Guidance

Offshoring policy for DWP contractors

Updated 18 March 2016

This guidance was withdrawn on

This guide has been withdrawn because it is out of date. New guidance is being drafted and will be published at a later date.

Overview

1. All services performed by contractors on behalf of the Department for Work and Pensions (DWP) must comply with His Majesty’s Government (HMG) policies and standards, and in particular the Cabinet Office Security Policy Framework (SPF) - Mandatory Requirement 31, which mandates that government departments must have an information security policy setting out how they and their delivery partners, including those offshore, comply with the SPF minimum requirements.

2. In compliance with this requirement, DWP has implemented the DWP Offshoring Policy, which details controls and recommended practices for those responsible for awarding and managing contracts for DWP, and for contractors or their sub-contractors who are considering hosting or accessing DWP systems, services or official information (also known as ‘authority data’) outside of the UK.

Offshoring

3. Definition of offshoring

The government Senior Information Risk Owner (SIRO) defines offshoring as “Any arrangement where the performance of any part of the services or a solution under a contract may occur outside the UK for domestic (UK) consumption”

The DWP Offshoring Policy controls apply when a contractor or sub-contractor wishes to:

  • host DWP systems, services or official information outside the UK
  • allow staff based outside the UK to have access to DWP systems, services or official information
  • bring foreign nationals (“landed resources”) to the UK to provide services including, but not limited to, applications development and support, testing and other similar activities
  • develop system applications outside the UK
  • send diagnostic data to an organisation outside the UK as a result of break or fix activity

Example scenarios

4. The following examples illustrate some typical offshoring scenarios:

(When we refer to contractor this also includes sub-contractors)

  • contractor staff outside the UK access DWP official information or systems hosted in the UK
  • contractor staff outside the UK access DWP official information or systems hosted outside the UK
  • contractor staff in the UK access DWP official information or systems hosted outside the UK
  • a contractor causes foreign nationals to be brought to the United Kingdom, for the purpose of delivering services to DWP in the UK, and these members of staff have access to DWP official information or systems
  • contractor staff outside the UK are utilised for systems applications development, regardless of whether personal data is directly involved in that work
  • contractor staff outside the UK are utilised for IT support or administration

5. The following examples are not offshoring:

(When we refer to contractor this also includes sub-contractors)

  • a contractor provides services to DWP, and systems or data are hosted outside the UK, but this does not include DWP official information or systems
  • a contractor provides services to DWP, and this involves contractor staff outside the UK, but these staff do not have access to any DWP official information or systems
  • a contractor causes foreign nationals already living in the UK to provide the services
  • a contractor causes foreign nationals to be brought to the United Kingdom, for the purpose of delivering services to DWP, and these members of staff do not have any access to DWP official information or systems

Offshoring process and approval

6. Offshoring (including landed resources) is subject to the DWP offshoring approval process. This process ensures that DWP is sighted on instances of offshoring and allows an assessment of risk to be made. The contractor is responsible for informing DWP prior to offshoring any services which include access to or storage of DWP official information and systems.

7. If tenderers are planning to offshore, they will be required to complete the DWP Offshore Proposal Questionnaire and include it with their bid. Additional information may be sought by DWP.

8. A contractor can request approval by initially submitting a completed DWP Offshore Proposal Questionnaire - Appendix A - to their contract manager, for assessment by DWP.

9. In all cases approval must be obtained from DWP prior to the commencement of any offshoring. Contractors who fail to inform DWP prior to offshoring will be in breach of their contract and action may be taken on a contract by contract basis.

10. The DWP offshoring approval process requires a proportionate technical risk assessment to be performed to determine the nature and level of security controls to be applied to offshored DWP business.

11. The decision to decline an offshoring proposal will be risk based, and wherever possible DWP will take all reasonable steps to work towards an acceptable proposal with the contractor.

Sub-contractor assurance

12. The lead contractor is responsible for informing DWP of offshoring by sub-contractors and seeking approval from DWP prior to commencement of offshoring.

Appendix A - DWP Offshore Proposal Questionnaire (including landed resource)

The following information is required when notifying DWP of an intention to offshore. This information will allow DWP to determine the process that is required to approve the offshoring proposal. Approval must be granted prior to the commencement of any offshore activity (including landed resources).

1 Description of business to be offshored
Please provide a summary description of the work that is to be offshored, in business terms.
 
1.1 Timescales and releases
For development and testing activities, or other work of a limited lifecycle, please estimate the timeframe for the offshore work, and the relevant releases/phases for the systems involved.
 
1.2 Number of staff
Please provide the estimated number of offshore staff who will be involved in this work, and describe their different roles.
 
2 DWP information, systems or services
Please provide details of DWP information, systems or services including expected quantities. Include the accreditation or assurance status of each system or service if known.
 
2.1 Solution details
Please describe the method of working that is proposed. This should be provided principally in terms of DWP information, systems or services involved, and how they are handled, stored, viewed, protected, etc. The aspect of DWP information, systems or services storage should consider permanent storage (such as a designated long-term repository), temporary storage (such as working on a checked out file before checking it back in), and transient storage (such as short term residence in communication devices).
 
2.2 Network
Please provide details of the network at the offshore locations, and of any network connectivity used to transfer DWP information, systems or services to and/or from the offshore locations. Where possible, please provide diagrams that show where these are stored and transferred in terms of these networks.
 
2.3 Processes and systems used across sites
Please describe how the procedures and systems used by offshore staff interact with those onshore.
 
3 Offshore locations
3.1 Offshore addresses
Please provide the full address of the offshore locations. Where home-working is proposed, please provide the estimated number of home-workers, and also describe the process for managing home-workers. Note that the actual addresses of home-workers need not, and should not, be provided.
 
3.2 Other work at the sites
Please provide a description of any other DWP work, and any non-DWP work, that is conducted at the sites. If this information cannot be provided, then please describe how DWP can be assured that any other work at the sites will not compromise their security.
 
3.3 Staff clearance
Please provide details of the security clearance and employment checks for staff at the offshore locations. This should consider all staff at the site and not just those directly involved in the proposed work.
 
4 Legal Assessment
Please identify any known local conditions that may impact the security of DWP information, systems or services, or the enforcement of security requirements. Also detail whether there are any legal constraints that need to be considered, such as computer misuse, use of encryption or confidentiality statements. If personal information (staff or customer) is to be stored or accessed in the offshore location, then the contractor must also provide details of arrangements made to ensure that comparable protection is provided as required by the Data Protection Act 1998.
 
5 Governance
Please identify the person within the contractor organisation with responsibility for the offshoring. This person may be required to provide additional detail to support the offshoring request, and may be contacted directly by the DWP Security and Resilience team.
Role
Address
Name
Telephone no.
Responsibility
E-mail
Organisation