Liverpool City Procurement Standards - Cloud & Cyber

Liverpool, England requires suppliers of cloud and cyber services to meet procurement and information-security expectations set by the city council. This guide summarises the applicable procurement rules, typical contractual security obligations, routes for inspection and complaint, and practical steps suppliers should take when tendering for city contracts in Liverpool, England.

Scope and Applicable Instruments

Primary instruments governing supplier requirements at the municipal level are the council's Contract Procedure Rules and its procurement guidance for businesses. These documents set mandatory procurement steps, pre-qualification requirements and compliance expectations for suppliers providing cloud, IT and cyber services to Liverpool City Council.^[1][2]

Key Requirements for Cloud and Cyber Suppliers

• Follow data protection and information-security clauses typically required in tenders, including secure hosting location and access controls.
• Provide evidence of cyber standards where requested (for example Cyber Essentials or equivalent) if set as a contract requirement.
• Supply audit/assurance reports and cooperate with contractual audits or security assessments.
• Meet deadlines for certificate submission, contract milestones and notification of incidents.

Penalties & Enforcement

Liverpool City Council enforces procurement and contract compliance through contractual remedies and the mechanisms set out in the Contract Procedure Rules and procurement guidance. Specific monetary fines for suppliers are not listed on the cited council pages; detailed financial penalties are therefore noted as not specified on the cited page.^[1][2]

• Monetary fines: not specified on the cited page.
• Escalation: first, repeat and continuing offences are addressed through contractual default processes and potential termination; specific escalation fine ranges are not specified on the cited page.
• Non-monetary sanctions: contract suspension, formal notices to remedy, termination for default, withholding of payments, and claims for damages.
• Enforcer: Procurement and Commercial Services together with the council's Contract Monitoring Officers administer remedies and compliance; complaints and issues are raised via the council procurement contact routes.^[2]
• Inspection and complaints: suppliers or members of the public may report breaches or service failures using the council procurement contact page or by contacting the responsible service area.
• Appeal/review: contractual disputes are handled under the contract's dispute resolution clause and the council's constitution; specific appeal time limits are not specified on the cited page.
• Defences/discretion: the council typically allows contractual processes such as notice to remedy, representations and potential mitigations; explicit statutory defences are not detailed on the cited procurement pages.

Common Violations

• Failure to disclose subcontractors or cloud-hosting locations.
• Non-provision of required security certificates or audit reports.
• Late notification or inadequate handling of security incidents.

Applications & Forms

The council publishes procurement and tendering instructions and submission portals for suppliers; where a specific application or form is required it is provided through the council's procurement pages and e-tendering platform. If a published form number or fee applies it will appear on the relevant tender page; otherwise no separate public form is listed on the general procurement guidance pages.^[2]

Action Steps for Suppliers

• Review the Contract Procedure Rules and tender documents before bidding and keep copies of awarded contract clauses.^[1]
• Prepare and upload required security evidence (assurance reports, Cyber Essentials, SOC/ISO certificates) to the tender portal at time of submission.
• Notify the council immediately of any data breach or major incident as required by the contract.
• If disputed, follow the contract dispute route and use the council's published contact for procurement to request review.

FAQ

Do Liverpool procurement rules require Cyber Essentials?

The documents state that specific security standards may be required by individual tenders; Cyber Essentials is often accepted evidence but requirements are set per tender and are not universally mandated on the general pages.^[2]

Who enforces contract compliance?

Contract Monitoring Officers and Procurement & Commercial Services enforce compliance, using measures in the Contract Procedure Rules and contract terms.^[1]

Where do I report a supplier data breach affecting the council?

Report incidents to the contact shown in the contract and to the council procurement contact; national reporting to the Information Commissioner's Office may also apply.

How-To

1. Review the tender notice and download all specification documents from the council tender portal.
2. Compile required security evidence, including certificates, test reports and incident response plans.
3. Submit evidence via the e-tendering portal before the tender deadline and retain proof of submission.
4. If awarded, confirm contact points and reporting obligations with the Contract Monitoring Officer.

Key Takeaways

• Check tender-specific security requirements early.
• Maintain audit-ready evidence and incident logs.

Help and Support / Resources

• Liverpool City Council - Procurement
• Liverpool City Council - Contract Procedure Rules
• Liverpool City Council - Planning & Building
• Information Commissioner's Office (report data breaches)

1. [1] Liverpool City Council - Contract Procedure Rules
2. [2] Liverpool City Council - Procurement