Asked by: James Gray (Conservative - North Wiltshire)
Question to the Department for Work and Pensions:
To ask the Secretary of State for Work and Pensions, what the value of her Department's cloud-hosting contracts with (a) Amazon Web Services, (b) Oracle Fusion, (c) Microsoft Azure, (d) Vodafone, (e) DXC, (f) SCC and (g) UKCloud was in financial years (i) 2012-2013, (ii) 2013-2014, (iii) 2014-2015, (iv) 2015-2016 and (v) 2016-2017.
Answered by Kit Malthouse
The table below shows current spending and the dates covered for each line of information. Unfortunately the information is not available in the exact format requested. Prior to 2016 there was no spend on cloud hosting with the companies mentioned in the question.
Oracle Fusion, SCC and Vodafone were all nil spend. DWP does not have cloud hosting contracts with those companies.
| Description | Dates covered | Spend |
Amazon Web Services | G-Cloud 6 – IaaS (Information as a Service) | 10/6/16 to 09/06/18 | c£1.0m |
G-Cloud 7 – Professional Services | 10/06/16 to 09/06/18 | £1.2m | |
G-Cloud 8 – Hosting | 01/06/17 to 31/05-18 | c£1.0m | |
G-Cloud 9 – Cloud compute | 01/08/17 to 31/07/19 | £3.9m | |
Microsoft Azure | Server Cloud Enrolment (SCE) agreement | 01/01/17 to 31/12/19 | £40k |
DXC | G-Cloud 7 - MVS Mainframe platform as a Service hosting | 12/12/16 to 31/12/17 | £12m |
G-Cloud 8 - VME mainframe platform as a service hosting | 01/05/17 to 31/12/17 | £5m | |
G-Cloud 7 - x86 midrange platform as a service hosting | 01/05/17 to 31/12/17 | £4m | |
UK Cloud | G-Cloud 8 – Hosting | 15/07/16 to 31/08/17 | £3.0m |
G-Cloud 9 – Hosting | 01/09/17 to 31/12/17 | £0.63m | |
G-Cloud 8 – Children, Health and Pensions Systems | 16/04/17 to 15/04/18 | £0.8m | |
CAN001 – Date extension to G9 Hosting | 01/01/18 to 01/06/18 | Nil spend |
Asked by: James Gray (Conservative - North Wiltshire)
Question to the Department for Work and Pensions:
To ask the Secretary of State for Work and Pensions, how many and what proportion of her Department’s cloud hosting contracts have been awarded to (a) hyperscale cloud providers and (b) UK SMEs; and what the value was of those contracts in each of the last three years.
Answered by Kit Malthouse
DWP does not centrally collect the specific data requested.
Information regarding contracts above the value of £10,000 is published on Contracts Finder on GOV.UK, available at https://www.gov.uk/contracts-finder
The Interception of Communications Commissioner and the Information Commissioner’s Office also have responsibilities in this area.
Asked by: James Gray (Conservative - North Wiltshire)
Question to the Department for Work and Pensions:
To ask the Secretary of State for Work and Pensions, what estimate she has made of the volume of UK citizens’ data held by companies (a) supplying cloud services to her Department and (b) contracted to deliver cloud services on behalf of her Department that is subject to information requests from US Government bodies.
Answered by Kit Malthouse
The information requested is not collated centrally and could only be provided at disproportionate cost.
Asked by: James Gray (Conservative - North Wiltshire)
Question to the Department for Work and Pensions:
To ask the Secretary of State for Work and Pensions, what security measures his Department has in place relating to the receipt by his Department of incoming post and parcels; and what discussions he has had with the British Forces Postal Office on providing such services.
Answered by Caroline Dinenage
The vast majority of inbound mail for the Department is delivered by Royal Mail to two centralised ‘Mail Opening Units’ (MOUs) operated by Engie, and this response is specific to the way these suppliers handle the departments inbound mail.
Royal Mail
Royal Mail operates a comprehensive range of policies and procedures to protect and maintain the integrity of our customers’ mail, services and employees. These processes are applied consistently to all outbound and inbound mail carried on behalf of the DWP and citizens. These policies and operating procedures underpin Royal Mail’s operating licence and universal service obligation. Where contracted to do so, Royal Mail also undertakes Security Screening services to identify any potential threats to specific Department sites prior to final delivery. This extends to the security screening services specifically provided to the Department’s Caxton House site in London.
The majority of the Department’s inbound mail (posted by citizens of the UK) is diverted to two central processing locations in the West Midlands. While there are no additional measures in place prior to the consolidation of inbound mail, each and every item of mail is subject to the same rigorous standards and duty of care as it is handled through the Royal Mail network from physical collection at DWP sites (or Post Boxes & Post Offices) through to outward processing and final delivery.
All items carried by Royal Mail on behalf of the Department and citizens are subject to ‘Inviolability & Interception of Mail Policy’ which dictates that once a postal packet is in the transmission of post (i.e. from posting until delivery) it cannot be delayed, opened or removed from the course of post. This policy is underpinned by the following legislation.
Royal Mail’s security procedures cover each and every activity undertaken within the Royal Mail pipeline.
Royal Mail deploys a rigorous vetting process for new recruits. This process includes pre-employment checks including a criminal record check before employment commences. Royal Mail provides all of its people with mail security induction training and regular security communications around compliance with security procedures, policies and standards.
In addition to preliminary recruitment processes and on-going coaching to all employees, Royal Mail also supports its service obligations through maintaining a dedicated security team, experienced in security risk management, intelligence gathering, criminal investigation and prosecution. This team also works with a number of law enforcement agencies, Government bodies and industry groups to protect the integrity of the mail.
Royal Mail actively encourages its people to be vigilant for any suspicious activity and report any cases where they believe letters may have been intercepted to both Royal Mail and the Police.
Engie
Engie receives mail from Royal Mail and processes on behalf of the Department at two centralised MOUs. These MOUs have external and internal security systems in place that are subject to annual review and approval by the Department and include systems for both physical and information security.
External security - Both MOUs meet and exceed the accreditation standard required by the Department. Each of the MOUs are audited annually by an external independent company and are accredited to ISO27001 from an information security perspective, which covers client information as well as the physical security of both MOU sites.
The units feature external perimeter fencing with remote controlled access for all inbound and outbound deliveries or collections, which run alongside a centrally controlled access swipe access system for all staff. External CCTV is monitored 7 days a week, 24 hours a day.
Internal security - All staff are cleared through Disclosure Scotland checks prior to commencing work. CCTV is operational 24 hours a day. All visitors must provide identification on arrival and are escorted by an MOU staff member at all times during the visit.
Suspect Packages - Training and guidance is provided to all mail handling staff, with remedial training completed annually. X-Ray screening facilities are available should any envelope or package be deemed as suspect, with the relevant training and instruction provided to all staff using this equipment.
British Forces Postal Services
DWP does not have responsibility for British Forces Postal Services, so we are unable to provide the information requested for this element of the question.