Information Commissioner's Office

Website development and managed hosting partner

Incomplete applications: 20 (17 SME, 3 large)

Completed applications: 22 (22 SME, 0 large)

Important dates

Published: Friday 27 March 2020
Deadline for asking questions: Friday 3 April 2020 at 11:59pm GMT
Closing date for applications: Friday 10 April 2020 at 11:59pm GMT

Overview

Summary of the work: The ICO needs an experienced partner that can develop our Umbraco website and digital services, and develop and improve our hosted infrastructure (Azure), alongside supporting our existing site and setup, to meet the changing needs of our users and in line with GDS and ICO standards
Latest start date: Monday 1 June 2020
Expected contract length: 2 years
Location: No specific location, eg they can work remotely
Organisation the work is for: Information Commissioner's Office
Budget range: Expected budget is:
  • Up to £100k/year for digital service development
  • Approx £180k/year for managed hosting, breakfix support, security and infrastructure, and out of hours provision and support

About the work

Why the work is being done: The ICO needs to procure a partner to help develop and maintain our website and digital services at ico.org.uk, and manage our hosted environment, on expiry of our current contract.
Problem to be solved: The ICO needs an experienced partner that can develop our Umbraco website and digital services in line with GDS standards, and develop and improve our hosted infrastructure (Azure), alongside supporting our existing site and setup, to meet the changing needs of our users.
Who the users are and what they need to do:
  • As a data controller, I need to pay/renew my annual data protection fee, so that I meet my obligation to pay the data protection fee
  • As an information rights practitioner, I need to be able to access practical guidance about data protection, electronic marketing and freedom of information so that I can meet my obligations under information rights legislation
  • As an information rights practitioner, I need to be able to self-serve and/or contact the ICO to get the information and support I need, so that I can meet my information rights obligations
  • As a citizen, I need to be able to complain/report a concern about an organisation's information rights practices to the ICO, so that the ICO can take action to improve the practices of organisations
  • As a citizen, I need to be able to self-serve and/or contact the ICO to get the information and support I need, so that I can exercise my information rights
Early market engagement
Any work that’s already been done
Existing team: You will be working most closely with an ICO Product Owner (Digital Architect) and Tester, who manage the development of the services; communications team members who are responsible for the content; and, from time to time, ICO Business Ambassadors involved with specific development projects.
Current phase: Live
Current phase Live

Work setup

Address where the work will take place: The ICO's head office is in Wilmslow, Cheshire. However, it's expected that the work will be completed remotely.
Working arrangements: The supplier's team would work closely with the ICO's staff. We run two-week agile sprints. The supplier team members would attend regular standups, refinement sessions, reviews and retrospectives, all remotely via video/audio and screen sharing. All work would be completed in the ICO's Azure environment. Azure DevOps is used to manage our backlog, user stories and deployments.
Security clearance: Baseline Personnel Security Standard (BPSS)

Additional information

Additional terms and conditions

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Experience of developing, supporting and maintaining Umbraco-based digital services, including the latest versions of Umbraco CMS, and Umbraco Forms.
  • Experience of extending Umbraco, especially Umbraco Forms.
  • Experience of maintaining and developing new integrations with Umbraco and Umbraco Forms as required, eg open source projects and other third party services.
  • Experience developing, supporting and maintaining pages, forms and databases in ASP.NET and SQL.
  • Experience of meeting best practice coding standards, including compliance with OWASP, and WCAG 2.1 accessibility standards to at least AA.
  • Experience of developing/maintaining digital services with good information rights practices, including compliance with the Data Protection Act, and the rules on cookies.
  • Experience of building digital services that are fully responsive so they work on different devices.
  • Experience of managing the application lifecycle and ability to maintain and develop automated deployment processes for virtual infrastructure and code.
  • Experience of managing and maintaining a public cloud hosted environment to maintain appropriate security of information at OFFICIAL and up to OFFICIAL-SENSITIVE, in accordance with recognised frameworks.
  • Proven experience of agile project delivery, eg Scrum or DSDM, including processes to support structured, frequent changes.
  • Experience of supporting public sector organisations in meeting the Digital by Default Service Standard.
  • Experience of managing and maintaining DDoS attack mitigation tools and public cloud DR.
  • Experience of managing DNS.
  • Skills/ability to provide a helpdesk for logging faults and requests available 24/7, with normal support from 8am to 5pm weekdays, and ability to resolve major incidents 24/7, to set SLAs.
Nice-to-have skills and experience
  • Adheres to good data protection, electronic communications and freedom of information practices
  • Experience of supporting customers to become more self-sufficient, including skills and knowledge transfer to an expanding in-house development team.
  • Experience of operating in a way to support customers to meet open standards and avoid vendor lock-in.
  • Experience of integrating Umbraco/Umbraco Forms with back office systems, especially with Microsoft Dynamics CRM, in the cloud and/or on premise.
  • Experience of using Azure integration services, eg Logic Apps, Service Bus and API Management
  • Experience, provision of automated testing tools and ability to run automated testing.

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate: 8
Proposal criteria
  • Relevance and depth of examples to meet all must-have technical requirements
  • Evidence, examples of relevant approach and methodology
  • Evidence, examples of providing solutions that meet user needs
  • Evidence, description of ability to provide support in line with requirements, and appropriateness of SLAs (please state what your support SLAs are)
  • Relevance of team skills that would work on our solutions
  • Value for money
Cultural fit criteria
  • Works as a team with our organisation and other suppliers
  • Is transparent and collaborative when making decisions
  • Embraces learning from mistakes
Payment approach: Time and materials
Additional assessment methods
  • Case study
  • Work history
  • Reference
  • Presentation
Evaluation weighting
  • Technical competence: 60%
  • Cultural fit: 10%
  • Price: 30%

Questions asked by suppliers

Supplier question Buyer answer
1. Is this development only for Umbraco or would the ICO be interested in alternative solutions such as Drupal? The existing ICO website, ico.org.uk, is built on Umbraco and the requirement at this stage is for a supplier that would be able to help support and develop the existing site. We're not actively considering alternative content management systems at this time, however we would consider a move in the future if there was a compelling business case to do so.
2. Would you consider a move away from Azure? We’re not actively considering a move away from Azure at this time, however we would consider a move if there was a compelling business case to do so. We migrated our website to the Azure public cloud around two years ago. Since then we’ve found that Azure adequately meets our needs.
3. Will your existing incumbent be applying for this opportunity? The incumbent supplier has indicated that they will be applying for this opportunity.
4. The work says you need a partner to "develop our Umbraco website". Is this to build a new website or to further develop the existing one? The requirement is to maintain and develop our existing web estate. This includes the ICO website, built on Umbraco; plus the register of data controllers, registration form and payments form, which are separate applications written in .NET.
5. If a new website (rather than amends to the current one) is required will this be new and being built from scratch. If so what previous stages are in-progress, complete or needing doing (Discovery, UX, visual design, content etc.)? The requirement is to maintain and develop our existing web estate, which is in the Live phase.

For developments, we require a supplier that could supply the relevant skills and expertise that's appropriate for the scale of the development. For the duration of the contract, we would expect that there would be a mix of small improvements or enhancements, as well as some larger scale developments that might require more diverse skills such as UX and visual design.
6. What version(s) of Umbraco are now being used or targeted for the future? We are currently using Umbraco v7.4.3, and Umbraco Forms v4.4.7. We would expect to upgrade at some point during the course of the contract, and would ask for a recommendation from our supplier based on their assessment of our site, user needs, and the opportunities and risks involved.
7. The current site does not seem to allow for user accounts – is that also not a requirement for the future? Correct, the site doesn't currently use user accounts.

However, we are considering opportunities for customers to be able to log in and make changes to their registrations, and possibly other functionality that would rely on users gaining access to their data. We may therefore consider using user accounts to deliver this functionality during the length of the contract.
8. Would the Authority consider potentially breaking down the hosting and development requirements to have a different supplier for each part? No, not for this procurement, the requirement is for a supplier to do both -- maintaining and developing; and managing the hosted environment.
9. How many users are to be supported? Most of the required support is for project work, regular monitoring and maintenance tasks related to managing the hosted environment, responding to incidents, and less frequent support requests from CMS users.
The main user groups to support are:
5-8 ICO regular CMS users
Two ICO staff who are routinely involved in projects to develop the website and digital services, plus relevant Business Ambassadors for each project
Indirectly:
support for approximately 700,000 data controllers registered with the ICO, who are required to renew their registrations each year.
we do not currently have figures for the number of visitors to the site.
10. What is the estimated amount of tickets raised by users? How many have been raised in the last 6 months? There were 40 support tickets raised in the past 6 months. These included incidents and requests for small developments/improvements.
Since January 2020, we have used approx 35 hours/month for support and would expect this would continue for the foreseeable future.
11. What are the SLAs? What business hours will the Service Desk be available for (24/7, 7/7)? We require:
A helpdesk for logging incidents and requests available 24/7.

Support for P1 incidents from 7am to 11pm, seven days a week.
Max response time: 1 hour. Status reports: every 1 hour. Target resolution: 4 hours.

Support for all other incidents and requests from 8am to 5pm weekdays:
P2
Max response time: 2 working hours. Status reports: every 2 working hours. Target resolution: 8 working hours.
P3
Max response time: 4 working hours. Status reports: Next business day. Target resolution: 3 business days.
P4
Max response time: 8 working hours. Status reports: Weekly. Target resolution: 5 business days.
12. What level of support is required by the Service Desk (Technical / Non-Technical)? The support would need to be sufficient to meet the service desk requirements and SLAs (see answer to #11).

In practice, we have found that providing a service desk does not necessarily need to be a technical resource (indeed, the service desk itself could be an online portal for logging requests and incidents), but the supplier needs a way of engaging a technical resource if one is required to respond to a request or incident.
13. Are any Applications to be hosted and supported? What are the Applications? There are four main applications (web apps in Azure) to support, and to manage the hosting for:
1. ico.org.uk -- the main ICO website, built on Umbraco
2. ico.org.uk/registration/new -- an online form for organisations to register with the ICO and pay their registration fee
3. ico.org.uk/registration/payment -- this is a form for organisations to pay to renew their registration fee
4. ico.org.uk/ESDWebPages/Search -- the register of fee payers
In addition, there is a web app that hosts the Welsh content translations, where available: cy.ico.org.uk
Each of the four main apps is also available in Testing and Staging.
14. Does the SLA define call and incident priorities? If so what are the details and stats against historical (12 months)? For the past six months, approximately 40 incidents and requests were logged with the service desk. They can be broken down into:
P1s - 4
P2s - 12
P3s - 18
P4s - 6
15. What is the specification of the Hosting infrastructure? Server amounts, Storage, Memory? How much data needs to be hosted? To clarify, the requirement is not to host the applications, but to manage the hosting.

The web applications run on an Azure app service plan, currently sized at P2.
SQL databases and Blob storage are used to store content and media.
Total size of Production SQL DBs is approx. 18 GB.
16. What are your Disaster Recovery specifications? The digital services are hosted in Azure, across two Azure regions. During normal operation, the services are served from the primary region, and the secondary region is host to the DR service, which is a mirror of the Production environment resources. When brought into operation, DR would operate at the same spec as Live.

We utilise a mix of standard Azure design patterns to keep the DR service in synch, including Azure Site Recovery for the VM that hosts the Umbraco CMS, and failover groups for the SQL databases.
17. Are any End User Devices required and to be supported? No, we do not require any end user devices or support for those.
18. What is the size of the website? How many pages? According to Google, it's about 17,200, which would include for example a library of around 8,500 PDF decision notice documents.
19. How many changes have been made in the last 6 months? How many changes are expected going forward per month? We tend to maintain and require a fairly steady amount of resource input across our development sprints, and our delivery consequently is fairly consistent.
We have raised and implemented 29 formal change requests in the past 6 months.
We would expect that the rate of delivery and resource requirement would continue at similar rates going forward.
20. How will the service desk be contacted – telephone/email? The outcome we're looking for is that the service is supported in line with SLAs. We wouldn't necessarily stipulate that it's got to be support by email or phone, so please include in your proposal how you'd meet this.
21. Do you wish to keep your existing server schema? If you keep your existing server schema – how many servers to be hosted and what specification/capacity? Yes, our intention is to maintain, but also develop the existing virtual infrastructure and the way it's architected.
It is mostly Azure Platform as a Service, apart from a single VM that hosts the Umbraco CMS and some scheduled tasks managed via Hangfire.
We would like to move towards having the whole estate using PaaS and would plan to consider other architectural changes as opportunities arise and where there is a business case to support them.
See also the answer to #15.
The web service plan is set to two instances by default, and to autoscale if required.
22. Who is the incumbent supplier? Shout Digital Limited.
23. Is there an existing product backlog, and has it been prioritised? Yes, there is an existing prioritised Product backlog.

We continuously add to the backlog, as new development work is identified.
24. Please can you clarify the role around management/maintenance of the ICO's Azure environment? The ICO's digital services are hosted in the ICO's digital services subscription in Azure.
The requirement is to manage the hosted solution, including monitoring and reporting, regular patching of the VM, and maintenance and development where required, for example identifying and implementing changes to improve performance, improve security, and reduce costs.
25. Do you have an exit plan with the current provider? We have an offboarding provision in our current contract.

Also, our services are designed to be as supplier agnostic as possible, including that the services reside in the ICO's Azure subscription and the ICO's Azure DevOps.

Excerpt:
Prior to expiry of the contract, the Supplier shall ensure that it:
• creates an appropriate 'Management of Change' checklist and process;
• packages and provides site source code and supporting databases;
• updates and provides technical documentation; and
• arranges knowledge capture and transfer sessions to provide a handover to the incoming team.
The Supplier shall produce a detailed technical handover document.
26. Will certified partners of Umbraco be considered more favourably? We will assess supplier proposals against their evidence of meeting the requirements. Suppliers may choose to list certifications as evidence. We would assess that evidence alongside other evidence provided.
27. Where do you see the main areas of complexity for this project? 'Integrations' as a general theme is where I think we will see the biggest challenges during the contract. This would include where we need to provide new integrations with third party services, and where we need to integrate our website-based digital services with our back end systems.
28. Presumably you would prefer the website to be built on Umbraco version 8? We would expect to upgrade Umbraco at some point during the course of the contract, and would ask for a recommendation from our supplier based on their assessment of our site, user needs, and the opportunities and risks involved.
29. Could you please confirm if the contract is purely for CMS technical support and development, or whether other services like SEO and analytics are in scope? We'd consider the ability to offer a full range of services to meet user needs favourably, alongside other examples of skills and experience to meet the requirements.
30. Given there is an incumbent supplier, pitching suppliers may need comfort that this procurement has a rationale behind it other than a mandatory requirement to re-tender. Are there skill sets or other specific requirements/bases that are behind this tender? While the trigger for this procurement is the upcoming expiry of the current contract, it is a genuine procurement exercise. This is a constantly changing and evolving area, and we want to ensure that we regularly check the market for skills and experience that meet our current and future requirements, and procure the best suppliers we can. We build our services to be as supplier agnostic as possible so that we can be in a strong position to change suppliers when opportunities arise. We will consider all proposals fairly against our criteria.
31. Could you please share more details on how services order process looks like for the development services and the support services respectively? I'm sorry, I don't understand the question. I'd be happy to help, please could you rephrase?
32. Are there any specific open-source projects and other third-party services that the site is currently integrated with, or where there are currently plans, or aspirations, to integrate with in the future? Existing integrations include a credit/debit card payment service (Global Payments), address and Companies House lookup (Data-8), cookie control tool (Civic), site search, PDF generator (abcPDF), live chat, language switcher (Linguaskin), read aloud functionality (Browsealoud), and Google Analytics. We have plans to offer paperless direct debits. And we're exploring tighter integration with our back office systems, which include Microsoft Dynamics CRM and will include a data warehouse.
33. How are the site's accessibility standards currently validated, and with what frequency? We use a third party tool, SiteImprove, to monitor the site’s compliance with the WCAG 2.1 accessibility guidelines. We get reports every five days.

We're also planning to conduct a full accessibility audit in early summer.
34. What is Microsoft Dynamics CRM currently being used for, e.g. case management, new registrations, searchable register data source, etc., and what version is it? We use Dynamics CRM for case management and registrations (so yes, it is used as the source of data for the public register). It is an on-premise solution, and it is air-gapped and not public facing. We are using Microsoft Dynamics CRM v8.5.
35. Beyond the posting of data from Umbraco Forms on the main website, what is the extent of Dynamics integration? Is it integrated with the separate .NET applications for new registrations and register search? If so, how is this done, e.g. using web services/API, REST/SOAP, etc.? Would support/maintenance/development of such integration services fall under the remit of this opportunity, or are they the responsibility of another provider? The integrations currently include the posting of data from various Umbraco Forms and the registration form to Dynamics; and the importing of data from Dynamics to the public register.

We currently use a combination of an SFTP file transfer service and secure email for moving the files and data to and from the website and Dynamics.

The processes that are within the Azure website subscription would fall within the responsibilities of this opportunity. Those are: Umbraco Forms and associated workflows, Hangfire and Windows scheduled jobs, the web mail service (SendGrid), and connection to the SFTP service.
36. What solution are you currently using for cookie preferences management – a bespoke one or one provided by a popular vendor such as TrustArc? Do you have a preference? (No pun intended!) We are using the cookie control tool provided by Civic.