Data protection is all-pervasive, and the world of procurement is no exception.  Sharing data with bidders during a procurement exercise adds value – but any such data sharing, to the extent that it concerns personal data, also needs to comply with data protection legislation.

In this article we will consider how sharing data with bidders (including, in some circumstances, personal data) may improve the quality of your procurement exercise.  We will also consider some of the risk areas for Contracting Authorities to take into account, as well as how to mitigate those risks.

Why share data with bidders?

Facts, evidence, and data – these are all good bases for sound decision-making within your organisation.  But what about thoughts, feelings, and theories?  These are not so reliable.  Any organisation will recognise that having access to accurate and relevant data is key to the effective planning, delivery and monitoring of your services and operations.

And what about your suppliers?  The same rules apply to them.  In a procurement context, if a Contracting Authority can share informative data with bidders about the services for which they are tendering, this could help with (among other things):

- setting realistic expectations of what you need from your supplier;

- producing more reliable bids; and

- creating objective and evidence-based assessment criteria for those bids.

Data-driven procurement exercises can benefit Contracting Authorities and bidders alike.  Data is factual and objective, and its use could help counter allegations of bias made by a disgruntled supplier.  Bidders armed with data about the services for which they are tendering will, in theory, produce more realistic bids and potentially be in a position to deliver services with more stability and predictability over the life of a contract.

What are some of the risk areas?

Sharing data with any third party carries risk, and sharing information with bidders for the purposes of a procurement exercise is no exception.  Contracting Authorities need to ensure that any data sharing does not compromise the confidentiality of information they may hold or put them in breach of data protection legislation.

As we approach the fifth birthday of GDPR, many will know that non-compliance with data protection legislation has serious consequences.  The ICO has the power to impose monetary penalty notices for sums up to the equivalent of 4% of global turnover.  On top of this, breaches of data protection legislation come with associated costs for incident management, reputational damage and risks of litigation from affected individuals.

If the nature of a tender exercise necessitates sharing personal data with bidders, that personal data should be limited to what is necessary.  In turn, this will reduce the risk of a personal data breach.  Still, it may not always be possible to completely anonymise your bidder pack – the nature of a procurement may require that some personal data is shared with bidders.

How do I mitigate data protection risks?

A key concept within data protection law is that 'data protection should be by design and by default'.  Approaching a procurement exercise with data protection in mind from the very start will help avoid GDPR-related road-blocks along the way.

With this in mind, key points to consider before pressing play on your next procurement include:

  • Why is this data being shared?  If it is not necessary to share certain personal data with bidders via a tender pack, then that personal data should be removed.  If you can summarise information in a way that removes personal data and is equally useful to the recipient, for example through statistical data on the demands on the service in terms of geography or volume, then this is clearly preferable to sharing personal data.
  • Who is making decisions about what data to share if you have concluded that the sharing is necessary?  Ensure your procurement and data protection teams are working on this together from the outset.  Also, who are the data subjects and would they reasonably expect their data to be shared in this way?  You may need to update your privacy notice(s) or actively let certain data subjects know about your proposals.
  • What data is being shared in the tender pack?  Personal data is information that relates to an identified or identifiable individual – if you have redacted individuals' names from your tender pack, does this necessarily mean that all personal data is removed?  What other information, which may not at first glance or in isolation look like 'personal data', will also need to be redacted?
  • When is the tender pack going to be shared?  Ensure a personal data sharing agreement is in place with any bidder before personal data sharing takes place – this should set out all your expectations of the bidder in respect of the personal data, from how they will use it, to when they will delete it, and everything in between.  Another way to mitigate risk is to only share the full tender pack at second or other later rounds of the tender process – this reduces the number of bidders with which you would be potentially sharing personal data.
  • Where is the data going?  We live in a global economy and you may have bidders based in any part of the world – have you accounted for international data sharing, both in your data sharing agreements and your privacy notices?
  • How is data being made available to bidders?  If a tender pack contains personal data, any sharing should ideally be carried out via a secure platform.  Bidders should also be subject to requirements to keep the data secure, and for it to be deleted (or returned to the Contracting Authority) when no longer required.

Having answers to the above questions may go some way to demonstrating adherence to the data protection principles within your procurement.