Invitation to Tender

Transcription

1 Invitation to Tender Provision of a solution for the secure transfer of personal data between parties in the gas and electricity industry 16 th November 2018

2 Contents Contents... 2 Introduction... 3 The Secure Communications Work Group... 3 The MRA and the SPAA... 3 Gemserv Limited... 3 The Problem... 4 Identifying the issue... 4 The Scope of Interest... 4 Legal Advice... 5 The Request... 5 Tender Procedure... 6 Purpose... 6 Indicative Timetable... 6 Procedure for submitting Tenders... 7 Evaluation of Responses... 7 Checklist of Documents to be Returned... 8 Annex A Form of Tender Declaration... 9 Annex B Assessment Criteria Annex C Pricing Schedule Annex D Impacted MRA and SPAA Processes... 12

3 Introduction THE SECURE COMMUNICATIONS WORK GROUP The Secure Communications Work Group (SCWG) is a sub-committee of the MRA Executive Committee (MEC) established in accordance with clauses 6.53 and 6.54 of the Master Registration Agreement (MRA). The purpose of the SCWG is to identify a common solution(s) to ensure the secure transfer of personal data sent between parties to satisfy obligations in the MRA and the Supply Point Administration Agreement (SPAA). THE MRA AND THE SPAA The MRA and the SPAA are multi-party agreements that provide the governance mechanisms to manage the processes that enable customers to transfer between suppliers for electricity and gas respectively. All suppliers and network operators are required by their licence conditions to accede to the codes. GEMSERV LIMITED Gemserv Limited is the service company contracted by the MRA Service Company (MRASCo Ltd) to provide services in support of the MRA, including the management of its governance and provision specialised expertise. Gemserv is responsible for management of the tender process on behalf of MRASCo.

4 The Problem IDENTIFYING THE ISSUE Industry has identified disparities in the techniques implemented by MRA and SPAA parties in ensuring that personal data is sent between parties via secure means. This has become apparent following the implementation of the General Data Protection Regulation (GDPR) on 25 th May Differences in practices employed have led to operational inefficiencies and inconsistencies in security standards and (in some cases) industry parties policies have proven contradictory to each other; resulting in additional challenges in managing the transfer of personal data, fundamental to industry processes. The area of most concern is the management of escalation processes; as standard, data within the industry is sent by secure means over dedicated networks. However, if standard processes require exception management, parties need an alternative secure way to communicate with each other to address escalations in a timely and coordinated manner. Within the MRA and the SPAA, and for the purposes of this Invitation To Tender (ITT), personal data is data that meets the Information Commissioner s Office (ICO) definition of personal data 1, and in most cases means customer name, customer address, Meter Point Administration Number (MPAN) in electricity, Meter Point Reference Number (MPRN) in gas, Meter Serial Number (MSN), and meter read data. THE SCOPE OF INTEREST Through the establishment of the SCWG, MRA and SPAA parties sought to deliver a standard solution to the secure transfer of personal data. To assess which processes are in scope (i.e. which processes involved the transfer of personal data between industry parties) SCWG completed a review of the relevant codes and annexes to the codes. A list of the processes impacted by the issue is included in Annex D. There are additional processes that involve the transfer of personal data; however, these have existing standalone processes for data transfer that have been developed to be secure for the type of data being sent between parties, and therefore are not in scope of the ITT. Through this review, it was identified that there are two channels by which data is currently sent between parties that require resolution: data transferred via 1

5 data transferred over the telephone. LEGAL ADVICE Following legal review, SCWG assessed if current industry practices were fit for purpose; that is, whether parties could reasonably continue to send personal data via and telephone. The SCWG considered that any containing personal data should have encryption equal to or greater than 256 bits. Consequently, the SCWG agreed that current practices of sending personal data via should not continue. It is not practicable to ascertain, audit and monitor that all industry parties had implemented encryption to a minimum acceptable standard. It was agreed that personal data could continue to be communicated via telephone, and MRA and SPAA parties are independently developing new best practice standards to introduce verification controls for this type of communication. Personal data currently transferred via telephone is therefore outside the scope of this ITT. THE REQUEST SCWG is seeking proposals from potential solution providers for the following: Creation of a methodology for sending personal data between industry parties where that personal data is currently communicated between parties via to fulfil obligations of the MRA and the SPAA. A solution should be proportionate to the problem identified, meet the minimum standards expected for transfer of personal data under GDPR, be futureproof to protect the solution from changes to technology or law, and best value to implement for any industry party irrespective of size.

6 Tender Procedure PURPOSE Industry wishes to engage a Technical Service Provider (TSP) to develop, maintain and support a solution to ensure the secure transfer of personal data between all industry parties in accordance with GDPR. This document sets out the tender process, identifying: information to be provided by prospective solution providers: the timetable for the tender process a pricing schedule assessment criteria for potential solutions. TIMETABLE The timetable for tendering and subsequent activities is provided below: Activity Date Invitation to Tender issued 16 th November 2018 Deadline for questions relating to the tender 5 th December 2018 Deadline for receipt of tender 14 th December 2018 All provisional solution providers advised of outcomes 31 st January 2019 Contract award (if required) 28 th February 2019 Contract start date (if required) 1 st April 2019 Provisional solution providers should be prepared to present proposed solutions if required to the SCWG on week commencing 7 th January Contractual arrangements may not be required in the event the preferred solution utilises an existing contractual framework. However, it is proposed that the chosen solution should be ready for adoption no later than 1 st April If new contractual arrangements are required, the contract duration will be for three years unless varied under the terms of that agreement.

7 PROCEDURE FOR SUBMITTING TENDERS The page limit for this tender is ten pages (excluding declarations, pricing schedules and CVs). For Tender Clarifications regarding the process or content of this ITT, contact All questions should be submitted by midday on 5 th December 2018; questions submitted after this date may not be answered. Answers to all questions will be circulated to all prospective solution providers no later than two working days after the deadline. Tenders will be received on or before the deadline of 12:00 on 14 th December Please ensure your tender is delivered no later than the appointed time on the appointed date. Gemserv does not undertake to consider tenders received after that time. Gemserv requires tenders to remain valid for a period of one hundred and eighty (180) working days from submission. Tenders are to be submitted in electronic form to MRAHelpdesk@gemserv.com and must include relevant declarations. Gemserv will have the right to disqualify you from the procurement if you do not provide all the information requested in this ITT. You will not be entitled to claim any costs or expenses that you may incur in preparing your tender whether or not that tender is successful. EVALUATION OF RESPONSES Responses will be scored against each of the areas set out in Annex B, according to the extent to which they meet the requirements of the tender. The criteria of each score is outlined in the table below. The total score will be calculated by applying the weighting set against each area to give a score out of 100. Score Summary Description 1 Not satisfactory Proposal contains significant shortcomings and does not meet the required standard 2 Partially satisfactory Partially meets the required standard, with one or more moderate weaknesses or gaps 3 Satisfactory Mostly meets the required standard, with one or more minor weaknesses or gaps 4 Good Meets the required standard, with moderate levels of assurance 5 Excellent Fully meets the required standard with high levels of assurance Pricing will be marked proportionately to the lowest bid and the budget. Prices will be marked on the total cost excluding VAT.

8 Organisations are strongly advised to structure their tender submissions to cover each of the criteria set out in Annex B. The pricing schedule within Annex C is completed. CHECKLIST OF DOCUMENTS TO BE RETURNED Proposal (maximum ten pages) Form of Tender Declaration (Annex A) Pricing schedule (Annex C)

9 Annex A Form of Tender Declaration To be completed in all cases Having considered the invitation to tender and all accompanying documents we confirm that we are fully satisfied as to our experience and ability to deliver the goods/services in all respects in accordance with the requirements of this invitation to tender. We hereby tender and undertake to provide and complete all the services required to be performed in accordance with the invitation to tender for the amount set out in the Pricing Schedule. We agree that this tender shall remain open to be accepted for one hundred and eighty (180) days from the date below. We understand that the contracting party is not bound to accept the lowest or any tender it may receive. We certify that this is a bona fide tender.... Signature (duly authorised on behalf of the tenderer) Print name. On behalf of (organisation name). Date

10 Annex B Assessment Criteria Criterion Description Weighting Relevant Knowledge and Experience 1 Demonstrates full understanding of the issue to be resolved 5% Relevant expertise and experience in relation to providing 5% similar solutions to resolving equivalent industry issues Development and Delivery Plan 2 3 Solution clearly addresses the problem statement and complies with relevant data protection legislation Demonstrates ability to transition industry parties to using new solution with minimal disruption to process Proposal ensures that industry parties provided with opportunity to fully engage in test and implementation of a solution Approach to Support and Further Change Clear and appropriate arrangements for 2 nd and 3 rd line support Approach to delivery of further change, including delivery of a futureproof and technology-proof solution Price 25% 10% 10% 10% 10% 4 Costs to deliver core solution 12.5% Support costs on an enduring basis 12.5% Total 100%

11 Annex C Pricing Schedule Bidders must provide full detail of proposed pricing for the goods/services to be delivered using the proforma below. Submissions on any other format, against different assumptions, changes in or against an incomplete scope of work or alternatives will be rejected. The currency for all prices should be GBP ( ). If applicable, please convert your currency into GBP using the rate published by the European Central Bank on the day you submit your tender. Price ( ) Price of design, build, test and implementation of the solution to full deployment Price of enduring technical support for parties utilising the solution post-deployment Any further costs of solution provision (please fully detail justification in your response) Please provide a rate card for future service enhancements to be charged on a time and materials basis.

12 Annex D Impacted MRA and SPAA Processes Code Annex Title MRA MAP04 Procedure for Error Resolution and Retrospective Manual Amendments MRA MAP05 Procedure for Entry Assessment and Requalification MRA MAP08 The Procedure for Agreement of Change of Supplier Readings and Resolution of Disputed Change of Supplier Readings MRA MAP10 The Procedure for Resolution of Erroneous Transfers MRA MAP12 The MRA Agreed Procedure for Customer Requested and Co-operative Objections MRA MAP13 Procedure for the Assignment of Debt in Relation to Prepayment Meters MRA MRA MAP14 MAP18 Procedure for the Allocation of PPM Payments Transacted Against an Incorrect Device The MRA Agreed Procedure for The Green Deal Central Charge (GDCC) Database MRA MAP21 The MRA Agreed Procedure for Disconnections MRA MAP24 Smart Prepayment Change of Supplier Exceptions Process SPAA Schedule 8 Customer Requested Objection Agreed Procedure SPAA Schedule 9 Assignment of Debt in Relation to Prepayment Meters Agreed Procedure SPAA Schedule 10 The Procedure for Resolution of Erroneous Transfers SPAA Schedule 11 The Procedure for Agreement of Change of Supplier Reading and the Resolution of Disputed Change of Supplier Readings SPAA Schedule 22 SPAA METERING SCHEDULE SPAA Schedule 30 The Procedure for Resolution Of Duplicate Meter Points (RDM) For The Same Gas Supply SPAA Schedule 31 Procedure for the resolution of Crossed Meters SPAA Schedule 33 Theft of Gas Code of Practice

13 To find out more please contact: T: E: W: London Office: 8 Fenchurch Place London EC3M 4AJ Company Reg. No: