On 23 February 2022, Scotland’s Serious Organised Crime Strategy was published. The strategy has four strands (divert, deter, detect and disrupt) and is about all of Scotland working together to reduce the harm caused by serious organised crime (SOC). It is about detecting and disrupting SOC Groups, but it is also about preventing SOC at source: cutting off the markets, the recruits and the opportunities on which SOC relies.
This includes preventing companies with links to SOC bidding for, securing and profiting from public sector contracts by using the measures available through public procurement legislation, policy and tools.
Law enforcement intelligence shows that those involved in SOC use semi-legitimate companies to gain contracts available from the public sector. The profits they gain from these contracts are then used to fund organised crime, including drug dealing, people trafficking and money laundering.
Police Scotland advice is that organisations engaged in SOC tend to be chaotic in their nature and may find it difficult to maintain consistent systems and processes to the extent expected from bona fide companies. More information on SOC is available from the Crime Prevention page of the Scottish Government website.
Some of the greatest risks arise in the private security industry. The Security Industry Authority (SIA) is the independent organisation responsible for regulating the private security industry, under the terms of the Private Security Industry Act 2001.
The SIA Approved Contractors Scheme (ACS) comprises a set of operational and performance standards for suppliers of private security services. Those organisations that meet these standards are awarded Approved Contractor status, and may advertise themselves as such.
Any contractor or sub-contractor performing security industry services under a Scottish Government contract is required to be registered with the ACS for the category of security service being provided/performed under the contract. Public sector organisations are encouraged to adopt an equivalent approach for relevant contracts.
The cyber resilience of suppliers is increasingly important as the number of cyber-attacks targeting suppliers to the public sector has grown in recent years. Attacks can (intentionally or otherwise) disrupt and damage both suppliers’ services and public services.
The Scottish Public Sector Supplier Cyber Security Guidance Note was published to help the public sector consider cyber security and resilience of supply chains. The guidance for buyers includes more information on how to assess and manage cyber risks as part of the procurement process.
A Cyber Security Procurement Support Tool has been developed to help public sector organisations embed appropriate and proportionate cyber security assurance in their procurement process, and improve the cyber security of the supply chain. It may be relevant to ask bidders to use the Cyber Security Procurement Support Tool as part of their bid. Guidance for suppliers has also been produced.
Cyber resilience advice and support for individuals, businesses and organisations is available from the Cyber Resilience advice and support page of the Scottish Government website and also through the CyberScotland.com website.
Cyber security arrangements for systems processing personal data form a key aspect of compliance with the UK GDPR, which took effect on 25 May 2018. The data protection obligations placed on organisations and their supply chains by the UK GDPR go wider than technical measures to protect personal data. See the Information Commissioner’s Office (ICO) Guide to Data Protection for more information.
A buyer should determine whether any personal data processing is involved as part of a contract or framework agreement, for instance by a third party supplier, and also the technical protections that might be needed as a result. There should be a legally binding contract with that supplier that includes certain mandatory terms from the UK GDPR as to the roles and responsibilities of each party for data protection.
When personal data is no longer needed, it needs to be destroyed securely. If outsourcing this work to a shredding service or other disposal contract, ensure that data will be handled and disposed of securely.
In order to prevent public money from ending up funding SOC, and to allow legitimate businesses to thrive, it is important that we do all we can through procurement legislation to prevent companies who launder money, evade taxes or cut corners, from competing for and securing public contracts.
The Procurement Reform (Scotland) Act 2014 (the Act) places a sustainable procurement duty on a contracting authority, before they buy anything, to think about how they can, through their procurements, improve the social, environmental and economic wellbeing in Scotland, with a particular focus on reducing inequality, and to act in a way to secure this. This can be done, for example, through the appropriate use of the sustainability test and its associated tool, the prioritisation methodology, and the application of relevant and proportionate contract requirements.
The Act also requires obligated organisations to develop a corporate procurement strategy and report against its delivery at the end of each year. This should include a statement of its general policy on the procurement of fairly and ethically traded goods and services, and this could include their approach to serious organised crime.
The public procurement regulations allow, and sometimes require, a contracting authority to exclude companies from tendering for public contracts for not meeting certain conditions, and select the most suitable bidders based on technical ability and previous experience in relation to the subject matter of the contract. This is done through the Single Procurement Document (SPD).
Regulation 19(4) of PC(S)R 2015 places a legal obligation on contracting authorities to include relevant clauses in their contracts to ensure those they contract with comply with environmental, social and employment law obligations.
Regulation 57(2) of PC(S)R 2015 allows contracting authorities to reject bids that do not comply with applicable obligations in the fields of environmental, social and labour law established by EU law, national law, or collective agreements.
Regulation 69(5) places a legal obligation on contracting authorities to reject bids that have been found to be abnormally low because they do not comply with applicable obligations in environmental, social or labour law.
The public procurement regulations also permit contracting authorities to ask for tenderers to be registered under a certain label scheme, as long as the circumstances outlined in Specification apply. Examples include Cyber Essentials or Cyber Essentials Plus, a Government-backed scheme to help businesses of any size protect themselves against a range of the most common cyber attacks and to demonstrate their commitment to cyber security, as well as IASME and ISO/IEC 27001 (allowing also for equivalent standards).
The relevant National Outcomes and Indicators within the National Performance Framework focus our activity around ‘creating a more successful country, with opportunities for all of Scotland to flourish, through increased wellbeing, and sustainable and inclusive economic growth’. The relevant National Outcomes and Indicators for security and crime are:
Scotland was one of the first countries in the world to sign up to the Sustainable Development Goals, which have been developed to achieve a better and more sustainable future for all. Many of the Goals align with Scotland’s National Performance Framework.