Update MOU #2528

Closed
theseanything wants to merge 11 commits into main from theseanything/update-mou

@theseanything
Contributor

This pull request updates the Memorandum of Understanding (MOU) text shown to users in the app/views/mou_signatures/_mou_version_current.html.erb file. The changes clarify the agreement's start conditions, notification periods, and responsibilities regarding security, data management, and access. The language is simplified and some sections are condensed for clarity and to reduce prescriptive technical detail.

Key changes include:

Agreement terms and notifications:

  • The agreement now starts when a user agrees to the MOU on behalf of their organisation, rather than when 'Organisation Admin' accounts are created.
  • The notification period for updates to the agreement is reduced from 30 to 7 calendar days.
  • References to upgrading users to Organisation Admins upon agreement have been removed.
  • The definition of "Organisation Admin" has been removed from the glossary.

Security and access responsibilities:

  • Security requirements for users are now described in general terms, focusing on maintaining appropriate safeguards, rather than listing specific practices and technical standards.
  • The responsibility for managing user access is clarified, including promptly removing access for users who no longer require it.
  • The responsibility for the security and configuration of systems used to receive form response data (including email, APIs, and cloud storage) is made explicit, with a requirement to comply with government secure email policy.
  • The duty to validate form response data, including email addresses, is clarified as the organisation's responsibility.

Other clarifications:

  • The statement about the service being free is simplified, with rationale and context removed.
  • The suggestion regarding Data Protection Officer access is reworded to focus on ensuring appropriate access rather than specifying account types.

Clarify that it begins when a user accepts the agreement on behalf of their organisation, rather than tying to the concept of Organisation Admin.
This decouples the MOU from the specific way we model permissions.
This eliminates unnecessary details, we don't need to explain why in the MOU.
This doesn't define any responsibilities and something that can be in the product documentation.
This simplifies the text, as organisations can generally provide access themselves without needing to get in touch.
Updated the text to specify that organisations are responsible for managing user access to GOV.UK Forms, including the prompt removal of access for users who no longer require it.
Updated the text to be more general and remove specific examples.
Updated the text to clarify that users are responsible for the security and configuration of systems receiving form response data, while removing specific examples and redundant notes.
Updated the text to emphasize that users must validate any form response data, including email addresses, to ensure accuracy and suitability for its intended purpose.
@sonarqubecloud

sonarqubecloud bot commented Feb 2, 2026

@github-actions

github-actions bot commented Feb 2, 2026

🎉 A review copy of this PR has been deployed! You can reach it at: https://pr-2528.admin.review.forms.service.gov.uk/

It may take 5 minutes or so for the application to be fully deployed and working. If it still isn't ready
after 5 minutes, there may be something wrong with the ECS task. You will need to go to the integration AWS account
to debug, or otherwise ask an infrastructure person.

For the sign in details and more information, see the review apps wiki page.

Contributor

@DavidBiddle DavidBiddle left a comment

Changes all look sensible, they're clearly written, and well explained in the commit messages 🎉

I think the Last Updated date needs changing but once that's done I think this all looks good.

@theseanything
Contributor Author

Out of date now.
