OGC ICT Services Model Agreement: mandatory security provisions from 1 July 2008
08.07.08
The Office of Government Commerce (OGC) issued version 2.2.1 of the OGC IT Services Model Contract on 1 July 2008, amending the security provisions in version 2.2 of the model contract. A new guidance note has also been issued, listing specific security provisions within version 2.1.1. These provisions will be mandatory for all ICT contracts signed after 1 July 2008, except where invitations for tenders have been sent out before this date. However, the guidance urges public authorities to strongly consider including the new security requirements in such contracts.
The guidance note explains that the mandatory clauses and schedules are also compulsory for any non-ICT government contract where data handling or security is an issue.
The new mandatory clauses are as follows:
- Clauses 28.11 and 28.12 deal with staff vetting;
- Clause 40 protects data provided by a public authority to the contractor, including personal data;
- Clause 41 protects personal data which is processed by the contractor for the purpose of the agreement. The guidance note highlights that additional provisions may be needed in the event that any transfer of personal data outside of the European Economic Area (EEA) will take place. While not specifically mentioned in the guidance, these additional terms will be based on the model contract clauses for transfers to data processors based outside of the EEA, which have been approved by the European Commission (and are available on the Europa website);
- Clause 42 sets out the contractor's requirements to assist with Freedom of Information Act requests. The guidance notes that where there are unusually high volumes of such requests, it may be appropriate to agree to pay for assistance with those requests;
- Clause 45.2 is a warranty relating to staff vetting and security. The note explains that if staff vetting is a high-priority issue, it may be appropriate to include additional staff vetting provisions in schedule 2.5;
- Clause 43 contains confidentiality obligations. The guidance note states that it will not be necessary in all circumstances to obtain direct confidentiality undertakings from staff. It also states that authorities should consider including confidentiality provisions among the supply chain provisions imposed on sub-contractors; and
- Clause 48 requires the parties to comply with the security requirements set out in schedule 2.5, and schedule 2.5 itself is mandatory. Schedule 2.5 has been updated in relation to areas such as staff vetting, security standards and obligations in relation to security planning, testing and auditing. Public authorities will need to complete the technical security specifications within the schedule, including those that relate to areas such as physically protecting servers, data backups, access rights and staff security clearances.
A detailed list of the changes to the drafting in version 2.1.1 is available on the Partnerships UK website.
Whilst not mandatory, the guidance urges public authorities to additionally consider the security requirements of the following clauses and schedules:
- Clause 12 Standards
- Clause 13 Quality Assurance and Performance Monitoring
- Clause 24 Audits
- Clause 49 Business Continuity and Disaster Recovery
- Schedule 1 Definitions
- Schedule 2.3 Standards
- Schedule 4.2 Commercially Sensitive Information
- Schedule 8.5 Exit Management
- Schedule 8.6 Business Continuity and Disaster Recovery Provisions
For those working in public sector ICT, as a customer or a supplier, it will be important to understand the key changes to the model ICT agreement. Wragge & Co's experts in public sector IT have put together an analysis of what the key amendments in version 2.2 will mean for customers and suppliers.
Key Contact
Sarah Sasse, partner, +44 (0)121 629 1898, sarah_sasse@wragge.com
This alert may contain information of general interest about current legal issues, but does not give legal advice.