Statement of Intent The Active Collection Bureau Limited (ACB) is required to process relevant personal and organisational data with regards to employees, clients, suppliers and visitors as a part of its business operations. It is the intent of ACB that all data is communicated, processed and retained in a confidential and secure manner and ACB shall take all reasonable steps to do so in accordance with this Policy. This policy is designed to clarify and provide guidance on the responsibility of both ACB and its employees in relation to the confidentiality and security of the communications or the processing and the retention of personal and organisational data. General Principles It is the Company's approach that: The confidentiality and security of communication, processing and retention of personal and organisational data are of importance to its clients, suppliers and those requesting information about ACB's services Information received from employees, clients, suppliers and visitors is treated confidentially, is communicated, processed and retained accordingly to the requirements for the information, and is not sold to third parties Information is processed and retained in accordance with this Policy, the Data Protection Policy, the Information & Communication Technology Policy, and as outlined in the Information & Technology Code of Practice (QEP/019) Client, Supplier & Visitor Confidentiality All employees have a responsibility to recognise the special relationship of trust between the Company and its clients, suppliers and visitors; as a general business practice, the Company holds their data and communications in strictest confidence. The Company undertakes to enter into confidentiality agreements with clients and suppliers as and when required on an operational or commercial basis. In conjunction with ACB’s Integrated Management System, as and when required ACB will conduct duty of care audits with regards to its suppliers. Information retained as a result of these audits will be held only for as long as is absolutely necessary and justifiable. ACB, as most organisations, owns and operates a company website, which in turn provides basic information about ACB and its services provided. Additionally, the website provides potential clientele and interested parties with a means of: Instigating ACB’s service quotation processes Contacting ACB either through: the email addresses provided, or the contact webform, which allows the potential clientele and interested parties to provide basic details and a short message. These details are used for contact and response purposes unless provided by the individual for additional communications and services. In addition, if you visit our website via a link from a third party website, we cannot be responsible for the privacy policies and practices of the owners and operators of that website and recommend that you check their own privacy policy. Employee Confidentiality All employment-related information about other ACB employees must be treated in a confidential manner. Employees may not gain access to or disclose such information without proper authorisation from an Executive Management Team (EMT) member and/or the party involved. Handling, Release & Security of Information The handling of personal information is dealt with under the Company's Data Protection Policy. Information is not released without consent; the only exceptions being the unlikely event that information is summonsed as a part of a legal proceeding, or that the information is required by law to be reported. Written authorisation is required for the release of information should employees, clients, suppliers and/or visitors wish the Company to share it with others. We at ACB are committed to ensuring that all information is secure. To prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect. On induction, all employees are made aware that commercial confidentiality is of utmost importance and that any approach by the Press should be directed to an EMT member. Under no circumstances should a statement or comment be given without the prior agreement of an EMT member.

Introduction The Company recognises recognises its business activities influence the communities and environments in which it operates and is committed in its endeavours to manage these potential impacts in a responsible manner. Throught the sound execution of the Company's Core Values and the appropriate performance of the Company in relation to the Company's corporate social responsibilities and commitments (CSRC) is linked to business success and operating in such a way that is safe for the Company's people and respectful to the environment The Company is committed to reviewing and continuously improving its CSRC programme by encouraging its business partners to strive for the same objectives and levels of performance and aspiring to proactively bring benefit to the communities in which it works. Employees The Company's employees bring a wealth of experience and perspectives to the Company and it seeks to promote this diversity by responding to the needs of all individuals in a fair and equitable manner, whilst observing the Company's commitment and responsibility to current legislation. Clients The Company recognises that its business and livelihood depend upon its clients and strives in all its activities to deliver high quality and value in the delivery of its services. Suppliers The Company aims to deliver maximum benefit and value to its clients by reducing costs throughout its suppliers through good supply chain management. Community The Company strives to be a responsible corporate citizen and is committed to enhancing relations with its neighbours and the community by ensuring that adequate controls are i place so that its impacts do not adversely affect or cause nuisance or harm to the Company's neighbours and the community. Where possible, the Company strives to make beneficial contributions to the local community by: supporting local charitable organisations through donations, sponsorship and provision of resources; endeavouring to recruit employees from the local community; and utilising local suppliers and contractors whenever possible to support the local economy. Environment, Health & Safety ACB's responsibility to the environment and to adopt sustainable practices in the way the Company does business is a key part of its CSRC. The health and safety of employees and all individuals who may be affected by ACB's business activities is of paramount importance to the Company and ACB promotes a safe and healthy working environment not only on its premises, but also for those working on client sites. The Company has formal policies and procedures in place setting out its commitment to and ensuring compliance with all applicable environment, health and safety legislation and regulations.

Statement of Intent The Active Collection Bureau Limited (ACB) is required to process relevant personal data with regards to its employees, visitors, clients and suppliers as part of its business operations and ACB shall take all resonable steps to do so in accordance with this policy. This policy is designed to clarify and provide guidance with relation to the Data Protection Act 2018 (DPA18) and the General Data Protection Regulation (GDPR). General Principles It is ACB's approach that personal data is: Fairly and lawfully processed Processed for limited specifically stated purposes Processed in accordance with the data subject’s rights Used in a way that is adequate, relevant and not excessive Accurate and up to date Kept for no longer than is absolutely necessary Kept safe and secure Not transferred outside the UK without adequate protection These principles are in line with the GDPR and the principles contained within. The GDPR places a duty on organisations to appoint a Data Protection Officer (DPO) if they meet the criteria as specified in Section 4, Article 37 of the GDPR. A review of the information that we at ACB process has been carried out by ACB's Executive Management Team (EMT) against the specified criteria, which concluded that ACB is not required to appoint a DPO, and as such one has not been appointed. We at ACB are committed to ensuring that personal data is secure. To prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect and retain. Staff processing personal data on behalf of the Company have a responsibility to treat such data in line with the GDPR and as directed by the Company (the Data Controller). The Company will comply with its obligations under the GDPR. The rules and guidance in this policy are applicable to and are to be carried out by all ACB staff. Information is processed and retained in accordance with this Policy, the Confidentiality Policy, the Information & Communication Technology Policy, and as outlined in the Information & Technology Code of Practice (QEP/019). Definition of Personal Data Personal data as defined in the GDPR means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, no matter the medium used to retain the information, whether the information is on paper, video tape, camera, computer or cassette, then the GDPR applies. Processing Personal Data ‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. The GDPR provides strict rules in the relation to processing such personal data about data subjects. If ACB individuals are in any doubt about what they may or may not do, they should seek advice from an EMT member or their nominated representative. If ACB employees are in doubt and cannot get in touch with their Line Manager or the EMT, the information concerned should not be disclosed. ACB holds and processes personal data with regards to visitors, clients and suppliers. Visitor information is processed for identification of the visitor and with relation to the specific nature of the visit. Client and supplier information is processed to provide a point of contact and for traceability of contracted works to be carried out. Visitors, clients and suppliers have the right under the GDPR to restrict, where applicable, the processing of their personal information; all such requests are required to be submitted in writing to an EMT member. ACB also holds and processes personal data with relation to its employees. Each of ACB’s employees has been provided with a Personal Information Declaration & Consent form, providing transparency as to what employee information will be processed and why the information is to be processed, while providing the employee with a means of consenting and/or restricting their personal information that is processed. If the employee’s personal data changes employees should inform ACB as soon as practicably possible so that records can be updated. Staff processing personal data on behalf of ACB have a responsibility to treat such data in line with the GDPR and as directed by the Company. All processing is carried out in line with site security protocols and/or current legislative and other compliance obligation requirements. Access to Personal Data Employees and others (data subjects) may request to inspect personal information which ACB holds in relation to them and request that any inaccuracies are corrected. Subject Access Requests (SARs) are required to be made in writing to an EMT member. All SARs are verified and authorised by the Managing Director and dependent upon the nature and extent of the SAR a fee may be charged for this service in line with the GDPR. This fee amount will be confirmed prior to allowing access to the information. Accuracy of Personal Information It is important that visitors, clients and suppliers provide ACB with the most up to date information and to update ACB as to any changes to the information as applicable. It is important that employees immediately notify any changes in personal information to the Deputy Director, or only in their absence another EMT member. These include changes to personal data as part of their employment, which generally covers changes of: name; address; telephone number; dependents (e.g. for parental and emergency leave requests); next of kin details; person to be notified in case of an emergency; qualifications (professional or educational); tax code; National Insurance number; bank details; driving license; and/or entitlement to work in the UK. Sensitive Personal Information ACB may also hold sensitive personal information with regards to its employees for, as applicable, equal opportunity monitoring, medical needs, union administration purposes, Statutory Payments (e.g. sickness, maternity, paternity), and employment administration processes. Sensitive personal information can include: racial or ethnic origins; religious or similar beliefs; trade union membership; physical or mental health; and/or convictions. Any changes to sensitive personal information should be notified to the Deputy Director, or only in their absence another EMT member, immediately. ACB will ensure that sensitive information is securely held and properly administered in accordance with the GDPR. It is important that any changes in personal circumstances (including the above personal and sensitive data) are notified to the Deputy Director immediately. We do not collect any sensitive personal information about clients, suppliers or visitors, other than is necessary to maintain their health and safety and for legitimate interest purposes whilst on our site; this information will be retained only for its intended purpose and then destroyed. Right to Erasure Under GDPR data subjects have the right to the erasure of their personal information that is held by ACB. All requests for erasure must be submitted in writing to an EMT member. A review of the information currently held by ACB will be carried out and a Personal Information Erasure Request form prepared, detailing to the requestor what information is held, what information ACB must retain in compliance with current legislation and what information will be erased. Transmitting Information ACB realises that during the regular course of business carried out, it will be required by legislative, contractual and/or other reasons to provide personal information to outside third parties – e.g. payroll service provider, occupational health service provider, logistics providers. The transmission of this information will be carried out in such a manner as to ensure the security of the information. All employees should be aware of the risks when transmitting personal data. The following is guidance for employees responsible for personal data: ay particular attention to the risks of transmitting confidential information by email or fax Transmit information between locations only if a secure network or comparable arrangements are in place or if, in the case of email, encryption is used All copies of email and fax messages received by Line Managers should be held securely ACB draws employees' attention to the risks of sending confidential, personal information by email or fax. If there are any questions as to the information security, they must consult their Line Manager or the EMT and the information concerned should not be disclosed without further approval If ACB sells all or part of its business it may provide personal data about employees, visitors, clients and suppliers to any prospective purchaser in the course of negotiations. So far as possible such data will be provided in an anonymous form and if this is not possible the prospective purchaser will be required to keep the information confidential in accordance with prevailing data protection legislation. ACB will transfer any employee personal data on any transfer or sale falling within the terms of the Transfer of Undertakings (Protection of Employment) Regulations. Monitoring ACB monitors emails and telephone calls but strictly in accordance with what is permitted under the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000. Employees have consented to this by a term in the employment contract. Any data protection queries should be addressed to the Managing Director, or only in their absence another EMT member. Data Breaches All information data breaches, suspected or actual, will be formally investigated in line with ACB’s Non-Conformance, Corrective Actions & Preventive Measures and any breach deemed as reportable will be reported to the relevant supervisory authority within 72 hours of ACB becoming aware of the incident. Each data breach will be investigated on a case by case basis and with appropriate levels of notification, corrective and preventive actions implemented as required by the specifics of the situation. Any ACB employee who fails to inform an EMT member of a potential or actual data breach will be subject to ACB’s Disciplinary Procedure. Data Retention It is ACB’s intent that data is kept no longer than is necessary; only data with valid justification in line with legislative and other compliance obligation requirements will be retained by ACB. Any unrequired data will be erased as soon as is reasonably practicable, electronic versions of the data will as applicable be redacted from documentation and/or deleted, hard copy documentation will be disposed of as appropriate to ACB’s information security protocols.

ACB recognises its responsibility and is fully dedicated to protecting the environment. The Company is aware that its operations have an effect on the environment and it is the Management's desire that all Company activities are carried out with minimum impact on the environment, wherever practical. ACB endeavours to source recycling opportunities for spent radioactive material rather than disposing of it to long-term storage facilities landfill or through incineration at an approved treatment facility. In addition, the Company undertakes to minimise the wastes from any processing by utilising the services of an approved recycler or reprocessor. In order to maintain and sustain this policy and achieve ACB's Environmental Aims & Objectives, the Company is committed to: Ensuring continual improvement in the Company's environmental performance and providing appropriate resources to accommodate this Monitoring environmental legislation, regulations and codes of practice that are relevant to ACB's operations, taking reasonable actions to ensure compliance Developing environmental awareness amongst employees and encouraging them to achieve environmental best practice Recognising the potential impact of climate change and the strategic and operational need to control, manage and reduce carbon dioxide and other greenhouse gas emissions Reducing the Company's use of natural resources such as energy and water Reusing resources whenever commercially viable rather than disposing of them, and encouraging the use of recycled materials and recycling initiatives Ensuring that all environmental aspects are considered for new or existing contracts, methods, processes, or equipment, in order to minimise adverse environmental impacts Seeking methods of improving the environmental performance of the Company's key suppliers and contractors Communicating openly and honestly with employees, customers, regulators and other interested parties who have authorisation to such information with regard to environmental protection Reviewing environmental targets and objectives at the next appropriate management system review meeting Adhering to the waste hierarchy and ensuring that waste is dealt with by the most preferred option possible

It is the Company's approach that all employees have a working environment that promotes dignity and respect, and where individual differences and the contributions made are recognised and valued. The Company's approach is as follows: The Company values the differences that a diverse workforce brings to the organisation The Company will not tolerate or engage in any practices that may be found to be treating employees, customers or visitors unfairly The Company will deal with discrimination or actions that affect equality in a robust manner, viewing such issues as gross misconduct where appropriate The Company is committed to providing equal opportunities in employment and eliminating unlawful and unfair discrimination

ACB's Health & Safety Policy is a requirement of the Health and Safety at Work Act 1974, as amended, and continues to be part of the quality assurance and environmental protection programme adopted by the Company to ensure that the highest standards of quality management and that of its services are adhered to. It is the policy of ACB to protect all persons including employees, customers, contractors and members of the public from potential injury and damage to their health that might arise from work activities. ACB is dedicated to providing and maintaining a safe working environment, equipment and systems of work for all employees and appropriate personnel - at no cost to those involved. Safety training is essential in establishing a safe system of work. The Company will ensure that such information, supervision and training of employees in health and safety requirements is provided as appropriate. A list of qualified first aid personnel is displayed. Health and safety is ingrained into everything ACB does. Where appropriate, operational procedures have a specific health and safety requirement, which is detailed in that procedure as required. The Company gives a high level of commitment to health and safety and it is the Company's intention to regularly review this policy to ensure its accuracy and compliance with the latest legislation and statutory requirements. In order to maintain and sustain this policy and achieve ACB's Health & Safty aims & Objectives, the Company is committed to: Ensuring continual improvement in the Company's health and safety performance and providing appropriate resources to accommodate this Monitoring health and safety legislation, regulations and codes of practice that are relevant to ACB's operations, taking reasonable actions to ensure compliance Developing health and safety awareness amongst employees and encouraging them to achieve health and safety best practices Ensuring that all health and safety aspects are considered for new or existing contracts, methods, processes, or equipment, in order to minimise risks

ACB recognises its responsibilities and obligations to its clients, the general public, and interested parties, and is fully dedicated to the maintenance and protection of the information it manages, in both electronic and hard copy form. The Company is aware that during its operations various information, both sensitive and non-sensitive is required and processed. In addition, the Company undertakes steps to appropriately secure and protect against the consequences of breaches of confidentiality, failures of integrity, or interruptions to the availability of that information. ACB has a strategy of providing the highest professional services and committed to maintaining an Integrated Management System (IMS), of which Information Security forms a part of, with trained and capable personnel and good working practices. ACB understands the importance of conformance to a recognised IMS and is thus committed to following the ISO 9001, ISO 14001 and ISO 27001 standards for its practices in the commercial disposal of low and intermediate level radioactive wastes. ACB maintains and keeps records of its IMS in accordance with ISO 9001, ISO 14001, ISO 27001 and all legal and regulatory requirements. Information Security Aims & Objectives are established based on the current business needs, current legislation and the requirements of clients, the general public, and interested parties. Aims & Objectives are reviewed at each management system review meeting to ensure that they remain measureable and consistent with this policy. To maintain and promote continual improvement in its information security activities, information will be managed according to the following principles, whereby ACB will: Ensure that all relevant information is compliant with Data Protection legislation and managed in accordance with the Company's Data Protection Policy Ensure that all information is handled and managed in accordance with the Company's Confidentiality Policy Ensure that employees understand and adhere to the Company's Clear Desk & Screen Policy Ensure that employees understand and adhere to the Company's Information & Communications Technology Policy Train its employees in the needs and responsibilities of information management and provide the resources to ensure the importance of meeting information security requirements is communicated and understood throughout the Company Adopt a forward-looking view on future business decisions, which may have information security impacts Follow a concept of continuously improving the effectiveness of the Company's IMS and make best use of the Company's resources in all information security matters Communicate the Company's Information Security Aims & Objectives and its performance against these Aims & Objectives throughout the Company and to interested parties Continue to successfully achieve high standards of performance as evaluated during surveillance assessment visits conducted by ACB's chosen certification provider

ACB has a policy of providing services of the highest professional quality and is committed to this as an obligation to its clients, the general public and the environment. ACB is also committed to maintaining a quality organisation, with trained and capable personnel and a good working environment. To achieve an efficient operation and maintain customer confidence, ACB understands the importance of conformance to a recognised managment system (IMS) and is thus committed to following the requirements of the ISO 9001 standard for its practices in the commercial disposal of low level and intermediate level radioactive wastes. The Quality Aims & Objectives are established based on the current business needs and are reviewed at each IMS review meeting to ensure that they remain measureable and consistent with the Quality Policy. ACB maintains and keeps records of its IMS in accordance with ISO 9001, as well as any other ISO standards the Company becomes certified to, and all legal and regulatory requirements. It is the responsibility of all staff to ensure that the contents of the IMS manual are understood and that the relevant policies and procedures laid down within the IMS are adhered to. The IMS is fully endorsed by the Directors of ACB, understood by all staff, and implementation by all Company personnel is mandatory. Each and every ACB employee is suitably competent and qualified to provide services to the Company's clients and is involved in and dedicated to achieving high quality standards for ACB's clients through the application of the IMS. To maintain continual improvement in its IMS activities, business will be conducted according to the following principles, whereby ACB will: Ensure that all waste is segregated, size-reduced where possible and prepared for a suitable waste stream Consolidate wastes to ensure the most cost effective solution for the Company's clients Engage everyone's commitment across ACB's supply chain and at all levels within the Company to build on ACB's quality culture Train its employees in the needs and responsibilities of quality management and provide the personnel and resources to ensure the importance of meeting and exceeding client requirements is communicated and understood throughout the Company Adopt a forward-looking view on future business decisions, which may have quality impacts Follow a concept of continuously improving the effectiveness of the IMS and make best use of the Company's management resources in all quality matters Communicate the Company's quality objectives and its performance against these objectives throughout the Company and to interested parties Continue to successfully achieve high standards of performance as evaluated during surveillance assessment visits conducted by ACB's chosen certification provider