ProcureIT is the NSW government’s standard suite of contracts for the acquisition of information and communications technology-related products and services.
ProcureIT version 3.2 is the first major change in ProcureIT since version 3.1 was released in June 2013. This bulletin provides an overview of major changes that agencies and suppliers will need to be aware of when using ProcureIT.
1. Scope of changes
ProcureIT v 3.2 is a step change, and not a wholesale rewrite of ProcureIT.
The changes are primarily focused on updating and enhancing the data security and privacy terms and ensuring compliance with legislation and government policy. There are changes to intellectual property principles, particularly in relation to open source software, as well as escrow and audit provisions. Version 3.2 also better addresses the acquisition of a “system”, addressing issues that agencies purchasing systems previously had with the very modular approach of ProcureIT.
The changes introduced by version 3.2 are primarily contained in the Customer Contract Terms and Conditions and the Dictionary. Consequential amendments have been made to the Head Agreement and Schedules, including the General Order Form. The Modules have had minor drafting updates only, and the ProcureIT short form ICT agreement has not been amended at this stage.
ProcureIT version 3.2 is available now on ProcurePoint for use by agencies. However, using version 3.2 does not become mandatory until 1 September 2017. Agencies with in-flight projects will need to think about which version of ProcureIT they should be using.
3. Other changes to come
A further, more extensive review of ProcureIT (version 4) has been contemplated, but no timing has yet been announced. One of the main future changes that has been discussed is revision of Module 10 (“As a Service”).
The Department of Finance, Services and Innovation (DFSI) has also recently released a Request for Information contemplating a project to digitise the ProcureIT documents and processes. The project is to provide a guided user interface to enable contract construction with an embedded decision support and management tool that utilises existing knowledge bases. The aim is to provide mechanisms that can be used by non-legal users to support them in contract development.
4. DFSI approval for changes
NSW government agencies are obliged to use the ProcureIT framework when entering into arrangements with suppliers for the procurement of information and communications technology related goods and services.
Ministerial Direction 2012-05 introduced a rule that government agencies were not permitted to amend the standard terms of the ProcureIT framework without the written approval of DFSI. This included amendments that might benefit agencies by improving their legal rights or adding additional obligations on the contractor. This position has led to a practice whereby agencies submitted long lists of additional conditions to DFSI for approval.
The proposal as part of ProcureIT v3.2 is to remove the need for agencies to seek approvals for beneficial variations to the ProcureIT framework which improve the customer’s legal position. Instead agencies would now only be required to seek approval for changes which are detrimental to the Government’s position. For beneficial variations, agencies would be able to proceed without seeking approval but would still be required to provide prior written notification of the variations by letter in writing to DFSI legal, supported by legal advice. Changes to the Customer Contract have been made to permit this, subject to a further Ministerial Direction. A requirement that Contractors receive a copy of any DFSI approval to variations has been removed from the Customer Contract.
Since the inception of ProcureIT, the focus on data and the use of cloud based systems have increased exponentially. ProcureIT version 3.2 introduces enhanced data protection for Government including:
- Consistent with Government cloud policy, there is confirmation that agencies retain ownership of Customer Data. The Contractor only has rights to Customer Data as set out in the Customer Contract (cl 7.4).
- Customer Data that is a State Record cannot be transferred outside of NSW and the Contractor cannot transfer possession without the Customer’s prior written consent or unless specified in the General Order Form. The Contractor must comply with any conditions of the Customer’s consent (cl 7.5).
- The Contractor must only retain the Customer Data that the Customer has agreed the Contractor may retain, and only for the period and in the volumes agreed by the Customer. After the agreed date, the Contractor must destroy or return the Customer Data at the Customer’s election (cl 7.7).
- Customer Data must be sufficiently masked or de-identified if it is to be used for testing purposes (cl 7.8).
- If required in a Module Order Form, the Contractor must back up Customer Data that is loaded into a Deliverable (cl 7.9).
ProcureIT version 3.1 required Contractors to comply with security requirements set out in the General Order Form. The new provisions in ProcureIT version 3.2 enhance that requirement by including baseline requirements:
- The Contractor must maintain, enforce and continuously improve security measures against unauthorised access, use, destruction, loss or alteration of the Customer’s Data and Confidential Information (cl 7.10(a)).
- The Contractor must keep the Customer notified of security procedures and safeguards (cl 7.10(b)).
- The Contractor must immediately advise the Customer of any actual, alleged or suspected breach of security requirements and must conduct an investigation into such breach and report back to the Customer within 48 hours of notification.
- The Contractor has 24 hours from the conclusion of an investigation to remedy any security breach and notify the Customer.
7. Intellectual Property
The intellectual property terms have been updated to reflect the nature of the software and services being acquired, particularly in the context of cloud services. The main terms are:
- Open Source Software is not prohibited, but can only be included in Deliverables with the written consent of the Customer. This is designed to enable Customers to make an informed choice about the nature and extent of open source software being used in their environments. Where a Customer consents to the introduction of open source software, that must not diminish the Contractor’s obligations under the Customer Contract or result in the Customer having an obligation to disclose, license or otherwise make available any part of the Customer’s environment, data or confidential information to a third party (cls 13.14 – 13.16).
- The licence for Existing Material that already existed in ProcureIT version 3.1 has been clarified in the context of online services procured under Module 10 (As a Service) (cl 13.6(e)).
- Licences granted to the Customer for the Contractor’s Existing Material used in Deliverables are made perpetual and irrevocable to enable the Customer to receive the benefit of the procured Products and Services (cl. 13.9).
- ProcureIT version 3.1 contained a licence back from the Customer to the Contractor for New Material. That has been modified in ProcureIT version 3.2 so that the Customer has a discretion to grant the Contractor a licence in respect of the IP rights in New Material on its own terms. This is only where it is agreed that the IP in the New Material is vested in the Customer, and the default position is still that IP is vested in the Contractor.
8. Regulatory updates
ProcureIT version 3.2 includes a number of updates for compliance with laws that have changed since 2013, including the Privacy Act 1988 (Cth), Privacy and Personal Information Protection Act 1988 (NSW), Health Records and Information Privacy Information Act 2002 (NSW) and Government Information (Public Access) Act 2009 (NSW).
The ProcureIT framework is often used for the procurement of systems. However, the modular nature of the separate software and hardware modules, and the way the warranty and liability regime worked, did not lend itself to system acquisition. For example, customers often added system specific warranties as individual warranties for the component parts of the system were not sufficient.
A new definition of a “System” has now been included, being the system described in the Contract Specifications, made up of the Products and Services procured by the Customer pursuant to the Customer Contract (cl. 27.118). The definition of “Deliverable” has also been updated to include reference to a System where applicable (cl. 27.40).
If the Customer specifies on the General Order Form that the Products and Services procured comprise a System:
- the Contractor must develop specification documents for the proposed system and design, develop and build the System (cl. 5.11); and
- the Contractor warrants that the System will comply with the Specifications, be properly installed and be compatible and integrated with the Designated Environment (cl. 9.3(b)).
Where a System is being procured, the Customer Contract now provides that final acceptance of the System will not occur until all components of the System pass all acceptance tests.
A new cap on liability has been introduced capping liability for a System at two times the Contract Value for the Non-Recurring Service or Product comprising the System.
The ProcureIT audit terms have been updated to reflect Government policies in relation to ICT, in particular the:
- NSW Government Digital Information Security Policy
- NSW Government Cloud Policy
The existing ProcureIT record keeping clauses have been expanded to permit the Customer to conduct annual audits to ensure compliance with the Customer Contract and the accuracy of the Contractor’s invoices. An alternative audit regime may be agreed in the General Order Form or otherwise in writing.