The Crown Commercial Service (CCS), the organisation that oversees the running of the government’s G-Cloud framework, is facing criticism from prospective suppliers over the skill the data protection fragment of the 14th iteration of the purchasing agreement is worded and formatted.
Recognized as Schedule 7, the data protection fraction of the G-Cloud 14 framework agreement is being described by prospective suppliers as poorly drafted and nonsensical.
And CCS is now facing urgent calls to revise its contents, amid concerns that – in its contemporary inform – Schedule 7 might perchance well outcome in contracts called off below G-Cloud 14 being declared null and void.
Pc Weekly has a duplicate of the doc that information the total clarifying questions CCS has got from prospective suppliers about G-Cloud 14 since the framework documents had been made public on 19 February 2024.
A lot of of the featured questions increase concerns about how error-filled and complex to learn Schedule 7 is, with one prospective provider claiming the doc “can’t be agreed or even reviewed” in its contemporary create.
“Are you able to please reissue the phrases linked to personal data as there are lots of errors [and] drafting concerns,” wrote one prospective provider. “You might perchance well perchance also neutral contain incomplete and incoherent sentences and/or clauses the set up it appears to be you might perchance well also neutral contain gotten tried to accept updates, but it definitely appears to be something has long gone spoiled in the ticket-up.”
But any other provider moreover identified as out Schedule 7 for being “incorrectly laid out” and riddled with grammatical errors.
Representative assertion
In response to the questions, a CCS consultant acknowledged the organisation “will accept any mandatory amendments to the documents in due direction”.
In the meantime, questions are being asked about how and why CCS has allowed the doc to be published in its contemporary inform.
Nicky Stewart, inclined head of ICT at the UK’s Cabinet Administrative center, acknowledged Schedule 7 has “the total hallmarks of a rushed job”, and informed Pc Weekly of her shock at seeing a doc that is “to all intents and capabilities a work in development” launched to suppliers in this means.
“As a proposed legally binding doc, it’s now not attainable for suppliers to accept an informed assessment of the extent of their responsibilities below the Schedule, which is what any to blame provider must be doing,” she acknowledged.
“Equally, I doubt traders will probably be happy relying on the schedule in its contemporary create, given the big numbers of errors and referencing concerns within it. Efficient contracts are fully clear and unambiguous in each drafting and intent. Schedule 7 is neither. CCS must lawful the Schedule and reissue it as fleet as that you might perchance well also imagine.”
Owen Sayers, a senior companion at IT security consultancy Secon Solutions, backed Stewart’s search, and acknowledged the contents of Schedule 7 “falls fairly of below the celebrated” he would inquire of for “the kind of excessive-profile and intrinsically vital government procurement”.
Splicing documents
Sources in the public sector IT provider community contain pinpointed similarities in the contents of Schedule 7 and the data protection parts of the Public Sector Contract, prompting hypothesis that the errors in G-Cloud 14 will probably be the finish outcome of CCS trying to splice these two documents collectively – in particular as CCS has beforehand acknowledged that steps had been all in favour of G-Cloud 14 to align its contents with the PSC, which is the celebrated template the organisation makes exercise of when drawing up framework agreements
On 7 March, for instance, CCS confirmed it had revised down the volume of insurance cover G-Cloud 14 contributors must contain in the wake of a provider backlash.
As beforehand reported by Pc Weekly, CCS had initially informed suppliers they would must up the volume of insurance cover they must participate in G-Cloud 14 by £20m to accept certain the framework aligns with the PSC.
Where this provider principle is anxious, Sayers acknowledged “it’s clear this version suffers badly from cut-and-paste concerns carrying clauses over from each outdated G-Cloud variations and different government frameworks”.
That acknowledged, the concerns with Schedule 7 jog previous it being error-filled and complex to learn, but might perchance well moreover outcome in some public sector IT traders and suppliers unwittingly breaking the legislation when they job personal data, he added.
Right here’s on legend of Schedule 7 facets no references to the Data Protection Act (DPA) 2018 Part 3, which contains stringent necessities that dictate how police forces and legislation enforcement entities in the UK are imagined to job personal data for a legislation enforcement reason.
“The omission of DPA Part 3 is a in truth predominant one, since any contracts established without inclusion of the legally mandated Part 59 clauses will no longer give a lawful basis for processing legislation enforcement personal data,” Sayers continued.
“Whereas the risk of enforcement action by the Information Commissioner’s Administrative center (ICO) might perchance well also neutral be low, the explicit risk is a bother to an awarded contract from a provider who might perchance well present a lawful provider, or claims from the public who contain their data illegally processed, which the Act would enable.”
Neglecting to include these clauses might perchance well moreover accept G-Cloud 14 problematic for legislation enforcement entities to participate in.
According to G-Cloud gross sales data, published by public sector procurement consultancy Advice Cloud, the emergency services and products sector is the fifth-greatest purchaser of services and products by the framework, with a total spend to date of £399.81m by G-Cloud.
Breaking down the data extra, using the CCS Digital Market gross sales data, nine out of the tip 10 greatest customers of G-Cloud in the emergency services and products sector are legislation enforcement entities, including the likes of the Metropolitan Police, Thames Valley Police, Better Manchester Police and the Police Digital Service.
“Not including the main clauses which will probably be mandated by UK Data Protection legislation largely negates the price of the framework for the Legislation Enforcement sector, since any contract they award below it will probably be deemed void,” warned Sayers. “Police forces and different the same bodies would resulting from this fact must resolve if they continue to exercise G- Cloud, and breach DPA 2018, or originate their procurements out of doors of the framework using the lawful lawful phrases, which would introduce some large overheads.”
Sayers acknowledged it’s moreover no longer unusual for CCS contracts to neglect to include references to DPA 2018 Part 3, irrespective of it being the appropriate UK legislation for the entirety of the legislation enforcement sector for virtually six years.
Incidentally, a prior Pc Weekly investigation, published in December 2020, published that police forces across the UK had been unlawfully processing millions of individuals’s data on Microsoft 365 on legend of a nationwide roll-out of the know-how did now not meet the necessities of DPA 2018 Part 3.
“We favor at some point to recognise and take care of the incontrovertible fact that any legislation enforcement controller relying on these clauses to own and exercise services and products from G-Cloud, Cloud Compute 2 or any different framework will fracture the legislation if they job personal data below these contracts for a legislation enforcement reason,” acknowledged Sayers. “So will the suppliers who act as a processor.”
Pc Weekly set the total claims made about Schedule 7 being rushed and mistake-filled to CCS, along with the troubles in regards to the shortcoming of references made in it to DPA 2018 Part 3, and got the following assertion in response: “G-Cloud 14 is a dwell procurement. Suppliers might perchance well also neutral aloof submit questions in regards to the procurement instantly by the loyal clarification job, the set up they are going to be reviewed and addressed precisely.”