Invitation to Tender
Provision of a solution for the secure transfer of personal data between parties in the gas and electricity industry
16th November 2018
Contents
Introduction
  The Secure Communications Work Group
  The MRA and the SPAA
  Gemserv Limited
The Problem
  Identifying the issue
  The Scope of Interest
  Legal Advice
  The Request
Tender Procedure
  Purpose
  Indicative Timetable
  Procedure for submitting Tenders
  Evaluation of Responses
  Checklist of Documents to be Returned
Annex A – Form of Tender Declaration
Annex B – Assessment Criteria
Annex C – Pricing Schedule
Annex D – Impacted MRA and SPAA Processes
Introduction
THE SECURE COMMUNICATIONS WORK GROUP
The Secure Communications Work Group (SCWG) is a sub-committee of the MRA Executive Committee (MEC)
established in accordance with clauses 6.53 and 6.54 of the Master Registration Agreement (MRA). The
purpose of the SCWG is to identify a common solution(s) to ensure the secure transfer of personal data sent
between parties to satisfy obligations in the MRA and the Supply Point Administration Agreement (SPAA).
THE MRA AND THE SPAA
The MRA and the SPAA are multi-party agreements that provide the governance mechanisms to manage the
processes that enable customers to transfer between suppliers for electricity and gas respectively. All suppliers
and network operators are required by their licence conditions to accede to the codes.
GEMSERV LIMITED
Gemserv Limited is the service company contracted by the MRA Service Company (MRASCo Ltd) to provide
services in support of the MRA, including the management of its governance and provision of specialised
expertise. Gemserv is responsible for management of the tender process on behalf of MRASCo.
The Problem
IDENTIFYING THE ISSUE
Industry has identified disparities in the techniques implemented by MRA and SPAA parties in ensuring that
personal data is sent between parties via secure means. This has become apparent following the
implementation of the General Data Protection Regulation (GDPR) on 25th May 2018. Differences in practices
employed have led to operational inefficiencies and inconsistencies in security standards and (in some cases)
industry parties’ policies have proven contradictory to each other, resulting in additional challenges in
managing the transfer of personal data, which is fundamental to industry processes.
The area of most concern is the management of escalation processes; as standard, data within the industry is
sent by secure means over dedicated networks. However, if standard processes require exception
management, parties need an alternative secure way to communicate with each other to address escalations
in a timely and coordinated manner.
Within the MRA and the SPAA, and for the purposes of this Invitation To Tender (ITT), personal data is data
that meets the Information Commissioner’s Office (ICO) definition of personal data [1], and in most cases means
customer name, customer address, Meter Point Administration Number (MPAN) in electricity, Meter Point
Reference Number (MPRN) in gas, Meter Serial Number (MSN), and meter read data.
THE SCOPE OF INTEREST
Through the establishment of the SCWG, MRA and SPAA parties sought to deliver a standard solution to the
secure transfer of personal data. To assess which processes are in scope (i.e. which processes involved the
transfer of personal data between industry parties) SCWG completed a review of the relevant codes and
annexes to the codes. A list of the processes impacted by the issue is included in Annex D. There are additional
processes that involve the transfer of personal data; however, these have existing standalone processes for
data transfer that have been developed to be secure for the type of data being sent between parties, and
therefore are not in scope of the ITT.
Through this review, it was identified that there are two channels by which data is currently sent between
parties that require resolution:
• data transferred via email
• data transferred over the telephone.
[1] https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/what-is-personal-data/
LEGAL ADVICE
Following legal review, SCWG assessed if current industry practices were fit for purpose; that is, whether
parties could reasonably continue to send personal data via email and telephone. The SCWG considered that
any email containing personal data should have encryption equal to or greater than 256 bits.
Consequently, the SCWG agreed that current practices of sending personal data via email should not continue.
It is not practicable to ascertain, audit and monitor whether all industry parties have implemented email
encryption to a minimum acceptable standard.
It was agreed that personal data could continue to be communicated via telephone, and MRA and SPAA
parties are independently developing new best practice standards to introduce verification controls for this
type of communication. Personal data currently transferred via telephone is therefore outside the scope of
this ITT.
THE REQUEST
SCWG is seeking proposals from potential solution providers for the following:
Creation of a methodology for sending personal data between industry parties where that personal data is
currently communicated between parties via email to fulfil obligations of the MRA and the SPAA.
A solution should be proportionate to the problem identified, meet the minimum standards expected for
transfer of personal data under GDPR, be futureproof to protect the solution from changes to technology or
law, and best value to implement for any industry party irrespective of size.
Tender Procedure
PURPOSE
Industry wishes to engage a Technical Service Provider (TSP) to develop, maintain and support a solution to
ensure the secure transfer of personal data between all industry parties in accordance with GDPR.
This document sets out the tender process, identifying:
• information to be provided by prospective solution providers
• the timetable for the tender process
• a pricing schedule
• assessment criteria for potential solutions.
TIMETABLE
The timetable for tendering and subsequent activities is provided below:
Activity | Date
Invitation to Tender issued | 16th November 2018
Deadline for questions relating to the tender | 5th December 2018
Deadline for receipt of tender | 14th December 2018
All provisional solution providers advised of outcomes | 31st January 2019
Contract award (if required) | 28th February 2019
Contract start date (if required) | 1st April 2019
Provisional solution providers should be prepared to present proposed solutions, if required, to the SCWG in
the week commencing 7th January 2019.
Contractual arrangements may not be required in the event the preferred solution utilises an existing
contractual framework. However, it is proposed that the chosen solution should be ready for adoption no later
than 1st April 2019. If new contractual arrangements are required, the contract duration will be for three years
unless varied under the terms of that agreement.
PROCEDURE FOR SUBMITTING TENDERS
The page limit for this tender is ten pages (excluding declarations, pricing schedules and CVs).
For Tender Clarifications regarding the process or content of this ITT, contact [email protected]. All
questions should be submitted by midday on 5th December 2018; questions submitted after this date may not
be answered. Answers to all questions will be circulated to all prospective solution providers no later than two
working days after the deadline.
Tenders will be received on or before the deadline of 12:00 on 14th December 2018. Please ensure your tender
is delivered no later than the appointed time on the appointed date. Gemserv does not undertake to consider
tenders received after that time. Gemserv requires tenders to remain valid for a period of one hundred and
eighty (180) working days from submission.
Tenders are to be submitted in electronic form to [email protected] and must include relevant
declarations. Gemserv will have the right to disqualify you from the procurement if you do not provide all the
information requested in this ITT.
You will not be entitled to claim any costs or expenses that you may incur in preparing your tender whether or
not that tender is successful.
EVALUATION OF RESPONSES
Responses will be scored against each of the areas set out in Annex B, according to the extent to which they
meet the requirements of the tender. The criteria for each score are outlined in the table below. The total score
will be calculated by applying the weighting set against each area to give a score out of 100.
Score | Summary | Description
1 | Not satisfactory | Proposal contains significant shortcomings and does not meet the required standard
2 | Partially satisfactory | Partially meets the required standard, with one or more moderate weaknesses or gaps
3 | Satisfactory | Mostly meets the required standard, with one or more minor weaknesses or gaps
4 | Good | Meets the required standard, with moderate levels of assurance
5 | Excellent | Fully meets the required standard with high levels of assurance
Pricing will be marked proportionately to the lowest bid and the budget. Prices will be marked on the total cost
excluding VAT.
Organisations are strongly advised to structure their tender submissions to cover each of the criteria set out in
Annex B and to ensure that the pricing schedule within Annex C is completed.
CHECKLIST OF DOCUMENTS TO BE RETURNED
▪ Proposal (maximum ten pages)
▪ Form of Tender Declaration (Annex A)
▪ Pricing schedule (Annex C)
Annex A – Form of Tender Declaration
To be completed in all cases
Having considered the invitation to tender and all accompanying documents we confirm that we are fully
satisfied as to our experience and ability to deliver the goods/services in all respects in accordance with the
requirements of this invitation to tender.
We hereby tender and undertake to provide and complete all the services required to be performed in
accordance with the invitation to tender for the amount set out in the Pricing Schedule.
We agree that this tender shall remain open to be accepted for one hundred and eighty (180) days from the
date below.
We understand that the contracting party is not bound to accept the lowest or any tender it may receive.
We certify that this is a bona fide tender.
Signature (duly authorised on behalf of the tenderer): ……………………………………………
Print name: ……………………………………………
On behalf of (organisation name): ……………………………………………
Date: ……………………………………………
Annex B – Assessment Criteria
Criterion | Description | Weighting
1. Relevant Knowledge and Experience | Demonstrates full understanding of the issue to be resolved | 5%
1. Relevant Knowledge and Experience | Relevant expertise and experience in relation to providing similar solutions to resolving equivalent industry issues | 5%
2. Development and Delivery Plan | Solution clearly addresses the problem statement and complies with relevant data protection legislation | 25%
2. Development and Delivery Plan | Demonstrates ability to transition industry parties to using new solution with minimal disruption to process | 10%
2. Development and Delivery Plan | Proposal ensures that industry parties are provided with the opportunity to fully engage in test and implementation of a solution | 10%
3. Approach to Support and Further Change | Clear and appropriate arrangements for 2nd and 3rd line support | 10%
3. Approach to Support and Further Change | Approach to delivery of further change, including delivery of a futureproof and technology-proof solution | 10%
4. Price | Costs to deliver core solution | 12.5%
4. Price | Support costs on an enduring basis | 12.5%
Total | | 100%
Annex C – Pricing Schedule
Bidders must provide full detail of proposed pricing for the goods/services to be delivered using the proforma
below. Submissions in any other format, against different assumptions, changes in or against an incomplete
scope of work or alternatives will be rejected. The currency for all prices should be GBP (£). If applicable,
please convert your currency into GBP using the rate published by the European Central Bank on the day you
submit your tender.
Item | Price (£)
Price of design, build, test and implementation of the solution to full deployment |
Price of enduring technical support for parties utilising the solution post-deployment |
Any further costs of solution provision (please fully detail justification in your response) |
Please provide a rate card for future service enhancements to be charged on a time and materials basis.
Annex D – Impacted MRA and SPAA Processes
Code | Annex | Title
MRA | MAP04 | Procedure for Error Resolution and Retrospective Manual Amendments
MRA | MAP05 | Procedure for Entry Assessment and Requalification
MRA | MAP08 | The Procedure for Agreement of Change of Supplier Readings and Resolution of Disputed Change of Supplier Readings
MRA | MAP10 | The Procedure for Resolution of Erroneous Transfers
MRA | MAP12 | The MRA Agreed Procedure for Customer Requested and Co-operative Objections
MRA | MAP13 | Procedure for the Assignment of Debt in Relation to Prepayment Meters
MRA | MAP14 | Procedure for the Allocation of PPM Payments Transacted Against an Incorrect Device
MRA | MAP18 | The MRA Agreed Procedure for The Green Deal Central Charge (GDCC) Database
MRA | MAP21 | The MRA Agreed Procedure for Disconnections
MRA | MAP24 | Smart Prepayment Change of Supplier Exceptions Process
SPAA | Schedule 8 | Customer Requested Objection Agreed Procedure
SPAA | Schedule 9 | Assignment of Debt in Relation to Prepayment Meters Agreed Procedure
SPAA | Schedule 10 | The Procedure for Resolution of Erroneous Transfers
SPAA | Schedule 11 | The Procedure for Agreement of Change of Supplier Reading and the Resolution of Disputed Change of Supplier Readings
SPAA | Schedule 22 | SPAA METERING SCHEDULE
SPAA | Schedule 30 | The Procedure for Resolution Of Duplicate Meter Points (RDM) For The Same Gas Supply
SPAA | Schedule 31 | Procedure for the resolution of Crossed Meters
SPAA | Schedule 33 | Theft of Gas Code of Practice
To find out more please contact:
T: 020 7090 1029
W: www.gemserv.com
London Office:
8 Fenchurch Place
London
EC3M 4AJ
Company Reg. No: 4419878