In a new blog series, Assistant Director of Procurement in our Corporate, Clinical and Regulation division, Ruth McColl, lifts the lid on things anonymous NHS buyers don’t know but are too embarrassed to ask.
Written by Ruth McColl, Assistant Director of Procurement – Corporate, Clinical and Regulation
If you’ve ever worked in NHS procurement, you’ll know that it’s a world of equal parts strategy, firefighting, detective work, emotional resilience and creative problem solving, with a dash of ‘don’t tell anyone how we actually got this over the line.’
This blog lifts the lid on the quiet truths of procurement. The things we find hard, the corners we might occasionally smooth over, the processes we ‘should’ know but secretly ask Ai and the moments where we mutter, ‘I did not sign up for this’ whilst smiling politely on a Teams meeting.
I recently spoke with an NHS buyer who shall remain unnamed, who listed some of the things that go through their head but has never said outloud:
“Is there a polite way of saying ‘I know the spec is terrible but I can’t rewrite your entire service model for you’?”
“When a colleague suggests a creative procurement solution and all you think is ‘This will land us in the Evening News’.”
“We pretend to love a competitive tender but deep down, we would rather do literally anything else.”
“I live in fear of someone asking, ‘What does it say in the regulations?'”
“Procurement and contracting are the unsung heroes of the NHS!”
“I don’t ask questions because I know the truth would be far scarier than staying ignorant.”
“Somewhere in a parallel universe, Heads of Procurement don’t handle FOIs. I dream of living there.”
The answers to all your questions
What is the difference between a DPIA and a DTAC, and when should we be requesting these from providers?
A DPIA is needed whenever a project involves processing personal data in a way that is likely to result in a high risk to individuals. This is a legal requirement under UK GDPR. A DPIA should be completed by internal information governance (IG) colleagues and signed prior to contract signature.
A DTAC is required when you are buying, procuring or deploying digital health technology in the NHS. This should be completed by suppliers and assessed by internal IG colleagues prior to contract signature.
When is a DPST needed as well as Cyber Essentials?
In short, ask for a DPST when you need assurance that goes beyond cyber security.
For example, include:
- When the supplier will access, handle, store and process NHS patient data
- If the service involves identifiable patient data
- If the supplier is providing any system or service that connects with NHS systems
- If you need full data-security and IG assurance.
Under PPN 014, Cyber Essentials Plus is now required for IT and digital service providers across NHS Supply Chain.
For below-threshold contracts, I’ve heard the contract modification limit of 50% is not applicable?
Below-threshold contracts are not considered ‘public contracts’ and therefore fall outside the scope of a covered procurement under Section 1 of the Procurement Act.
The legislation specifically states that below-threshold contracts may be freely modified and do not need to meet one of the ten statutory grounds for contract modification that apply to a covered procurement.
That being said, the aggregated value of modification and the original contract must be less than the threshold amount for the type of the contract. If the new contract value exceeds the threshold amount, it creates a ‘convertible contract.’
What are the minimum insurance requirements that should be applied under an NHS contract?
Public liability insurance is not legally compulsory, but it is standard in NHS tenders because it protects against claims from the public.
Employers liability insurance is required by law for any businesses employing staff. The statutory requirement for this is £5 million.
Professional indemnity insurance is not legally compulsory, but is advised when the contract involves advice, consultancy, design, digital services, clinical services or technical expertise.
There may be other insurance requirements relevant to the nature of the contract and the nature of the contract may impact the value of the insurance.
If I am using a framework to direct award, what terms can I change?
You cannot renegotiate or alter the core terms of the framework including the pricing structure (unless it allows for configurable pricing), the specification or the contractual risk allocation.
You can change the terms that are configurable at call-off stage, such as the term, KPIs, volume and invoicing arrangements. You can also change elements that are labelled as ‘to be agreed at call-off’, and add additional terms that do not contradict the framework (on a case-by-case basis withing the framework limits).
Modification ground under the Provider Selection Regime (PSR) still confuses me.
If the modification is stated for in the original contract, is it allowable under PSR regardless of value?
Yes, if the modification is clearly and unambiguously provided for in the original contract, it is allowable under PSR regardless of value. A transparency notice must be published.
Is there a limit with regards to volume or value when the modification is due to external factors beyond control (such as changes to patient volume)?
No a specific limit isn’t imposed in the guidance. Providing the modification is due to external factors such as changes to patient or service user volume and/or allowed uplift, it does not materially alter the contract and is allowable. A transparency notice is not required in these cases.
If the modification is not stated in the original contract and isn’t due to external factors, is the limit 25% or £500,000?
Where the modification is directly linked to the relevant authority AND isn’t stated in the original contract, then either 25% or £500,000 is the limit of of the increase to the original contract value. Additionally, the value increase MUST NOT be inked to change which renders the contract materially different.
How do I know which CPV code I should use as the primary one?
When going out to tender, you should look to use the lowest level CPV code to provide the market the easiest route to search for relevant contracts. You do have the ability to include additional CPV codes within the notice. This is where you could include the higher-level code as well as any other sub-categories.
Under PSR, do I need to publish my contract if it’s over £5 million?
No, this is not a requirement under PSR. This only applies to contracts governed by the Procurement Act 2023.
Should Pipeline Notices under the Procurement Act 2023 be done individually or can I do one that covers all upcoming tenders in the next 18 months?
Pipeline Notices should be completed per procurement. Regulation 15 sets out the minimum information that must be published ‘for each procurement contained in the pipeline notice.’ It therefore implies that one notice may contain more than one procurement.
However, in practice, a Pipeline Notice will need to be published for each individual procurement making up a contracting authority’s pipeline. This is so that subsequent notices about that procurement can be linked to those details.
Get in touch
Do you have questions about procurement regulations, or want to make your own confession? Contact [email protected].