Public Sector IT Procurement Update: UK Government publishes updated Model Services Contract, guidance on GDPR re-papering and extends “G-Cloud 9” framework for cloud services procurement

Model Services Contract: On 1 January 2018, the Cabinet Office, Crown Commercial Service ("CCS") and the Government Legal Service ("GLS") published an updated version of the Model Services Contract ("MSC"). This version is stated to reflect developments in government policy, regulation and the market.The MSC forms a set of model terms and conditions for major services contracts that are published for use by the Government departments and many other public sector organisations. It has been developed for service contracts with a value over £10 million, reflects current government priorities and recommended ways of doing business and also aims to aid assurance and reduce administration, legal costs and negotiation time. It is stated to be suitable for use with the range of business services that Government purchases and contains appropriate provisions for contracts relating to business process outsourcing and/or IT delivery services.
The latest MSC was accompanied by both: (i) guidance on the MSC and; (ii) a statement of changes highlighting the (relatively minor) amendments made to the previous version issued, which include the introduction of reference to the EU-US Privacy Shield (for international transfers of personal data between the EEA the United States of America) and the introduction of e-invoicing, as well as relatively minor corrections and improvements.

GDPR re-papering: Of particular note, the data protection provisions were not updated in the latest MSC to take account of the requirements under the forthcoming GDPR (including the mandatory data processing conditions). However, at the end of December 2017 the CCS separately published a procurement policy note (PPN) explaining how “government buyers should bring existing and future commercial arrangements concerning data processing in line with” the GDPR. Whilst the PPN applies to all central government departments, their executive agencies and non-departmental public bodies, it acknowledges that other public bodies will also be subject to the GDPR and may wish to apply the approach set out in the PPN.

In particular, the PPN broadly covers the timing, key actions and key considerations for any new procurement after 25 May 2018 or any so-called “GDPR re-papering” exercise (i.e. contract variation and re-negotiation exercise to take account of GDPR requirements). As well as the process outlined and key areas to consider (including due diligence of existing contracts and existing or new suppliers to ensure they can implement appropriate technical and organisational measures to comply with the GDPR), the PPN also includes standard generic clauses, a draft letter to vendors and guidance to be applied to all stages of a procurement as well as the relevant documentation for contracts that include data processing activities.

G-Cloud 9 Framework: In November 2017, the CCS also decided to extend its IT procurement platform “G-Cloud 9” for (up to) 12 months, in line with the existing framework terms. The CCS has recently suggested that the next iteration of the platform (G-Cloud 10) is likely to go live in June 2018, slightly earlier than was originally intended.

G-Cloud 9 is the framework agreement that allows UK public sector bodies to procure cloud computing services covering infrastructure, platform, software and specialist cloud services via a compliant procurement vehicle (i.e. agreed with suppliers following the Official Journal of the European Union (OJEU) procurement process). G-Cloud, available via the Digital Marketplace, requires frequent procurement refreshes to take account of new suppliers and services.
G-Cloud 9 is the latest iteration of the framework, which first went live in February 2012. To date, the framework had been refreshed on an annual basis. The decision to postpone the refresh, for the first time, was made on the basis that the additional time between iterations of the framework agreement will allow a comprehensive review of end-user requirements. In parallel, the Government has also decided to extend other frameworks, including Digital Outcomes and Specialists 2 and Cyber Security Services. The Government anticipates that this will allow it to take a more holistic approach to the provision of IT services with the aim of providing a coherent end-to-end service for buyers and suppliers.
The delay has been met with criticism from interested stakeholders (particularly SME IT suppliers) and the Cloud Industry Forum’s G-Cloud focused Special-Interest Group has stated that any significant delay in the roll-out of G-Cloud 10, could go against the founding principles of the framework – i.e. principles to drive innovation, choice and value. It remains to be seen whether the new, more dynamic framework will justify the two-year wait.