Government Data Loss: OGC Contract Compliance

July 1, 2008

New Cabinet Office mandatory requirements for the adoption of OGC model contract clauses and provisions relating to security and information assurance in contracts came into effect on 1 July. This follows the publication of the report Data Handling Procedures in Government.

The OGC states ‘Information is a key asset, and its proper use is fundamental to the delivery of public services. Whilst procuring authorities are best placed to understand their information and protect it, they need to do so with a context of clear minimum standards, ensuring protection of personal information. This applies equally where information may be managed or processed by third parties. The Data Handling Procedures in Government report outlines a number of new mandatory standards for data handling, in order to provide a minimum baseline level for protection and handling of personal data’.

The requirements apply to all departments in central civil government, and any bodies over which they have direct control. Where departments cannot require the use of new measures throughout their area of responsibility immediately, they are required to influence their delivery chain partners.

But the requirements do not apply only to ICT contracts; they apply to any contract where data handling and security is an issue. And, although the requirements do not apply to contracts signed before 1 July or where the ITT/ITP was issued prior to that date, review of such contracts, tenders or procurements is strongly encouraged by the OGC: 

Procuring authorities need to assure themselves that where data handling/security is relevant or an issue, adequate and sufficient security requirements and provisions have been incorporated in to those agreements so that personal information is protected, and that the procuring authority’s security policy is complied with. It may be necessary to consider variations to contractual agreements, where this is practically possible, taking on board the OGC model clauses. Any decisions related to incorporation of contractual variations should be made in the context of the aim of any such changes and securing best value for money for the taxpayer. It is recommended that as a minimum, you alert contractors to the new standards, so that they are clearly sighted on what Government’s expectations will be in this area when existing contracts are recompeted.’