all applications delivered by
Fujitsu Services over that infrastructure, and that the Human-Computer Interface is easily
adapted to facilitate the introduction of new applications. This provision shall not apply in
relation to any Transaction types developed and introduced by the Post Office using the AP-
ADC Facility and, unless the Parties agree otherwise, shall not apply in respect of third party
applications selected by Post Office.
Generally
5.2.7 Fujitsu Services shall use reasonable endeavours to specify a Human-Computer Interface
which is intuitive and easy to use by Counter Clerks and other Users to minimise errors and
delays.
5.2.8 Not Used
6. ADDITIONAL POLICIES AND STANDARDS
6.1 Encryption keys used that could directly or indirectly expose plain text PIN values and any keys used
in association with MACs shall be managed in accordance with the principles established in ISO 8732
and ISO 11568 as applicable.
6.2 The key management scheme used between each PIN Pad and the rest of the Infrastructure shall be
the DUKPT scheme as defined by the ANSI X9.24-2004 standard.
6.3 The HSM shall be conformant to the standards set out in the versions of FIPS 140-1 level 3 and ISO
9564 1st Edition 1991 section 6.3.1 as specified in the LINK information security standard issued
January 2001 (subject to such dispensations from that standard as LINK may grant from time to time).
6.4 Fujitsu Services shall operate a secure method for the remote initialisation of PIN encryption keys (if
any) held in PIN Pads.
6.5 Sensitive Data captured in respect of each Branch prior to the HNG-X PCI Date in respect of that
Branch shall remain encrypted whilst it is within the Horizon Service Infrastructure whether in transit
or in storage, save where the TIS or Application Interface Specification for connection to an external
service specifies otherwise.
6.6 Cardholder Data captured in respect of each Branch on or after the HNG-X PCI Date in respect of
that Branch shall be handled as described in the CCD entitled “Security Constraints”
(ARC/SEC/ARC/0001).
6.7 Sensitive Authentication Data captured in respect of each Branch on or after the HNG-X PCI Date in
respect of that Branch shall be handled as described in the CCD entitled “Security Constraints”
(ARC/SEC/ARC/0001).
6.8 Sensitive DC Data captured in respect of each Branch prior to the HNG-X PCI Date in respect of that
Branch shall be handled as described in the CCD entitled “Mapping Schedule B3.2 to the HNG-X
Solution” (REQ/GEN/REP/1091) (formerly “Debit Card MoP Functional Description” (EF/SER/001)).
6.9 Sensitive DC Data captured in respect of each Branch on or after the HNG-X PCI Date in respect of
that Branch shall cease to be handled as described in the CCD entitled “Mapping Schedule B3.2 to
the HNG-X Solution” (REQ/GEN/REP/1091) (formerly “Debit Card MoP Functional Description”
(EF/SER/001)).
6.10 Fujitsu Services shall run weekly Anti Virus scans on the PCI defined Windows platforms as detailed
in the Cardholder Environment Specification document and DEV/GEN/SPE/0007. Scheduling of the
activities will be performed on a weekly basis and logs saved for a period of 12 months.
6.11 The PCI Cardholder Environment is detailed in a network diagram as described in the CCD
DES/SEC/ION/2006.
7. SYSTEM AND DATA SECURITY
7.1 Legal and Regulatory Controls
7.1.1 Regulation of Investigatory Powers Act 2000
The security features, capabilities and related procedures provided by Fujitsu Services in respect of
all Services, HNG-X Development, Associated Change Development and Equipment shall be
compliant with the requirements of Part 3 of the Regulation of Investigatory Powers Act 2000 (the
“Act”). In the event that any provision of this Agreement imposes an obligation on Fujitsu Services
which is inconsistent with any requirement imposed by the Act, the requirement of the Act shall prevail
over the provisions of this Agreement and those provisions shall cease to apply to the extent of such
inconsistency.
7.1.2 Other Legal and Regulatory Controls
Fujitsu Services shall comply with all banking laws and regulations, including all relevant instructions,
standards and directions of a regulatory authority, which are in force and applicable to Fujitsu Services
on 26 April 2004. Fujitsu Services shall co-operate with Post Office to agree any necessary changes
to ensure compliance with any subsequent changes to such laws, regulations, instructions, standards
and directions and the Banking Code, such changes (and Fujitsu Services’ reasonable charges in
respect of such changes) to be agreed and introduced under the Change Control Procedure.
7.1.3 CAPO
The Parties agree and acknowledge that in the event that additional or different legal or regulatory
requirements arise in respect of provision of the NBS and the Banking Business Capability to CAPO
beyond those which apply for provision of the NBS and the Banking Business Capability to other Banks,
then compliance by Fujitsu Services with such additional or different legal and/or regulatory
requirements and the charges for such compliance will be dealt with through the Change Control
Procedure.
7.2 Security for the Existing Services
The security features, facilities and functionality set out in this paragraph 7 shall not reduce, mitigate,
add to or modify any of Fujitsu Services’ security obligations under this Agreement in respect of the
Services as they existed immediately prior to the date of approval of the CCN which introduced the
NBS.
7.3 Security Organisation and Management
7.3.1 Fujitsu Services shall not unreasonably withhold assistance requested by Post Office (or by
Post Office on behalf of a member of the Royal Mail Group) in connection with the investigation
and resolution of any actual or potential security breach or threat.
7.3.2 Where a potential security breach or threat arises which is not addressed by this Agreement
(including the CCD entitled "Security Management Service: Service Description"
(SVM/SDM/SD/0017)), Fujitsu Services’ charges in respect of co-operation and assistance in
respect of such breach or threat (which shall be paid by Post Office to Fujitsu Services) shall
be calculated on a time and materials basis using the applicable rates specified in paragraph
10.4 of Schedule D1.
8. ETHICAL AND ENVIRONMENTAL COMPLIANCE
8.1 Fujitsu Services acknowledges on behalf of itself and other members of the Fujitsu Services Group
that the Fujitsu Services Group is supportive of the principles contained in the UN Global Compact,
the UN Universal Declaration of Human Rights and the Eight Fundamental International Labour
Organisation Conventions (each as may be amended from time to time) in the course of providing the
Services, HNG-X Development and/or Associated Change Development.
8.2 Fujitsu Services shall take reasonable steps (and shall ensure that members of the Fujitsu Services
Group shall take reasonable steps) to:
8.2.1 comply with local legal and regulatory requirements relating to occupational health, safety at
work and the environment;
8.2.2 provide staff and others engaged in the performance of this Agreement with appropriate
health, safety at work and environmental impact training applicable to their activities;
8.2.3 where necessary, identify and implement policies for improvement in health, safety at work
and environmental impact;
8.2.4 ensure the pay and working conditions of staff (including employees, casual and agency
workers) comply with all applicable laws, industry specific regulations and binding codes of
conduct;
8.2.5 ensure no individual is employed (including on a casual or temporary basis) directly or
indirectly in relation to its activities who is below the applicable minimum legal age for
employment;
8.2.6 ensure no person under 18 years of age is employed (including on a casual or temporary
basis) directly or indirectly in relation to its activities for any hazardous work;
8.2.7 ensure no person is engaged in work directly or indirectly in relation to its activities as a result
of forced, bonded or compulsory labour; and
8.2.8 to the extent the relevant law permits, allow all employees the freedom to join, or not to join,
an employee representative body,
in the course of providing the Services, HNG-X Development and/or Associated Change
Development.
8.3 Fujitsu Services shall notify all its Sub-contractors, as soon as reasonably practicable, that they should
have appropriate policies in place to adhere to the principles referred to in paragraph 8.1 and each of
the requirements set out in paragraph 8.2 when performing the obligations which Fujitsu Services has
sub-contracted to them under this Agreement.
8.4 Upon request by Post Office, Fujitsu Services shall:
8.4.1 provide to Post Office reasonable evidence of the steps taken by Fujitsu Services and, where
relevant, other members of the Fujitsu Services Group to comply with the requirements set out
in paragraph 8.2; and
8.4.2 use reasonable endeavours to procure, to the extent the request so requires, that the Sub-
contractors shall provide to Post Office reasonable evidence of the policies which they have in
place to adhere to the principles referred to in paragraph 8.1 and each of the requirements set
out in paragraph 8.2 when performing the obligations which Fujitsu Services has sub-
contracted to them under this Agreement.
9. ASSOCIATED DOCUMENTS
9.1 The following CCDs are associated with this Schedule A4:
    Document Reference   Document Title
1.  SVM/SEC/POL/0003     RMGA Information Security Policy
2.  SVM/SDM/SD/0017      Security Management Service: Service Description
3.  SVM/SEC/POL/0003     RMGA Information Security Policy
4.  SD/STD/001           Horizon Office Platform Service Style Guide
5.  DES/APP/STD/0001     HNGX-UI Style Guide
6.  RS/CSD/001           Departmental IT Security Standards
7.  DES/SEC/ION/2006     PCI CARDHOLDER ENVIRONMENT
9.2 The following CRD is associated with this Schedule A4:
    Document Reference   Document Title
1.  SVM/SEC/POL/0005     Community Information Security Policy for Horizon