This opportunity is closed for applications

The deadline was Friday 23 September 2022
Information Commissioner's Office (ICO)

Website development and managed hosting partner

7 Incomplete applications

5 SME, 2 large

6 Completed applications

6 SME, 0 large

Important dates

Published
Friday 9 September 2022
Deadline for asking questions
Friday 16 September 2022 at 11:59pm GMT
Closing date for applications
Friday 23 September 2022 at 11:59pm GMT

Overview

Off-payroll (IR35) determination
Contracted out service: the off-payroll rules do not apply
Summary of the work
The ICO needs a partner that has the skills and experience to rebuild/migrate its Umbraco website to the latest stable and supported version, help us maintain and develop new digital services and hosted infrastructure, to meet the changing needs of our users and in line with relevant standards.
Latest start date
Tuesday 15 November 2022
Expected contract length
Two years
Location
No specific location, for example they can work remotely
Organisation the work is for
Information Commissioner's Office (ICO)
Budget range

About the work

Why the work is being done
The ICO needs a partner with the skills and experience to rebuild our website at ico.org.uk, help us develop new digital services, and manage our hosted environment, on expiry of our current contract.

Key dates:
Contract expiry - 28 January 2023
End of life of existing CMS software version - September 2023
Problem to be solved
The ICO needs an experienced partner that has the skills and experience to rebuild/migrate an Umbraco website to the latest stable and supported version, in line with the Government Service Standard; help us develop new digital services; and maintain and develop our hosted infrastructure (Azure), to meet the changing needs of our users.
Who the users are and what they need to do
As a data controller (organisation), I need to pay/renew my annual data protection fee, so that I meet my obligation to pay the data protection fee.
As an information rights practitioner, I need to be able to access practical guidance about data protection, electronic marketing and freedom of information so that I can meet my obligations under information rights legislation.
As an information rights practitioner (including small business owners), I need to be able to self-serve, and use easy tools and/or contact the ICO to get the information and support I need, so that I can meet my information rights obligations.
As a citizen, I need to be able to complain/report a concern about an organisation’s information rights practices to the ICO, so that the ICO can take action to improve the practices of organisations.
As a citizen, I need to be able to self-serve and/or contact the ICO to get the information and support I need, so that I can exercise my information rights.
Early market engagement
Any work that’s already been done
Existing team
You will be working most closely with an ICO Product Owner (Digital Architect), Product Engineer (Developer) and Tester, who are responsible for the development of the services; communications team members, who are responsible for the content; and, from time to time, ICO managers responsible for specific products and services.
Current phase
Live

Work setup

Address where the work will take place
The ICO's head office is in Wilmslow, Cheshire. However, it's expected that most of the work will be completed remotely. We would expect there may be benefit to occasional face-to-face collaboration sessions.
Working arrangements
The supplier's team would work in a multi-disciplinary team, working closely with the ICO's staff to plan, refine, develop, test, and deploy. We run two-week agile sprints. The supplier team members would attend regular standups, refinement sessions, reviews and retrospectives, all remote via video/audio and screen sharing. All work would be completed in the ICO's Azure environment. Azure DevOps is used to manage our backlog, user stories and deployments.
Security clearance
Baseline Personnel Security Standard (BPSS)

Additional information

Additional terms and conditions

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • have experience of rebuilding a website in Umbraco where there is no direct upgrade path from a previous version, that involves redesigning some aspects, as well as some ‘migration’.
  • have experience of developing, supporting and maintaining Umbraco-based digital services, including the latest versions of Umbraco CMS, and Umbraco Forms.
  • have experience of maintaining, extending, and developing new integrations with Umbraco and Umbraco Forms as required, eg open source projects and other third party services.
  • have experience developing, supporting and maintaining pages, forms and databases in ASP.NET and SQL.
  • have experience of meeting best practice coding standards, including compliance with OWASP, and WCAG 2.1/2.2 accessibility standards to at least AA.
  • have experience of developing/maintaining digital services with good information rights practices, including compliance with GDPR, and the rules on cookies.
  • have experience of building digital services that are fully responsive so they work on different devices.
  • have experience of managing the application lifecycle and ability to maintain and develop automated deployment processes for virtual infrastructure, and code.
  • have experience of managing and maintaining public cloud hosted environment to maintain appropriate security of information at OFFICIAL and up to OFFICIAL-SENSITIVE, in accordance with recognised frameworks.
  • have proven experience of agile project delivery, eg Scrum or DSDM, including processes to support structured, frequent changes
  • have experience of supporting public sector organisations in meeting the Service Standard (https://www.gov.uk/service-manual/service-standard).
  • have experience of managing and maintaining DDoS mitigation tools and public cloud disaster recovery.
  • have experience of managing DNS.
  • experience of developing and integrating Umbraco with modern integration services, eg Logic Apps, Service Bus, API Management.
  • ability to provide a helpdesk for logging faults and requests available 24/7, with normal support from 8am-5pm weekdays, and ability to proactively resolve major incidents 24/7 to SLAs.
Nice-to-have skills and experience
  • provide evidence of adhering to good data protection, electronic communications and freedom of information practices.
  • show evidence of supporting customers to become more self-sufficient, including skills and knowledge transfer to an in-house development team.
  • show evidence of operating in a way to support customers to meet open standards and avoid vendor lock-in.
  • show evidence of integrating Azure technologies with back office systems, especially with Microsoft Dynamics CRM, in the cloud and/or on premise.
  • show evidence of providing automated testing tools and ability to run automated testing.

How suppliers will be evaluated

All suppliers will be asked to provide a written proposal.

How many suppliers to evaluate
6
Proposal criteria
  • Relevance and depth of examples to meet all must-have technical requirements.
  • Evidence, examples of relevant approach and methodology.
  • Evidence, examples of providing solutions that meet user needs.
  • Evidence, description of ability to provide support in line with requirements, and appropriateness of SLAs (please state what your support SLAs are).
  • Relevance of team skills that would work on our services
  • Value for money
Cultural fit criteria
  • work collaboratively, as a seamless, multi-disciplinary team with our collective skills complementing each other
  • work together in ways which enable us to prioritise, support our agility, and our collective and individual high performance
  • experiment together, learn and continuously improve, quickly learning and making changes if something doesn't work
  • thrive on delivering at pace and with impact
  • set clear objectives, make timely, informed decisions using evidence and insight, and measure and evaluate our work
  • take personal ownership and accountability for our work, learning from mistakes, continuously develop and celebrate our successes
  • embrace inclusive ways of working, and respect each other
  • actively encourage equality, diversity and inclusion in our working and thinking
Payment approach
Time and materials
Additional assessment methods
  • Case study
  • Work history
  • Reference
  • Presentation
Evaluation weighting

Technical competence: 55%
Cultural fit: 15%
Price: 30%

Questions asked by suppliers

1. Would you be open to other CMS platforms i.e. WordPress?
No. We have chosen Umbraco as our CMS. We completed an options appraisal of CMSs and concluded that Umbraco was the best fit for our requirements, our skills and knowledge base, and value for money.
2. Could you please tell us your budget range?
We have chosen not to try and give a budget range for this opportunity. We would like suppliers to provide costs based on the requirements given, as well as any other information that may be requested and provided via the Q&As.
3. Are you able to confirm an approximate budget for this contract?
We have chosen not to try and give a budget range for this opportunity. We would like suppliers to provide costs based on the requirements given, as well as any other information that may be requested and provided via the Q&As.

We would like to see a breakdown of costs wherever possible.

We think a useful split of activities would be:
Website rebuild and migration
Development work (new and improved features in response to user needs)
Management of hosting
Provision of breakfix support
Out of hours provision
4. Are you able to confirm any incumbent supplier you may use for management of your website?
Shout Digital Limited is the incumbent supplier.
5. Is there an incumbent already in place?
Yes. The incumbent supplier is Shout Digital Limited.
6. Why are you looking to change supplier now?
We are reprocuring at this time because the ICO needs to recruit a partner with the right skills and experience to meet all our requirements, in time to have signed contracts and completed onboarding by the time our current contract ends on 28 January 2023.
7. Is there a budget already defined?
We have not defined a set budget for this opportunity. We are looking for suppliers to propose costs to complete the work, and will be assessing value for money as part of the scoring.
8. Why have you picked Umbraco?
We completed an options appraisal of CMSs and concluded that Umbraco was the best fit for our requirements, our skills and knowledge base, and value for money.
9. Could you please declare your anticipated budget, at least as a range?
We have chosen not to try and give a budget range for this opportunity. We would like suppliers to provide costs based on the requirements given, as well as any other information that may be requested and provided via the Q&As.

We would like to see a breakdown of costs wherever possible.

We think a useful split of activities would be:
Website rebuild and migration
Development work (new and improved features in response to user needs)
Management of hosting
Provision of breakfix support
Out of hours provision
10. Will support and maintenance of the site be included in scope? If so, would that be UK office hours, 24x7x365, or perhaps something else?
Yes. Skills/ability to provide a helpdesk for logging faults and requests is in the scope. We require the ability to log faults and requests 24/7; we would then require normal support from 8am to 5pm weekdays. We also require the supplier to be able to be available and proactively resolve major incidents 24/7, to set SLAs.
11. What version of Umbraco does the current site run on?
We are on Umbraco v7.15.7, and Umbraco Forms 7.5.4.
12. Does the current site run on a Microsoft-hosted Azure tenancy, or does the ICO have a stand-alone or on-premise hosted Azure environment?
The services are hosted in the Azure public cloud, within the ICO's Azure tenancy, and within its own subscription.

The infrastructure is deployed across two Azure regions. During normal operation, the services are served from the primary region, and the secondary region is host to the DR service, which is a mirror of the Production environment resources.
13. Does the ICO wish to have the new site running on the same Azure platform / tenancy as it does at present?
We would choose to continue to have the site running in its own subscription within the ICO's Azure tenancy.

We currently run mainly PaaS resources, with a single VM (IaaS) hosting the CMS. We think there is an opportunity to make the service fully PaaS as part of the rebuild project.
14. What does the ICO wish the successful supplier to complete by the current contract expiry date of 28 January 2023? Is it to stand up a support and development service for the outgoing web site, and production of the new web site can follow in due course later in the year?
The priority is to have a contract in place, and to have completed onboarding so that the supplier is in a position to take on support and maintenance of the current site by the contract expiry date.
The second priority is to have completed the site rebuild before the CMS end of life date.
Both dates present risk to the ICO so we would be keen to see proposals that aim to mitigate the risks surrounding those dates.
15. Does the ICO have a target date for when the new web site should be live?
Not a specific date.
The end of life date represents a risk for the ICO and its customers, so we would be looking for supplier proposals that aim to mitigate the risk around that date as much as possible.
16. Can the ICO provide the successful supplier with full access to the outgoing web site? The ICO owns all the IPRs, with no dependency on the outgoing current contract or supplier?
That is correct. The website and code are hosted in the ICO's Azure environment, and the contract states that the ICO owns all the IPRs to the existing site. An exit plan is provided for, which includes that the outgoing supplier would hand over any required information and provide support and knowledge transfer to the incoming supplier.
17. Can you please provide detail of your current Azure configuration?
The site and services are hosted in the ICO's Azure tenant, within a separate subscription. The resources supporting the main Umbraco site (ico.org.uk) are mostly PaaS, with one server (IaaS) supporting the CMS. Other PaaS resources support the Register of fee payers (ico.org.uk/ESDWebPages/Search) and the Registration form (https://ico.org.uk/registration/new), but the registration form will soon be replatformed to Umbraco so those will be decommissioned.
The Welsh mirror site (cy.ico.org.uk) is hosted on a web app within the subscription. It is powered by Linguaskin.
The Chatbot, available at ico.org.uk/for-organisations/data-protection-fee/, is also hosted within the subscription.
18. Does the ICO wish suppliers’ financial proposals to include Azure spend, which may include upgrades and new services? Or will the ICO resource and pay for those separately?
Azure hosting spend can be excluded from proposals. The ICO pays Microsoft directly for the services hosted within Azure.
19. What is the Commercial envelope for this work?
We have chosen not to try and give a budget range for this opportunity. We would like suppliers to provide costs based on the requirements given, as well as any other information that may be requested and provided via the Q&As.
20. What is the budget range for this opportunity?
We have not defined a set budget for this opportunity. We are looking for suppliers to propose costs to complete the work, and will be assessing value for money as part of the scoring.
21. We note the site uses a subdomain for its search engine; is this within the scope of the redevelopment?
We would be open to including the search services as part of the redevelopment. This would need to be based on any proposed solution meeting the existing and required functionality, and representing value for money.
The search services that are externally hosted comprise:
Site search: icosearch.ico.org.uk/s/search.html?query=abc&collection=ico-meta&profile=_default
Decision notice search: icosearch.ico.org.uk/s/search.html?collection=ico-meta&profile=decisions&query
Disclosure log: icosearch.ico.org.uk/s/search.html?collection=ico-meta&profile=disclosurelog&&query=
22. Would the winning bidder be expected to copy the current site's content (both English and Welsh) into the new site?
The ICO expects to be responsible for copying most of the content into the rebuilt site, based on the assumption that the templates are likely to be different from what they are now and this may make automated migration of html content impossible.
We would like to see proposals for automated migrations of assets, for example PDF and images, and content where this may be possible.
ICO would expect to be responsible for the content on the Welsh mirror site.
23. Is re-development of the existing Chatbot in scope, or do you plan to use the current externally provided version? If in scope, we presume this also needs a Welsh language variant?
No, redevelopment of the existing Chatbot is not within the scope of the rebuild project.
24. The payment system appears to be a standalone product, is the plan to retain this or integrate it into Umbraco?
The payments system is a SaaS product provided by Global Payments. We plan to keep this service, loosely coupled, but integrated. We have integrated it into Umbraco as part of our service for customers to pay or renew by card (ico.org.uk/for-organisations/data-protection-fee/renew/renew-and-pay-by-card/), and are in the process of completing a similar integration as part of a redesign of the current registration form (ico.org.uk/registration/new).
When we next reprocure our payments service, we would expect to keep any reprocured payments service loosely coupled but integrated in a similar way.
25. The vacancies system appears to be externally hosted, is the plan to continue with this or integrate this into Umbraco?
We don't have any plans to fully integrate the vacancies service (ico.org.uk/about-the-ico/jobs/vacancies/) into Umbraco.
26. Aside from the Umbraco database, how many other databases and APIs does the back office integrate with?
The back office integrates with two databases: the Public register database, which enables checks to stop organisations registering that are already registered; and a database that holds ID numbers of those who've paid, to allow logging of payments and to prevent organisations paying twice for the same registration.

APIs are used for integrations with Global Payments (card payment service), Data8 (predictive address, Companies House lookup, and bank validation), Live chat, and Azure Queues, used for capturing data from our transactional services.