New PPN 03/22 for data protection - Changes focus on international transfers and protective measures for data security
Global Government Contracting: Insight Series
At the end of last year, as the world turned its sights onto festive decorations and well-packed stockings, the UK’s Crown Commercial Service provided Government Departments, their Executive Agencies and Non-Departmental Public Bodies with a Christmas gift of their very own… a new Procurement Policy Note for data protection.
Action Note PPN 03/22, as it is formally known, replaces PPN 02/18, which (together with its predecessor PPN 03/17) was the original procurement policy note providing guidance on the application of the General Data Protection Regulation (GDPR) to government contracts. While the PPN does not introduce any radical change of approach, particularly for those who have been keeping track of subsequent changes to the UK Government’s Model Services Contract (the last iteration of which was published in April 2022), both the guidance and the model clauses attached to it demonstrate a renewed focus on data security, and tailor offshoring clauses to the post-Brexit age.
What does PPN 03/22 do?
In brief terms, the purpose of the PPN is to provide Government Departments, their Executive Agencies and Non-Departmental Public Bodies with guidance on the incorporation of data protection rules into their contracts, and to provide template legal clauses which can be used for that purpose. This will be particularly helpful for those less familiar with the rules contained within the GDPR, and in particular Article 28, which stipulates which clauses a contract must contain when a service entails personal data processing between a controller and a processor.
While the contractual requirements of the GDPR did not undergo any substantive changes as a result of the UK’s exit from the European Union, the adaptation into a UK version of the GDPR did have a particular impact on provisions relating to offshoring of personal data outside of the UK. This included the approval by the UK Parliament of a new International Data Transfer Agreement in place of the EU’s Standard Contractual Clauses, for use when offshoring data outside of the UK. In addition, the Schrems II judgment cast doubt on the lawfulness of making data transfers to the US (particularly under the now defunct EU-US Privacy Shield), and put in motion a swathe of additional protections in order for transfers to be lawful, including the requirement to conduct a risk assessment when transferring personal data to “non-adequate” jurisdictions. These changes are reflected in the PPN, which also includes specific guidance around international transfers and updates the data offshoring contract clauses to reflect UK-specific rules.
What are the main changes since PPN 02/18?
While a fair amount has changed in both the guidance and the attached model clause since 2018, many of those changes, particularly the introduction of the UK version of the GDPR since Brexit, will already be familiar to those using the government Model Services Contract (“MSC”). The latest v2.0 of the MSC made the most substantial set of changes to the government’s model clause, correcting EU references, drawing a distinction between data offshoring under the UK GDPR and the EU GDPR, and changing the guideline figure for a separate data protection liability cap. While those changes have been reflected in PPN 03/22, the PPN goes further in a number of ways:
- New definition of Protective Measures – the government standard controller-processor clause requires the supplier/processor to have Protective Measures in place to meet GDPR security requirements. While this requirement is not new, the enhanced definition is, accompanied by an entire annex designed to describe a minimum standard of security measures which meet the “technical and organisational measures” requirement of Article 32 GDPR. The annex, which encourages a proportionate approach to the level of security applied, provides a detailed list of minimum security measures which the supplier should adopt, including having in place:
  - External certifications (e.g. ISO 27001:2013 and Cyber Essentials Plus)
  - NCSC minimum standards for end user devices
  - Use of a CHECK or CREST certified supplier to perform penetration testing
  - Pre-employment checks for relevant personnel security
  - Operation of an access control regime
  - Security audits and protective monitoring
  - Procurement and implementation of security patches
- Simplified approach to use of offshoring safeguards – users of the MSC will notice that this new clause drops the distinction between UK GDPR and EU GDPR regimes when describing offshoring requirements, stipulating instead the safeguards required to offshore data under UK GDPR. Thankfully, the clause also removes the previous incorporation of the International Data Transfer Agreement and EU Standard Contractual Clauses into the schedule, making it some 80 pages lighter in the process! This is clearly a welcome move, as those clauses can be incorporated by reference, namely in the data processing table in Annex A, which provides a new line item requiring parties to detail their use of international transfers and related legal gateways.
- Requirements to record the protective measures and offshoring of the entire supply chain – first introduced in the MSC in April 2022, the template data processing schedule now requires suppliers not only to record the protective measures they are using, but also those of their supply chain. This, coupled with the separate requirement to describe the location of their data processing, will be something of an onerous obligation on suppliers, particularly those with complex supply chains with personal data processing taking place throughout the chain.
While the guidance states that the requirements “are intended to supplement, not replace security schedules”, contracting authorities may find it easier to simply point their definition of Protective Measures at the pre-existing security schedule, where security requirements can be fleshed out, as necessary, to reflect the new requirements outlined above.
Practical next steps for government
Public sector organisations familiar with the previous PPN 02/18 and/or the MSC are likely to already have GDPR-compliant data protection clauses contained within their contract. The extent to which those clauses will need updating will depend upon the latest version of the template clauses used.
- For those contracts based upon the clauses originally contained within PPN 02/18, these are likely to need updating to reflect the post-Brexit changes discussed above. The new PPN suggests that such changes can be made when a contract comes to be naturally renewed, although it advises that for those contracts involving a substantial volume of personal data, in-scope organisations may want to introduce the new clauses sooner.
- For those contracts based upon the last version (v2.0) of the MSC, data protection clauses will already contain the distinction between EU GDPR and UK GDPR and are unlikely to require changes to reflect the new PPN clauses. However, contracting authorities should cross-check the new Protective Measures against their existing security schedule to ensure requirements provide adequate protection for personal data.
- For new contracts going forwards, the new clauses in PPN 03/22 should be used. The PPN suggests that the MSC will also be updated to reflect the new clauses in due course.
While many of the changes brought about by PPN 03/22 merely consolidate changes which have been gradually finding their way into the MSC clauses since Brexit, the most important change, in our view, will be the introduction of a new, granular description of Protective Measures. This description represents a definitive minimum standard of technical and organisational measures (TOMs) and will be a useful reference point for both the public and private sectors.
The PPN is also notable for its focus on international transfers, which provides useful guidance on offshoring post-Schrems II. However, users of the PPN should note that this remains a fast-changing area. With new EU-US and UK-US international transfer agreements expected imminently, together with the UK’s commencement of its new adequacy assessment regime (which has recently found South Korea to be "adequate" under Article 45 UK GDPR), the provisions of this PPN will be quickly out of date. However, the model clause, for now, will be the best example of a data protection clause for those contracting with government, and will also be a useful tool for those agreeing data protection obligations elsewhere.