A summary of our mandated corporate policies is provided below:
Ultra Electronics takes a zero tolerance approach to bribery and corruption and prohibits its employees from offering, giving, or receiving bribes or personal inducements, or requesting others to do so on their behalf, for any purpose. Any employee who breaches this policy may be subject to criminal prosecution and will face disciplinary action, which could result in dismissal for gross misconduct.
Approval of Bids represents a key part of Ultra’s internal control system. It is important that Bids are competitive, present acceptable levels of risk and predict satisfactory financial returns. Compliance with this Policy ensures:
- bid prices are competitive and satisfactory levels of profitability are achieved
- risks are identified, evaluated and mitigated
- issues pertinent to the Bid are raised and addressed during the Bid approval process with adequate levels of internal scrutiny
- commercial, financial and legal obligations are managed appropriately
Ultra communicates in a variety of ways to various stakeholders including customers, suppliers, investors, financial institutions and the general public. The Communication Policy helps protect Ultra’s reputation through consistent communications in compliance with stock market rules.
Ultra Businesses must comply with local competition laws. Failure to comply with such laws can lead to significant fines based on worldwide annual turnover.
Approval of contracts, contract changes and ongoing contract compliance management represents a key part of Ultra’s internal control system.
All Contracts entered into by the Ultra businesses must be effectively managed from a financial, operational, technical, commercial and legal perspective throughout the Project lifecycle (negotiation, delivery, termination and expiration) to help realise financial objectives and mitigate and control contractual risk.
Compliance with this policy is required ensure:
- contracts and contract changes are properly negotiated and have a risk profile acceptable to the individual Ultra business and the wider Ultra Group.
- contract risks are identified, mitigated and managed.
- contract performance and compliance is reviewed throughout the Project lifecycle.
- contract change control processes are adopted and followed
Ultra Electronics conducts its activities in a responsible manner, having regard to their effect on the environment and the communities in which Ultra operates.
Businesses are required to carry out their duties in such a way as to minimise environmental damage and maximise conservation of materials and energy in compliance with national, regional and local environmental legislation.
Ultra is committed to safeguarding the personal data of all data subjects. Known as Personally Identifiable Information in some of the countries where Ultra operates, personal data is only ever processed where there is legitimate and lawful reason to do so. Where explicit consent is required Ultra commits to obtaining and recording this from data subjects before processing commences.
Ultra collects and processes information about data subjects as part of its day-to-day operations. This includes personal data relating to individuals who work for Ultra in any capacity and personal data processed for customers, suppliers, partners and other parties.
All processing of personal data is undertaken in compliance with prevailing data protection and privacy law in the countries where we operate. This commitment is essential to ensure that personal data remains safe and the rights of data subjects are respected. These laws include:
- UK – Data Protection Act 2018 and the General Data Protection Regulation (GDPR)
- Europe – the General Data Protection Regulation (GDPR)
- USA – US Federal Trade Commission and State legislation insofar as it is published, the California Consumer Privacy Act (2018) for example
- Canada - Personal Information Protection and Electronic Documents Act (PIPEDA) and equivalent Provincial law specifically the Quebec Privacy Act
- Australia – Australian Privacy Act (1988) and the Australia Privacy Principles
Read our full Data Privacy Notice here
Ultra businesses are required to maintain documents, records and other materials that are necessary to meet legal obligations, whilst promptly disposing of documents and records which are no longer necessary.
Where local rules dictate, a record of destruction of documents or records must be retained.
Each Ultra business is required to maintain a database of all signed contracts.
Data protection law prohibits the retention of employee personal data for longer than is necessary. The period for retaining records is determined by the nature of the record and its contents. Ultra is committed to data privacy and respecting the rights of data subject rights. Ultra is committed to ensuring that personal data is only held for as long as it is needed before being securely disposed. Ultra data retention principles are:
- Legal retention – Ultra complies with Data Protection and Privacy Legislation when storing records and will only store personal data for so long as it is necessary for a particular purpose.
- Limited retention – Ultra limits historic retention of records and only stores documents needed.
- Maintained retention – Ultra maintains records to ensure documents are regularly and systematically destroyed at the end of the retention period.
- Safe retention – Ultra stores records in accordance with the Group Information Security Policy. Records are stored appropriate to their classification and in a way that allows straightforward identification of the records.
- Justifiable retention – Ultra only stores records beyond their retention period where justifiable.
Ultra Electronics requires that all employees conduct themselves in ways that demonstrate high ethical standards in all of their dealings with customers, suppliers, governments, the public and each other. The integrity of Ultra Electronics rests on the integrity of its employees.
Employees are permitted to offer modest non-cash gifts to business partners where appropriate for marketing purposes or, as long as the gift is occasional and not regular or repeated, other purposes such as expressing thanks or making a goodwill gesture.
Employees are permitted to accept token gifts from business partners or potential business partners where this constitutes legitimate and reasonable marketing or where it is a legitimate goodwill gesture.
However, if the giving or receiving of gifts or hospitality is in any way for the purposes of obtaining an inappropriate advantage or benefit, then this may amount to a bribe which is prohibited by the Gifts and Corporate Hospitality policy and by law.
The Gifts and Corporate Hospitality Policy sets out financial limits and approval levels for gifts and hospitality. It also outlines that both gifts and hospitality must be recorded in a gifts and hospitality register.
Ultra ensures the confidentiality, integrity and availability of data is preserved through its adherence to certain principles which are applied to all information assets for which Ultra businesses are responsible.
Each Ultra employee is required to comply with the Acceptable Use Policy for computing services and facilities provided by or on behalf of Ultra.
Ultra is committed to ensuring that any Offset activity in which it is involved is completed in full compliance with all applicable laws and regulations and in accordance with Ultra Electronics’ Anti-Corruption and Bribery Policy.
Ultra businesses may only engage in Offset where they can demonstrate:
- there is no inherent risk of corrupt or unethical behaviour;
- appropriate due diligence has been conducted;
- there is a compelling justification for the level of Offset required; and
- internal approval has been obtained
Dealing in the securities of Ultra where employees or directors are in possession of information which is not available to the public (“Inside Information”), or the unauthorised disclosure of confidential information relating to Ultra, is prohibited.
Dealing in the securities of other companies where individuals have access to Inside Information about that company (for example, one of Ultra’s customers or suppliers) is also prohibited.
Ultra operates a Dealing Code which applies to individuals who are given access to Inside Information.
Ultra complies with all relevant statutory Health and Safety requirements in jurisdictions in which it operates.
Businesses are required to ensure that a suitable written Health and Safety Policy exists for their business and that the necessary organisational procedures and appropriate arrangements are in place to implement and support the policy.
All employees are responsible for taking reasonable care for his or her own Health and Safety and must ensure that they do not endanger the well-being of others by their acts or omissions.
Every individual whose personal data is held by Ultra has rights in respect of that data. This includes individuals who work for Ultra in any capacity as well as customers and business contacts. Ultra supports the entitlement of individuals to exercise their rights to protect and verify the correct use of their personal data. These rights are:
- Right of access (subject access requests) – the right to request a copy of the personal data that Ultra has concerning the individual and supporting information explaining how the personal data is used.
- Right of rectification – the right to request that Ultra rectifies inaccurate personal data concerning the individual.
- Right of erasure (right to be forgotten) – the right, in some situations, to request that Ultra erases all personal data concerning the individual.
- Right to restrict processing – the right, in some situations, to request that Ultra does not use the individual's personal data they have provided (e.g. if they believe it to be inaccurate).
- Right to data portability – the right, in some situations, to request that Ultra ports the individual's data to that individual or their new provider in machine readable format.
- Right to object – the right to object to certain processing of their personal data (unless Ultra has overriding compelling grounds to continue the processing) and the right to object to direct marketing/profiling.
The Group Data Protection Officer works with HR representatives and Privacy Champions to deliver rights requests ensuring compliance with prevailing data protection and privacy law. Rights requests are recorded via the Data Protection and Issues Log held within each business.
Ultra Businesses are required to maintain:
- a register of all current legal agreements entered into by that business
- a list of authorised signatories who can sign legal agreements on behalf of that business; and
- the level of authority delegated to each authorised signatory
Modern slavery is the deprivation of a person's liberty by another in order to exploit them for personal or commercial gain. Ultra has a zero-tolerance approach to modern slavery and is committed to acting ethically and with integrity in all its business dealings and relationships.
Read our full Modern Slavery Statement here
All Ultra Businesses must comply with the economic or financial sanctions or trade embargoes administered or enforced by:
- the U.S. government, including those administered by the Office of Foreign Assets Control of U.S. Department of the Treasury (OFAC);
- the Canadian government, including the Minister of Foreign Affairs and the Canadian Department of Foreign Affairs, Trade and Development;
- the United Nations Security Council;
- the European Union; and
- Her Majesty's Treasury of the United Kingdom.
A personal data breach occurs where there is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed. Ultra Electronics has a duty to report personal data breaches to the relevant Supervisory Authority within the timeframe required by the Supervisory Authority. In the UK for example, Ultra has 72 hours to report a data breach to the Information Commissioner’s Office.
Aligned with Ultra’s commitment to safeguard all personal data, in the event a data breach is suspected, the Group Data Protection Officer commences an investigation to determine whether a data breach has occurred, and whether it is likely to result in a high risk to a data subjects’ rights and freedoms. Data subjects who have had their data compromised via a data breach are notified without undue delay with clear details including likely consequences and the measures to be taken.
Ultra has appointed a network of Privacy Champions across the Company to establish, embed and encourage good practice within each Ultra business when dealing with the processing of personal data. Privacy Champions work in each business as first responders to support the implementation of data protection and privacy policies, support training and development activity and channel communications with the Group Data Protection Officer. These individuals meet regularly and are trained and guided by the Group Data Protection Officer to raise organisational awareness and help develop a positive data protection and privacy culture. Ultra promotes and supports industry initiatives including the annual Data Privacy Day issuing newsletters and running other activities suggested and supported by Privacy Champions.
All UK businesses have a Data Breach and Issues Log to record non-reportable data breaches and other personal data related issues occurring at an operational level. The Data Breach and Issues Log will be implemented across Ultra globally by the end of 2021. Global Privacy Champions are also responsible for reporting data breaches to the Group Data Protection Officer. Following investigation reportable data breaches are reported to the relevant Supervisory Authority by the Group Data Protection Officer. Non-reportable breaches are recorded via the Data Breach and Issues Log.
The Group Data Protection Officer collates data reported via the Data Breach and Issues Log and reports annually to the Executive Team. The reported measures include:
- Total time spent by Privacy Champions
- Data breaches non reportable (number of)
- Subject Access Requests (number of)
- Right to Erasure (number of)
- Policy / process / procedure rollout (time spent implementing)
- Training / development (time spent)
The Group Data Protection Officer examines data submitted year on year to identify trends, emerging risks and areas for improvements.
The Risk Management Framework provides a formal process to assist Ultra Electronics in:
- Identifying the top level risks that can undermine the business model, future performance, solvency or liquidity of the Ultra Group
- Developing and implementing procedures to ensure risks are identified and assessed against accepted criteria and that appropriate control and mitigation measures are implemented
- Defining and documenting responsibilities for Risk Management and reporting.
Ultra has a very low appetite for risk where its culture, reputation or financial standing might be adversely affected.
Ultra Electronics is subject to the stringent anti-corruption requirements of the US Foreign Corrupt Practices Acts (the “FCPA”), the UK Bribery Act (the “UKBA”) and the local laws of the countries in which it operates. The FCPA and UKBA prohibit the bribery of foreign public officials by Ultra or those working on its behalf.
Ultra, in accordance with Regulator expectations, undertakes intermediary compliance reviews proportionate to the risks involved in the engagement of an intermediary.
Employees are encouraged to raise any genuine concerns they might have about certain wrongdoings within the company without fear of reprisal.
The whistleblowing policy allows individuals to disclose any action or inaction by Ultra or any of its workers, that the individual reasonably believes could lead or amount to:
- a criminal offence including bribery;
- a failure to comply with any legal obligations;
- a miscarriage of justice;
- danger to the health and safety of any individual;
- damage to the environment, or
- the deliberate concealment of information concerning any of the matters.
Disclosures may be reported using either of the following routes:
- directly to the individual’s Line Manager
- via the employee Hotline – EthicsPoint