This opportunity is closed for applications

The deadline was Thursday 27 August 2020
Cabinet Office

Cabinet Office Personal Data Protection Delivery Enhancement

17 Incomplete applications

12 SME, 5 large

29 Completed applications

18 SME, 11 large

Important dates

Published
Thursday 13 August 2020
Deadline for asking questions
Thursday 20 August 2020 at 11:59pm GMT
Closing date for applications
Thursday 27 August 2020 at 11:59pm GMT

Overview

Summary of the work
The Cabinet Office needs to mobilise a programme to respond to the findings of a Data Handling Review through enhancing capabilities, standards and controls across the department to manage data privacy risk.
Latest start date
Monday 14 September 2020
Expected contract length
To be delivered prior to 31 December 2020
Location
London
Organisation the work is for
Cabinet Office
Budget range
The maximum spend under the contract will be £2.25million

About the work

Why the work is being done
Delivering the Cabinet Office business strategy places a critical reliance on enhancing the capture, storage, management and use of personal and non-personal data. Recent events, however, have identified weaknesses in the Cabinet Office capabilities for managing personal data privacy.

The Data Protection Act 2018 demands stringent obligations on the management of privacy risk and exposes the department to material penalties and regulatory censure in the event that risks are insufficiently managed or mitigated.

An independent review

https://www.gov.uk/government/publications/building-trust-in-digital-government

was commissioned following a high profile data breach in December 2019. The review identified systemic inconsistencies in data processes, controls and culture across Cabinet Office and that there is a significant risk that further and more impactful breaches will occur as the amount of personal data being handled by the Department increases.

The independent review of the Cabinet Office’s personal data handling practices proposed recommendations to enhance the overall risk management of data privacy across the department.

The Cabinet Office needs to implement this work prior to end December 2020
Problem to be solved
The independent review

https://www.gov.uk/government/publications/building-trust-in-digital-government

of the Cabinet Office’s personal data handling practices proposed recommendations to enhance the overall risk management of data privacy across the department.

Recommendation 1: Enhance accountability and governance
Aim: Establish unified leadership for personal data handling supported by extension of existing best practice delivery in Cabinet Office to increase consistency of delivery.

Recommendation 2: Reward the right behaviours and recognise skills
Aim: Strengthen existing business unit responsibilities through active identification and promotion of personal data handling experts.

Recommendation 3: Confirm a new Data Strategy
Aim: Define a new Data Strategy aligned to Cabinet Office values and Digital Government ambitions which will inspire current and future Cabinet Office resource.

Recommendation 4: Be transparent on progress
Aim: Develop the execution oversight and data analysis required to demonstrate progress on maturing data delivery capabilities to all stakeholders.

Recommendation 5: Refresh Training and Guidance
Aim: Rebuild Training and Guidance to become accessible on a sustained basis by all Cabinet Office resource.

Recommendation 6: Establish consistent standards and technology controls
Aim: Achieve consistent leading standards and controls across personal data handling processes.
Who the users are and what they need to do
Cabinet Office staff, stakeholders and the wider external community
Early market engagement
Any work that’s already been done
A review has been conducted

https://www.gov.uk/government/publications/building-trust-in-digital-government

Subsequently there have been 3rd party contracted individuals within the BAU teams working on our approach. As a consequence of this work we have decided to consider a co-ordinated and consolidated solution and hence this request for support for a team from one provider from the external market
Existing team
Existing Cabinet Office Data Protection Office; Digital Knowledge Information Management teams; Security; Information Assurance; 3rd Party Contracts team and the Chief Data Office
Current phase
Beta

Work setup

Address where the work will take place
Ordinarily in various locations across London

However during lockdown it is anticipated the majority of the work will be conducted remotely
Working arrangements
The newly appointed Cabinet Office Chief Data Officer (CDO) is commissioning this work.

During the early phases of the programme we would expect a comprehensive work schedule to be agreed

The vast majority of our staff are currently working from home, due to Covid-19. Remote working is expected during Covid-19 lockdown which would revert to a mixed on-site and remote delivery model once lockdown restrictions are eased/removed.
Security clearance
Personnel from the Service provider need to have both BPSS/CTC and an enhanced DBS check

For clarity, we do not need SC clearance

Additional information

Additional terms and conditions

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Have demonstrable evidence of cultural and transformational programme management at CXO level within a FTSE 100 or Central Government function
  • Identify evidence of delivering Outcomes at pace in line with Data Governance
  • Be able to demonstrate your approach and experience of delivery across Discovery, Alpha, Beta and Live
  • Demonstrate how you would successfully deliver Beta, including identifying and managing any risks.
  • Demonstrate your approach and methodology
  • Demonstrate your ability to scale resources to the demands of this programme, giving an example of where this has been done successfully
  • Demonstrate experience of how, when delivering outcome based programmes, you have supported the development of internal capability (leaving a positive legacy)
  • All individuals deployed as part of the delivery team must have demonstrable experience in data practice or on a data change project
  • To be able to evidence experience of data practice and protection enhancements
  • The delivery team must have demonstrable experience of developing data policies, data security concepts and issues
  • The delivery team must have demonstrable experience in PMO, and operating as part of a change programme, to include implementing Risk and Data frameworks
  • The delivery team must have demonstrable experience of developing communication plans and reporting activities
Nice-to-have skills and experience
  • Evidence of how you look to transfer knowledge and up-skill teams to ensure continuity of delivery
  • Describe how you have adapted your delivery model to account for new remote working practices with an emphasis on pastoral care for your team.
  • Should have demonstrable influencing skills
  • Evidence of proven stakeholder management experience

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
3
Proposal criteria
  • Evaluation of technical solution delivery and its meeting of the Requirements
  • Evaluation of the delivery approach and methodology, (Transformation methods, processes, control and compliance)
  • Evaluation of how the approach or solution meets the Adrian Joseph review response policy and goal
  • Assessment of the team and individual's relevant Data Handling Experience/Track Record
  • Assessment of the individuals skills, knowledge, experience, capability and management.
  • Assessment of process to manage the delivery and the team, who may be remote working, to include project and quality assurance, delivery and currency
  • Risk and Critical Success Factors (and how will these be successfully managed)
  • Implementation Plan and estimated timeframes for the work
  • Assessment on value for money
  • Your approach to building multi-disciplinary teams
  • Your approach to managing conflict resolution (resources, stakeholders) and managing expectations
Cultural fit criteria
  • How the vendor will work with the Cabinet office BAU workstream owners
  • Demonstrate an empowered ‘can do’ team culture, encouraging constructive feedback and learning
  • Demonstrate how you work as a team, manage collaboration, share know-how and best practice, motivate & maintain high levels of engagement and how this links to our values
  • Actively promote diversity and inclusion as per the public sector equality duty
  • Your approach to embedding a team quickly within organisations with differing cultures
  • Your approach to pastoral care of core or subcontractor resource
Payment approach
Fixed price
Additional assessment methods
Presentation
Evaluation weighting

Technical competence

65%

Cultural fit

10%

Price

25%

Questions asked by suppliers

1. Has the Cabinet Office formally reviewed the six recommendations proposed by the review? If so, which of the six recommendations proposed by the review have been formally accepted?
The Adrian Joseph review provided 6 recommendations of which none have been rejected by the CO implementation plan
2. For any software or technical solution, what options are there around infrastructure for delivery? E.g. is it all on-premise, are AWS, Azure and/or GCP candidates?
In respect to technology, AWS or Azure are preferred to on-premise
3. We note a maximum of £2.5 million has been allocated for the entire project, but understand this bid is just for the Beta stage. What is the indicative budget for this stage?
£2.5m is budgeted for the project of which the beta stage is the only delivery. Run and operations and continuous evolution and maintenance will be budgeted as part of BAU workstream submissions and considered separate and will be beyond beta phase budget and outside of the £2.5m.
4. What is meant by data practice?
"Data practice" in this Requirement is a term used to indicate the Chief Digital & Information Office's, CDIO, organisational function responsible for CDIO Data & Analytics operations.
5. Do you have a team size and structure in mind?
It is expected that the supplier will recommend its team size and structure appropriate for delivery of the Requirement. We have no predetermined thoughts other than we do expect it to be greater than a single person plan.
6. We have experience of operating at CXO level within FTSE 100 companies AND a Central Government function. Do you require evidence for both?
We do not expect experience of both but any compounded experience that vendors have for the landed team will not be detrimental to their proposal
7. Is the Cabinet Office looking to appoint the services of an individual to advise on mobilising a programme to deliver the six recommendations proposed by the review? Or is the Cabinet Office looking to appoint a team of specialists, covering the six recommendations proposed by the review, that can deliver the recommendations made?
The Cabinet Office is looking to appoint a team of specialists, covering the six recommendations proposed by the review, in order to deliver the recommendations made, as a fixed delivery/output
8. Request eight states that “all individuals deployed as part of the delivery team must have demonstrable experience in data practice or on a data change project”. What do you mean by the delivery team? It is envisaged that to deliver your requirements a team including but not limited to data privacy experts, PMO experts, change experts, and business transformation experts may be required. Is it a binary requirement that all team members have demonstratable experiencing in data practice or on a data change project?
Your vision is correct. For clarity, we envisage an experienced team which may include multiple skillsets to deliver the project, some of which require specific SME knowledge. It may be that some of your team have skills that would not require in depth data experience.
9. Is there an incumbent and, if so, who?
There have been 3rd party contracted individuals within the BAU teams working on our approach. As a consequence of this work we have decided to consider a co-ordinated and consolidated solution and hence this request for support for a team from one provider from the external market
10. The 4th and 5th essential skills and experience requests ask us to "Demonstrate how you would successfully deliver Beta, including identifying and managing any risks" and "Demonstrate your approach and methodology". These two questions as currently written do not lend themselves to 100 word responses if you require a response that it is specific to this particularly programme. Please can you confirm if you are looking for a specific response or a more general demonstration of experience?
At this shortlisting stage, within the 100 word limit, we are expecting a more general demonstration of experience
11. You mention that there are 3rd party specialists who are already working within the team. Do you intend to keep these on? Will they be involved in the project? Would it be expected or preferred if these resources are incorporated into the project team?
It is our expectation that with the supplier submission we would no longer be requiring the resources.
12. What outcome is required by 31 December 2020? Does the Cabinet Office require definition and initiation of the programme to assess / deliver the six recommendations? Or does the Cabinet Office require assessment of the six recommendations proposed by the review? Or does the Cabinet Office require delivery of the six recommendations proposed by the review?
Assessment and delivery, although an initial assessment has been done and is referred to within the Requirements
13. Does the £2.25m budget include procurement of any technical solutions required during Beta? Or is the £2.25m for resource only?
Is the budget £2.25m or £2.5m?
The £2.25m budget is to include everything within Beta

The budget is for £2.25million
14. Is there an incumbent for this opportunity? Is the company that has provided the initial recommendations allowed to bid for this work?
There have been 3rd party contracted individuals within the BAU teams working on our approach.

This is an open invitation to all suppliers registered on DOS
15. Clarification........Ref Question 3.
The response should have referred to the correct budget of £2.25million
16. We note £2.5m has been allocated for the entire project. Please confirm indicative costs for the Beta phase
The budget for the entire Requirement is £2.25m, not £2.5m

This £2.25m is for the entire Beta
17. Is there an incumbent and, if so, who?
There have been 3rd party contracted individuals within the BAU teams working on our approach.
18. Revision to Expected contract length
We wish to focus on allowing the supplier an appropriate time frame to deliver a robust, sustainable and high quality solution, consequently we are allowing a longer tenure of contract.

Updated Expected Contract Length is : To be delivered prior to 31 March 2021
19. Please can you confirm the duration of the contract and the budget? Are you expecting the budget of £2.25m to be spent between the period 14 Sept 2020 and 31 Dec 2020?
We have just published an amendment to the expected tenure. All deliverables and outputs are to be delivered prior to 31 March 2021

The budget of £2.25m is to cover this Beta only, which now delivers prior to 31 March 2021
20. What is meant by Question 9 – “To be able to evidence experience of data practice and protection enhancements”. Are you looking for our experience of implementing policies, processes, technology and controls to resolve data protection issues and manage data protection risks?
Yes please
21. For question 8 – “All individuals deployed as part of the delivery team must have demonstrable experience in data practice or on a data change project” does this need to be answered with a specific example (e.g. situation, work and result) or can we provide an overview of our experience and skillset?
An overview and skillset of each of the individuals who will make up the delivery team
22. Does the target operating model or implementation plan form a dedicated component part of the Data Strategy component – or is this to be considered an implementation or operationalising phase after acceptance of the data strategy?
This is to be considered an implementation and operationalisation phase of the response to the Adrian Joseph review following acceptance of each of the workstream / BAU leads.
23. Data Delivery Capabilities – all focused-on compliance aspects in the report – do you also want to include the ability to demonstrate data value built on the core compliance details suggested?
We are not clear on what you are asking. We are always interested in the ability to demonstrate data value if that is what you are alluding to ?