Offshoring policy for DWP contractors
Updated 9 July 2024
1. Overview
All services performed by contractors on behalf of the Department for Work and Pensions (DWP) must comply with His Majesty’s Government (HMG) policies and standards, and in particular with the Cabinet Office Security Policy Framework (SPF) Mandatory Requirement 31, which requires government departments to have an information security policy setting out how they and their delivery partners, including those who offshore, comply with the SPF minimum requirements.
In compliance with this requirement, DWP has implemented the DWP Offshoring Policy, which details controls and recommended practices for those responsible for awarding and managing contracts for DWP, and for contractors or their sub-contractors who are considering hosting or accessing DWP systems, services or official information (also known as ‘authority data’) outside of the UK.
The DWP Offshoring Policy outlines the steps required to identify, assess, respond, mitigate, control, monitor and report on the additional security risks from offshoring so that an informed decision can be made against the benefits. It considers the various legal and regulatory obligations including the Data Protection Act 2018 and its implementation of the UK General Data Protection Regulation (UK GDPR).
The UK’s exit from the European Union and changes to the data protection legal framework required updates to the data processor clauses that are a requirement under Article 28 UK GDPR, and to the arrangements for international transfers of personal data, following the approval by Parliament of a new UK International Data Transfer Agreement (IDTA) governing the export of personal data from the UK. Further information can be found on the Information Commissioner’s Office website. Suppliers should ensure that they take the time to read the detail held there.
2. Offshoring
Definition of offshoring
The government Senior Information Risk Owner (SIRO) defines offshoring as “Any arrangement where the performance of any part of the services or a solution under a contract may occur outside the UK for domestic (UK) consumption.”
The DWP Offshoring Policy controls apply when a contractor or sub-contractor wishes to:
- host DWP systems, services or official information outside the UK, including using non-UK locations as contingency, failover or backup locations and providing support or administrative functions
- allow staff based outside the UK to have access to DWP systems, services or official information
- bring foreign nationals (“landed resources”) to the UK to provide services including, but not limited to, applications development and support, testing and other similar activities
- develop system applications outside the UK
- send diagnostic data to an organisation outside the UK as a result of break/fix activity
3. Example scenarios
The following examples illustrate some typical offshoring scenarios (note that this is not an exhaustive list):
(When we refer to contractor this also includes sub-contractors.)
- contractor staff outside the UK access DWP official information or systems hosted in the UK
- contractor staff outside the UK access DWP official information or systems hosted outside the UK
- contractor staff in the UK access DWP official information or systems hosted outside the UK
- a contractor causes foreign nationals to be brought to the United Kingdom, for the purpose of delivering services to DWP in the UK, and these members of staff have access to DWP official information or systems
- contractor staff outside the UK are used for systems applications development, regardless of whether personal data is directly involved in that work
- contractor staff outside the UK are used for IT support or administration
The following examples are not offshoring:
(When we refer to contractor this also includes sub-contractors.)
- a contractor provides services to DWP, and systems or data are hosted outside the UK, but this does not include DWP official information or systems
- a contractor provides services to DWP, and this involves contractor staff outside the UK, but these staff do not have access to any DWP official information or systems
- a contractor causes foreign nationals already living in the UK to provide the services
- a contractor causes foreign nationals to be brought to the United Kingdom, for the purpose of delivering services to DWP, and these members of staff do not have any access to DWP official information or systems
4. Offshoring process and approval
Offshoring (including landed resources) is subject to the DWP offshoring approval process. This process ensures that DWP is sighted on instances of offshoring and allows an assessment of risk to be made. The contractor is responsible for informing DWP prior to offshoring any services which include access to or storage of DWP official information and systems or making provision for offshoring should primary locations or processing facilities become unavailable.
If bidders are planning to offshore, they will be required to complete the relevant questions within the Information Security Questionnaire (ISQ) and include them with their bid. The relevant questions can be found at Appendix A. Additional information may be sought by DWP to enable a robust risk assessment to be undertaken.
An existing contractor can request approval for any offshoring after award of contract by submitting a change request notice to their contract manager.
In all cases approval must be obtained from DWP prior to the commencement of any offshoring. Contractors who fail to inform DWP prior to offshoring will be in breach of their contract and action may be taken on a contract-by-contract basis.
The DWP offshoring approval process requires a proportionate technical risk assessment to be performed to determine the nature and level of security controls to be applied to offshored DWP business.
The decision to decline an offshoring proposal will be risk based, and wherever possible DWP will take all reasonable steps to work towards an acceptable proposal with the contractor, taking into account government guidelines and regulations.
5. Sub-contractor assurance
The lead contractor is responsible for informing DWP of offshoring by sub-contractors and seeking approval from DWP prior to commencement of offshoring.
Appendix A: DWP offshore questions contained within the Information Security Questionnaire (ISQ)
The following information is required at the tendering stage. This information will allow DWP to determine the process that is required to approve the offshoring proposal. Approval must be obtained from DWP prior to the commencement of any offshore activity (including landed resources).
Please describe the service you will be offshoring
Summary of service to be provided to the Authority.
Does the offshoring involve bringing people to the UK to work?
The process of bringing staff to the UK for the purpose of supporting the contract is called onshoring.
Offshore locations from which the service, including support, will be delivered, including access, processing and storage?
Confirm the locations from which the service, including support, will be delivered, including access, processing and storage, in the ‘Supporting Comments’ column.
Provide further detail in the ‘Supporting Comments’ column regarding any planned offshoring.
The Authority Assets must not be accessed, processed, transmitted and/or stored outside of the United Kingdom without the prior written consent of the Authority and must at all times comply with Data Protection Legislation.
Offshoring Definition:
DWP conform to the Cabinet Office definition of offshoring as:
“Any arrangement where the performance of any part of the service or a solution under contract may occur outside the UK for domestic (UK) consumption”.
This includes:
- data hosted outside the UK
- data hosted within the UK but with the potential for access to data from outside the UK
- data temporarily made available offshore for support or diagnostic purposes (break/fix)
- data used for design, build and development activities undertaken outside the UK, including, but not limited to, software code, project management information and solution designs
- foreign nationals brought to the UK for the purpose of fulfilling a central government contract (Landed Resources)
If you are offshoring personal data of DWP customers, has the country you are offshoring to been deemed adequate to protect this data, in line with Information Commissioner’s Office requirements?
A Transfer Risk Assessment (TRA) must be completed before DWP data is offshored to a country that has not been deemed adequate.
(If a TRA has been completed, please provide it as evidence.)
What type of offshore access will you require to support the contract?
Privileged Users are accounts for those that require elevated access rights.
Please provide details relating to your privileged user requirements in the ‘Supporting Comments’ column.
Will there be a connection from offshore between supplier’s, sub-contractor’s and/or third parties’ networks to the Authority network?
Provide a description of the proposed offshore connection between supplier’s, sub-contractor’s and/or third parties’ networks to the Authority network.
Will the service offshored involve the use of subcontractors and/or third parties?
Please provide details of any subcontractors or third parties that will support contract delivery, including access, processing, storage or transmission.
Please confirm the services they will be providing and what they will have access to.
Will the offshore service be providing software development support to the Authority?
Security is most effective if it is planned and managed throughout every stage of the software development life cycle (SDLC).
Please describe the intended software development support to be provided to the Authority.
Will the offshored service be cloud based?
If Cloud Services are to be used, please specify the type of cloud service.