On 19 December 2017 the Crown Commercial Service (CCS) published Procurement Policy Note/Action Note PPN 03/17 on Changes to Data Protection Legislation and General Data Protection Regulation.
PPN 03/17 applies to all Central Government Departments, their Executive Agencies and Non Departmental Public Bodies ("In-Scope Organisations"). CCS notes that other public bodies will also be subject to the new data protection legislation and may wish to apply the approaches set out in PPN 03/17.
PPN 03/17 comprises 20-plus paragraphs of notes and three annexes:
Annex A: standard generic clauses
Annex B: guidance for In-Scope Organisations
Annex C: draft letter
Timing: In-Scope Organisations must begin to apply the provisions of PPN 03/17 immediately, ensuring any contract amendments take effect from 25 May 2018 and new provisions are applied to all new relevant contracts awarded on or after 25 May 2018. For contracts that concern law enforcement processing, amendments should take effect from 6 May 2018.
Action: The Notes include a list of actions required to be taken by In-Scope Organisations.
In-Scope Organisations should identify existing contracts involving processing personal data which will be in place after 25 May 2018 and then:
For contracts to be awarded on or after 25 May 2018, In-Scope Organisations should ensure:
Particular points of interest
The Notes in PPN 03/17 and the Guidance for In-Scope Organisations in Annex B include a number of points worth highlighting:
Cost of compliance: In-Scope Organisations are advised not to routinely accept contract price increases from suppliers as a result of work associated with compliance with the new data protection legislation (including GDPR). The draft letter at Annex C includes a statement confirming that all suppliers are expected to manage their own costs in respect of compliance.
Contract liabilities: In-Scope Organisations should not accept liability clauses where Processors (usually the supplier in the context of public contracts) are indemnified against fines or claims under the GDPR. PPN 03/17 explains that "the legal penalty regime has been extended directly to Processors to ensure better performance and enhanced protection for personal data, therefore entirely indemnifying Processors for any GDPR fines or court claims undermines these principles." The draft letter at Annex C includes a statement to this effect.
Framework agreements: The guidance in Annex B reminds In-Scope Organisations who have established framework agreements for use by others that they should ensure that the terms governing use of the framework agreement reflect the standard generic clauses at Annex A. In-Scope Organisations should also ensure that suppliers on the framework agreement are aware that users of the framework agreement (customers) "may refine their individual call-offs to assure themselves of compliance with the new data protection legislation." Customers using framework agreements are reminded to review each call-off to ensure that roles and responsibilities under the data protection legislation have been updated.
Procurement documents: The guidance in Annex B also requires In-Scope Organisations to ensure that all relevant procurement documents make reference to the new data protection legislation (including GDPR) coming into force and to update terms and conditions in line with the standard generic clauses at Annex A, taking appropriate legal advice when doing so.
Contractual arrangements relying solely on the supplier's terms and conditions: In-Scope Organisations must ensure that contractual arrangements relying solely on the supplier's terms and conditions meet the requirements of the data protection legislation (including GDPR). There is a specific note in paragraph 3 of the guidance in Annex B addressing the situation where the supplier is acting as Processor.
You can download a copy of PPN 03/17 from the CCS Procurement Policy Note web page.
See also the Information Commissioner’s Office web page.