Departmental Data Protection

Volume 487: debated on Monday 26 January 2009

To ask the Secretary of State for Justice what percentage of contractors and suppliers to (a) his Department and (b) its agencies have reported that they are compliant with the Government’s security standards following publication of the report, Data Handling Procedures in Government, and the accompanying document, Cross-departmental Actions: Mandatory Minimum Action, on 25 June 2008. (245327)

The recommendations about data handling within Government that relate to contractors and suppliers are being taken forward in a number of areas across the Ministry of Justice (MOJ).

Cabinet Office were updated on 19 September about progress taking forward these recommendations and continuing work to review data security provisions within contracts and to seek the necessary assurances from contractors and suppliers.

The following action has been taken which updates the position reported to Cabinet Office:

The National Offender Management Service (NOMS) carried out an analysis of their current non-IT contracts following receipt of the data security directive. 519 contracts required inclusion of the additional clauses and letters were sent to all suppliers concerned requesting the integration of these new terms and conditions. To date, 66 contractors (13 per cent.) have responded and confirmed that the additional clauses have been integrated into their contracts. The work stream is being monitored on a monthly basis at senior management team level.

The Office for Criminal Justice Reform (OCJR) has asked their suppliers to adopt an approach consistent with Ministry of Justice data handling and security requirements and has amended its Security Aspects Letters (SAL), which sets out these security requirements. To date, three of their four key suppliers have formally adopted the new protocols.

Research unit has 10 contracts in place where suppliers have confirmed compliance with the new data security arrangements and two contracts have been awarded since June 2008 that already include the new security requirements.

Democracy, Constitution and Law have one contract in place that complies with departmental data handling and information security requirements.

Work is continuing with suppliers responsible for non-IT contracts awarded by ex-DCA Procurement, which includes contracts negotiated for Access to Justice, to put in place a standard contract amendment based on OGC terms. IT suppliers to MOJ (excluding NOMS) have been written to, reminding them of their obligations under the Data Protection Act 1998 and specifically drawing their attention to the two issues that arose in the data handling review: one, the encryption of laptops, and two, restrictions on the use of removable media for transporting personal data. 31 suppliers were contacted and 59 per cent. of those suppliers have confirmed that they are compliant. This includes the two major IT providers.

NOMS ICT supplier contracts have been reviewed, and appropriate standard wording identified to address data security issues. Work is in hand to negotiate these changes with suppliers.

MOJ standard terms and conditions of contract are currently being reviewed and amended to address the data security issues raised by the Hannigan Report. The revised terms will be introduced shortly across the MOJ. In the meantime, standard wording addressing the data security provisions has been issued for inclusion in new contracts awarded prior to the adoption of the new standard terms.