The Office of Government Commerce (OGC) launched the new OGC Model ICT Services Agreement Version 2.3 on 6 August, replacing last year's Version 2.2.1. As was the case for Version 2.2.1, Version 2.3 has been the subject of extensive consultation with various groups, including Intellect and the Financial Distress Advisory Panel which was set up specifically to consider financial distress provisions of the model contract.
Schedule 7.4 (Financial Distress)
A key change brought about by Version 2.3 is the introduction of the 'short form' Financial Distress Schedule to be used for smaller, less strategic projects and which incorporates only Level 1 triggers and consequences.
Another key change is that, where credit ratings are to be used, they will take primacy over other financial distress triggers.
The OGC has added new guidance in Section B of this schedule to assist with its use. The parties should note that the new guidance comments that financial distress events 'should not be subject to negotiation, except in exceptional circumstances and after informing OGC'.
Schedule 2.5 (Security Management Plan)
Schedule 2.5 (Security Management Plan) is the schedule mandated by the Cabinet Office's Data Handling Report of June 2008 for central government contracts. Formerly the 'Security Plan', it has now become the 'Security Management Plan'.
A number of changes to this schedule are to bring it into line with ISO 27001 and ISO 27002. Also, the first full version of the Security Management Plan is to be produced by the Service Provider within 20 Working Days of the "Effective Date" (paragraph 8.2.1 of Schedule 2.5).
Other key changes
Many of the changes to the body of Version 2.3 are minor drafting improvements, or take into account some commonly requested and fair changes, such as the addition of 'as soon as reasonably possible' language.
More significant changes to the body of Version 2.3 include the addition of sub-contractor flow-down requirements relating to data handling, and clauses which enable the authority to require direct agreements with key sub-contractors (new Clause 23.8).
1 Security Management Plan (Schedule 2.5)
Schedule 2.5, formerly called the 'Security Plan', has now become the 'Security Management Plan'. The change of name reflects the changes to Schedule 2.5 to further bring it in line with ISO 27001 and ISO 27002. This schedule is one of the parts of the model contract mandated for central government by the Cabinet Office's Data Handling Report of June last year.
Other key changes to Schedule 2.5 include:
1.1 Breach of security:
The definition 'Breach of Security' has been extended to cover loss or disclosure of information as well as unauthorised access to information, systems or premises.
As part of its deliberations on Version 2.3, OGC considered whether Schedule 2.5 provisions should apply to loss of copied data in the same way as it applies to loss of original data, but in the end concluded that it should apply to original data only and that loss of copied data will be covered by provisions on confidential data.
1.2 Information Security Management System (ISMS) audit/certification:
The ISMS (rather than the Security Plan as was previously the case) is to be tested and audited (Schedule 2.5 paragraph 10) in accordance with ISO 27001 (Schedule 2.5 paragraph 11).
New guidance within Schedule 2.5 (at paragraph 11 "Compliance with ISO/IEC 27001") states that the provisions of paragraphs 11.1 and 11.2, which address certification of the ISMS (certification of the ISMS to ISO/IEC 27001 and notification to the Authority of any parts of the ISMS which are non-compliant), should be included if "the security management obligations in the project in question are in the opinion of the Authority sufficiently complex, extensive or critical to justify the extra assurance (and delay and expense) of obtaining certification. If in doubt, the Authority should consult their Senior Information Risk Owner". If such certification is not sought, the guidance at paragraph 11 states that the Authority will need to confirm that the service provider complies with the principles and practices of ISO/IEC 27001.
The guidance note at paragraph 11 goes on to say that in circumstances where there is no independent certification "... then compliance to the principles and practices of ISO/IEC 27001 should be confirmed by the Authority. This should include examination of the Statement of Applicability to ensure that it is adequate and is consistent with the Authority's Security Policy, and, as such meets the 'Mandatory Requirements' in the Security Policy Framework".
1.3 Security framework policy:
References to 'Information Assurance Standards' and the 'Manual of Protective Security' have been changed to references to the Cabinet Office's 'Security Framework Policy' (stated to be available from the Cabinet Office Security Policy Division).
The minimum levels of security (Tiers 1-4) of that policy are to be complied with if the Tier 1-4 provisions are not fully incorporated into the authority's security policy (which the service provider is also required to comply with) (see paragraph 8 of Schedule 2.5 (Principles of Security)). The intention is, however, that these security levels should be incorporated into the authority's security policy.
1.4 Changes to principles of security:
The security requirements listed in paragraph 8 of Schedule 2.5 (Principles of Security) - including for example the security framework policy, Schedule 2.1 (Service Description) security requirements and the authority's security policy - are to be applied as replaced, updated and developed from time to time.
1.5 Security policy:
The security policy annex which the parties are to complete has moved from Appendix 2 to Appendix 1 of Schedule 2.5. New guidance at Appendix 1 clarifies that the security policy should be "based on the business's security policy, including those elements that are relevant to the project".
It also goes on to say that the security policy is "likely to include a number of security reference documents which together comprise the Authority's guidance and operating procedures which will include and/or take full account of Her Majesty's Government Security Policy Framework, IA Standard No.6 'Handling Personal Data and Managing Information Risk' and the Cabinet Office's Mandatory Minimum Measures".
1.6 Security management plan:
The security management plan (previously an 'Outline Security Management Plan') has moved from Appendix 1 to Appendix 2 of Schedule 2.5. Appendix 2 now contains a list of proposed contents for the Security Management Plan, which is derived from ISO 27002. The first full version of the Security Management Plan is to be produced by the Service Provider within 20 Working Days of the "Effective Date" (paragraph 8.2.1 of Schedule 2.5).
1.7 Security breach notification:
Security breaches are now to be notified in accordance with an agreed security incident management process which is to be set out in the ISMS, rather than, as previously required, "immediately" (see paragraph 12 (Breach of Security) of Schedule 2.5).
2 Financial Distress (Schedule 7.4)
A new 'short form' financial distress Schedule has been issued, and the 'short form' (as opposed to 'long form') financial distress provisions will apply unless:
- the contract value is likely to exceed £150 million;
- the projected annual value of the contract exceeds 5% of the service provider's annual turnover; and/or
- the contract is vital to the authority meeting its statutory duties.
Guidance has been added to the effect that authorities should bear in mind, however, that full financial distress provisions may take longer to negotiate and agree.
The financial distress 'short form' provisions encompass only 'Level One' triggers and consequences from the 'long form' version of Schedule 7.4.
Key changes to the 'long form' Schedule 7.4 are:
2.1 Group companies:
New guidance has been added at Section B of Schedule 7.4 explaining when a group company guarantor should be subject to financial distress provisions. It is envisaged that the financial distress provisions will likely apply either to the service provider itself (if no parent company guarantee (PCG) is provided) or to the guarantor (if a PCG is provided); however, the guidance urges authorities to consider carefully with their advisors whether, in their particular circumstances, the financial distress provisions should apply to both.
2.2 Offshore companies:
New guidance at Section B of Schedule 7.4 also acknowledges that organisations with shares listed overseas may legitimately require changes to financial distress events, in which case financial and legal advice should be sought by authorities as soon as possible in the relevant jurisdictions.
2.3 Primacy of credit ratings:
Where credit ratings are used as a measure of financial health, they take priority over other financial health indicators (see new paragraph 10 (Primacy of Credit Ratings)).
2.4 Other trigger events:
The guidance at Section B of Schedule 7.4 continues to recognise that, while credit ratings should be used 'where possible', it may be that other measures of financial health need to be used. New guidance has been added to the existing guidance which highlights that, if alternative measures are used, Schedule 7.4 drafting will need to be changed and negotiated to reflect this, as early on in the process as possible.
2.5 Retention fund:
Escrow account provisions to hold back charges to cover the costs of re-competing if the authority has to terminate as a result of insolvency (i.e. Level 3) have been replaced by a 'retention fund'.
2.6 Service continuity plan trigger:
The automatically applicable obligation for service providers to implement a service continuity plan in response to a Level One trigger has been modified so that it need only be invoked if the authority reasonably believes that the risk event could impact on the provision of the services. Previously, Schedule 7.4 appeared to allow only three attempts at the service continuity plan before escalation; this has now been extended to allow for repeated submissions until the plan is approved by the authority or, at the authority's discretion, referred to the escalation process under paragraph 6.3 of Schedule 7.4.
2.7 Maintaining service continuity plans:
Service continuity plan drafting has been clarified around maintenance of the plan (i.e. no less than monthly reviews) (see paragraph 6.5 of Schedule 7.4). However, if the plan is found to be out of date, the updated plan needs to go through the whole approval process again as if it were a new plan.
Also, termination of service continuity plan obligations has been clarified (paragraph 6.6 of Schedule 7.4); however, note that once the financial distress event has passed, the service provider is required to notify the authority, and the parties 'may' agree that the contractor is relieved of its service continuity plan obligations.
2.8 Key sub-contractors:
Financial distress of a key sub-contractor will now trigger obligations on the service provider to attend meetings with the authority, to procure attendance by key sub-contractors, and to submit key sub-contractors' service continuity plans following consultation with the authority (new paragraph 12 added to the Schedule 7.4 drafting).
2.9 Sub-contractor non-payment reports:
The obligation on service providers to include a sub-contract provision requiring key sub-contractors to report material non-payments or late payments has been moved to Clause 23.7 of the OGC ICT Model Contract.
3 Other key changes overview
3.1 Key amendments to body of the contract
A number of amendments have been made to the body of the model contract, many of which are minor drafting improvements or legislation updates, or take into account some commonly requested and fair changes, such as the addition of 'as soon as reasonably possible' language in a number of places.
The most significant changes to the body of the OGC ICT Model Contract are:
- Carbon reduction: Services improvement obligations are now to encompass reporting on means of reducing energy consumption (Clause 14.1.5). This is, says the guidance note below Clause 14.1.5, to help the authority plan its response to the Carbon Reduction Commitment. As for other existing service improvement areas to be reported on further to Clause 14.1, any changes which result are to be agreed by the parties through the change procedure (Clause 14.4).
- Direct agreements: Additional drafting to allow for direct agreements between the authority and subcontractors (Clause 23).
- Data handling: Flow-down of data handling provisions to key sub-contractors involved in the processing of personal data (Clause 23) and of data protection clause provisions to all sub-contractors who come into contact with personal data (Clause 23.7.4).
- Sub-contractor financial distress: Application of reporting, meeting and service continuity plan provisions to tie in with new requirements of Schedule 7.4 (see paragraph 2.8 above for details) in the event of key sub-contractor financial distress (Clause 23).
- Transfers of personal data outside of the European Economic Area (EEA): More precise drafting around when personal data can be transferred outside of the EEA and subject to what processes (change control) and conditions (including putting in place directly with the relevant data processor European Commission approved model contract clauses for transfers of personal data to data processors outside of the EEA) (Clause 41).
- Individual confidentiality undertakings: Addition of new guidance at Clause 43 explaining that direct confidentiality undertakings with individuals, whilst this 'reinforces the importance attached to safeguarding Authority data', can be onerous and should only be required 'in exceptional cases where there is particular sensitivity regarding the Authority Data'. The guidance goes on to say that, in most cases, Clause 43.5 should suffice.
- Need to know only access to information: A new clause has been added to contractually require service providers only to disclose confidential information to contractor personnel who 'are aware of, acknowledge the importance of, and comply with these obligations as to confidentiality' and requiring the service provider to take and demonstrate to the Authority that it is taking 'action as may be appropriate in the circumstances, including the use of disciplinary procedures in serious cases' in the event of confidentiality breaches (Clause 43).
- Reclaimable milestone payments: Addition of a new definition for 'Reclaimable Milestone Payments' and amendments to the drafting at Clause 55.5.2 to clarify that return of Reclaimable Milestone Payments shall be if and to the extent the Authority demands.
- Return/destruction of data: Addition of new drafting at Clause 57 to remove potential conflict between general obligations to return or destroy data and obligations under the exit plan (i.e. general provisions will now be 'subject to' the exit plan provisions).
3.2 Key amendments to schedules
- Schedule 2.1 (Services Description): The inter-relationship between this schedule, Schedule 3 (Authority Responsibilities), Schedule 2.3 (Standards) and Schedule 4.1 has been clarified in Schedules 2.1, 3 (Authority Responsibilities) and 4.1 (Contractor Solution). New service provider requirements have been added to this schedule in relation to information asset registers and a business process manual, as well as new references to the asset register and the configuration management database (both of the latter were previously referred to in Schedule 8.5 (Exit Management) and have merely moved from Schedule 8.5 to Schedule 2.1).
- Schedule 2.3 (Standards): References to BS 15000 have been updated to ISO 20000, together with obligations to prepare and deliver for authority approval, within three months of the effective date, the processes listed at paragraphs 1.4.2 and 1.4.3 (which list service support and service delivery processes).
- Schedule 4.1 (Contractor Solution): New guidance in this schedule warns against incorporating requirements on the authority other than in Schedule 3 (Authority Responsibilities) and against including obligations on the service provider which should not be contractualised (i.e. where the service provider's discretion to make changes should not be fettered).
- Schedule 7.1 (Charging and Invoicing): New wording at the end of paragraph nine (Delay Payments) has been added so that the maximum total charges payable over the term are set out in this schedule.
- Schedule 8.2 (Change Control Procedure): Additional guidance now clarifies that the change control procedure should not be used for pricing and approval of catalogue items (which should instead be subject to a separate call-off procedure). Also, provisions have been added to bring the service provider's ability to refuse change requests in line with the approach used for PFI contracts, as reflected in SoPC4.
4 Still to come
Version 2.3 will by no means be the last version of the OGC ICT Model Contract and we understand from the OGC that an agenda for Version 2.4 is already forming. We anticipate that Version 2.4 may well address the following issues:
- Open source: The Open Source Software Government Action Plan and consequences for the OGC Model ICT Contract.
- Schedule 2.5 (Security Management Plan): The OGC has invited further comments on this schedule so that it might further improve its effectiveness and ease of use.
- Authority employment indemnity: The inclusion of an authority indemnity against 'Employee Liabilities' arising from the authority's action or inaction remains outstanding.