28.06.2023
This call for tenders concerns the provision of consultancy services to the UPU from September 2023 to April 2024 in order to:
- conduct a survey on UPU member countries’ regulatory frameworks with regard to data collection and protection (at regional, national and sectoral levels), and publish the results thereof;
- assist and guide UPU member countries (in cooperation with restricted unions) in establishing their own regulations at national or sectoral level or, at least, in becoming parties to current optional multilateral frameworks, such as the UPU multilateral data sharing agreement (MDSA) framework or other regional data sharing agreements (DSAs); and
assess the capacity of the UPU to manage and protect the personal data handled in its various systems, and provide recommendations for improvement
The deadline for the submission of tenders is 11 August 2023 at 18.00 CEST.
Can you please clarify whether bidders can send a proposal for a specific country only (namely Jordan), to answer this request from UPU?
In order to establish a minimum set of requirements for the collection, storage, treatment and transmission of personal data, as well as remedies in the event of data breaches, the UPU needs to gather and analyze information on the national or regional regulations of its member countries in this area.
In accordance with sections 2.5 and 4.1 of the published call, the contractor will develop the foundational knowledge and substantive contents for a regulatory database. One of the objectives of the project is to obtain relevant information from as many countries as possible. As specified in section 4.1, the contractor will draft the survey. The UPU International Bureau will support the contractor by distributing the survey to all UPU member countries and will consolidate the responses received. These IB will upload the information received onto its regulatory database* and will share the member countries’ responses to the survey with the contractor for the purpose of the analysis (phase 2 – section 4.1.3 deliverables) and publication of the study (phase 3).
The work by the contractor should therefore not be limited to one member country only. The project scope is global (i.e. national frameworks) and UPU specific.
* Note: the International Bureau is launching a web-based regulatory database in 2024 – the member countries’ responses to the survey on data protection is among the data that will be uploaded on the future regulatory database
Could you please provide us a pdf or the link to your T&C?
Do they need to be accepted without changes or it is possible to send you comments we will then discuss at a later stage?
The terms and conditions must be accepted without changes.
They are provided on the UPU website: https://www.upu.int/en/Universal-Postal-Union/Procurement (see reference documents)
Scope of Data Assets: Data protection policies and regulations may affect digital services as well as physical transactions (such as mail delivery). Could you please clarify whether physical transactions are included in the scope of the planned assessment? (Chapter 2.3 Bullet 1; Chapter 4.1.1)?
Postal services are increasingly data driven while these services need to comply with data protection regulations and policies that concern all personal data related to postal services (e.g. traffic data, delivery data, billing data and address data). Sections 2.4 and 2.5 specify that the services of the external consultant concern data collection and protection regulations in respect of the postal sector, particularly with a view to safeguarding the safe processing and transmission of personal data between Union member countries in the context of international postal operations. International postal operations concern primarily the physical transactions which are supported and facilitated by data exchange, such as the aforementioned data elements – including electronic advance data as well as other data particular to the origin, destination and content of the physical items exchanged.
Stakeholders for Survey and Interviews:
Does the UPU aspire to run the survey with all ~192 member countries? (4.1.3 Deliverable 1a and other)?
Yes, the survey should be developed by the contractor and distributed by the UPU/IB to all 192 member countries. The UPU/IB will collect the responses and make them available to the contractor for further analysis.
Is our assumption correct that the interviews will focus on a representative subset of UPU stakeholders and those of selected member countries, and that the UPU will assist in identifying the most appropriate stakeholders (Chapter 4.1.3 Deliverable 1c)?
That is correct, interviews can be organized with a subset of UPU or sector stakeholders. The contractor will describe its approach to conduct these interviews and in coordination with the UPU International Bureau, the list of interviewees can be reviewed. It is foreseen that regular meetings (remote/ online) are held to discuss progress of work and support that the UPU/ IB can provide in relation to the study, e.g. the abovementioned survey data collection processes, review of list of interviewees, review of texts and analysis, contacts with experts within the UPU IB and the UPU network (DOs, Ministries, etc.), etc.
Scope technical & organizational capabilities of UPU: The description in Chapter 4.1.3 Phase 4 seems to focus mainly on organizational means to monitor privacy and standards and to provide assistance to member countries. Further services are to include an assessment of the technical means required to operationalize any related tasks. Is our understanding correct that the UPU is also seeking assistance in assessing its overall technical model for suitability to handle PII as described in Chapter 2.3 bullet 3?
The services concern 1) the development of a knowledge basis (through surveys, analysis, interviews, desktop and other analysis) in the form of a database (note that the UPU/IB will develop by next year the technical (i.e. IT) infrastructure of an online regulatory database that includes regulatory information on various policy aspects relevant to postal services) as well as a study (report) that summarizes and analyzes the various regulatory regimes relevant to the postal sector in terms of data collection and protection; 2) the development of a foundation of the UPU/IB’s regulatory evaluation/ advisory capacity, a function that is currently not existing. The advisory/ evaluation function is aimed at enabling the UPU/IB in supporting member governments and designated operators in terms of the implementation of the recommendations drawn from point 1 (knowledge base). These points are summarized under phases 1 through 5 under section 4.1.3 (deliverables).
Technical framework: Are there any specific standards or frameworks related to data governance and protection that UPU advocates to its members? e.g., CSA (cloud security alliance), AFNOR, etc.? Are there any expectations from the bidder to create such a technical framework?
The UPU currently provides to its members data sharing agreements (DSA). DSAs contain specific obligations relating to the exchange of personal data (e.g. physical and electronic security of the infrastructure and operating environment, use of industry-standard technology and international security standards, notification of security breaches), the framework is not mandatory. The recommendations of the study are specific to the further development of such agreements as well as developing a foundation on which basis the UPU/IB can support its members in safeguarding the safe processing and transmission of personal data between Union member countries in the context of international postal operations, including the aforementioned foundation for an advisory/ evaluation or monitoring function to certify and validate the secure and lawful treatment of subject’s data (subject as the users of the postal service). In this context, technical requirements and/or standards may be envisaged as part of those recommendations as well as part of the evaluation framework that the UPU/IB could provide to its members in support of the implementation of said recommendations.
- Is this the first UPU member country survey of its kind? Are there any past surveys that the UPU may want to inform the process?
UPU/IB: this will be the first UPU member survey on data collection and protection policies. The UPU regularly conducts surveys among its 192 member countries on various regulatory (and/ or operational) topics. The contractor would draft the questions and the UPU/International Bureau will review with the contractor the questionnaire and suggest changes, if any.
- Who will be responsible for reaching out to member countries and inviting them to participate in the survey?
UPU/IB: after agreeing (contractor and UPU/IB) on the questionnaire, the UPU/IB will distribute the survey to its 192 member countries. The UPU/IB will also collect the responses and make them available to the contractor for analysis.
- Will any part of this project (e.g., communications with member states, survey questionnaire) need to be translated into other languages? If so, which ones?
UPU/IB: the survey will be translated by the UPU in-house translation service into 6 languages (including EN review of the draft survey). Some further communication, material, etc. – as relevant - may also be translated on an ad hoc basis (mindful of the resources, these requests need to be moderate). The final study will be published in English, with the executive summary and key recommendations translated into French, Arabic, Russian, Spanish and Portuguese.
- Will the survey need to be disseminated on paper via direct mail or can the entire process be online?
UPU/IB: the survey will distributed both physically by post as well as by email according to the standard UPU distribution procedures.
- Is the UPU interested in the report being accompanied by a dashboard for data visualization? If so, how many UPU members would require access to it? (Or, alternatively, would it be public?)
UPU/IB: the collected data will feed into a regulatory database that the UPU/IB will develop next year alongside other sector data, such as the country-specific data collected on the universal postal service provision, ETEO policies, etc. The CFT does not include the development of a dashboard (as IT project), but data visualization – in the report or otherwise is valuable as it may be useful to communicate complex information about different data collection and protection policy regimes.
- Does the UPU have a preference as to whether the vendor attends the CA session of April 2024 in-person or remotely?
UPU/IB: it is preferred that the final study is presented in-person at the CA. Remote participation facilities are available, but ideally, the presentation is made in-person at the CA Committee 2 meeting in April 2024.
Not included in the CFT, but the contractor will also be invited to make a short introduction of the work and outline the steps taken (or in progress) at the CA Committee 2 meeting in November 2023. The idea is 1) to familiarize the UPU members with the project; 2) to encourage the UPU member countries to respond to the survey (i.e. those that have not responded by that date) and 3) to give visibility to the project which may be useful to facilitate contacts for case studies. Although the provisional timeline in 4.1.3 (deliverables) indicate that these activities have been concluded by then, additional input that may be resulting from the presentation at the CA C 2 in November 2023, could be useful to the project. This presentation is optional, would be short and can be done remotely.
- In regard to the databases mentioned in the RFP, how often will the records be updated for each country and will a history of the change status need to be retained?
UPU/IB: Within the scope of this call for tender, the survey is done once and the data is collected by the UPU/IB and shared with the contractor for analysis. The UPU/IB will feed the data collected from the survey in the future UPU regulatory database. That database will be maintained and continuously updated by the UPU/IB with updates and new information provided by the UPU member countries. The tendered project excludes future updates in relation to the survey. The tendered project foresees one UPU membership wide survey (additional surveys by email to a subset of countries and other stakeholders is possible to collect additional information or for a deep dive/ case study) and is time limit (until April 2024).
N°. | RFP Section Reference | Clause | Question | Answer |
1 | General | N/A | To what extent does UPU have an existing database of applicable regulation across its members? | UPU has several databases in use, such as one on the universal postal service: https://www.upu.int/en/Members-Centre/Policies-Regulation/Universal-Postal-Service . It is likely that a similar database (compendium) will be provided for the responses to the data protection survey. By next year, the UPU will develop an IT database that consolidates UPU member information on various subjects, such as the universal postal service, data protection, ETOE policies, etc. |
2 | General | N/A | To what extent are we expected to collaborate with contact persons in the respective UPU member countries? | The Contractor is expected to conduct research and collect information from various sources, including interviews with relevant parties to obtain information for specific case studies. |
3 | General | N/A | What is your defintion of data collection and protection? To what extent should this cover data security standards and/or norms? | Postal services are increasingly data driven while these services need to comply with data protection regulations and policies that concern all personal data related to postal services (e.g. traffic data, delivery data, billing data and address data). Sections 2.4 and 2.5 specify that the services of the external consultant concern data collection and protection regulations in respect of the postal sector, particularly with a view to safeguarding the safe processing and transmission of personal data between Union member countries in the context of international postal operations. International postal operations concern primarily the physical transactions which are supported and facilitated by data exchange, such as the aforementioned data elements – including electronic advance data as well as other data particular to the origin, destination and content of the physical items exchanged. |
4 | General | N/A | Is the survey sponsored by a UPU member? | The study is part of work proposals adopted by all UPU member countries at the 2021 Abidjan Congress and specifically mandates the conduct of this study. |
5 | 2.3 | conduct a survey on UPU member countries’ regulatory frameworks with regard to data collection and protection (at regional, national and sectoral levels), and publish the results thereof | Will the survey be conducted for all the UPU member states or has UPU already identified who will be surveyed? | The contractor will draft the survey and the UPU/IB will review the survey. The final agreed version will be distributed by the UPU/IB to all UPU member countries. The UPU/IB will collect the responses and make these responses available to the contractor for analysis. |
6 | 2.3 | conduct a survey on UPU member countries’ regulatory frameworks with regard to data collection and protection (at regional, national and sectoral levels), and publish the results thereof | It is our understanding that establishing communication and setting up the context for the survey with the member countries is to be done by UPU and not the bidder. The bidder shall only be responsible for conducting the survey. | The UPU/IB will formally distribute the survey and collect the responses. The Contractor will be in direct contact with any relevant stakeholders, including, possibly, a subset of respondents to the survey. The UPU/IB will distribute the survey as this is done centrally and therefore most effective. Follow-ups, interviews and supplemental surveys are done by the contractor in direct communication with the interviewees/ addressees. |
7 | 2.3 | conduct a survey on UPU member countries’ regulatory frameworks with regard to data collection and protection (at regional, national and sectoral levels), and publish the results thereof | Please confirm if the bidder is required to visit any or some of the member countries in order to conduct the survey. Incase its going to be a ground visit, please clarify how the bidder can quote the cost of the travels and other relevant expenses. | Site visits are not foreseen. The contractor is invited to present the final report at the CA in April 2024 in-person. Remote participation facilities are available, although in-person presentation is preferred. The contractor will communicate with the IB via email, phone and MS Teams or other remote platforms. The contractor will agree with the interviewees/ addressees the preferred means of communication, which does not require site visits. Any costs related to travel by the contractor are for the contractor’s expense. |
8 | 2.3 | conduct a survey on UPU member countries’ regulatory frameworks with regard to data collection and protection (at regional, national and sectoral levels), and publish the results thereof | Please elaborate what are the main objectives of conducting the survey, with respect to the objectives of UPU? | See above, personal data is increasingly subject to data protection policies in various jurisdictions. The UPU exchanges a large volume of items on which personal data is collected and used, for delivery, billing, postal security purposes (EAD), etc. There is a need for knowledge and information on this subject and to ensure compliance as well as improved postal process that use data lawfully, purposefully and with consent. |
9 | 2.3 | assess the capacity of the UPU to manage and protect the personal data handled in its various systems, and provide recommendations for improvement | 1. Is the bidder expected to assess only the IT systems of the UPU from a Technology and Solution perspective (involving IT Architecture, Blueprint documents, Databases, Security protocols, Solution Architecture) or the bidder also has to assess the Infra/Hosting & People/capacity aspects of UPU and provide recommendations? | The bidder is expected to review all UPU processes relevant to the collection of data, processing of data and protection of data and to develop a knowledge base that supports the UPU IB in developing its capacity-building and advisory capacity to UPU member countries. So the objectives of the study are twofold: 1) develop knowledge base and 2) support UPU/IB with the foundation of the advisory capacity in terms of data collection and protection |
10 | 2.3 | N/A | Regarding the point "assist and guide UPU member countries (in cooperation with restricted unions) in establishing their own regulations at national or sectoral level" could you please elaborate what level of assistance you are referring to here? | The knowledge base and recommendations are to support the UPU/IB in developing its advisory capacity which means that the UPU/IB can advise its member countries on data protection policies. That advisory capacity can manifest itself in different ways, e.g. the UPU/IB to organize workshops in the field (with support from the restricted unions) on the importance and elements of data protection (and how the postal processes, regulations and policies can be developed at a national level to be compliant), to provide one-on-one member country support; drafting multilateral data sharing agreements, etc. etc. |
11 | 3.6 | Bidders shall provide an all-inclusive pricing structure applicable throughout the contract period. The term “all-inclusive” shall be understood to mean that all costs that may be incurred by the consultants in their completion of the assignment are factored into the price stated in the proposal. | 1. Please clarify if the Bidder is required to submit the Pricing in any particular format. If so, please share the format. | Bidders shall not include VAT in their pricing structure (see section 2.11). All pricing information shall be set out exclusively in Swiss francs (CHF).
Detailed breakdown may be useful, but is not required.
Price to be part of the same proposal. There is no template for pricing. The bid to contain the proposed methodology and approach as well as the price for those services. |
12 | 4.1 | Ensure the substantive contents of a database containing the personal data collection and protection policies and regulations of UPU member countries (as applicable to the operation of international postal services), to create a source of information on the current status of data protection within international postal networks. A standard structure for each UPU member country’s file shall be applied to ensure consistency between the different country files. The country files will feed into an electronic regulatory database that the UPU will develop in the year 2024. | 1. Please clarify which database is being referred here? Is this a distinct databse for each member country? Or is this the Database of UPU? |
The UPU/IB will develop in-house the IT platform to host all relevant information at country level on sector policies and regulations, including information on the universal postal service, ETOE policies, sustainable development, etc. The present CFT excludes the development of such IT platforms and concerns the development of content for such a database.
The contractor will draft the survey questions and the IB will review and provide feedback. Together, the survey will be finalized and distributed to the UPU member countries. Ideally, the survey is drafted in such a way that it contains structured answers to questions (which would allow for database querying in the future) but is likely to include more open questions as the data collection and protection regimes between countries.
The member-wide survey will use the same questionnaire (i.e. same structure, same questions) for all member countries. A supplemental survey could be considered among other means (desktop research, interviews, …) to collect additional information on a subset of countries/ regions that are of interest for building case studies in the report. Those supplemental surveys could be customized to the specific national or regional context and could allow for more detailed information, if required.
The database will allow for the downloading of a country file (i.e. the member country response to the survey – going forward, this information can be updated by a member country at any time in the future) and have basic filters to look at sub-level questions and compare with other countries/regions. The specific details of the database still need to be developed and while of interest to have this in mind, it should not limit or restrict the bidder in terms of defining its methodology, approach and proposed services in response to the present call for tender. |
13 | 4.1.1 | N/A | Does the desktop research need to be conducted for all member states? | Desktop research, interviews and other data collection and analysis techniques are expected for the purpose of the analytical study. This does not require desktop research for each and every member countries, but only to the extent that such research and analysis contributes to a comprehensive analytical report on data collection and protection relevant to the postal sector. |
14 | 4.1.1 | N/A | Is there a technology stack in place for creating the database or do we need to include that as part of the proposal? | The tender only concerns the development of the contents and knowledge basis. The member country responses to the survey are likely to be made available as country files in a simple database form (similar to the one on the universal postal service: https://www.upu.int/en/Members-Centre/Policies-Regulation/Universal-Postal-Service )
In 2024, the UPU will look at building a database in which all contents of all kinds of surveys and information about sector relevant policies and regulations will be accessible. That database should have additional tools to query, search and filter the contents. The database development is outside of the scope of the present tender. |
15 | 4.1.2 | Evaluate the capacity of the IB and its contact points to assist UPU member countries and their relevant postal stakeholders with regard to personal data collection and protection, e.g. organizational functions, infrastructure, financial and human resources, standards and technologies; | It is our understanding that the following would need to be covered | The objective is 1) to develop a knowledge base so that the UPU International Bureau (IB) will be in a better position to support its member countries in their capacity to be compliant in the processing of (international) postal items with the data collection, processing and protection requirements in place and 2) to establish a minimum level of data collection and protection regulations, at least in respect of the postal sector, particularly with a view to safeguarding the safe processing and transmission of personal data between Union member countries in the context of international postal operations and 3) to define a methodology or solution through which the UPU IB would be able to monitor and determine levels of compliance with data collection and protection requirements (i.e. measurement against those UPU minimum standards under point 2)).
The project does not include the IT development of any systems.
|
16 | 4.1.3 | Draft a publication on the study on personal data pro-tection in international postal services | 1. Is the bidder expected to publish the result of the study or would this be done by UPU? | The study will be published with a UPU overlay (cover page and layout) and published on the UPU website. The contents of the study are delivered by the contractor. The contractor will be mentioned by name in the study
The company name of the contractor will not be published on the cover page or mentioned where the study is published. The contractor will be mentioned in the credits and in the foreword. |
17 | 4.1.3 (1c) | N/A | What is the expection from the case study collection? How many interviews are envisioned to be conducted for development of case studies? | The bidder needs to estimate the number of interviews and case studies are to be part of the study. This is based on experience of the bidder with similar projects. There are no directions specific to a minimum number of interviews and case studies that would be required. |
18 | 4.1.3 (2) | N/A | Is a separate report excepted for Phase 2b or can this be combined in the publication of 3b? | At the end of phase 2, a report is expected on the key elements and essential aspects of regulatory frameworks on personal data collection and protection. At the end of phase 3, a report on data protection relevant to international postal services is expected. Ultimately the different outputs of phases, 1 to 4, need to be consolidated in a final study to be published.
In the final study, national, regional and sectoral policies would be discussed, including recommendations for the data collection and protection in respect of the postal sector, particularly with a view to safeguarding the safe processing and transmission of personal data between Union member countries in the context of international postal operations |
19 | 4.1.3 (4) | N/A | Are separate reports expected for the elements of Phase 4 or can they be combined into one report? | The reports under phase 4 can be combined.
|
20 | 4.1.3 (3a) | N/A | In what format do you expect the country files to be delivered? (pptx, word, etc.) | The tender does not specify a specific format. Word is most commonly use and appropriate for updating. This format and allows for conversion to PDF. |
21 | 4.4 | Composition of the team and experience of the team leader | Please clarify the nature of the team members and team leader requested by UPU. | It speaks mostly to the relevance of experience of the proposed team. Experience in working in the field of data collection and protection policies; experience in similar type of studies; experience with the postal sector; years of professional experience are elements that weigh in the appraisal of bids. |
22 | 4.6 | The Vendor or its assigned consultant shall liaise and work closely with the UPU (as instructed by the latter) and may be required from time to time to carry out certain tasks from the headquarters of the UPU in Berne, Switzerland. | Please clarify how the bidder can quote the cost of the travels and other relevant expenses. | No travels are foreseen, other than the presentation of the final study at the UPU council of administration in April 2024. The UPU uses remote meeting platforms, like MS Teams, which allow for effective communication and meetings with the contractor so that travel is not required. |
23 | 3.7 | Payment shall be made in four equal instalments of 25% of the total amount, upon completion of all respective | Please confirm if the payment will be made on successfuly acceptance of the deliverable as per milestones 1,2,3 and 5 or on monthly basis of equal amount on monthly basis. | The amount quoted in the successful bid would be paid in equal parts of 25% for the completion of each of the different phases. The payments are subject to the validation of the content by the UPU within The UPU may contest the Vendor’s deliverables within 10 business days of receipt thereof. It is however envisaged that the UPU/IB will work with the contractor on the deliverables and that drafts are submitted for review and comments with a view to come to a good output. The bid may specify, in relation to the timeline in section 4.1.3 add additional steps for the review of the provided reports. |