My previous posting examined three issues relating to confidentiality obligations in an outsourcing agreement where care and attention may be needed to ensure that the parties achieve the results they are intending. I want to continue along the same path in today’s posting, looking at four more issues relating to confidentiality obligations in outsourcing agreements that the customer or the service provider do not always get right.
4. Restrictions on the disclosure and use of Confidential Information
Confidentiality obligations frequently limit the ability of a party to use or disclose the confidential information of the other party in terms similar to the following:
“A party may use, disclose or make available relevant aspects of the other party’s Confidential Information:
(a) only to its personnel and subcontractors to the extent that: (i) the use, disclosure and making available thereof is necessary for the performance of the receiving party’s rights or obligations under this Agreement; and (ii) such persons have an actual need to know such information and have signed non-disclosure agreements as required by this Agreement;”
However there are many reasons for which a party may wish to use the confidential information of the other party that involve disclosure to persons other than its personnel or subcontractors or that transcend performance of the party’s rights or obligations under the outsourcing agreement including:
(i) to permit disclosures required under applicable law;
(ii) in connection with audits, reviews, investigations or disputes under the outsourcing agreement;
(iii) to its legal counsel, auditors or other professional advisors in order to obtain their advice;
(iv) internally or to its parent or affiliated entities as part of the party’s internal approval processes;
(v) to banks or other financial institutions in connection with the party’s financial arrangements;
(vi) in the event of an amalgamation, merger or acquisition or proposed amalgamation, merger or acquisition affecting a party;
(vii) to other service providers where the customer has adopted a multi-sourcing strategy; and
(viii) as part of a re-procurement where the customer is not renewing the outsourcing agreement.
Some of these situations are likely to be covered by express provisions of the outsourcing agreement, e.g. outsourcing agreements normally provide that it is not a breach of the confidentiality obligations for a party to disclose confidential information to the extent required by applicable law. Other circumstances, such as disclosure in connection with a party’s internal approval processes, may arguably be shoehorned into agreement provisions relating to “performance of the receiving party’s rights or obligations” (so long as the reviewers or approvers fall into the permitted class of individuals to whom information may be disclosed under the agreement).
This does not mean though that all uses or disclosures of confidential information can be justified on the basis that they are necessary for performance of a party’s rights or obligations. To avoid having to seek consent in the future, each of the customer and service provider should identify, before the outsourcing agreement is signed, the various circumstances in which it may wish to use or disclose the confidential information of the other party. It should then review the outsourcing agreement to ensure that such use and disclosure of the other’s confidential information is permitted.
5. Including Personal Information within the definition of Confidential Information
Customer Confidential Information is sometimes defined in outsourcing agreements along the following lines:
“Customer Confidential Information” means any technical, business, financial, personal, employee, operational, scientific, research or other information or data of the Customer … and including any Personal Information … .
Unfortunately, without more, the confidentiality obligations of the outsourcing agreement may provide poor protection for any personal Information that the customer entrusts to the service provider. This is not just because traditional exceptions to the scope of information required to be retained in confidence (e.g. information that is in or subsequently becomes part of the public domain) may serve to exclude personal information from the protective cloak of the confidentiality obligations. There are also issues uniquely associated with the service provider’s possession of personal information that should be identified, discussed by the customer and service provider and, if appropriate, dealt with in the outsourcing agreement. These issues include:
(i) restrictions on the transfer of personal information outside Canada or the access to such information from a location outside Canada;
(ii) requests received by the service provider directly from individuals for access to personal information about them collected by the service provider in performing the services;
(iii) data breach notification;
(iv) in the context of business process outsourcing, limitations on the service provider’s ability to develop “consolidated views” of individuals, i.e. to link personal information about the individuals from different sources that may well have been collected by or on behalf of the customer for other or restricted purposes; and
(v) responsibility for compliance with existing statutory obligations relating to privacy, personal information and personal health information and for dealing with any changes to such laws.
The inclusion of personal information within the definition of Customer Confidential Information in an agreement does provide a short hand way of addressing certain of the customer’s personal information obligations. However the Customer also needs to review the confidentiality obligations to ensure that standard exceptions do not vitiate whatever protection is provided and to identify any additional obligations relating to the types of personal information to be made available that should be flowed down to the service provider.
6. Including Proprietary Materials and/or Intellectual Property Rights within the definition of Confidential Information
Very often, one of the thorniest issues in negotiating an outsourcing agreement (after limits of liability) involves the ownership of and rights to use work product, e.g. systems, IT and business processes and related materials developed during the performance of the outsourcing agreement. From the customer’s perspective, it is paying the service provider for the services including for development of the work product: therefore, it should have the ownership of and the exclusive rights to exploit anything that may be developed in performance of the outsourcing agreement. The service provider sees the issue through a different proprietary lens: in developing the work product, the service provider is leveraging its existing expertise and knowledge and the amount the customer is paying does not compensate it fully for this expertise and knowledge, nor for the risks of non-performance being assumed. The customer’s rights to the work product are not pre-ordained but, rather, need to be agreed to by the parties. In all events, at least according to the service provider, it should not be precluded from using the work product in its business.
One of the ways that the ownership of work product issue can be resolved is to provide that: (i) the customer owns work product developed under the outsourcing agreement; and (ii) the service provider has the right to use in its business any residual knowledge (ideas, concepts, know-how, skills and experience) retained by it in intangible form. Regardless of the exact basis on which the ownership issue is resolved however, the customer and the service provider should take care to ensure that their intended resolution survives the intersection of the intellectual property provisions and the confidentiality obligations of the outsourcing agreement. Often, the definition of Confidential Information will include wording similar to:
“Confidential Information shall also include, whether or not designated as “Confidential Information” … the Proprietary Materials of either party.”
If this is the case and the definition of Proprietary Materials includes work product developed under the agreement, there may be a conflict between: (i) restrictions on the service provider’s ability to use customer confidential information imposed by the confidentiality obligations; and (ii) the residual rights or other ownership provisions of the outsourcing agreement. The customer and the service provider should trace the residual rights and ownership provisions through the confidentiality obligations to confirm that the result reflects their intended agreement.
7. Third Party Beneficiaries
As indicated in item 4 above, there are many different situations in which one party may wish to disclose the confidential information of the other to a third party, e.g. the service provider may wish to disclose confidential information of the customer to its subcontractors or the customer may need to disclose confidential information of the service provider to other entities providing services to it in order for the various services to inter-operate. The outsourcing agreements will normally allow for such disclosures (sometimes with prior approval), so long as: (i) the receiving party has a need to know such information; (ii) the receiving party agrees to terms and conditions substantially the same as or equally protective as the confidentiality provisions of the outsourcing agreement; and (iii) the party disclosing the information remains responsible for the performance of the receiving party.
These provisions may provide the customer or the service provider with some comfort concerning the disclosure to third parties of its confidential information. This comes from the expectation that the other party to the outsourcing agreement will be exercising diligence in selecting and monitoring the entities to which confidential information is disclosed because the other party is responsible for any breaches by the third party.
These provisions do not however provide the customer or service provider with the ability to enforce the third party’s compliance with the confidentiality obligations flowed down to it or a direct right of action against any third party for the third party’s breach of such confidentiality obligations. To achieve this result, it will be necessary to specify in the outsourcing agreement that the customer or service provider is a third party beneficiary of any agreement entered into by the other under which the customer or service provider’s confidential information is disclosed, e.g.:
“All agreements entered into by the customer or service provider under which the Confidential Information of the other party (the “Owner”) is disclosed or made available to a third party in accordance with this Agreement shall … include the following:
(i) provisions under which the third party agrees to and is bound by the confidentiality obligations set forth in this Agreement in respect of the Confidential Information of the Owner; and
(ii) provisions naming the Owner as an intended third party beneficiary of such confidentiality obligations set forth in the agreement with the third party, with the right to enforce such confidentiality obligations in respect of its Confidential Information directly against the third party and providing for the delivery by the third party of a certificate to such effect to the Owner on request from the Owner.”
It should not be taken for granted however that each party will automatically agree to include such a third party beneficiary provision in the outsourcing agreement. Either the customer or the service provider may not agree, as a matter of business philosophy, to allowing the other to have a direct right of action against its subcontractors or other service providers, or the arrangements it has implemented with the subcontractors or other service providers may not provide for such arrangements. If the inclusion of a third party beneficiary provision is important to a party, the issue should be raised early in the negotiations.
There is one additional item with respect to confidentiality obligations in outsourcing agreements that is worthy of comment: the standard of care that the parties must meet in protecting the confidential information of the other. That concern will be the subject of a future post.