We have been engaging recently with the Office for Government Procurement (OGP) to better understand how responsibilities in terms of data protection might best be handled by organisations procuring services. The OGP provides a very useful service to allow public sector organisations to avail of suppliers who have gone through preselection as part of requests for tender under structured framework contracts. This is intended to speed up the procurement process and limit the workload on individual public sector organisations removing much of the need to undertake individual public tenders.
When a service supplier is being sought to process personal data on behalf of a public sector organisation, the OGP will set out what it believes are the necessary requirements, in consultation with stakeholders. However, the obligation remains with each contracting public sector organisation to ensure the service supplier can meet its specific requirements in relation to implementing appropriate technical and organisational measures.
Procurement through the OGP
Where there is an identified need for services, the OGP works with stakeholders to set out the requirements to be listed in the request for tender. This will include the minimum security and data protection requirements identified as being necessary for the type of service that is to be provided as well as the necessary core functionality as identified with the stakeholders. Often this will include certification such as ISO 27001 or other recognised standards.
When the request for tender is published, the supplier provides details of their capability in response to the requirements published by the OGP. The suitability of applicants is then assessed against these requirements by the OGP in accordance with the weighting criteria.
Details of the selected providers are then shared with the public sector organisations who have indicated an interest in availing of the specified service. They will have full access to the information provided in reply to the request for tender by the service provider. At this point, the work of the OGP is complete. If a public sector organisation chooses to engage the service provider, it will do so under contract.
Before entering into a contract, the public sector organisation wishing to engage the service provider must ensure that the provider can meet its own requirements in terms of data protection and carry out further due diligence if necessary. Where more information or clarification is required, the public sector organisation should go back to the service provider to obtain this information and seek the necessary assurances to address any concerns. This due diligence is essential to be able to demonstrate that the supplier can enable the public sector organisation to meet its obligations under data protection legislation, especially where:
- There are large volumes of personal data involved;
- Special category data will be processed; or
- There are high risks to the rights and freedoms of data subjects whose personal data will be processed.
To be able to show that pertinent questions have been asked as part of due diligence, a Data Protection Impact Assessment (DPIA) should be completed. This may be a threshold DPIA or a full DPIA where needed. The service provider may indeed have undertaken its own DPIA in preparation for tendering, and this can be requested. Undertaking a DPIA is not the responsibility of the OGP, though when discussing the service to be procured with stakeholders, many of the relevant questions to be answered will ideally have been identified and included in the request for tender.
The information supplied in response to the request for tender and any additional answers received from the supplier should provide the necessary information to complete at least a threshold DPIA and a full DPIA when necessary. This information, the completed DPIA and the terms of the contract (which will include the requirements under Article 28 of the GDPR), when taken together, will form the documentation necessary to demonstrate accountability by the public sector organisation under the obligations of the GDPR. For the DPIA to be worthwhile in terms of protecting the data subjects and the public sector organisation, it needs to be completed before the contract is entered into.
Where a service provider participating under the OGP framework cannot set out how it would meet the specific data protection requirements of the public sector organisation, the supplier should not be engaged. Rather, enquiries should be made to identify whether another provider is capable of doing so at an acceptable price. A separate public tender process may be required depending on the value of the contract.
The OGP provides a useful service to help streamline procurement for public sector organisations. While data protection and security requirements are identified with stakeholders and included in the request for tender, it remains the obligation of individual public sector organisations to assure themselves of any supplier’s capability to process personal data safely and securely.
Where a public sector organisation engages a service provider as a processor of personal data, it will need to be able to demonstrate how it was able to have confidence in that provider to meet the obligations under GDPR when entering into the contract. Given the current crisis, it is likely that the requirements of public sector organisations will evolve to include a stronger emphasis on a service provider’s resilience and their ability to restore the availability and access to personal data in a timely manner in the event of unforeseen circumstances.
If your organisation needs help with undertaking due diligence within a procurement process or to undertake appropriate risk assessments, including meaningful DPIAs, our advisors are here to assist. For information on our services, including training and cyber risk assessments, please feel free to contact our Data Governance and Cyber-Risk team for more information.