PPN 03/22 (PCR 2015)

Updated guidance on data protection legislation

In: Procure > Finalise and publish procurement pack

Overview

The contents of this PPN apply to all central government departments, their executive agencies and non-departmental public bodies (collectively referred to as ‘in-scope organisations’).

This PPN emphasises the importance of including data processor clauses in contracts, as required under Article 28 UK General Data Protection Regulation (UK GDPR). It explains the roles and responsibilities of Controllers and Processors, where Controllers determine the purposes and means of processing personal data, and Processors act on behalf of Controllers. The document also addresses Crown to Crown data agreements, specifying that a Memorandum of Understanding suffices for such internal agreements.

Regarding compliance, the PPN advises against routinely accepting contract price increases from suppliers due to compliance costs. It warns of the risks of non-compliance, including potential fines and enforcement orders from the Information Commissioner’s Office (ICO). It also details contract liabilities, advising that in-scope organisations should not accept liability clauses that indemnify Processors against fines or claims under UK GDPR.

The PPN also includes guidance on protective measures and security requirements for data processing contracts, detail on the legal framework for international data transfers (including the new UK International Data Transfer Agreement), and the conditions for transferring personal data outside the UK.

Lastly, the PPN provides a comprehensive set of standard UK GDPR clauses (in Annex A) for inclusion in contracts, alongside a schedule for processing personal data.

Objective at this commercial stage

Relevant data processor clauses should be included in the contract when finalising the procurement. On the basis that the UK GDPR now gives Processors responsibilities and liabilities in their own right, liability and indemnity provisions should be considered on a contract-by-contract basis, depending on the nature of the procurement, the appetite for risk and the type of personal data involved in the contract.

Key considerations at this commercial stage

In-scope organisations should:

  • consider incorporating the data processor clauses in the contract (including call-off contracts), as per this PPN (i.e. PPN 03/22) at Annex A
  • consider liability and indemnity provisions on a contract-by-contract basis, depending on the nature of the procurement, the appetite for risk and the type of personal data involved in the contract. This is because the UK GDPR now gives Processors responsibilities and liabilities in their own right
  • be aware that different legal obligations apply depending on the nature of the relationship with the supplier as explained further in this PPN.

This PPN should be read alongside the relevant parts of the legal framework but it is not designed to provide guidance on a particular clause or regulation from the Public Contracts Regulations 2015 (PCR 2015).

Additional support and guidance

Make sure you:

  • read the PPN and any supporting implementation guidance
  • seek legal and commercial advice in the context of specific procurements