Data Protection and Public Procurement: impact of GDPR
Public sector purchasers will be data controllers for most of the contracts they let. The new data protection legislation has brought renewed focus not only on how data is handled but also on how the supply chain processes that data. The General Data Protection Regulation (GDPR), together with the Data Protection Act 2018, comes into force on 25 May and will require data controllers to appoint data processors which can provide 'sufficient guarantees' that the requirements of GDPR will be met. Processors must also act only on the instructions of the data controller. This means that a public sector purchaser needs visibility of how data is being used and must be sure that its suppliers (and their supply chains) are up to standard. Failure can bring fines of up to €20 million for public bodies.
This briefing looks at the key issues public sector purchasers need to consider when conducting a public procurement.
The Crown Commercial Service's standard Selection Questionnaire (SQ) (and the European Single Procurement Document) do not include any questions specifically on data protection. However, public sector purchasers will want to be sure they are assessing bids only from entities which are able to handle data in a compliant way.
When personal data is going to be shared as part of the contract, a 'project specific' question could be added to Part 3 of the SQ which asks applicants to disclose any data protection issues which have arisen. The question should be specific and could ask whether the applicant has had an enforcement notice imposed on them, any penalties levied or any other formal action by the ICO or been involved in any proceedings for breach of data protection legislation. It may also go further and ask for their data protection policies which can then be reviewed against stated criteria which should look for robust methods of ensuring compliance with data protection legislation. Whilst this may be scored, it would be more appropriate to assess this on a pass/fail basis.
As mentioned, processors must be able to give 'sufficient guarantees' that GDPR will be complied with. There are a number of areas a public sector purchaser will need to include in their contracts (see below) but might consider testing at tender stage.
A question might request a method statement (ultimately evidenced by contractual commitments, such as a data protection schedule to the main contract) which sets out how suppliers propose to process any data under the contract. The evaluation criteria could look for how the supplier will meet requirements such as ensuring:
- employees processing the data are subject to a duty of confidence;
- there are sufficient measures in place to ensure security of processing and the on-going integrity and confidentiality of data;
- sub-processors are only appointed with the prior consent of the client and are subject to a written contract which flows down to the sub-processor the same obligations that are imposed on the processor (any sub-processors which form part of a tender should be named and should meet these bullet points themselves);
- the processor will assist the client in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches, data protection impact assessments and allowing data subjects to exercise their rights under the GDPR (including strict time limits for compliance);
- there are mechanisms for the processor to delete or return all personal data to the controller as requested at the end of the contract; and
- the processor will submit to audits and inspections and be able to demonstrate on-going compliance.
The contract must deal with a number of requirements, including the bullet points listed above. The contract should always set this out in full; this is both commercially sensible and in line with current guidance.
A standard data protection clause or schedule should be included to cover this. In addition, it is sensible to include strict time limits for compliance, including for the processor to notify the data controller in the event of a breach or receipt of a subject access request or complaint. These timescales should take into account the statutory timescales imposed on the controller and the fact that the controller will have considerable work to undertake internally before it can comply once it has received notification from the processor.
The contract should also specify the data being shared and the purpose for which it is being shared. Clients will need to make sure that data is being used in compliance with GDPR (including identifying a lawful basis for using and sharing the data and being transparent with individuals about how that information is used) and one of the most important ways to achieve this is to tightly control how suppliers are processing that data.
Current contracts continuing beyond 25 May 2018 should also be reviewed and updated to reflect new data protection requirements.
Public sector purchasers need to keep a record of what data is being used and how. There should be an ongoing audit trail for supply contracts which is regularly updated. Processors will also need to keep records, and these can be provided to the client to help manage this requirement.
Ongoing compliance with the contract clauses should be monitored either through provision of reports or through KPIs.
- Crown Commercial Service Procurement Policy Note 03/17:
- Information Commissioner's Office: https://ico.org.uk/
- EU Commission Model Clauses (for transfer to third countries): none at present, but these are expected.