
Procure IT 3.2 Guidance

1 July 2017

Copyright

This Procure IT v.3.2 Guidance has been prepared for and on behalf of the Crown in right of the State of New South Wales (NSW Department of Finance, Services and Innovation).

© State of New South Wales (Department of Finance, Services and Innovation) 2017.

This Guidance may be displayed, downloaded, printed and reproduced for the purposes of use in relation to Procure IT contracting arrangements, without formal permission or charge. All other rights reserved.

Department of Finance, Services and Innovation

Address: McKell Building, 2-24 Rawson Place, SYDNEY NSW 2000

Contact: [email protected]

Phone: TTY: 1300 301 181

www.finance.nsw.gov.au

1 Introduction

The NSW Procurement Board has approved release of a revised Procure IT v.3.2 framework.

Version 3.2 replaces version 3.1 and is applicable to all ICT procurement on or after 1 September 2017.

Key changes (compared to the v3.1 Customer Contract) include amendments:

· for compliance with applicable laws (including in relation to the Privacy Act 1988 (Cth) (the Privacy Act), Privacy and Personal Information Protection Act 1998 (NSW) (PPIPA), Health Records and Information Privacy Act 2002 (NSW) (HRIPA) and Government Information (Public Access) Act 2009 (NSW) (GIPA Act))

· to assist industry and Government in complying with relevant Government policies, including:

· NSW Government Digital Information Security Policy

· NSW Government Cloud Policy

· State Records Authority for transferring records out of NSW for storage with or maintenance by service providers based outside the State (GA35)

· in relation to issues discussed with industry and Government during consultation

· updating various definitions and clauses.

Procure IT v.3.2 also addresses various cross-referencing and other minor drafting issues, including consistency of terminology.

Broadly, the amendments fall within the following themes:

· data

· security

· systems

· liability

· termination for convenience

· escrow

· audit

· regulatory compliance

· intellectual property rights.

The Procure IT Modules have also been revised to address minor drafting issues and to rebadge Procure IT v.3.0 Modules 13 and 13A as Procure IT v.3.2 Modules, but otherwise remain unchanged.

2 Background

The Department of Finance, Services and Innovation (DFSI) conducted industry and agency-based consultation in 2015-2016 in relation to Procure IT v3.1. DFSI received detailed feedback on both Procure IT v.3.1 and a consultation draft reflecting a broad range of feedback received from industry and agencies in the period since v3.1 came into effect on 13 June 2013.

Procure IT v3.2 does not address all of the feedback received by DFSI from industry or Government in the course of consultation to date. Instead, Procure IT v3.2 takes an incremental approach to issues raised during the consultation and is in the nature of an update or refresh.

DFSI's review of the Procure IT framework is an ongoing project. DFSI intends in future to issue a new version of Procure IT that more comprehensively addresses the issues raised in feedback and other emerging issues.

DFSI welcomes feedback from industry and Government on any issues or concerns regarding Procure IT v.3.2 as part of our ongoing review of Procure IT.

3 Purpose of this Guidance

This Guidance identifies and explains the key changes to the v3.1 Customer Contract. It is to be read in conjunction with DFSI's "Procure IT Version 3.1 User Guide, issued 24 October 2013". This Guidance takes precedence if there is any conflict with the Procure IT Version 3.1 User Guide.

Defined terms in this Guidance have the meaning given to those terms in the v3.2 Customer Contract.

4 Data

4.1 Background

Increased innovation and use of cloud-based services by Government have seen an increase in the amount of data disclosed to service providers by Government in connection with the procurement of ICT services and a corresponding increase in data risk for Government.

The absence of a definition of "Customer Data" or any obligations on Contractors in relation to Customer Data in the v3.1 Customer Contract led to a requirement for Government to include standard clauses relating to protection of Customer Data to assist agencies to comply with NSW Government policies and to impose a baseline standard for Contractors in relation to digital security and regulatory compliance.

4.2 Clauses

New definition of "Customer Data".

Clause 7.4 clarifies the ownership of the Customer Data by the Customer.

Clauses 7.5 and 7.6 impose an obligation on the Contractor not to transfer outside of NSW any Customer Data that is a State Record without the Customer's prior written consent or as specified in new Item 25A of the General Order Form.

Clauses 7.7 to 7.9 include provisions relating to retention and destruction of Customer Data, and if applicable, use of Customer Data for testing and maintenance of backups.

Clause 25.9 imposes requirements on the Contractor to provide the Customer Data to the Customer or delete the Customer Data and Confidential Information on termination of the Customer Contract.

4.3 Rationale and practicalities

The overarching policy requirement in relation to Customer Data under the NSW Government Cloud Policy is that agencies should retain ownership of information assets and that all data will be maintained, backed up and secured until returned on termination of the arrangements.

DFSI acknowledges that both industry and Government require a degree of flexibility in taking steps to maximise the benefits of digital transformation at the same time as complying with NSW Government policies and applicable laws. The new clauses will assist both industry and Government with policy and regulatory compliance without being overly prescriptive.

For example:

· Clauses 7.5 and 7.6 include qualifications enabling the Customer to provide consent to transfers of Customer Data outside NSW.

· Clause 7.7 enables the Customer to notify requirements to the Contractor in relation to retention and destruction of Customer Data.

· Clause 7.9 provides for the parties to specify arrangements with respect to backups in a Module Order Form.

GA35 provides that NSW public offices may transfer records outside of NSW for the purpose of storage with or maintenance by service providers based outside of NSW in certain circumstances. Provided that agencies assess and address the risks involved in taking State Records outside of NSW in accordance with GA35, the revised clauses in the v3.2 Customer Contract broadly satisfy the requirements specified in GA35 to ensure safe custody and preservation of records and retention and ownership of records by Government.

5 Security

5.1 Background

The v3.1 Customer Contract includes a mechanism for Customers to specify secrecy and security requirements in the General Order Form. However, DFSI received feedback from Government Agencies requesting inclusion of baseline standards relating to security and inclusion of an obligation on the Contractor to notify breaches of the secrecy and security requirements to the Customer for closer alignment with the NSW Government Digital Information Security Policy and NSW Government Cloud Policy.

5.2 Clauses

Clause 7.10(a) imposes a baseline standard of security to protect against unauthorised access, use, destruction, loss or alteration of Customer Data and the Customer's other Confidential Information.

Clause 7.10(b) imposes a requirement on Contractors to notify the Customer of any amendments to its procedures and safeguards that are made from time to time.

Clause 7.12 imposes obligations on the Contractor in relation to an actual, alleged or suspected breach of secrecy and security requirements (including to notify the Customer). There is some flexibility for the Customer to agree additional or alternate Security Issue notification timeframes and procedures in Item 25 of the General Order Form; however, such arrangements must be approved by the Customer’s CIO and comply with applicable legislative and policy requirements, as indicated in the guide note in Item 25.

5.3 Rationale and practicalities

The amendments impose a baseline standard for security and requirement for data breach notifications in accordance with the NSW Government Digital Information Security Policy and NSW Government Cloud Policy. However, these amendments do not restrict the parties from agreeing additional security and secrecy measures to address the circumstances of a particular procurement in the General Order Form.

6 Systems

6.1 Background

DFSI received feedback suggesting that the absence of system requirements in the v3.1 Customer Contract created difficulties in procurements involving the acquisition of a system made up of components that are covered by different Modules. As an example, there was concern that individual warranties under the Modules were insufficient in circumstances where Contractors have "end-to-end" responsibility for a system.

6.2 Clauses

New definition of "System".

Clause 5.11(a) imposes an overarching obligation on the Contractor to implement the System in accordance with the Customer Contract and the relevant Modules.

Clause 5.11(b) clarifies that final acceptance of the System will not occur until the System as a whole passes all Acceptance Tests.

Clause 9.3 is a warranty in respect of the System from end to end in order to avoid gaps between Modules in respect of the Products and Services comprising the System.

6.3 Rationale and practicalities

DFSI received feedback from industry acknowledging that whole of system concepts are appropriate for the Procure IT framework and that industry would prefer to see these amendments dealt with in the relevant Modules. DFSI will give further consideration to the most appropriate location for these provisions within the Procure IT framework in the course of developing future iterations of Procure IT.

7 Liability

7.1 Background

DFSI received feedback from industry regarding the approach to liability under the v3.1 Customer Contract, including a need for greater consistency in relation to references to "loss, damage and expense".

The remaining elements of the feedback from industry remain under review and may be addressed in future iterations of Procure IT.

7.2 Clauses

All references to "loss", "damage" and "expense" have been updated to "loss, damage and expense" for consistency.

7.3 Rationale and practicalities

The amendments are self-explanatory.

8 Termination for convenience

8.1 Background

The provisions of the v3.1 Customer Contract required clarification to reflect the principle that if a Customer terminates the Customer Contract for convenience the Customer must indemnify the Contractor against liabilities or expenses which are reasonably and properly incurred by the Contractor as a result of termination or pay the Contractor the amount specified in the General Order Form.

8.2 Clauses

Clause 25.4 has been amended to reflect the principle described in paragraph 7.1.

8.3 Rationale and practicalities

The amendment is for clarification to prevent the interpretation of clause 25.4 as permitting "double-dipping" by Contractors.

9 Escrow

9.1 Background

DFSI received feedback suggesting that requiring the Parties to enter into escrow arrangements with escrow agents on the terms of the Escrow Agreement in Schedule 5 of the Customer Contract created practical difficulties, for example, where escrow agents provide services under their own standard terms.

9.2 Clauses

Clause 6.42(a) has been amended to provide that if a Contractor is required to enter into an escrow arrangement, the terms of the Escrow Agreement may be as set out in Schedule 5 of the Customer Contract "or such other document reasonably acceptable to the Customer".

9.3 Rationale and practicalities

The qualification provides flexibility regarding the terms of escrow arrangements that may be entered between the Contractor, Customer and escrow agent.

10 Audit

10.1 Background

The v3.1 Customer Contract required amendment to support compliance with the policies set out in paragraph 1 (which require, for example, provisions allowing the auditing of data and security in line with policy and legislative requirements).

10.2 Clauses

Clauses 23.5 to 23.10 build upon the existing provisions regarding record keeping to include audit rights to permit Customers to conduct audits to enable them to confirm a Contractor's compliance with the Customer Contract.

Clause 23.11 permits the Customer and Contractor to agree an alternative audit mechanism to the Customer audit mechanism provided in clause 23, such mechanism to be specified in new Item 40A of the General Order Form.

10.3 Rationale and practicalities

The existing requirements in relation to record keeping in the v3.1 Customer Contract have been built upon in clauses 23.4 to 23.10 to include a mechanism for the Customer to conduct audits to determine the Contractor's compliance with the Customer Contract and the accuracy of its invoices. These rights support Government audit and security requirements under the policies identified in paragraph 1 and applicable laws. Audit rights are subject to a notice period of at least 5 Business Days and are qualified by reference to reasonableness. Flexibility is provided for an alternative audit mechanism to be agreed in the General Order Form.

11 Regulatory compliance

11.1 Background

The v3.1 Customer Contract required amendment to:

· reflect regulatory changes since it came into effect on 13 June 2013 (for example, amendments to the Privacy Act 1988 (Cth) that impact on industry); and

· support Customer obligations to ensure that Government information is accessible to the public under the GIPA Act.

11.2 Clauses

New definition of "Privacy Laws" and amended definition of "Personal Information".

Clause 15.1 has been amended for compliance with Privacy Laws.

Clauses 26.12 to 26.16 have been inserted to broadly reflect requirements under the GIPA Act and other relevant obligations.

11.3 Rationale and practicalities

Where applicable, Contractors must comply with the Privacy Act in connection with the collection, storage, access, use and disclosure of Personal Information by them in connection with the provision of Services.

Amendments were required to clause 15.1 of the v3.1 Customer Contract to reflect obligations under relevant Privacy Laws including under the PPIPA and HRIPA.

These amendments reflect mandatory laws and the types of contractual measures that Government is required to include in contracts under the policies identified in paragraph 1 and applicable laws.

Clauses 26.12 to 26.16 are included to facilitate compliance with the GIPA Act and other relevant obligations. These clauses adopt a similar approach to the NSW Information and Privacy Commission template contract wording in relation to section 121 of the GIPA Act.

12 Intellectual Property Rights

12.1 Background

The principles relating to ownership of Intellectual Property Rights under clause 13 of the v3.1 Customer Contract and the licensing arrangements in relation to Existing Material have not changed. However, DFSI received feedback that agencies would prefer discretion regarding licensing of Intellectual Property Rights of Customer owned New Material.

The amendments relating to Open Source Software are intended to address concerns from Government Agencies that they did not have enough control over the use of Open Source Software in relation to Deliverables, and that the use of Open Source Software may potentially undermine the licensing regime in the Customer Contract.

12.2 Clauses

New definition of "Online Service".

Amended definition of "Open Source Software" consistent with the Commonwealth Government's Source IT ICT procurement templates.

Clause 13.5(c) is amended to ensure the Customer’s sublicence rights reflect repeal of previous public sector employment legislation and introduction of the Government Sector Employment Act 2013 (NSW).

Clause 13.6(e) sets out the scope of the Contractor's non-exclusive licence in respect of Existing Material that is an Online Service procured under Module 10 (As a Service).

Clause 13.9 clarifies that, unless expressly agreed otherwise in the General Order Form, the Customer’s rights in respect of Existing Material are perpetual and irrevocable but only to the extent required for the Customer to receive the benefit of the Products and the Services.

Clause 13.11(b) has been amended such that, if it is agreed that the Intellectual Property Rights in respect of New Material are vested in the Customer, the Customer has discretion as to whether to grant a licence back to the Contractor and to determine the terms of any such licence.

Clause 13.14 provides that Open Source Software may only be included in Deliverables with the written consent of the Customer. This is not a prohibition; it simply serves to create a trigger for the Customer to assess the impact of Open Source Software on Deliverables where this is under consideration.

Clause 13.15 seeks to preserve the Customer's rights under the Customer Contract where the Customer consents to the use of Open Source Software in a Deliverable by providing that the Contractor's use of such Open Source Software does not have unintended consequences from a security point of view or diminish the Contractor’s obligations under the Customer Contract.

Clause 19.5 is amended to require the Contractor to indemnify the Customer for IP claims caused by Contractor-approved uses of Deliverables with other products, equipment, business methods, software or data, or by Contractor-approved modifications of Deliverables.

12.3 Rationale and practicalities

The clarification to the licence in relation to Existing Material addresses a concern that Government's right to use Deliverables on the basis set out in the Customer Contract be made clear, notwithstanding that those Deliverables may incorporate Existing Material, particularly in the context of cloud services and more complex ICT procurement.

The amendments to clause 19.5 align with the amendments to clause 13 and take account of Contractor-approved uses and modifications to Deliverables.

The amendments relating to licensing of Intellectual Property Rights in Customer owned New Material are required to provide control and flexibility to Government regarding licences back to the Contractor. Clause 13.11 will only apply where the Customer and Contractor expressly agree in the General Order Form. The default position continues to be that Intellectual Property Rights in relation to New Material vest in the Contractor.

The amendments relating to Open Source Software do not prohibit its use in relation to Deliverables, but are intended to create a trigger for Open Source Software to be identified so that its use can be fully assessed by Customers.