
CCS slammed over errors in G-Cloud 14 data protection documents

The government’s procurement arm is under fire again, after prospective suppliers to the G-Cloud 14 framework raised complaints about CCS’s quality control procedures

The Crown Commercial Service (CCS), the organisation that oversees the running of the government’s G-Cloud framework, is facing criticism from prospective suppliers over the way the data protection portion of the 14th iteration of the purchasing agreement is worded and formatted.

Known as Schedule 7, the data protection part of the G-Cloud 14 framework agreement is being described by prospective suppliers as poorly drafted and nonsensical.

And CCS is now facing urgent calls to revise its contents, amid concerns that – in its current state – Schedule 7 could lead to contracts called off under G-Cloud 14 being declared null and void.

Computer Weekly has a copy of the document that records all of the clarifying questions CCS has received from prospective suppliers about G-Cloud 14 since the framework documents were made public on 19 February 2024.

Several of the featured questions raise concerns about how error-filled and difficult to read Schedule 7 is, with one prospective supplier claiming the document “cannot be agreed or even reviewed” in its current form.

“Can you please reissue the terms related to personal data as there are various errors [and] drafting issues,” wrote one prospective supplier. “You have incomplete and incoherent sentences and/or clauses where it appears you have tried to make updates, but it appears something has gone wrong in the mark-up.”

Another supplier also called out Schedule 7 for being “incorrectly laid out” and riddled with grammatical errors.

Representative statement

In response to the questions, a CCS representative stated the organisation “will make any necessary amendments to the documents in due course”.

In the meantime, questions are being asked about how and why CCS has allowed the document to be published in its current state.

Nicky Stewart, former head of ICT at the UK’s Cabinet Office, said Schedule 7 has “all the hallmarks of a rushed job”, and told Computer Weekly of her surprise at seeing a document that is “to all intents and purposes a work in progress” released to suppliers in this way.

“As a proposed legally binding document, it is impossible for suppliers to make an informed assessment of the extent of their obligations under the Schedule, which is what any responsible supplier should be doing,” she said.

“Equally, I doubt buyers would be comfortable relying on the schedule in its current form, given the large numbers of errors and referencing issues within it. Effective contracts are absolutely clear and unambiguous in both drafting and intent. Schedule 7 is neither. CCS needs to correct the Schedule and reissue it as quickly as possible.”

Owen Sayers, a senior partner at IT security consultancy Secon Solutions, backed Stewart’s view, and said the contents of Schedule 7 “falls somewhat below the standard” he would expect for “such a high-profile and intrinsically important government procurement”.

Splicing documents

Sources in the public sector IT supplier community have pinpointed similarities in the contents of Schedule 7 and the data protection portions of the Public Sector Contract, prompting speculation that the errors in G-Cloud 14 could be the result of CCS trying to splice these two documents together – particularly as CCS has previously stated that steps were taken with G-Cloud 14 to align its contents with the PSC, which is the standard template the organisation uses when drawing up framework agreements.

On 7 March, for example, CCS confirmed it had revised down the amount of insurance cover G-Cloud 14 participants need to have in the wake of a supplier backlash.

As previously reported by Computer Weekly, CCS had initially told suppliers they would need to up the amount of insurance cover they have to participate in G-Cloud 14 by £20m to ensure the framework aligns with the PSC.

Where this supplier theory is concerned, Sayers said “it’s clear this version suffers badly from cut-and-paste issues carrying clauses over from both previous G-Cloud versions and other government frameworks”.

That said, the problems with Schedule 7 go beyond it being error-filled and difficult to read: they could also lead to some public sector IT buyers and suppliers unwittingly breaking the law when they process personal data, he added.

This is because Schedule 7 features no references to the Data Protection Act (DPA) 2018 Part 3, which contains stringent requirements that dictate how police forces and law enforcement entities in the UK are supposed to process personal data for a law enforcement purpose.

“The omission of DPA Part 3 is a very serious one, since any contracts established without inclusion of the legally mandated Section 59 clauses will not give a legal basis for processing law enforcement personal data,” Sayers continued.

“While the risk of enforcement action by the Information Commissioner’s Office (ICO) may be low, the real risk is a challenge to an awarded contract from a supplier who could provide a legal service, or claims from the public who have their data illegally processed, which the Act would allow.”

Neglecting to include these clauses could also make G-Cloud 14 problematic for law enforcement entities to participate in.

According to G-Cloud sales data, published by public sector procurement consultancy Advice Cloud, the emergency services sector is the fifth-largest purchaser of services via the framework, with a total spend to date of £399.81m through G-Cloud.

Breaking down the data further, using the CCS Digital Marketplace sales data, nine out of the top 10 biggest users of G-Cloud in the emergency services sector are law enforcement entities, including the likes of the Metropolitan Police, Thames Valley Police, Greater Manchester Police and the Police Digital Service.

“Not including the key clauses that are mandated by UK Data Protection law largely negates the value of the framework for the Law Enforcement sector, since any contract they award under it could be deemed void,” warned Sayers. “Police forces and other similar bodies would therefore need to decide if they continue to use G-Cloud, and breach DPA 2018, or perform their procurements outside of the framework using the right legal terms, which would introduce some substantial overheads.”

Sayers said it’s also not unusual for CCS contracts to neglect to include references to DPA 2018 Part 3, despite it being the applicable UK legislation for the entirety of the law enforcement sector for nearly six years.

Incidentally, a prior Computer Weekly investigation, published in December 2020, revealed that police forces across the UK were unlawfully processing millions of people’s data on Microsoft 365 because a national roll-out of the technology did not meet the requirements of DPA 2018 Part 3.

“We need at some point to recognise and address the fact that any law enforcement controller relying on these clauses to procure and use services from G-Cloud, Cloud Compute 2 or any other framework will break the law if they process personal data under these contracts for a law enforcement purpose,” said Sayers. “So will the suppliers who act as a processor.”

Computer Weekly put all of the claims made about Schedule 7 being rushed and error-filled to CCS, along with the concerns about the lack of references made in it to DPA 2018 Part 3, and received the following statement in response: “G-Cloud 14 is a live procurement. Suppliers should submit questions about the procurement directly through the official clarification process, where they will be reviewed and addressed appropriately.”
