Warmworks contract information: EIR release

Information request and response under the Environmental Information (Scotland) Regulations 2004


Information requested

1. Confirmation of the governance arrangements in place to ensure that delivery partners, such as Warmworks, comply with Scottish Government policies and legal obligations regarding personal data.

2. Copies of the Data Processing Agreement, Data Protection Impact Assessment, and any Information Sharing Agreements or Protocols between the Scottish Government and Warmworks relating to the Warm Homes Scotland programme.

3. Details of the internal procedures or mechanisms used to monitor, escalate, and address instances where delivery partners’ handling of personal data may not align with these obligations.

4. Clarification on the formal route for raising concerns regarding governance or conduct failures relating to oversight of delivery partners.

Response

I enclose most of the information you requested below and attached.

Confirmation of the governance arrangements in place to ensure that delivery partners, such as Warmworks, comply with Scottish Government policies and legal obligations regarding personal data.

1. Warmworks are subject to contractual requirements to comply with data protection obligations; these are set out at MSC section 14, schedule 9 – Data Protection and schedule 11 – Cyber Security requirements.

2. These form part of the full contract that has been provided to you in a separate objective connect link for EIR 202500495509. Please contact me if you have any issues accessing the documents.

3. The Scottish Government has monthly operational boards and quarterly strategic boards as well as more regular meetings where performance and adherence to contractual obligations can be raised and discussed.

4. An independent quality assurance contract is in place through which the Scottish Government can audit any aspect of Warmworks and their sub-contractors' compliance with the contract.

Copies of the Data Processing Agreement, Data Protection Impact Assessment, and any Information Sharing Agreements or Protocols between the Scottish Government and Warmworks relating to the Warm Homes Scotland programme.

  • Relevant documents held include a Data Protection Impact Assessment (DPIA) and Privacy Information Notice.
  • The DPIA and the Privacy Information Notice for the scheme have been attached. Personal data has been redacted under Regulation 11(2) of the EIRs. The reasons why that exception applies are explained in the Annex to this letter.
  • While our aim is to provide information whenever possible, in this instance the Scottish Government does not have data processing or information sharing agreements held between the Scottish Government and Warmworks beyond the contractual information that has been provided. Therefore we are refusing your request under the exception at regulation 10(4)(a) of the EIRs. The reasons why that exception applies are explained in the Annex to this letter.

Details of the internal procedures or mechanisms used to monitor, escalate, and address instances where delivery partners’ handling of personal data may not align with these obligations.

  • The Warmer Homes Scotland Contract clauses 14.12 – 14.14 state that:
  • 14.12. The Service Provider must:
  • 14.12.1. provide such information as is necessary to enable the Purchaser to satisfy itself of the Service Provider’s compliance with this clause 14;
  • 14.12.2. allow the Purchaser, its employees, auditors, authorised agents or advisers reasonable access to any relevant premises, during normal business hours, to inspect the procedures, measures and records referred to in this clause 14 and contribute as is reasonable to those audits and inspections; and
  • 14.12.3. inform the Purchaser, if in its opinion, an instruction from the Purchaser infringes any obligation under Data Protection Laws.
  • 14.13. The Service Provider must maintain written records including in electronic form, of all Processing activities carried out in performance of the Services or otherwise on behalf of the Purchaser containing the information set out in Article 30(2) of the UK GDPR.
  • 14.14. If requested, the Service Provider must make such records referred to clause 14.13 available to the Information Commissioner on request and co-operate with the Information Commissioner in the performance of its tasks
  • logged and made available if requested, and Schedule 11 (Cyber Security Requirements).
  • Further information is provided at Schedule 11, Cyber Security requirements:
  • 3.1 The Service Provider shall notify the Purchaser immediately as soon as it knows or believes that a Cyber Security Incident has or may have taken place and shall provide full details of the incident and any mitigation measures already taken and intended to be taken by it and (where applicable) any mitigation measures recommended by it to be taken by the Purchaser. Where such initial notification is not in writing, then the Service Provider shall provide the Purchaser with a written notification setting out the details required under this paragraph 3.1 promptly and in any case within twelve (12) hours from the initial notification.
  • 3.2 Following a Cyber Security Incident, the Service Provider shall:
  • (a) use its best endeavours to mitigate the impact of the Cyber Security Incident;
  • (b) investigate the Cyber Security Incident completely and promptly, and shall keep the Purchaser fully informed of the progress and findings of its investigation;
  • (c) where required to do so, inform any applicable regulator of the Cyber Security Incident; and
  • (d) take any action deemed necessary by the Purchaser in the circumstances, including complying with any additional security measures deemed appropriate by the Purchaser.
  • The options available where Warmworks or their suppliers have breached data protection requirements are also set out in Schedule 11 at section 5.

Clarification on the formal route for raising concerns regarding governance or conduct failures relating to oversight of delivery partners.

  • Where a third party is concerned regarding governance or conduct failures relating to oversight of delivery partners this can be addressed in the first instance to contactus@gov.scot.

Annex A - Reasons for not providing information

The Scottish Government does not have the information

Under the terms of the exception at regulation 10(4)(a) of the EIRs (information not held), the Scottish Government is not required to provide information which it does not have. The Scottish Government does not have some of the information you have requested because we do not have data processing or information sharing agreements between the Scottish Government and Warmworks beyond the contractual information that has been provided.

This exception is subject to the ‘public interest test’. Therefore, taking account of all the circumstances of this case, we have considered if the public interest in disclosing the information outweighs the public interest in applying the exception. We have found that, on balance, the public interest lies in favour of upholding the exception. While we recognise that there may be some public interest in information about data sharing agreements, clearly we cannot provide information which we do not hold.

Regulation 11(2) provides that where the information requested includes personal data about a person other than the applicant and disclosure would contravene the data protection principles in Schedule 1 to the Data Protection Act 1998, the public authority shall not make that personal data available.

Information already available

Some of the information you have requested is available as part of the response to FOI 202500471397. As this information is too large to host online, you have been provided with a link to access the Warmer Homes Scotland Contract Documents. If you have problems accessing this, please let me know and I will try to support you.

About FOI

The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at https://www.gov.scot/foi-responses.

Contact

Please quote the FOI reference
Central Correspondence Unit
Email: contactus@gov.scot
Phone: 0300 244 4000

The Scottish Government
St Andrew's House
Regent Road
Edinburgh
EH1 3DG
