Tender

NHS GDPR Compliance Tool

  • The Common Services Agency (more commonly known as NHS National Services Scotland) (NSS)

F02: Contract notice

Notice identifier: 2024/S 000-040058

Procurement identifier (OCID): ocds-h6vhtk-046f75

Published 12 December 2024, 11:47am



Section one: Contracting authority

one.1) Name and addresses

The Common Services Agency (more commonly known as NHS National Services Scotland) (NSS)

1 South Gyle Crescent

Edinburgh

EH12 9EB

Email

michael.walker3@nhs.scot

Telephone

+44 1312756000

Country

United Kingdom

NUTS code

UKM - Scotland

Internet address(es)

Main address

http://www.nss.nhs.scot/browse/procurement-and-logistics

Buyer's address

https://www.publiccontractsscotland.gov.uk/search/Search_AuthProfile.aspx?ID=AA11883

one.2) Information about joint procurement

The contract is awarded by a central purchasing body

one.3) Communication

The procurement documents are available for unrestricted and full direct access, free of charge, at

www.publictendersscotland.publiccontractsscotland.gov.uk/

Additional information can be obtained from the above-mentioned address

Tenders or requests to participate must be submitted electronically via

www.publictendersscotland.publiccontractsscotland.gov.uk/

one.4) Type of the contracting authority

Body governed by public law

one.5) Main activity

Health


Section two: Object

two.1) Scope of the procurement

two.1.1) Title

NHS GDPR Compliance Tool

two.1.2) Main CPV code

  • 72000000 - IT services: consulting, software development, Internet and support

two.1.3) Type of contract

Services

two.1.4) Short description

Procurement of a GDPR Compliance Tool to support NHS Scotland Information Governance with the delivery of their core compliance activities which include completion and review of Data Protection Impact Assessments, maintenance of Information Asset Registers and Records of Processing.

two.1.5) Estimated total value

Value excluding VAT: £900,000

two.1.6) Information about lots

This contract is divided into lots: No

two.2) Description

two.2.3) Place of performance

NUTS codes

  • UKM - Scotland

Main site or place of performance

Scotland

two.2.4) Description of the procurement

Procurement of a GDPR Compliance Tool to support NHS Scotland Information Governance with the delivery of their core compliance activities which include completion and review of Data Protection Impact Assessments, maintenance of Information Asset Registers and Records of Processing.

The solution is required to enable NHS Scotland Information Governance to effectively deliver better and more efficient services to their colleagues, their organisation and third parties that they work with. The solution will also provide ease in carrying out the administrative activities, making tasks such as maintaining an archive of past assessments, templates, reporting, import and export of data more seamless, thereby improving NHS Scotland Information Governance business processes.

two.2.5) Award criteria

Quality criterion - Name: Functional Requirements / Weighting: 40

Quality criterion - Name: Non-Functional Requirements / Weighting: 30

Price - Weighting: 30

two.2.6) Estimated value

Value excluding VAT: £900,000

two.2.7) Duration of the contract, framework agreement or dynamic purchasing system

Duration in months

36

This contract is subject to renewal

Yes

Description of renewals

The Agreement includes two optional extension periods of 12 months each.

two.2.10) Information about variants

Variants will be accepted: No

two.2.11) Information about options

Options: No

two.2.13) Information about European Union Funds

The procurement is related to a project and/or programme financed by European Union funds: No


Section three. Legal, economic, financial and technical information

three.1) Conditions for participation

three.1.2) Economic and financial standing

List and brief description of selection criteria

SPD Q.4B.1.1: Bidders are required to provide a statement of accounts or extracts relating to their business for the previous 3 years. Where any risks are identified by NSS as part of the due diligence carried out on the above information, NSS may require Bidders to provide additional information to demonstrate financial standing. Additional information can include but not be limited to:

- parent company accounts (if applicable)

- deeds of guarantee

- bankers' statements and references

- accountants’ references

- management accounts

- financial projections, including cash flow forecasts

- details and evidence of previous contracts, including contract values

- capital availability.

Bidders who cannot provide suitable evidence of a secure financial standing may be excluded from the procurement.

Q.4B.5.1 and Q.4B.5.2: It is a requirement of this contract that bidders hold, or can commit to obtain prior to the commencement of any subsequently awarded contract, the types and levels of insurance indicated below:

Employer's liability insurance: 5 000 000 GBP;

Public liability insurance: 1 000 000 GBP;

Professional indemnity insurance: 1 000 000 GBP

three.1.3) Technical and professional ability

List and brief description of selection criteria

4C.1.2 Please provide details of three relevant examples of services carried out during the last three years.

4.C.2 Bidders are required to confirm compliance with standards, such as ISO or equivalent, set by technical bodies, especially those responsible for quality control. Please provide examples such as the following:

- Cyber Essentials

- ISO 9001 - Quality Management Systems

- ISO 27001 - Information Security Management

- ISO 27017 - Code of practice for information security controls

- ISO 27018 - Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors

- UK Government 14 Cloud Security Principles

Please state the relevance of any such educational and professional qualifications.

4C.6: Bidders will be required to confirm that they and/or the service provider have relevant educational and professional qualifications such as the following: ISO27001 or equivalent ITIL qualifications [Helpdesk, etc] or equivalent other professional qualifications relevant to the Services outlined in the Contract Notice.

And:

4C.6.1: Bidders will be required to confirm that they and/or the service provider's managerial staff have relevant educational and professional qualifications such as the following: ISO27001 or equivalent ITIL qualifications [Helpdesk, etc] or equivalent other professional qualifications relevant to the Services outlined in the Contract Notice.

4C.10: Bidders will be required to confirm whether they intend to subcontract and, if so, for what proportion of the contract


Section four. Procedure

four.1) Description

four.1.1) Type of procedure

Open procedure

four.1.8) Information about the Government Procurement Agreement (GPA)

The procurement is covered by the Government Procurement Agreement: Yes

four.2) Administrative information

four.2.1) Previous publication concerning this procedure

Notice number: 2024/S 000-018198

four.2.2) Time limit for receipt of tenders or requests to participate

Date

27 January 2025

Local time

12:00pm

four.2.4) Languages in which tenders or requests to participate may be submitted

English

four.2.7) Conditions for opening of tenders

Date

27 January 2025

Local time

12:00pm


Section six. Complementary information

six.1) Information about recurrence

This is a recurrent procurement: No

six.2) Information about electronic workflows

Electronic ordering will be used

Electronic invoicing will be accepted

Electronic payment will be used

six.3) Additional information

Estimated Value:

The estimated value provided in sections II.1.5 and II.2.6 includes the initial 36 month contract period and the two optional extension periods of 12 months each.

Cyber Security:

It is a mandatory requirement that Bidders complete and pass a cyber security questionnaire which will be issued by Core to Cloud. Potential Bidders who plan to submit a Tender should, at the earliest possible opportunity, provide the following information to NSS via the PCS-T message board to allow Core to Cloud to issue the questionnaire:

- Bidder name

- Contact email

- Contact telephone number

Successful Bidders must take part in the NHS Scotland cyber security monitoring programme.

Fair Work Practices:

Bidders must describe how they will commit to fair work practices for workers (including any agency or subcontractor workers) engaged in the delivery of the contract as detailed within the ITT.

Carbon Reduction:

Bidders must provide their Carbon Reduction Plan for the main organisation(s) where the service or systems will be operated from under the Contract. This information will be used to demonstrate that suppliers awarded public sector contracts are supporting the Scottish ambition of a net zero position by 2040.

Scottish Landscape:

All Bidders must provide as much of the following information as possible:

- number of employees in Scotland.

- number and location of any bases in Scotland

- total spend in Scotland used to support your business

- use of local sub-contractors

- rent for office or warehouses

- salaries

- hotels & transportation

- goods/services provided by local businesses

- other expenses

The buyer is using PCS-Tender to conduct this ITT exercise. The Project code is 28095. For more information see: http://www.publiccontractsscotland.gov.uk/info/InfoCentre.aspx?ID=2343

Community benefits are included in this requirement. For more information see: https://www.gov.scot/policies/public-sector-procurement/community-benefits-in-procurement/

A summary of the expected community benefits has been provided as follows:

It is a mandatory requirement that Bidders agree to support the concept, provision and ongoing development of community benefits provision in relation to this Agreement. Bidders are required to agree to this mandatory requirement. They are also requested to provide a brief summary of the community benefits that have recently been delivered within Scotland, and also what impact and outcomes these have achieved. Bidders are required to summarise any community/social benefits that will be delivered as part of this Agreement if successful, or, alternatively, Bidders confirm that they will engage with the NHS Scotland Community Benefits Gateway (CBG). This gateway, developed through requests from suppliers seeking opportunities to support the delivery of community benefits within the contracting region, provides information on community benefit opportunities. The CBG is a free and easy to use online service that connects NHS Scotland suppliers with third sector community organisations within Scotland and will be used for tracking and reporting, and is an approved, compliant route to the realisation of community benefits. For further information please visit: https://www.nss.nhs.scot/procurement-and-logistics/sustainability/access-our-community-benefit-gateway/.

(SC Ref:784857)

six.4) Procedures for review

six.4.1) Review body

Sheriff Court House

Edinburgh

EH1 1LB

Country

United Kingdom

six.4.3) Review procedure

Precise information on deadline(s) for review procedures

Economic operators should approach the contracting authority in the first instance. However, the only formal remedy is to apply to the courts:

An economic operator that suffers, or is at risk of suffering, loss or damage attributable to a breach of duty under the Public Contracts (Scotland) Regulations 2015 or the Procurement Reform (Scotland) Act 2014, may bring proceedings in the Sheriff Court or the Court of Session.