Awarded to North Highland

Start date: Monday 22 June 2020
Value: £1,600,000
Company size: large
Home Office

Home Office Data Protection Compliance – Departmental Transformation Programme

9 Incomplete applications

7 SME, 2 large

39 Completed applications

27 SME, 12 large

Important dates

Monday 16 March 2020
Deadline for asking questions
Monday 23 March 2020 at 11:59pm GMT
Closing date for applications
Monday 30 March 2020 at 11:59pm GMT


Summary of the work
Requirement for data protection experienced personnel to augment the new Home Office Data Protection Compliance team whilst it recruits and develops people and processes. Supplier is expected to act as both ‘thinkers’ and ‘doers’ i.e. assisting with the detailed design of services whilst delivering products that will form ongoing capability.
Latest start date
Friday 1 May 2020
Expected contract length
2 years but work will be financially committed via statements of work
Organisation the work is for
Home Office
Budget range

About the work

Why the work is being done
This requirement is for a team to augment the new departmental Data Protection Compliance team whilst it recruits and develops people and processes. The supplier team is expected to act as both ‘thinkers’ and ‘doers’ i.e. assisting with the detailed design of services whilst delivering related products that will form the ongoing capability.

In May 2018, the new General Data Protection Regulation (GDPR) Legislation was established, which required organisations to implement stronger measures to protect the personal data of individuals. A series of isolated activities were undertaken to address the key requirements of the legislation across various Home Office Departments.

In response to this, the Data and Identity Directorate established the Data Protection Legislation Implementation Programme in January 2019 to co-ordinate departmental activities and help the Home Office to secure compliance with the new legislation. The programme aimed to assess the people, processes and technology required to support the Home Office’s compliance with this new Data Protection Legislation, whilst focussing on two key objectives:

1. Deliver initiatives which will provide long term sustainable compliance with Data Protection Legislation.
2. Increase the Department’s awareness of Data Protection Compliance and its importance.
Problem to be solved
The Data Protection Compliance team will be accountable for services that deliver or enable:
• Personal data breach management
• Information asset ownership & register
• Governance & (evidence-based) risk management
• Training, culture & awareness
• Privacy by design & default

High level designs and key products have already been produced, we require is to implement these, refine products at a working level, manage risks and opportunities, and provide a value-added service across the department in conjunction with the inter-related central functions e.g. Office of the Data Protection Officer (ODPO), Legal, Knowledge and Information Management, Cyber and Security.

This requirement is for mix of business analysis, performance analysis and design with elements of delivery and communications management to not only augment this team, but to bring experience of operationalising data protection within a complex environment and this latter element is what we’re really looking for.

The first six months of operation of the new team will be critical to prove their value to the Department. Delivery of defined pre-requisites will be required to help them prepare for full operation, also a stakeholder management approach to engage with the business and embed the new processes in day-to-day ways of working.
Who the users are and what they need to do
Users include, but are not limited to, the related central support functions e.g. KIMU, Security and Legal, Operations and Policy Groups, Data Protection Practitioners, including Information Asset Owners, and the Executive Committee.

Data Protection is everyone’s responsibility and this programme is part of a combined departmental culture transformation to ensure staff put data first and effectively exploit their information, whilst being complaint with legislation and guidelines.

It is also expected that the Supplier will offer skills transfer opportunities to the Data Protection Team and community, either via on-the-job training or by delivering one-off sessions (which can be delivered by alternative subject matter experts).
Early market engagement
Any work that’s already been done
The programme has made good progress in building a positive stakeholder community, convening departmental activity to address its objectives, as well as mitigating risk and acting on assurance recommendations e.g. designed IAO training, initiated roll-out and developed a high-level IAR.
Existing team
The Data and Identity Directorate was established in April 2017 to set the strategic direction in the use of data and identity as a centre of excellence and trusted partner across the sector.

The Directorate has responsibilities spanning the Home Office sector, combines deep expertise and experience in data protection, identity and forensics policy, excellence in policy making and strategy and blends policy, technology, project management and sector experience to tackle challenging user problems and build a stronger Department.

There is a related commercial arrangement in place, whereby a supplier is assessing our systems’ data retention compliance.
Current phase
Not applicable

Work setup

Address where the work will take place
We expect the supplier to be predominantly present at the 2 Marsham Street office and working from home/alternative HO sites/supplier sites is also supported.
Working arrangements
Flexible working is supported but core hours are 10:00-16:00, Monday – Friday.

We are seeking a small team to deliver these benefits and anticipate that it will be 4 or 5 individuals working part/full time. Suppliers may propose a team with an appropriately diverse mixture of skills, experience and specialisations to deliver the work, but it is essential to demonstrate experience of implementing data protection compliance and knowledge of the data protection legislation and standards.

The Supplier shall ensure protection of HMG information assets and with all materials produced branded for the Home Office and readily accessible/retrievable.
Security clearance
All staff must be SC security cleared (or be willing to be).

We will provide laptops, but if supplier ICT is utilised then personal data held off-shore should be kept within the EEA or in compliance with the U.S. - EU “Safe Harbor” Framework or countries with positive Adequacy findings.

Additional information

Additional terms and conditions
Rate caps - rates over £1000 per day are excluded.
SFIA 7 level resource is excluded. SFIA 6 is excluded for 'hands on' delivery roles.

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Have knowledge and understanding of the data protection legislation
  • Demonstrate experience of implementing data protection compliance regimes within an operational environment and within the last two years
  • Proven experience of delivering successful cultural change across a large and complex business environment
  • Demonstrate evidence of establishing information asset register(s) and developing information asset owner capabilities
  • Demonstrate evidence of embedding risk management frameworks/processes, preferably in relation to data protection, within the last two years.
  • Provide experience of successfully embedding governance
  • Evidence agility and flexibility to respond to changing demand and priorities e.g. from customer needs or own analysis, within the last twelve months.
Nice-to-have skills and experience
  • Demonstrate at least 2-years’ experience of working successfully in a central government environment
  • Describe the challenges often encountered when implementing data protection compliance within a large business
  • Access a range of additional resource and networks
  • Detail a proven track record of working in a multi-stakeholder environment and of bringing organisations together to deliver a shared objective

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
Proposal criteria
  • Mobilisation, approach/methodology & how they meet the programme objectives (including estimated timeframes for the work).
  • How they’ve identified risks and dependencies and offered approaches to manage them
  • Team organisation, diversity, skills and experience
  • Value for money
Cultural fit criteria
  • Work collaboratively with our organisation and other suppliers
  • Being open, honest and transparent when making decisions including having a no-blame culture and encouraging people to learn from their mistakes
  • Share knowledge, participate in skills transfer and can work with clients with low technical expertise
  • Be flexible in adapting to meet changing priorities and business requirements.
Payment approach
Capped time and materials
Additional assessment methods
  • Case study
  • Work history
Evaluation weighting

Technical competence


Cultural fit




Questions asked by suppliers

1. Will you sponsor any security clearances if they are required?
Sponsor - yes, but not fund
2. "Assisting with the detailed design of services": What services does this refer to, and what kind of design work is required?
Services that support the service offering of a data protection compliance team, hence designing processes and ways of working.
3. What further roles do you expect will be necessary to bring the Data Protection Compliance team to full capacity?
The roles and skills are laid out in the advert. Any additional form part of civil service recruitment.
4. What roles are currently covered in the current Data Protection Compliance team?
There is currently a Head of Unit and programme manager in situ, with a few civil servants going through onboarding. This requirement is part of the ‘start-up’ of this new team. Size and breadth will be determined by the number of resources vs prioritised risks.
5. Is there a recruitment strategy for building the Data Protection Compliance team, over what period is this expected to last?
Civil service recruitment is ongoing, no formal strategy has been designed
6. What are your SFIA level expectations for the project requirements?
Whatever SFIA level you deem necessary to deliver the requirement stipulated, noting the internal restrictions as laid out in the additional T&Cs section.
7. 'Refine products at a working level' will this require technical development or technical configuration?
If it does it is expected that Home Office will own the business requirements and the technical development will be done in house.
8. Which ‘elements of delivery’ will the supplier be expected to provide?
Refer to the detail in the DOS advert
9. How is ‘the community’ defined in reference to this project?
Central Home Office teams that have a vested interest / responsibility linked to data protection and Operational & Policy Groups i.e. the business areas that implement compliance.
10. During the Covid-19 situation, will the supplier be expected to come into the department’s offices, or can work be mostly or entirely done remotely?
Working remotely will be appropriate, as per government guidelines
11. Is the current situation with Covid 19 likely to delay the start date of this work?
On current assumptions, there will be no delay.
12. Can more detail be provided about the current Data Protection Compliance team i.e. size, mix of in-house vs. third-party support, structure etc?
There is currently a Head of Unit and programme manager in situ, with a few civil servants going through onboarding. This requirement is part of the ‘start-up’ of this new team. Size and breadth will be determined by the number of resources vs prioritised risks.
13. What is your vision for how the supplier team will work with the current Data Protection Compliance team e.g. will it be quite collaborative or will each team work quite separately with each having responsibility for delivery of specific products / services?
Collaboratively and individual strengths will be utilised to lead on specific areas.
14. What is the overall budget for this piece of work?
The supplier is to propose the level of resource to deliver the requirement.
15. What is meant by the nice-to-have skills / experience: “Access a range of additional resource and networks”?
You should bring your own network and company skills / IP to this requirement. We expect you to reach back as necessary to complement the team’s needs.
16. Can more detail be provided on the work done to date, including the IAO training and high-level IAR that have been developed?
IAO training: designed, trainers upskilled and 8% of roll-out achieved across 175 IAOs.
17. Can more detail be provided on the specific services and products that the team will be working on?
Please refer to the DOS advert
18. Will there be a change to timescales given current activity around Coronavirus?
On current assumptions, no
19. Will bids be acceptable from an organisation that provides both software products and consultancy in this area or is the requirement for an organisation that is completely independent?
Whilst the requirements would be separated and software development may likely be undertaken in house, this doesn’t preclude a company with both skills sets from bidding for the requirement
20. As it states that equipment will be provided by the department, can you confirm that the work falls outside of IR35?
The ‘Check employment status for tax’ tool has been completed and the resulting status is ‘off payroll’. Except for being provided with a HO laptop and secure email account, to ensure the service provider can effectively communicate, share work and access the secure environment, the successful supplier will be required to provide their own equipment.
21. What departments in the Home Office are in scope?
All HO departments apart from ALBs (Arms Length Bodies)
22. You described the supplier ‘assisting with the detailed design of services whilst delivering related products that will form the ongoing capability’. Are you clear on what needs to be designed? Will you require the supplier to conduct a gap analysis to determine what needs to be done?
A high level design has been produced – so yes, we’re clear and no gap analysis is required.
23. You have mentioned the duration and the expected size of team that is anticipated. Also that work will be financially committed via statement of work. Will you however be looking for a proposal that assumes the full team committed for the duration?
24. You describe the suppliers personnel as augmenting the new departmental Data Protection Compliance team. Will the suppliers staff be integrated fully into the HO team or will they be required to deliver specific and named products and services related to the scope of work only?
They will work collaboratively and individual strengths will be utilised to lead on specific areas.
25. Do you have an enterprise risk register that is managed and maintained dynamically?
It’s embryonic and the process of utilisation has only just begun
26. Are there existing performance analysis/business analysis frameworks that Data Protection operationalisation procedures will have to align with?
Yes as per standard Home Office operating procedures
27. How far advanced is the current Information Asset Register? And is the Home Office clear on what the desired end state should look like?
It is in development and yes, although we are open to your advice and expertise.
28. What is the current and desired staffing of the Data Protection Compliance team?
There is currently a Head of Unit and programme manager in situ, with a few civil servants going through onboarding. This requirement is part of the ‘start-up’ of this new team. Size and breadth will be determined by the number of resources vs prioritised risks.
29. Will the supplier be processing any personal data?
30. Are you clear on the estate you are trying to manage? Do you know where the records are and what you are processing?
That is the purpose of an IAR
31. Do you have a complete policy suite to underpin implementation and enable enforcement or is this in scope as well?
that policy team is part of the Data & Identity Directorate
32. How far advanced is the work on data retention compliance? Is the expectation that the findings of the data retention work will be remediated through further work with the incumbent supplier or through the ‘new supplier’
A new supplier as it likely will have to be a new commercial offering due to the business requirements, not least the size and complexity, plus differing skill set.
33. Do you have departmental privacy leads? If yes, how do they link in to the Data Protection Compliance team?
Yes, as a related stakeholder community
34. You describe the supplier needing to deliver defined pre-requisites to help [the department] prepare for full operation – what are these pre-requisites? What does the Home Office want delivered within the first 6 months?
Please refer to DOS advert for the overall requirement
35. What is the size of the team and estimated number of additional stakeholders?
Refer to earlier Q&A
36. Is there endorsement from senior leadership to support the change?
37. What is your budget, and have you secured budget to completion?
The supplier is to propose the level of resource to deliver the requirement. The requirement is funded.
38. Are there any existing security by design framework(s) developed?
Not within scope or this team’s responsibilities
39. Are there any additional relevant data protection regulations in addition to GDPR?
Data Protection Act 2018 applies.
40. What’s the current status of data retention/deletion?
Refer to DOS advert for overall requirement
41. Are there any existing technologies deployed to manage IAO/IAR?
42. What additional range of “resource and networks” would you like access to?
The supplier is to include their offer in their proposal
43. Possibility of start date deferred due to COVD-19?
Current assumption is no unless the supplier wants to request