TPG Policy Booklet

IT Access Control POLICY | Our Resources OBJECTIVE The purpose of this document is to define individual’s access IT Services, Facilities and Infrastructure provided by The Personnel Group and describes the logical and physical access conditions to such IT Services, Facilities and Infrastructure. SCOPE This policy applies to all TPG staff, contractors and participants. POLICY PROVISIONS The Personnel Group provides IT Services, Facilities and Infrastructure in support of the contracts held with the Australian Government, CoAct and other organisations from time to time. TPG provides public and private services, available to authorised users only. Public servers include the external websites (main website and the client portal) and access to controlled public computers. All other services are private and provided for use by authorised users only. Authorised users are eligible to hold an active account while their employment or contract with The Personnel Group is current. At the cessation of either employment or the contract, they are no longer considered Authorised Users and access is revoked. Access to Personnel Group IT Services, Facilities and Infrastructure Persons having any of the following relationships with TPG are automatically afforded Authorised User status: • current members of the governing body of TPG • currently employed staff In addition, contractors holding current contracts and support relationships with TPG may apply to become an authorised user. This access is to be reviewed annually (see Restrict Administrative Privileges. Account Creation Account Creation occurs when a person becomes an authorised user. The permissions and access is determined based on role and any special requirements identified by Area Managers, or members of the Senior Management Team. Account Deactivation Account deactivation occurs on termination of an Authorised User’s relationship with TPG. This may occur when employment ceases (via resignation, redundancy, termination or retirement) or when a contractual relationship is ended or expires. Account Privileges Assignment of account privileges is based on the principal of least privilege. An authorised user will be provided with access sufficient for their role in the business, with any additional rights being based on a need-to-use or need-to-know basis and authorised by an appropriate member of the Senior Management Team. Issue Date: 29/6/2020 Current Version: DP92-R1-06/2020 Page 1 of 2 Authorised by: Tracey Fraser, CEO

IT Access Control cont’d. POLICY | Our Resources Account Auditing and Security Accounts with administrative privileges will be audited according to Restrict Administrative Privileges, and all other accounts will be periodically audited to revoke any unused, unauthorised or non-active accounts. Privileges will be reviewed and may be reallocated or revoked at this time. Account details must be made secure in line with the User Password Policy which is part of the Information Security Management System at The Personnel Group. Service Accounts and Generic Accounts Service Accounts are used for specific applications only and are restricted in access to the systems they are related to. These accounts are allowed for service application activities only. Details of these accounts should be stored in the relevant service pages and passwords/passphrases should be stored in the Administrative Password store. Generic Accounts such as the common-* are used only for initial logins, and are to have no access to any file shares or data on the network. They are not to be used to store any data on computers and are subject to revocation or removal without notice. Breaches Breach of this Policy may result in disciplinary action detailed in QMS Quality Procedure 02 Human Resource Management, specifically 18.0 Disciplinary Action. Further, see 19.0 Serious and wilful misconduct and summary dismissal for further information. Staff or contractors learning of violations of this policy are obligated to bring this matter to the attention of the appropriate Team member within TPG without delay. Issue Date: 26/6/2020 Current Version: DP92-R1-06/2020 Page 2 of 2 Authorised by: Tracey Fraser, CEO

IT Mobile Devices POLICY | Our Resources OBJECTIVE The purpose of this document is to define how mobile devices are managed and used by staff of The Personnel Group. SCOPE This policy applies to all staff of The Personnel Group. POLICY PROVISIONS OWNERSHIP OF DEVICE • Mobile devices and all accessories always remain the property of The Personnel Group. • If requested mobile devices must be returned to The Personnel Group with all accessories, unlock codes and in original working condition (minus acceptable wear and tear).  PRIVACY OF COMMUNICATIONS  • The screen must not be in a position for sensitive data to be read over the shoulder by other people. • Talking on the device must take place so people cannot eavesdrop on the conversation or video conference. CARE OF DEVICE • Malfunctions or other technical problems must be reported immediately to ithelp@personnelgroup.com.au. • Mobile devices are carried or stored in a secured state when not being actively used. • Mobile devices are kept under continual direct supervision when being actively used. • The lending of a device to any other person is prohibited. • Every effort is made to not damage the device by having a protective case and keeping the device away from sharp or hard objects. USAGE OF DEVICE • The device is to be strictly used for work purposes only. • The OS and any installed apps must be kept up to date. • If an app is no longer needed it must be deleted. • You may tether your mobile device to your PC as long as it is for work purposes. DEVICE SECURITY • Pin code or similar mechanism must be used to restrict access to the device, the code or similar must be sent to HR so it can be recorded. • If hot-spotting is used on the device the password must be complex and be more than 10 characters in length. The hot-spot must be off when not in use and password must not be shared to anyone. Issue Date: 6/7/2020 Current Version: DP22-R4-01/2020 Page 1 of 2 Authorised by: Tracey Fraser, CEO

IT Mobile Devices cont’d PRIVACY WHILE USING THE DEVICE • No privacy must be assumed in using the device. All activities that take place on the mobile device may be recorded including internet usage, app usage and geolocation services. UNACCEPTABLE USE  The device must not be used in any of the following or similar circumstances: • Install and use data resource-heavy applications that contain streaming media and preloaded pictures such as Facebook, Yammer, YouTube or similar unless it is for work purposes. • Visit non work-related websites at any time (unless you are connected to your home Wi-Fi). • Create or exchange messages that are offensive, harassing, obscene or threatening. • Visit websites containing objectionable (including pornographic) or criminal material. • Exchange any confidential or sensitive information held by The Personnel Group (unless in the authorised course of their duties). • Create, store or exchange information in violation of copyright laws (including the uploading or downloading of commercial software, games, music or movies). • Use internet-enabled activities such as gambling, gaming, conducting a business or conducting illegal activities. • Create or exchange advertisements, solicitations, jokes, chain letters and other unsolicited or bulk email. • Play computer games during work time. BREACHES Breach of this Policy may result in disciplinary action detailed in QP02 Human Resource Management, and specifically see 18.0 Disciplinary Action. Further, see 19.0 Serious and wilful misconduct and summary dismissal for further information. Staff or contractors learning of violations of this policy are obligated to bring this matter to the attention of the appropriate The Personnel Group staff member without delay. Issue Date: 6/7/2020 Current Version: DP22-R4-01/2020 Page 2 of 2 Authorised by: Tracey Fraser, CEO

Motor Vehicles POLICY | Our Resources The Personnel Group (TPG) provides and maintains a fleet of vehicles, which are available for use by authorised personnel in direct relation to conducting TPG business and activities. At all times, the rules and standards set out in this policy are to be adhered to by Team members accessing these vehicles as this policy reflects TPG’s duty of care for both TPG participants and Team members, to provide a safe and healthy workplace. Failure to comply with this policy may result in the removal of vehicle usage or disciplinary action including termination of employment in serious circumstances. The purpose of this policy is to ensure that all TPG employees understand their basic responsibilities when operating company motor vehicles. Detailed procedural information should be sourced via TPG’s Promapp system. APPROVED DRIVERS When travelling for business purposes appropriate receipts must be provided and reimbursement for parking expenses sought via petty cash or expense reimbursement. • Must be an employee of TPG and hold a current motor vehicle license, proof of which is supplied to the People and Culture department. • Non-employees of TPG are not permitted to drive TPG vehicles unless prior approval from the Chief Financial Officer is obtained. • Employees must notify the People and Culture Department immediately of any change to the status or validity of their license, including being unfit to drive due to ill health, suspensions or cancellation of license. Driving a company vehicle with a suspended or cancelled license will result in instant dismissal. TPG reserves the right to dismiss an employee who loses his or her driver’s licence if the job requires use of a vehicle and if no other arrangements are available. VEHICLE OWNERSHIP/RESPONSIBILITY OF CARE AND APPEARANCE • Ownership of fleet vehicles is held by The Personnel Group and no alterations, additions or modifications are to be made to any vehicles without approval. • Either a Site Office or a Team member who has a specifically allocated car, have responsibility for care and maintenance of the vehicle. • As a minimum, a driver is responsible for basic maintenance, water, oil and tyre condition / pressure and must organise servicing as per manufacturers specifications. • Drivers must, at a minimum monthly, visually check their vehicle’s condition. Vehicles must not be driven when unsafe, un-roadworthy or in a condition that is likely to cause damage to the vehicle or provide any health and safety risk to Team members or clients or persons travelling in the vehicle. The Finance Department must be notified immediately to any fault that could render the vehicle unsafe or un-roadworthy. The inside and outside of TPG vehicles are to be kept clean and presentable at all times, with TPG files and personal items removed from the vehicles when not in use. • Vehicles provided to as part of an employment package for personal use, are to be kept presentable at the individual’s expense, not charged to a company credit card. • Pool cars are to be maintained by the site office they are allocated to. • Smoking is not permitted in any vehicle owned or operated by TPG. • The transport of pets in TPG vehicles is not permitted. In cases of emergency and the pet is properly caged, or the animal qualifies legally as a disability aid or companion, are the only circumstance in Issue Date: 7/6/2012 Current Version: DP44-R5-08/2020 Page 1 of 2 Authorised by: Tracey Fraser, CEO

Motor Vehicles cont’d. POLICY | Our Resources which an animal is to be transported with in a TPG vehicle. FUEL CHARGE CARDS/PARKING COSTS • Fuel charge cards are for fuel only and must remain in the vehicle at all times. • Parking of a company car is paid for by the company credit card during business hours. MOTOR VEHICLE REPORTING Use of in-car log book sheets and maintenance/condition reporting requirements are clearly laid out in TPG’s published procedures, all Team members must ensure they read and understand their responsibilities. MOTOR VEHICLE AUDITS Random Vehicle Audits will be conducted by the Finance department on all TPG vehicles. Breaches of TPG Motor Vehicle Policy will be reviewed by People and Culture department & TPG’s Management. Any necessary action, be it disciplinary or advisory, will be conveyed direct to either the garaging Team member or Area Manager concerned. ABIDANCE TO ALL ROAD RULES All Team members will abide by all road rules at all times. Payment of traffic violations or deliberate destruction of company assets, through breaking road rules or TPGs policies and procedures will be the sole responsibility of the offending driver, which may include the payment of insurance excesses. • Immediate dismissal may result if an employee is found to be in control of a TPG vehicle whilst under the influence of alcohol or drugs. • Fatigue while driving must be avoided and during any trip which is two hours or over in duration, a break of at least 10 minutes must be taken every two hours. TPG BUSINESS USE OF PERSONAL CARS For business purposes you are required to use a pool vehicle at all times. A pool car must be used in the transport of a client at all times. If a pool car is not available and the client is unable to provide their own transportation, then hire of a taxi is the next option. Clients cannot be transported in private vehicles. If a pool car is unavailable and you are NOT transporting a client, then you shall claim ATO kilometre reimbursement for the use of a private vehicle. The preferred option is to always use a TPG pool vehicle and all avenues to achieve this should be exhausted prior to the use of a personal vehicle. Kilometre reimbursements will be checked to identify if a pool car was available at the time, prior to the reimbursement of any kilometre claim. Please note if travelling further than 50 km’s in a trip in a personal vehicle, requires prior approval from your Manager, in order for kilometre reimbursement to be remunerated. Where an employee chooses to use their own motor vehicle for TPG business and not use a provided TPG pool car (not permitted for the transport of clients) and is involved in an accident, TPG will not be liable for any insurance or repair costs to the Team member’s vehicle or third party vehicle or property. The employee must have their own comprehensive or third party property insurance at all times. Issue Date: 7/6/2012 Current Version: DP44-R5-08/2020 Page 2 of 2 Authorised by: Tracey Fraser, CEO

Teleworking POLICY | Our Resources To guide team members to best information security practices while working outside of a Personnel Group office. Teleworking refers to all forms of work outside of the office, including non-traditional work environments, such as those referred to as “telecommuting”, “flexible workplace”, “remote work” and “virtual work” environments. These locations include: outreach, remote work, working within a co-location or community location and working from home. POLICY: PHYSICAL SECURITY This policy is to be read in conjunction with WHS Guidelines. Approval shall be considered to be granted for telework undertaken as a normal part of business with the inclusion of the teleworking activity noted in a team members ESS diary (i.e. outreach and co-location). Team members are to ensure they adhere to and comply with any and all safety procedures in place at the facility where telework is being undertaken. Prior to undertaking Work from Home, the team member will complete a Working from Home checklist, and submit to the HR department representative. The team member is responsible for ensuring that they have an area to work that is free from hazards that could impact their health and safety. Conditions of employment and variations in the conditions of employment The terms and conditions of the employment between The Personnel Group and the team member that apply at the employee’s usual place of employment also apply at the teleworking site. In particular the following will not be altered by this Policy: • any applicable legislation, awards or agreements • level of position and related remuneration The Personnel Group and the team member engaged in teleworking may agree to vary any of the terms and conditions of the telework agreement with the exception of the above. Any variation must be agreed to by both The Personnel Group and the team member and must be in writing and attached to this Agreement. Communication The team member agrees to be contactable and available for communication with The Personnel Group during the periods in which home based work is carried out. This may include the organisation monitoring technology platforms as per the Mobile Device Policy. Equipment If a team member is required to undertake telework, they will be allocated the required TPG owned equipment to undertake this work. Only TPG owned equipment is to be utilised to undertake any and all teleworking activity, and this equipment is not to be accessed or utilised by any third party (family, friends, etc). If a team member is required to work externally and does not have an allocated TPG Laptop they will be issued this item for the period of time they will be undertaking teleworking. Team Members will be able to hotspot off their mobile phone for internet connection or use their home internet connectivity. Equipment belonging to the Personnel Group and for use by the team member at the home based work site will be used solely for the purposes of The Personnel Group’s work by the team member only. IT Assets owned by the Personnel Group should be relocated with approval from a manager or the Head of IT Services only. No unauthorised movement of IT Assets is allowed. Issue Date: 26/8/2020 Current Version: DP100-R1-8/2020 Page 1 of 2 Authorised by: Tracey Fraser, CEO

Teleworking cont’d. POLICY | Our Resources Security of assets and information Security of information shall be as applied for The Personnel Group’s office based employment. It is agreed the team member shall take all reasonable precautions necessary to secure The Personnel Group’s equipment and procedures. The normal security policies still apply to staff and equipment. Of note, please refer to the Privacy and Confidentiality Policy, Clear Screen Policy and the Mobile Device Policy - this policy applies no matter where the device is used. Any physical assets, e.g. paper based forms, should be treated per QP08 Document & Data Control. Authorisation to move or relocate assets of this nature is required by a manager. • Access to Personnel Group data of any type must be accessed via Remote Desktop Services. Email may be accessed using Office 365. At no point may usernames or passwords be shared with anyone per the User Password Policy. Issue Date: 26/8/2020 Current Version: DP100-R1-8/2020 Page 2 of 2 Authorised by: Tracey Fraser, CEO