Invitation to Tender

Provision of a solution for the secure transfer of personal data between parties in the gas and electricity industry

16th November 2018

Contents

• Introduction
  • The Secure Communications Work Group
  • The MRA and the SPAA
  • Gemserv Limited
• The Problem
  • Identifying the issue
  • The Scope of Interest
  • Legal Advice
  • The Request
• Tender Procedure
  • Purpose
  • Indicative Timetable
  • Procedure for submitting Tenders
  • Evaluation of Responses
  • Checklist of Documents to be Returned
• Annex A – Form of Tender Declaration
• Annex B – Assessment Criteria
• Annex C – Pricing Schedule
• Annex D – Impacted MRA and SPAA Processes

Introduction

THE SECURE COMMUNICATIONS WORK GROUP

The Secure Communications Work Group (SCWG) is a sub-committee of the MRA Executive Committee (MEC) established in accordance with clauses 6.53 and 6.54 of the Master Registration Agreement (MRA). The purpose of the SCWG is to identify a common solution(s) to ensure the secure transfer of personal data sent between parties to satisfy obligations in the MRA and the Supply Point Administration Agreement (SPAA).

THE MRA AND THE SPAA

The MRA and the SPAA are multi-party agreements that provide the governance mechanisms to manage the processes that enable customers to transfer between suppliers for electricity and gas respectively. All suppliers and network operators are required by their licence conditions to accede to the codes.

GEMSERV LIMITED

Gemserv Limited is the service company contracted by the MRA Service Company (MRASCo Ltd) to provide services in support of the MRA, including the management of its governance and the provision of specialised expertise. Gemserv is responsible for management of the tender process on behalf of MRASCo.

The Problem

IDENTIFYING THE ISSUE

Industry has identified disparities in the techniques implemented by MRA and SPAA parties in ensuring that personal data is sent between parties via secure means. This has become apparent following the implementation of the General Data Protection Regulation (GDPR) on 25th May 2018. Differences in practices employed have led to operational inefficiencies and inconsistencies in security standards and (in some cases) industry parties’ policies have proven contradictory to each other, resulting in additional challenges in managing the transfer of personal data, which is fundamental to industry processes.

The area of most concern is the management of escalation processes; as standard, data within the industry is sent by secure means over dedicated networks. However, if standard processes require exception management, parties need an alternative secure way to communicate with each other to address escalations in a timely and coordinated manner.

Within the MRA and the SPAA, and for the purposes of this Invitation To Tender (ITT), personal data is data that meets the Information Commissioner’s Office (ICO) definition of personal data [1], and in most cases means customer name, customer address, Meter Point Administration Number (MPAN) in electricity, Meter Point Reference Number (MPRN) in gas, Meter Serial Number (MSN), and meter read data.

THE SCOPE OF INTEREST

Through the establishment of the SCWG, MRA and SPAA parties sought to deliver a standard solution to the secure transfer of personal data. To assess which processes are in scope (i.e. which processes involved the transfer of personal data between industry parties) SCWG completed a review of the relevant codes and annexes to the codes. A list of the processes impacted by the issue is included in Annex D. There are additional processes that involve the transfer of personal data; however, these have existing standalone processes for data transfer that have been developed to be secure for the type of data being sent between parties, and therefore are not in scope of the ITT.

Through this review, it was identified that there are two channels by which data is currently sent between parties that require resolution:

• data transferred via email

• data transferred over the telephone.

[1] https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/what-is-personal-data/

LEGAL ADVICE

Following legal review, SCWG assessed if current industry practices were fit for purpose; that is, whether parties could reasonably continue to send personal data via email and telephone. The SCWG considered that any email containing personal data should have encryption equal to or greater than 256 bits.

Consequently, the SCWG agreed that current practices of sending personal data via email should not continue. It is not practicable to ascertain, audit and monitor that all industry parties have implemented email encryption to a minimum acceptable standard.

It was agreed that personal data could continue to be communicated via telephone, and MRA and SPAA parties are independently developing new best practice standards to introduce verification controls for this type of communication. Personal data currently transferred via telephone is therefore outside the scope of this ITT.

THE REQUEST

SCWG is seeking proposals from potential solution providers for the following:

Creation of a methodology for sending personal data between industry parties where that personal data is currently communicated between parties via email to fulfil obligations of the MRA and the SPAA.

A solution should be proportionate to the problem identified, meet the minimum standards expected for transfer of personal data under GDPR, be futureproof to protect the solution from changes to technology or law, and be best value to implement for any industry party irrespective of size.

Tender Procedure

PURPOSE

Industry wishes to engage a Technical Service Provider (TSP) to develop, maintain and support a solution to ensure the secure transfer of personal data between all industry parties in accordance with GDPR.

This document sets out the tender process, identifying:

• information to be provided by prospective solution providers

• the timetable for the tender process

• a pricing schedule

• assessment criteria for potential solutions.

TIMETABLE

The timetable for tendering and subsequent activities is provided below:

| Activity | Date |
|---|---|
| Invitation to Tender issued | 16th November 2018 |
| Deadline for questions relating to the tender | 5th December 2018 |
| Deadline for receipt of tender | 14th December 2018 |
| All provisional solution providers advised of outcomes | 31st January 2019 |
| Contract award (if required) | 28th February 2019 |
| Contract start date (if required) | 1st April 2019 |

Provisional solution providers should be prepared to present proposed solutions to the SCWG, if required, in the week commencing 7th January 2019.

Contractual arrangements may not be required in the event the preferred solution utilises an existing contractual framework. However, it is proposed that the chosen solution should be ready for adoption no later than 1st April 2019. If new contractual arrangements are required, the contract duration will be for three years unless varied under the terms of that agreement.

PROCEDURE FOR SUBMITTING TENDERS

The page limit for this tender is ten pages (excluding declarations, pricing schedules and CVs).

For Tender Clarifications regarding the process or content of this ITT, contact [email protected]. All questions should be submitted by midday on 5th December 2018; questions submitted after this date may not be answered. Answers to all questions will be circulated to all prospective solution providers no later than two working days after the deadline.

Tenders will be received on or before the deadline of 12:00 on 14th December 2018. Please ensure your tender is delivered no later than the appointed time on the appointed date. Gemserv does not undertake to consider tenders received after that time. Gemserv requires tenders to remain valid for a period of one hundred and eighty (180) working days from submission.

Tenders are to be submitted in electronic form to [email protected] and must include relevant declarations. Gemserv will have the right to disqualify you from the procurement if you do not provide all the information requested in this ITT.

You will not be entitled to claim any costs or expenses that you may incur in preparing your tender whether or not that tender is successful.

EVALUATION OF RESPONSES

Responses will be scored against each of the areas set out in Annex B, according to the extent to which they meet the requirements of the tender. The criteria for each score are outlined in the table below. The total score will be calculated by applying the weighting set against each area to give a score out of 100.

| Score | Summary | Description |
|---|---|---|
| 1 | Not satisfactory | Proposal contains significant shortcomings and does not meet the required standard |
| 2 | Partially satisfactory | Partially meets the required standard, with one or more moderate weaknesses or gaps |
| 3 | Satisfactory | Mostly meets the required standard, with one or more minor weaknesses or gaps |
| 4 | Good | Meets the required standard, with moderate levels of assurance |
| 5 | Excellent | Fully meets the required standard with high levels of assurance |

Pricing will be marked proportionately to the lowest bid and the budget. Prices will be marked on the total cost excluding VAT.

Organisations are strongly advised to structure their tender submissions to cover each of the criteria set out in Annex B, and to ensure that the pricing schedule within Annex C is completed.

CHECKLIST OF DOCUMENTS TO BE RETURNED

▪ Proposal (maximum ten pages)

▪ Form of Tender Declaration (Annex A)

▪ Pricing schedule (Annex C)

Annex A – Form of Tender Declaration

To be completed in all cases

Having considered the invitation to tender and all accompanying documents we confirm that we are fully satisfied as to our experience and ability to deliver the goods/services in all respects in accordance with the requirements of this invitation to tender.

We hereby tender and undertake to provide and complete all the services required to be performed in accordance with the invitation to tender for the amount set out in the Pricing Schedule.

We agree that this tender shall remain open to be accepted for one hundred and eighty (180) days from the date below.

We understand that the contracting party is not bound to accept the lowest or any tender it may receive.

We certify that this is a bona fide tender.

…………………………………………………………………………........

Signature (duly authorised on behalf of the tenderer)

…………………………………………………………………………………

Print name

………………………………………………………………………….

On behalf of (organisation name)

………………………………………………………………………….

Date

Annex B – Assessment Criteria

| Criterion | Description | Weighting |
|---|---|---|
| 1 | Relevant Knowledge and Experience | |
| | Demonstrates full understanding of the issue to be resolved | 5% |
| | Relevant expertise and experience in relation to providing similar solutions to resolving equivalent industry issues | 5% |
| 2 | Development and Delivery Plan | |
| | Solution clearly addresses the problem statement and complies with relevant data protection legislation | 25% |
| | Demonstrates ability to transition industry parties to using new solution with minimal disruption to process | 10% |
| | Proposal ensures that industry parties provided with opportunity to fully engage in test and implementation of a solution | 10% |
| 3 | Approach to Support and Further Change | |
| | Clear and appropriate arrangements for 2nd and 3rd line support | 10% |
| | Approach to delivery of further change, including delivery of a futureproof and technology-proof solution | 10% |
| 4 | Price | |
| | Costs to deliver core solution | 12.5% |
| | Support costs on an enduring basis | 12.5% |
| | Total | 100% |

Annex C – Pricing Schedule

Bidders must provide full detail of proposed pricing for the goods/services to be delivered using the proforma below. Submissions in any other format, against different assumptions, changes in or against an incomplete scope of work or alternatives will be rejected. The currency for all prices should be GBP (£). If applicable, please convert your currency into GBP using the rate published by the European Central Bank on the day you submit your tender.

| | Price (£) |
|---|---|
| Price of design, build, test and implementation of the solution to full deployment | |
| Price of enduring technical support for parties utilising the solution post-deployment | |
| Any further costs of solution provision (please fully detail justification in your response) | |

Please provide a rate card for future service enhancements to be charged on a time and materials basis.

Annex D – Impacted MRA and SPAA Processes

| Code | Annex | Title |
|---|---|---|
| MRA | MAP04 | Procedure for Error Resolution and Retrospective Manual Amendments |
| MRA | MAP05 | Procedure for Entry Assessment and Requalification |
| MRA | MAP08 | The Procedure for Agreement of Change of Supplier Readings and Resolution of Disputed Change of Supplier Readings |
| MRA | MAP10 | The Procedure for Resolution of Erroneous Transfers |
| MRA | MAP12 | The MRA Agreed Procedure for Customer Requested and Co-operative Objections |
| MRA | MAP13 | Procedure for the Assignment of Debt in Relation to Prepayment Meters |
| MRA | MAP14 | Procedure for the Allocation of PPM Payments Transacted Against an Incorrect Device |
| MRA | MAP18 | The MRA Agreed Procedure for The Green Deal Central Charge (GDCC) Database |
| MRA | MAP21 | The MRA Agreed Procedure for Disconnections |
| MRA | MAP24 | Smart Prepayment Change of Supplier Exceptions Process |
| SPAA | Schedule 8 | Customer Requested Objection Agreed Procedure |
| SPAA | Schedule 9 | Assignment of Debt in Relation to Prepayment Meters Agreed Procedure |
| SPAA | Schedule 10 | The Procedure for Resolution of Erroneous Transfers |
| SPAA | Schedule 11 | The Procedure for Agreement of Change of Supplier Reading and the Resolution of Disputed Change of Supplier Readings |
| SPAA | Schedule 22 | SPAA METERING SCHEDULE |
| SPAA | Schedule 30 | The Procedure for Resolution Of Duplicate Meter Points (RDM) For The Same Gas Supply |
| SPAA | Schedule 31 | Procedure for the resolution of Crossed Meters |
| SPAA | Schedule 33 | Theft of Gas Code of Practice |

To find out more please contact:

T: 020 7090 1029

E: [email protected]

W: www.gemserv.com

London Office:

8 Fenchurch Place

London

EC3M 4AJ

Company Reg. No: 4419878