Transport for London

TfL - Privacy and Data Protection Design Principles and Recommendations

Incomplete applications

Incomplete applications
3 SME, 1 large

Completed applications

Completed applications
11 SME, 4 large
Important dates
Opportunity attribute name Opportunity attribute value
Published Wednesday 28 February 2018
Deadline for asking questions Wednesday 7 March 2018 at 11:59pm GMT
Closing date for applications Wednesday 14 March 2018 at 11:59pm GMT


Opportunity attribute name Opportunity attribute value
Summary of the work TfL require support to define and apply Design Principles that will govern how they interact with customers regarding data protection. These will inform digital solutions, giving users greater control over their data (e.g. engaging communication of terms and conditions). The aim is to build trust between TfL and its customers.
Latest start date Tuesday 20 March 2018
Expected contract length 2 months
Location London
Organisation the work is for Transport for London
Budget range £40,000 - £70,000

About the work

About the work
Opportunity attribute name Opportunity attribute value
Why the work is being done On 25th May 2018, the new EU 'General Data Protection Regulation' (GDPR) comes into force. TfL wants to make the most of this opportunity to empower customers in relation to the personal data they share with TfL as they make use of online services. TfL aim to not only meet the regulation but go above and beyond for customers, making it easy to access and maintain their personal data and fully understand what data TfL hold, how we use it and what value we deliver back to the customer as a result.
Problem to be solved Ensure GDPR compliance.
Make the most of the opportunities GDPR offers, particularly in terms of building trust with customers.
Ensure the relevant information on the website and other digital channels is clear, easy to digest and follows a consistent approach and tone that feels right for TfL.
Consider digital tools and mechanisms that take the ‘privacy by design and default’ approach advocated by the ICO, that would help achieve our goal.
Who the users are and what they need to do As a TfL customer, who accesses services that require me to share information about myself (online), I need to be aware of my rights relating to my personal data and be able to exercise those rights easily. This will allow me to feel safe and confident when sharing information about myself and allow me to trust TfL to use it in a way that enables me to make the most of travelling in London.
Early market engagement Using the filters from the list of suppliers has identified the following suppliers who may be able to supply the services required:
Ernst & Young LLP
Frazer-Nash Consultancy
Numiko Ltd
Experienced Management Consultants Limited
Amberlight Change
4OC Ltd
EY-Seren Limited
Ethical Healthcare Consulting C.I.C.
Professional Programme Management Limited
Integral Enterprise Solutions Ltd
KDI Consultancy Limited
Watermelon Chang Lindley ltd (User Research)
MACI Innovations
Any work that’s already been done
Existing team The supplier will be working with members of TfL's Technology and Data (Digital) team. The supplier will be engaging with and managing key stakeholders from this department.
The Technology and Data Digital team are responsible for user experience and design of customer facing digital products. The team want to explore the opportunity that GDPR presents through improved design and UX, creating principles and applying them to a range of customer interactions.
Current phase Discovery

Work setup

Work setup
Opportunity attribute name Opportunity attribute value
Address where the work will take place 14 Pier Walk
North Greenwich
SE10 0ES
Working arrangements Work alongside TfL team members in groups, including Product team, UX and Design, Customer Information and Privacy to fact-find and contextualise the work and produce outputs of the overall task. Run 2 half-day workshops with stakeholder groups to gather ideas, requirements and collectively generate approaches and solutions.
20 work days are required, half of which, staff are required at TfL's office in North Greenwich. Collaborative work is required to capitalise on the supplier’s GDPR expertise, and broad experience applying the topic, to lead thought and discussion amongst stakeholders to provide robust recommendations and assistance.
TfL can not cover expenses.
Security clearance Staff must sign in at front desk and request visitor passes, these must be displayed at all times.

Additional information

Additional information
Opportunity attribute name Opportunity attribute value
Additional terms and conditions

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Skills and experience
Opportunity attribute name Opportunity attribute value
Essential skills and experience
  • Be General Data Protection Regulation (GDPR) subject matter experts
  • Be Ethical Design and User Experience Specialists
  • Demonstrate strategy and planning experience
  • Demonstrate a good understanding of working in a Product-led environment, based on Aglie principles
  • Have a proven track record in delivering similar work for large organisations
Nice-to-have skills and experience
  • Demonstrate their experience of working with large public sector organisations
  • Demonstrate their experience of working closely with their clients UX team (rather than just operating as an external service)
  • Provide examples of managing diverse stakeholders with differing view points

How suppliers will be evaluated

How suppliers will be evaluated
Opportunity attribute name Opportunity attribute value
How many suppliers to evaluate 3
Proposal criteria
  • Technical Solution
  • Approach and Methodology
  • How the approach or solution meets user needs
  • How the approach or solution meets TfL's policy or goal
  • Estimated timeframes for completion
  • How they've identified risks and dependencies and offered approaches to manage them
  • Team Structure
  • Value for Money
Cultural fit criteria
  • Work as a team with TfL and the relevant stakeholders
  • Be transparent and collaborative when making decisions
  • Have a no-blame culture and encourage people to learn from their mistakes
  • Take responsibility for their work
  • Share knowledge and experience with other team members
  • Challenge the status quo
  • Be comfortable standing up for their discipline
  • Can work with clients with low technical expertise
Payment approach Capped time and materials
Assessment methods Written proposal
Evaluation weighting

Technical competence


Cultural fit




Questions asked by suppliers

Questions asked by suppliers
Supplier question Buyer answer
1. You have highlighted a number of suppliers you feel are qualified to do this work. Will these be given preference over suppliers you have missed off the list? Hello,

The list of suppliers we highlighted was identified by applying the filters on the spread sheet from the following link:

The list was identified by applying filters based on the scope of works and based on how we require works to take place in London. However, should other suppliers outside of this list wish to apply then they may do so knowing that there will be no bias in the evaluation stage.
2. Given the shortlisting stage only closes on the 14th March, but you have a latest start date of 20th March, could you please provide an outline of the timescales for the next stage and the technical and pricing templates you would expect shortlisted suppliers to complete? Hello,

IMPORTANT INFORMATION FOR ALL INTERESTED SUPPLIERS: Please note that the latest start date is now changed to Monday 26th March 2018 - however, we are unable to make this change on the requirements page.

Regarding the technical and pricing templates, TfL would expect to see the proposal template, the financial template we send out (this will be a standard rate card) and we would also like to see CVs of the relevant staff who will be working on this project.
3. If progressed, please could you clarify the time lines and stages for the proposal period if the desired start date is 20/3/18 Hello,

Please refer to our response to Question 2 - the latest start date / contract award date will now be pushed back to 26th March 2018. Shortlisting will take place on March 14th, with the top 3 suppliers taken through to the proposal. The suppliers will have five working days to generate proposals (this is tight due to the urgency to award a contract and for works to commence).
4. 1 - Where will the new tender and response templates be posted (technical and financial)? 2 - Are suppliers still expected to respond to this tender and the new version templates that are yet to be posted? 3 - Will there be an additional stage of procurement, and what and when will this be? Hello,

After applications are submitted and three suppliers are shortlisted, the remaining work will take place outside of Digital Marketplace. The three shortlisted suppliers will submit their proposals via e-mail.

Suppliers may respond to the first phase of this tender (the competency-based shortlisting phase) should they wish to do so, however, only the shortlisted three suppliers will be required to respond to the new templates yet to be posted.

The remaining procurement stage is the request for proposal (RfP) stage, where shortlisted suppliers will be invited to propose their solutions to TfL. This will take place post-shortlisting.
5. Please could you clarify what is meant by ethical design? Hello,

Ethical Design is about designing in a way that respects the users’ rights. In this instance we are specifically interested in an ethical approach in the context of digital /web User Experience and Interaction Design. We want to explore an approach that puts building customer trust (by helping them feel empowered and in control) at the heart of the decisions we make, the features we create and the guidance we give to users.
6. Please could you advise what project work has been done to date? This piece of work will be a Discovery phase, focused on developing Design Principles and recommendations for further activities or digital tools. No specific work has been done to date. A degree of thought and planning has been completed but we’re looking to a supplier with GDPR and Ethical Design expertise to now help us pull that thought together in a coherent and more tangible way. A separate workstream is dealing with functional and technical compliance, that work is underway but does not have direct dependencies with this piece.
7. What is the cut-off time for submissions? The first stage related to supplier competencies closes on March 14th. We will evaluate these responses and shortlist the top three suppliers same day. The top three suppliers will have 5 days to respond to the Request for Proposal (response of 21st March).