Supplier code of conduct

2025-10-22T11:02:48+00:00

Document owner: BMJ Legal
Effective date: 1 October 2025
Accountable GLT member: CFO
Due next review: 1 October 2026

Introduction

We are committed to upholding the highest standards of ethical conduct, social responsibility, and environmental stewardship. This supplier code of conduct (the “code”) outlines the principles and expectations that we require all our suppliers, contractors, and business partners (each a “supplier” or “you” and collectively, “suppliers”) to adhere to. We believe that a strong partnership is built on shared values and a mutual commitment to integrity.

Who must comply with this code?

All suppliers to BMJ Group must comply with this code. You must also ensure that your employees, workers, suppliers, agents, and subcontractors who form part of your supply chain are aware of this code and comply with it. You must implement a system of training for your workers to ensure that they are aware of, and comply with, the requirements of this code.

1. Labour and human rights

We expect our suppliers to respect and promote human rights in all their operations. This includes, but is not limited to:

  • Human rights: You must comply with all internationally recognised human rights understood, at a minimum, as those expressed in the International Bill of Human Rights and the principles concerning fundamental rights set out in the International Labour Organisation’s Declaration on Fundamental Principles and Rights at Work from time to time in force.
  • Forced labour: You must not use any form of forced, bonded, indentured, or involuntary labour. All work must be voluntary, and workers must have the freedom to leave their employment upon reasonable notice.
  • Child labour: You must not employ anyone under the minimum legal age for employment in the country where the work is performed, or under the age of 15, whichever is higher.
  • Wages and working hours: You must comply with all applicable laws and regulations regarding wages, benefits, and working hours. Compensation must be fair and reasonable, and overtime must be paid at the legally required rate.
  • Discrimination and harassment: You must take appropriate measures to prevent any form of discrimination. Employment decisions must be based on merit, skills, and experience, without regard to race, caste, colour, national origin, gender, gender identity, sexual orientation, religion, age, marital or pregnancy status, disability, union membership, or any other characteristic protected by law (and subject to any accommodations required or permitted by applicable law).
  • Freedom of association and collective bargaining: You must respect the right of workers to form and join unions, or to refrain from doing so, and to bargain collectively in accordance with local laws and regulations.
  • Safe and healthy workplace: You must provide a safe and healthy working environment for all employees, in compliance with all applicable health and safety laws and regulations.

2. Environmental stewardship

We expect our suppliers to operate in an environmentally responsible manner, actively working to minimise their carbon footprint and reduce emissions of greenhouse gases. Suppliers must also ensure that their own supply chains adhere to similar environmental standards, including:

  • Environmental permits and regulations: You must comply with all applicable environmental laws, regulations, and permits.
  • Materials and resources: You should prioritise the use of sustainable and ethically sourced materials, while minimising the use of environmentally harmful materials.
  • Waste management: You should minimise waste and ensure its proper handling and disposal.
  • Pollution prevention: You should take measures to prevent pollution of air, water, and soil.
  • Energy and resource efficiency: You should strive to improve your energy and resource efficiency.

3. Ethics and integrity

3.1 Anti-bribery, corruption, and fraud

Suppliers must comply with all applicable laws, statutes, and regulations relating to bribery, corruption, and fraud, including but not limited to the Bribery Act 2010, Criminal Finances Act 2017, and Economic Crime and Corporate Transparency Act 2023. To that end, suppliers must not:

  • Offer, pay, accept, or permit bribes, kickbacks, facilitation payments, or any other improper payments or benefits.
  • Engage in any activity that constitutes fraud or a fraud offence.
  • Evade or facilitate the evasion of tax.

For further information please refer to our Anti-Bribery and Anti-Corruption Policy. You must notify our Director of Finance as soon as possible if you believe or suspect bribery or corruption in any part of our business or supply chain. If you are unsure whether a particular act may constitute a bribe or corruption, we encourage you to still raise it.

3.2 Modern slavery and human trafficking

Suppliers must ensure that no form of modern slavery or human trafficking exists within their operations or their wider supply chains. This includes forced, bonded, indentured, involuntary, or compulsory labour, as well as the use of child labour. For further information please refer to our Anti Slavery and Human Trafficking Policy. You must notify us as soon as possible if you believe or suspect modern slavery or human trafficking in any part of our business or supply chain. If you are unsure whether a particular act constitutes modern slavery, we encourage you to still raise it by notifying our Director of Finance as soon as possible.

3.3 Fair business practices

Suppliers must comply with all applicable competition laws (including the Competition Act 1998) and conduct their business with honesty and integrity. You must not engage in unfair competition, price fixing, rigging bids, or inappropriate teaming and information sharing with competitors.

3.4 Conflicts of interest

Suppliers must disclose any actual or potential conflicts of interest that may arise in their business dealings with us.

4. Procuring and managing your supply chain

Suppliers are responsible for ensuring their own subcontractors and suppliers (“representatives”) adhere to the principles of this code.

4.1 Due diligence

Suppliers must carry out appropriate due diligence on prospective representatives. This due diligence must include, at a minimum:

  • Investigations into a representative’s record on human rights, treatment of workers, bribery, ethical behaviour, and environmental compliance.
  • Risk assessments for countries from which materials, components, or finished goods are sourced.
  • An assessment of the representative’s ability to meet the requirements of this code.

4.2 Ongoing management

In your dealings with representatives, you must:

  • Ensure your agreements with them include provisions requiring compliance with the relevant parts of this code.
  • Have measures in place to monitor that they are complying with these provisions and address any deficiencies or breaches.

5. Whistleblowing

We are committed to maintaining a culture where individuals feel safe and encouraged to raise genuine concerns about potential misconduct without fear of retaliation. This includes concerns related to any part of this code, such as labour and human rights, environmental issues, ethics, and integrity.

Suppliers and their representatives should, in the first instance, report any actual or suspected breach of this code to our Director of Finance as soon as possible.

5.1 Alternative reporting channels

  • Internal leadership team: You may contact our managing director or any other member of our Group senior leadership team.
  • Independent whistleblowing service: Our independent, third party service, BMJ NAVEX (run by Ethics Point). Details on how to make a report can be found here. A report of your concern will be sent to our Head of HR Operations or Director of People and Transformation.

5.2 Investigation and confidentiality

When you raise a concern, we will carry out an initial assessment to determine the scope of any investigation. We may need further information from you in order to do so. We will aim to keep you informed of the progress of the investigation and its likely timescale. If you want to raise your concern confidentially, we will make every effort to keep your identity secret. If it is necessary for anyone investigating your concern to know your identity, we will discuss this with you in advance.

5.3 Escalation of concerns

If you are not satisfied with the way in which your concern has been handled or resolved, you may escalate the matter by contacting the Chair of our Board. If the matter is still not resolved, you should contact the BMA Chief Executive.

5.4 External reporting

In some circumstances it may be appropriate for you to report your concerns to an external body such as a regulator. It will very rarely, if ever, be appropriate to alert the media. We strongly encourage you to seek advice before reporting a concern to anyone external. The independent whistleblowing charity, Protect, operates a confidential helpline. They also have a list of prescribed regulators for reporting certain types of concern.

6. Data protection and information security

Suppliers must comply with all applicable data protection laws and industry standards when processing any personal data on our behalf, including the UK GDPR. You are responsible for staying informed about and adhering to any updates to these legal frameworks.

6.1 Security measures

Suppliers must establish and maintain robust technical and organisational measures to ensure the security of all systems and data used to perform their obligations for us. These measures must meet or exceed industry best practice and include:

  • Data encryption: Encrypting all sensitive data, both when it is stored on systems (“at rest”) and when it is transmitted over networks (“in transit”).
  • User access controls: Implementing strong controls to protect data and systems based on the principle of least privilege, ensuring users only have access to information necessary for their specific role, including:
    • Multi factor authentication (MFA) for all system access.
    • Role based access controls (RBAC) to limit access to data.
  • System integrity: Protecting the integrity and confidentiality of all information to prevent unauthorised access by third parties.

6.2 Security incident and vulnerability management

You must notify us immediately of any cybersecurity incident or vulnerability that could impact the confidentiality, integrity, or availability of our data, systems, or services.

  • Notification time: Notification must be made within 24 hours of becoming aware of the incident or vulnerability.
  • Required information: The notification must include a detailed description of the event, what data is affected, and the steps being taken to address the issue.
  • Cooperation: Suppliers must cooperate fully with us during any investigation or inquiry related to an incident.

6.3 Business continuity

You must have a business continuity and disaster recovery plan in place to minimise the effect of any unplanned interruption to your services.

  • Plan requirements: The plan must be regularly reviewed, updated, and tested at least once every twelve (12) months.
  • Right to review: Suppliers must provide a copy of their latest plan to us upon request.

6.4 Audits and reporting

We reserve the right to conduct periodic audits of a supplier’s systems, processes, and records to ensure compliance with these requirements. This may be done through internal staff or by engaging a third party auditor. In the event of a suspected security issue, indication of non compliance, or a breach, we may initiate an immediate ad hoc audit of a supplier’s systems and processes.

  • Cooperation: You must provide all reasonable assistance and cooperation during any audit, including access to relevant personnel, records, and systems.
  • Required reporting: You must notify us immediately of any significant change in your security posture or risk profile, such as a change in ownership, a major cybersecurity incident, or a failure to comply with a relevant certification standard (for example, ISO 27001). Any such change may trigger a review and may result in a reassessment of your security controls and compliance status.

7. Artificial intelligence (AI)

We recognise the potential of AI to enhance services, but also its inherent risks. You must notify us as far in advance as possible if you intend to use an AI system to provide goods or services to our company. This applies to the direct use of AI for our services, not for your internal business operations.

7.1 Key principles for AI use

Suppliers must implement the highest standards of responsible and ethical practices when developing, using, or managing AI systems. This includes adhering to all applicable laws, regulations, and industry standards. Without limitation, you must ensure your AI systems and their use are:

  • Fair, ethical, and inclusive: AI systems must be designed and used in a way that respects human rights, promotes fairness and equality, protects privacy, and avoids discrimination and bias.
  • Safe and robust: AI systems must be robust, secure, and safe throughout their entire lifecycle. Suppliers must ensure they have appropriate quality control standards in place to ensure that AI enhances, not replaces, the processes behind delivering trusted outputs. Where AI is used to create content, dedicated experts should be utilised by suppliers to verify that all AI driven contributions meet evidence based standards, prioritising patient safety and clinical accuracy.
  • Transparent, explainable, and accountable: We expect transparency about when and how AI is used to provide services. All AI systems and their outputs must be disclosed and must be explainable, auditable, and traceable. Where appropriate, you must ensure that decisions or outcomes from an AI system can be challenged or contested. Suppliers must have appropriate governance and risk management procedures in place to promote accountable AI use, prioritising human review and responsibility in all workflows involving AI.
  • Compliant with data protection and security standards: You must ensure you comply with all applicable laws and industry standards relating to data protection and information security when using AI, including the UK GDPR.

7.2 Our data and confidential information

Suppliers must not use or retain our data or confidential information for the purposes of training or inputting into any AI system or model without our prior written approval (acting in our absolute discretion). This is a critical requirement to protect our intellectual property and data privacy.

7.3 Third party AI providers

If you use a third party provider to develop or provide an AI system, you are responsible for ensuring they adhere to the same high standards set out in this section.

7.4 Defect and service issue notification

Suppliers must promptly notify us of any identified issue, defect, or vulnerability in the AI systems in their services or supply chains that could impact the quality, integrity, or safety of the services supplied to us. This includes, without limitation, any issue that could affect data, accuracy, or service continuity. Suppliers must cooperate fully with us to investigate, contain, and resolve any such issue to ensure a swift and effective resolution.

8. Compliance and reporting

Compliance monitoring

Suppliers are responsible for monitoring their compliance with this code and for reporting any breaches. Suppliers must have appropriate systems in place to monitor their compliance with this code. You must provide us with a written confirmation at least once per year that you are able to comply with this code for the duration of your relationship with us. Upon a written request from us, you must provide any additional third party or self certifications to demonstrate compliance within thirty (30) days.

8.1 Breach reporting and non retaliation

You must report any breaches (actual or suspected) of this code as soon as possible to contractnotices@bmj.com. You must not retaliate or take disciplinary action against any worker who has, in good faith, reported a breach of this code or sought advice regarding its provisions.

8.2 Consequences of breach

Any breach of sections 1, 3, 4, 5, 6, or 7 of this code will be considered a material breach of the contract between the supplier and BMJ Group.

Document control and history

Version no: 1
Date approved: 01/09/2025
Approved by: Director of Finance
Date implemented: 01/09/2025
Next review date: 01/09/2026
Reason for change: Original