Archive for the 'Public procurement' Category

Our Public Law team blog on a legal challenge to Barnet Council’s decision to outsource a wide range of services to outsourcing firm Capita. The judicial review is based on a number fo grounds, including an alleged breach of the public procurement regulations and an alleged breach of the Council’s fiduciary duty to tax payers.

As local authorities increasingly look to efficiences that can be made through shared sevrices and outsourcing, this hearing will be closely watched by both local authorities and suppliers of outsourcing services.

Brodies PublicLawBlog

Local authorities are increasingly expected to to find new and innovative ways of managing diminishing budgets and limited resources but the recent move by Barnet Council to outsource £320m worth of services has caused some to ask whether they have gone a step too far.

The Council has reportedly agreed to outsource services including the Council’s call centre, payroll, information technology and human resources to Capita over a 10 year period.  This has resulted in a backlash from some residents, one of whom (a disabled person who fears that the agreement could have an adverse impact on the support services she currently receives) has raised judicial review proceedings in the English High Court. 

The argument is that the contract is unlawful because the Council: (1) failed to comply with section 3(2) of the Local Government Act 1999 which places an obligation on local authorities to consult all stakeholders including residents…

View original post 67 more words

Will the proposed EU directive on web accessibility lead to confusion and hinder innovation?

Following on from my blogpost last month on the European Commission’s draft directive on the accessibility of public sector websites, I have an article in the forthcoming edition of C&L Magazine, the journal for the Society of Computers and the Law.

Under the proposed directive, new EU-wide rules will be introduced setting out specific requirements in relation to the accessibility of certain websites operated by public sector organisations. In the article, I analyse the impact of the proposed directive on public authorities.

If implemented as it currently stands, the directive raises a number of concerns:

  • Firstly, organisations are presumed to comply with the new law if they achieve Level AA conformance with the W3C‘s Web Content Accessibility Guidelines 2.0 (WCAG). The problem with WCAG is that whilst they provide a good starting point for accessible design, they are only one part of the wider accessibility jigsaw. Indeed, legislating in a manner that requires compliance with a fixed set of technical guidelines is concerning, because WCAG (and therefore the law) will inevitably fail to keep up with evolving technologies for delivering online services (for example, mobile or rich media).
  • This approach could have been mitigated by allowing organisations to deviate from WCAG compliance, if they can justify why this is an appropriate thing to do (as the UK Equality Act provides), but the draft directive does not provide such flexibility.
  • Finally, and perhaps more concerningly, the directive does not explain how it is intended to interact with pre-existing national laws that apply to the accessibility of services provided over the web, where a breach is based on actual discrimination taking place. This creates the very real risk that a public authority could comply with the requirements of the directive, whilst simulateously being in breach of its obligations under the Equality Act (or vice versa).

Whilst the directive may help achieve the Commission’s primary stated aim of removing barriers in the market for the provision of web development services in the EU (by ensuring that public sector organisations are obliged to set standardised technical criteria for accessibility), the directive is a fairly blunt instrument. I remain unconvinced that the directive will have such a positive impact upon the accessibility of websites to users with disabilities.

A far better approach would be to look at adopting the guidance contained in the British Standards Institute’s British standard on commissioning accessible websites.

You can read the article in full on the SCL website.

Martin Sloan

Our Public Law team blog on a proposed extension to the number of bodies subject to the Freedom of Information (Scotland) Act 2002. Under the proposals, arm’s length bodies set up by local authorities to carry out certain functions will be within scope. IT and outsourcing vendors who currently provide services to these sorts of organisations (or are considering bidding for contract opportunities) may wish to bear this in mind when reviewing their contracts.

Brodies PublicLawBlog

The Scottish Government last week announced its intention to increase the number of bodies subject to the Freedom of Information (Scotland) Act 2002 (“FOISA”).   The Government wants to extend FOISA to arm’s length bodies established by local authorities that provide cultural, sports and leisure activities to the public.  It remains to be seen whether they will achieve their aim:  long-in-the-tooth FOI practitioners will know the history of attempts by previous administrations in Scotland to expand the scope of FOI.

Currently FOISA applies to the list of organisations at Schedule 1 (as amended from time to time by section 4).  The Scottish Ministers can also designate other bodies as a ‘Scottish public authority’ under section 5 of FOISA  if they are neither already on Schedule 1 nor capable of being added to Schedule 1 by the section 4 power.    Now that all sounds quite complicated, but in order to be designated a public authority the body must be exercising functions…

View original post 117 more words

Real time journey information systems – enabling innovation through data sharing and interoperability

Over the last few years, I’ve been involved in a number of projects involving the creation and use of transport and journey information in the transport sector. These include the procurement of real time passenger information (RTPI) (where real time journey information is made available to passengers online and through on-street display boards) and smart ticketing systems and the opening up of that data to third parties through an API.

When procuring a RTPI system, there are a number of issues to consider.

Firstly, who owns the data? RTPI systems are often procured by a local authority or regional transport partnership. The location data going in to the system may be collected by equipment owned by the local authority (or the contractor operating the system) and deployed on vehicles or by the bus company’s own fleet tracking system. It will then be processed by the RTPI system to provide the real time journey data. The contracts that are put in place between the various entities need to make clear who owns the data and what rights each of the other parties have to use it.

Secondly, it’s important that the RTPI system enables interoperability. This will allow data to be shared with other RTPI systems (for example, multi-modal or in neighbouring geographic areas) and other users (for example, mobile apps developers seeking to incorporate journey information in their products and services). This means that the system will need to include appropriate APIs that make the data available in a recognised industry standard format. As part of any support and maintenance arrangements, those interfaces should keep up with market developments on interoperability.

Re-use of public sector information regulations
Part of the reason for local authorities making available data through an API is a response to the Re-use of Public Sector Information Regulations, which implemented an EU directive on the re-use of public sector information directive (the PSI Directive) and the UK Government’s Open Data iniative.

The regulations are intended to open up access to information and datasets held by public authorities, so that publicly owned data can be reused for innovative purposes. The regulations provide rules on requests to reuse information held by public sector organisations. RTPI and journey data is a good example of data that can be reused and mashed up into other applications.

Notably, the regulations prohibit public authorities from acting in a discriminatory manner or from entering into exclusive arrangements in relation to the re-use of public sector information unless that arrangement is in the public interest. This means that local authorities should not be entering into exclusive arrangements in relation to the use of transport information that they hold.

The regulations also limit any charges that the public authority may levy on the use of the information. The authority may recover a “reasonable return on investment”, but cannot charge for the costs it has incurred if it has already charged the recipient under freedom of information or data protection laws.

The authority should also publish details of its charging structure and terms of use of the information.

Rather than develop bespoke interfaces and licence terms for each person seeking to utilise the data, the easiest way for local authorities to make available RTPI data is through a publicly available API, with a standard form licence setting out the terms of use.

Proposed reform
The European Commission is currently consulting on new legislation in this sector.

It does not think that the PSI Directive has been effective in ensuring open access to transport data. Notably, the PSI Directive applies only to public sector bodies (so not private transport operators), and does not apply to information where the intellectual property rights are owned by a third party – for example, the bus or train company in question.

The Commission is therefore proposing that all transport operators are obliged to make available, fare, schedule and real time journey information in an industry standard format. The Commission proposes that the European standardisation bodies work together to develop related standards to ensure interoperability using a common standard.

This should help to open up access to transport data that is not currently being made available, and lead to new and innovative use of that data by third party developers.

What’s not clear from the proposed consultation is how the reforms will work in practice. In the UK, public transport is largely run by companies in the private sector. However, RTPI systems for buses tend to be operated by local authorities or regional transport partnerships, who then aggregate data from different operators. In order for the reforms to be effective the new laws will need to cover all parts of the chain.

There will be other concerns as well. In the UK, the bus industry is regulated by traffic commissioners, who have powers to fine operators for late running services. There is often a tension between bus companies and local authorities when making available real time journey information as that could be used to easily analyse the company’s performance without the need for commissioners to stand at bus stops with a watch, a timetable and a clipboard. It will be interesting to see whether the transport industry lobbies against this requirement.

In the meantime, any organisation considering procuring an RTPI or other transport data system should ensure that their technical specification addresses interoperability, the use of common (or mandated standards) and APIs to help ensure compliance with the Commission’s proposals.

The consultation closes on 12 March 2013.

Martin Sloan

ICO imposes £250,000 fine following failure to adequately supervise service provider

The Information Commissioner (ICO) yesterday imposed his second highest fine to date, and highest outside the NHS, on a Scottish local authority following inadequacies in relation to an outsourcing contract.

This case involved a local authority which outsourced the scanning of pension records to a third party, as part of a long term scanning project. The arrangement commenced in 2005, and involved the scanning of thousands of files. However, no written contract was in place between the local authority and the supplier, and it appears no supervision or monitoring of the supplier’s information security arrangements was ever carried out.

The problems came to light in September last year, when a member of public noticed that a paper recycling bank was overfilled with discarded files. Fortunately, the individual in question reported the find to the police, who in turn secured the site and alerted the local authority. Upon investigation, it turned out that almost 900 files had been disposed of by the supplier at recycling banks that day alone. Prior to the breach coming to light, the supplier a further 8,000 files having previously been disposed of by the supplier.

The records in question contained a large amount of personal data, including national insurance numbers, salary and bank account details. Some files also contained information on ill health benefits.

Data protection and outsourcing
When organisations think of outsourcing, they will usually think of high value projects involving IT or the outsourcing of entire business processes.

This case highlights that the same rules on data security apply to the performance of more routine, low value, tasks contracted out to third parties. The fact that this particular local authority had no written contract in place with the supplier, never mind robust provisions dealing with data security suggests that this appointment was likely an adhoc arrangement that did not go through the formal governance procedures.

It is also clear that supervision of the supplier’s activities fell through the cracks. Nevertheless, the local authority remains responsible under the DPA for ensuring that the data in question is adequately protected.

The case also serves as a reminder of the importance of exercising contactual rights of audit and oversight. It is not simply enough to include a data protection clause in a contract. The ICO expects data controllers to be able to demonstrate that they have carried out appropriate diligence on the adequacy of security measures put in place by their suppliers, and to continually monitor the supplier to ensure that the measures are being complied with and remain fit for purpose.

Justiciation for the penalty
As I have noted previously, when considering what security measures are appropriate, the ICO expects data controllers to take into account the sensitivity of the information involved, and likely distress that may arise from loss or unauthorised access.

In imposing such a high monetary penalty in this case, the ICO noted that serious contraventions had occurred, with breaches by the local authority of a number of other obligations under the Data Protection Act (DPA). These included failures to:

  • choose a supplier that provided sufficient guarantees in relation to information security measures;
  • take reasonable steps to ensure compliance with those measures; and
  • have in place a written contract with the supplier which obliged the supplier to act only on the local authority’s instructions and to comply with obligatisons equivalent to those imposed under the seventh data protection principle (which requires that appropriate measures are taken against unauthorised or unlawful processing of personal daya ana against acceidental loss or destruction of, or damahge to personal data).

ICO guidance
The ICO provides some guidance for organisations intending to outsource a service (or reviewing their existing contracts with service providers:

  • Always select a reputable organisation to work with;
  • Make sure the organisation has appropriate data security measures in place, including how it disposes of data
  • And make sure the organisation has appropriate security checks on staff too
  • Put a clear, enforceable contract in place
  • Make sure that contract requires the contractor to report any security breaches or other problems to you, and have procedures in place on how you will act if problems are reported
  • If you are going to transfer personal data outside of the European Economic Area, make sure you’re doing so in line with Data Protection Act 1998

For small to medium sized organisations, more detailed guidance is available on the ICO’s website.

The importance of reviewing your supply arrangements
Since the monetary penalty regime came into force, many organisations have focussed on their internal information security arrangements and staff training.

As the latest ICO fine makes clear, however, now is the time to:

  • review your supply arrangements to ensure that appropriate contracts are in place with suppliers (having regard to the activities of that supplier), that your suppliers are complying with their contractual obligations; and
  • separately review your policies on procurement, information security and the management of suppliers.

The cost of carrying out such a review is likely to be low compared to the potential fines that could be imposed by the ICO (and the reputational damage that follows) if any of those contracts are found to be deficient.

Brodies can help you to carry out such an exercise by working with your internal compliance and procurement teams to review the terms of your supplier contracts and your internal policies. To discuss this further, please contact me or your usual Brodies contact.

e-Update on ICT projects in the public sector: avoiding delays, cost overruns and service failures

Following my blog about the recent Audit Scotland report into ICT projects in the Scottish public sector, we have this morning issued an e-update to clients and contacts summarising the key issues and recommendations.

The e-update also emphasises the importance of early stage legal input to ensure that the procurement runs to track and initial procurement documentation doesn’t cause problems further down the line (to continue the train analogy).

You can read the e-update by following this link.

If you would like to sign-up to receive future e-updates, please follow this link to register. If you’d like to discuss any of the issues covered in the update please get in touch.

ICT procurement in the public sector – avoiding delays, overruns and service failures

Audit Scotland today published its report following an audit of three public sector IT projects in Scotland. I’d recommend that anyone in the public sector who is involved in ICT procurement reads it – particularly if they are about to embark on any transformational or shared services projects.

Common issues
The findings could be summarised in a single phrase: “lack of governance” – whether within the contracting authority itself or as between the contracting authority and its supplier.

But the report goes into more detail than this, and highlights a number of common issues:

  • Project teams often had a lack of skills and experience in relation to ICT projects.
  • External consultants were used to plug these gaps, but often only at key stages (and often after the project was underway), meaning that there was little support during the intervening periods. Elsewhere, the contracting authority relied upon the supplier for guidance on key decisions.
  • Business cases did not always clearly define the planned benefits of a project, meaning that it was then difficult to measure success – in some cases the “whole-life costs” section was left blank. As such, it was impossible to measure value for money.
  • Intended users of the ICT were not sufficiently involved in the design of programmes – this meant that the solution delivered didn’t always meet the requirements of users. This was exacerbated by an over reliance on the supplier for key decisions.
  • Programme management was weak – with failings in financial control and progress reporting. Boards were provided with insufficient detail, and governance arrangements that were in place weren’t always adhered to.
  • In complex projects, there was a lack of ownership of individual elements of the project, which contributed to cost and time overruns and led to a failure to identify that the overall project was behind schedule and over budget (the “boiling frog” analogy)
  • Finally, Audit Scotland also identified problems with the Scottish Government’s “Gateway” review process, which is intended to provide assurance on project management.

Surprisingly, it seems that in many cases these projects were commenced without carrying out a competitive procurement exercise. Instead, the organisations concerned appointed an incumbent supplier to carry out the work. This lack of competitive procurement undoubtedly exacerbated the problems encountered with cost overrruns and the unsuitability of the solution provided by the supplier.

The cost of getting it wrong can be high. Poor project implementation results in delays, increased cost and end user dissatisfaction, as the ICT service fails to meet the needs of users. In the case of one project reviewed by Audit Scotland, the contracting authority decided that the structure of its wider contract with its IT supplier was inappropriate. It is now in negotiations over the level of compensation due to that supplier as a consequence of terminating 20 months early.

Audit Scotland’s Recommendations
Audit Scotland makes a number of recommendations which all procuring authorities should consider adopting:

  • ensure that an effective governance procedure is in place and is being complied with
  • ensure that established project management frameworks are followed
  • ensure that robust performance management arrangements have been developed and that appropriate progress reporting is taking place
  • ensure that a detailed skills assessment has been completed at the outset of a project to ensure that team members have the necessary skills and experience to undertake their roles

To assist procuring authorities, Audit Scotland’s report includes a list of questions that senior managers and project boards can use to scrutinise and challenge the management of ICT programs undertaken by their authority.

Some additional recommendations
I would add some additional recommendations to the Audit Scotland list:

  • Think carefully before appointing an incumbent supplier to deliver a project. Even if there aren’t procurement law issues, a competitive procurement is likely to deliver better cost efficiencies and a more appropriate solution.
  • Consider the most appropriate procurement procedure for the project. Should you buy off-catalogue (eg OGC) or procure directly? If the latter, consider whether the competitive dialogue procedure gives you more control in more complex projects.
  • Ensure that a clear specification for the services being procured is developed up front with input from all key stakeholders (including those that will be using the services).
  • Develop an appropriate governance and reporting structure both for the internal team within the contracting authority(ies), and also between the contracting authority and the supplier, to ensure that performance, costs and delivery are closely monitored and problems quickly identified and resolved.
  • If there are multiple contracting authorities or agencies, ensure that there is an appropriate governance and reporting structure between the lead authority and the other agencies/authorities, so that the interests of all relevant parties are properly managed.
  • Ensure that a suitably qualified team is assembled to support the procurement throughout the project. This includes external IT consultants (where skills aren’t available in-house) and legal advisors to ensure that the contract terms and conditions and procurement documents are fit for purpose and incorporate the agreed governance structure. This team should be involved from the outset to ensure that the initial ITT or RFP is as detailed as possible, and doesn’t set the project off in the wrong direction.

Delivering public services – What’s right for Scotland? Brodies’ Conference 3rd November 2010 in Stirling

Brodies is holding a free half-day conference “Delivering public services – What’s right for Scotland?” on Wednesday 3rd November in Stirling.

Earlier this year we commissioned a major survey of local authority Chief Executives and Chief Finance Officers which provides a fascinating insight into how Scottish Councils might respond to budget constraints by embracing new models for service delivery.

The results of the survey will feed into the central themes of what promises to be a lively discussion:

  1. To what extent can shared services (in their various formats), outsourcing and even off-shoring reduce the cost of public sector services in Scotland?
  2. Is it time for a radical shake up? Can Scotland learn from models used elsewhere in the UK?

Our panel of speakers includes:

  • Jonathan Pryce, Director for Improving Public Services, Scottish Government
  • George Black, Chief Executive, Glasgow City Council
  • Dave Watson LLB, Unison
  • Brian Devlin, Business Director, AMEY
  • Douglas Mathie, Partner, Transformation & Shared Services Group, Brodies LLP

Following the presentations there will be a debate chaired by Jackie McGuire Head of our Transformation and Shared Services Group.

The event starts at 0830 with breakfast and finishes at 1300 with a buffet lunch.

The event is at the Barcelo hotel in Stirling (near the railway station). 

If you want to attend then click the Accept button below.


New Lingo: “Counter-Sourcing”

A couple of weeks ago I met up with Neil MacKenzie of Capgemini Consulting  for coffee.  I originally met Neil at a CIPS event in Glasgow.

Neil is a Vice President in Capgemini Consulting.  His team delivers procurement services to the private and public sector.

We talked about lots of things that our relevant clients were doing (preserving client confidentiality – of course), and generally shared market intelligence. 

Neil also explained the concept “counter-sourcing” to me.  Apparently it means helping suppliers sell to customers who are using “sourcing” techniques to squeeze the supplier.  

I like the slightly Orwellian feel of this word. 

But I suppose the point is that it is good to have experience of helping both buyers and sellers. It means you understand each sides’ issues, and this means you get to the a deal that both sides can live with quicker.

Also check out the new photo sign-off below. What do you think?


Twitter: @BrodiesTechBlog feed

December 2017
« May    

%d bloggers like this: