Section one: Contracting authority
one.1) Name and addresses
NHS Norfolk & Waveney Integrated Care Board
County Hall, Martineau Ln
Norwich
NR1 2DH
Contact
David Bailey
Country
United Kingdom
Region code
UKH15 - Norwich and East Norfolk
Internet address(es)
Main address
https://www.improvinglivesnw.org.uk/about-us/our-nhs-integrated-care-board-icb/icb-contact/
Buyer's address
https://www.improvinglivesnw.org.uk/about-us/our-nhs-integrated-care-board-icb/icb-contact/
one.3) Communication
The procurement documents are available for unrestricted and full direct access, free of charge, at
https://health-family.force.com/s/Welcome
Additional information can be obtained from the above-mentioned address
Tenders or requests to participate must be submitted electronically via
https://health-family.force.com/s/Welcome
Tenders or requests to participate must be submitted to the above-mentioned address
Electronic communication requires the use of tools and devices that are not generally available. Unrestricted and full direct access to these tools and devices is possible, free of charge, at
https://health-family.force.com/s/Welcome
one.4) Type of the contracting authority
Body governed by public law
one.5) Main activity
Health
Section two: Object
two.1) Scope of the procurement
two.1.1) Title
IG Support and Data Protection Officer Service to the Norfolk and Waveney GP Practices
two.1.2) Main CPV code
- 72300000 - Data services
two.1.3) Type of contract
Services
two.1.4) Short description
NHS Norfolk and Waveney Integrated Care Board require a Supplier to provide an information governance advice and guidance support service, together with a named Data Protection Officer
two.1.5) Estimated total value
Value excluding VAT: £360,000
two.1.6) Information about lots
This contract is divided into lots: No
two.2) Description
two.2.2) Additional CPV code(s)
- 72310000 - Data-processing services
- 72322000 - Data management services
- 72322000 - Data management services
- 72222300 - Information technology services
- 79410000 - Business and management consultancy services
- 72222300 - Information technology services
- 79400000 - Business and management consultancy and related services
two.2.3) Place of performance
NUTS codes
- UKH1 - East Anglia
Main site or place of performance
Norwich
two.2.4) Description of the procurement
NHS NWICB invite bids from suitably qualified suppliers to provide information governance advice and guidance support service, together with a named Data Protection Officer.
The requirement will include:
Data breaches
• The provision of advice and/or support to practices on the investigation of possible information security breaches and incidents.
• Advice on incident/breach assessment and reporting via the incident reporting tool within the DSPT to NHS England and reporting to the ICO (dependent upon severity of incident).
• Advice on assessment and reporting via the incident reporting tool within the DSPT to NHS England and ICO (dependent upon nature and severity of the breach).
• Advice on post-incident reviews and recommended actions for practice implementation.
To lead or direct data breach reviews and investigations where highly specialist knowledge is required or complex multi–party issues are involved.
Service Provider as data processor will:
• To take action immediately following a data breach or a near miss, alerting promptly the practice as data controller and with a report made to the senior management within the ICB and the practice within 12 (working) hours of detection.
• Report data breaches in line with NHS guidance (using the incident reporting tool within the DSPT) and legal requirements immediately following detection.
• Provide a Lessons Learned Report (with relevant action plan as appropriate) to the ICB within 2 weeks of the recorded resolution of the incident.
IG Policy Support
• Support for the production and maintenance of local information governance policies and procedures for practices. Provision of advice and support to practices on approval, ratification and adoption of the policies for their organisation.
Support for the Data Security and Protection Toolkit compliance
• Provide advice and guidance to practices on how to complete the DSPT, including the collection and collation of evidence in support of DSPT submissions. Provide practices with evidence required for DSPT where this is held by the ICB or its commissioned IT providers.
• Monitor DSPT compliance of practices and provide the ICB with details of any non-compliance with practice action plans.
IG consultancy and support
• Provision of advice, guidance and support on IG related issues, including existing operational processes and procedures or new business initiatives. Advice and guidance on personal data access (but not extending to legal advice).
Data Protection Officer (DPO) Support
Provision of advice, guidance and support on IG related issues including existing operational processes and procedures or new business initiatives to support practice designated Data Protection Officers including existing operational processes and procedures or new business initiatives. To include
• Access for Practices during normal service hours to specialist qualified advice on GDPR matters.
• Advice on compliance with GDPR obligations
• Advice reflecting national guidance on GDPR compliance as it is published.
• A review at least annually to identify and improve processes which have caused breaches or near misses, or which force staff to use workarounds which compromise data security. This may for example be a facilitated workshop at ICB level which would encourage shared learning.
A Data Protection Officer will be available (in addition the DPO support service) for practices to designate as their Data Protection Officer. A named Data Protection Officer could be shared between several practices. Note: Practices may choose to make their own DPO arrangements at their own cost.
• To act as the practice designated Data Protection Officer, providing:
o Specialist qualified advice on UK GDPR matters, obligations and compliance
o An annual review of processes which have caused a breach or near miss, or those which have forced staff to use a workaround which compromises data security
o Support practices to improve processes
two.2.5) Award criteria
Price is not the only award criterion and all criteria are stated only in the procurement documents
two.2.7) Duration of the contract, framework agreement or dynamic purchasing system
Start date
3 July 2023
End date
30 June 2025
This contract is subject to renewal
No
two.2.10) Information about variants
Variants will be accepted: No
two.2.11) Information about options
Options: Yes
Description of options
Option to extend the contract for up to an additional 24 months
two.2.13) Information about European Union Funds
The procurement is related to a project and/or programme financed by European Union funds: No
Section three. Legal, economic, financial and technical information
three.1) Conditions for participation
three.1.2) Economic and financial standing
Selection criteria as stated in the procurement documents
three.1.3) Technical and professional ability
Selection criteria as stated in the procurement documents
Section four. Procedure
four.1) Description
four.1.1) Type of procedure
Open procedure
four.1.8) Information about the Government Procurement Agreement (GPA)
The procurement is covered by the Government Procurement Agreement: Yes
four.2) Administrative information
four.2.2) Time limit for receipt of tenders or requests to participate
Originally published as:
Date
13 April 2023
Local time
10:00am
Changed to:
Date
14 April 2023
See the change notice.
four.2.4) Languages in which tenders or requests to participate may be submitted
English
four.2.6) Minimum time frame during which the tenderer must maintain the tender
Tender must be valid until: 31 August 2023
four.2.7) Conditions for opening of tenders
Date
13 April 2023
Local time
10:00am
Section six. Complementary information
six.1) Information about recurrence
This is a recurrent procurement: No
six.4) Procedures for review
six.4.1) Review body
NHS Arden and GEM CSU
Francis Crick House
Northampton
NN3 6BJ
Country
United Kingdom
Internet address
https://www.ardengemcsu.nhs.uk/
six.4.2) Body responsible for mediation procedures
NHS Arden and GEM CSU
Francis Crick House
Northampton
NN3 6BJ
Country
United Kingdom