Awarded to Zaizi Limited

Start date: Tuesday 7 May 2019
Value: £55,000
Company size: SME
Ministry of Defence

CCT679 - Digital Services Delivery of Digital Solution for Departmental Compliance

13 Incomplete applications

10 SME, 3 large

11 Completed applications

6 SME, 5 large

Important dates

Tuesday 26 February 2019
Deadline for asking questions
Tuesday 5 March 2019 at 11:59pm GMT
Closing date for applications
Tuesday 12 March 2019 at 11:59pm GMT


Summary of the work
MOD is seeking a supplier to conduct a discovery and alpha into digital services for all Data Subject Requests and an Information Asset register to allow MOD to better comply with the new provisions in the Data Protection Act 18.
Latest start date
Saturday 31 March 2018
Expected contract length
No specific location, eg they can work remotely
Organisation the work is for
Ministry of Defence
Budget range
Up to £75k which includes travel (excluding VAT)

About the work

Why the work is being done
Current manual departmental processes do not allow MOD to easily demonstrate compliance with the provisions of Data Protection Act 2018 (DPA18), placing the department at an increased risk of reputational damage and censure and/or punitive fines from the Information Commissioner's Office.
Problem to be solved
The problems which need to be solved are:
- Improving and widening the scope of the current manual Subject Access Request process, so it allows individuals to understand what information MOD holds, how it is being used and to request changes to that data and how it is used.
- A service is required that enables MOD personnel/teams to easily identify if they need to register an information asset, register it, check if a Data Protection Impact Assessment is appropriate and complete one if it is.
Who the users are and what they need to do
As a member of the public I want to be able to ask MOD what information it holds about me and exert my rights as a data subject. As a disclosed officer, I need to log and manage data subject requests, so that I can respond within the mandated time.
As an data asset owner, I want to log and manage information assets so that I can manage my assets appropriately.
As a compliance officer, I need to be able to run reports to monitor MOD's performance in handling data subject request and managing information assets.
Early market engagement
Any work that’s already been done
Existing team
Supplier will be working with policy SMEs from Defence, and a delivery manager and product manager
Current phase
Not started

Work setup

Address where the work will take place
Nominally based in MOD Main Building, London, the supplier will be expected to travel nationwide to meet users.
Working arrangements
The discovery team should work according to agile methodology, in line with the GDS Service Manual; daily stand-ups, sprint planning, sprints, retrospectives, show and tells.
The discovery team should work 5 days per week. The supplier should provide their own IT equipment. MOD will provide access to MOD systems and assets as required.
The supplier will need to collaborate with the MOD team and invest time in knowledge sharing and coaching to increase MOD staff capability.
All expenses will be included in the contract price and made in accordance with the MOD expenses policy.
Security clearance
Supplier should have SC clearance. Due to the time constraints for delivery we can not organise security clearance.

Additional information

Additional terms and conditions

Skills and experience

Buyers will use the essential and nice-to-have skills and experience to help them evaluate suppliers’ technical competence.

Essential skills and experience
  • Recent experience of managing and delivering discovery projects, meeting all requirements and successfully delivering outcomes within specified timescales
  • Recent experience delivering discovery agile projects according to Government Digital Standards (GDS), including GDS Service Design Manual ; the Digital Service Standard Assessment; Technology Code of Practice; wider industry standards.
  • Recent experience in delivering evidence-based research to inform a user-centered design, focus on user needs (including accessibility), end to end user journeys, motivations and goals
  • Recent experience of understanding digital services that meet identified user needs and business objectives
  • Recent experience in defining sets of functional and non-functional requirements and criteria that can be used to inform tool selection
  • Proven experience of defining data transformation and migration strategies and architecture for data collection and manipulation solutions
  • Be agnostic of any particular digital ways and software, enabling us to consider a range of options to meet user needs
Nice-to-have skills and experience
  • Recent experience of working wit in-house teams with limited agile experience and sharing knowledge, coaching, mentoring and upskilling to develop in-house team capability
  • Recent experience of evolving the most appropriate solution/data/technical architecture to meet user's requirements, fully integrating across different environments and technologies

How suppliers will be evaluated

How many suppliers to evaluate
Proposal criteria
  • Proposed plan of activities with clear deliverables and dates demonstrating the ability to complete the delivery of the discovery project within the required challenging timescales
  • Evidence of how the proposal represents value for money for MOD
  • Proposed supplier team structure, with evidence to demonstrate a strong team and how their skills and experience will deliver the required outcome
  • Evidence that the proposed approach and methodology for discovery will successfully ascertain user needs and meet specified objectives for the discovery
  • Identification of key options, assumptions, dependencies, risk and issues, with limited technical and agile expertise
  • Demonstration of appropriate approach to working with in-house teams with limited technical and agile expertise
  • Proposed workable and flexible approach to co-location of the team within DfE
Cultural fit criteria
  • Demonstrate understanding of MOD's need to deliver the best value for money solution
  • Demonstrate how you will work transparently, collaboratively and share your approach with the MOD Policy Team, as well as other policy teams, and seek actionable feedback
Payment approach
Fixed price
Assessment methods
  • Written proposal
  • Case study
  • Presentation
Evaluation weighting

Technical competence


Cultural fit




Questions asked by suppliers

1. Is the scope of the work required the completion of the Discovery Phase or will the supplier be required to complete Discovery and Alpha phases within the budget indicated?
At a minimum a Discovery should be completed, however if there is any remaining budget this will be used to develop an Alpha.
2. We would like to know if a security clearance is required for this project? If, so could you please specify this requirement.
At least one member of the team must be SC cleared.
3. The size of the team that the Dept has
The team delivering this project numbers 2; a delivery manager and a product owner. Subject Matter Experts will be called upon as required.
4. The number of MOD staff who will be working on this Discovery Phase collaboratively with the contractor.
5. Who is the MOD Product owner
The Authority cannot release this information at this time.
6. Is there a Sponsor who is driving this requirement
The Authority cannot release this information at this time
7. The proposal criteria includes "flexible approach to co-location of the team with DfE" - is that the Joint MOD DfE work on Cadets or does it refer to something else?
This requirement is a MOD requirement only. The mention of DfE was an error.
8. Does MOD have an existing Information Asset Register (IAR)?
Yes, it has multiple Information Asset Registers, all of which are different. The MOD now needs one central Information Asset Register to help us comply with the law.
9. What toolset does MOD present use to host the IAR (e.g Microsoft Excel)?
Excel, but other toolsets may be used as well.
10. Has MOD's existing IAR been brought up-to-date to meet GDPR/DPA 2018 requirements
Yes the registers have been amended where possible. However, they do not necessarily track or do everything that we need to be efficient.
11. What toolset (e.g Excel) does MOD presently use to log and manage Data Subject Requests?
The majority is Excel however there may be other toolsets used.
12. Please can you clarify the nature of an "Information Asset". Reference is made to the requirement for a Data Asset Owner to "log and manage Information assets so that I can manage my assets appropriately"
The Information Asset is a repository of data that has value to the MOD, has longevity, is retrievable by others and has an owner/s that is responsible for its through-life maintenance.
13. This is record/status that the information exists or is there a requirement to drill down into the data?
There is a requirement to centrally produce MI that captures activity across the MOD.
14. What is the current process for publishing Subject Access Requests?
Typically: A request is received (usually via email, sometimes via letter) and forwarded to a disclosure cell. They update their spreadsheet to note its arrival and when its due by. They manually process it then type a response letter to the requestor advising what they’re entitled to and sending information as required. This is issued via email or post. Every quarter we request stats which can be time consuming to compile, as individual spreadsheets / toolsets must be interrogated.
15. It is stated that the work will be normally based in MOD Main Building London. Would there be any flexibility for off-site working, with attendance at London as required (e.g. for sprint reviews/planning and show-and-tell)
16. Does the SC required have to be specific to the MoD? If you are not able to support with the clearance process, can our staff be cleared to work in other government departments?
SC can be transferred to department to department.

But currently UKSV (United Kingdom Security Vetting) which is owned by MOD carries out our vetting, but UKSV will be moving to the Cabinet Office in the near future.