Archive for February, 2013

Increased drug testing in the UK?

A consultation by the UK Government and the UK Intellectual Property Office has found widespread support for an extension to what is known as the “bolar” exemption. This exempts certain drug testing/research activities from liability for patent infringement in the UK. For many years the current UK exemption was seen as narrower and less liberal than most other European countries with the fear that this meant that more and more clinical research trials were taking place outside the UK due to the fear that those instructing and/or carrying out the research faced liability for patent infringement in the UK in relation to tests related to new or non generic drugs.  This was claimed to have resulted in a depleted skill base and increasing delays in getting new drugs to the market in the UK. 

Although no concrete assessment has been carried out there is a legitimate concern that the current position is placing the UK at a competitive disadvantage in the field of clinical research trials resulting in significant financial loss. Clearly a key issue in the assessment of where and who to instruct to carry out such trials will be the potential risk of liability for patent infringement. It is not surprising then that 94% of responses supported a wider exemption.

The consultation results conclude that Section 60(5) of The Patents Act 1977 should be widened and amended to include an exemption from infringement for activities involved in preparing or running clinical or field trials involving innovative drugs for the purpose of gaining regulatory approval in any country (i.e. not just for obtaining drug or regulatory approval in the UK or EU). It is likely that this will also extend to health technology assessment activities for example in compiling data to support assessment by organisations such as The National Institute for Health and Clinical Excellence (NICE).

The next step is legislative reform and given the clear support from both government and the related pharmaceutical and clinical research industries it is anticipated that the revisal could be in place in 12 months time.  At a time when there are wider initiatives such as the Patent Box (offering a very attractive rate of tax in the UK as from April 2013 for revenue generated from qualifying patents) aiming to encourage more innovation and investment in research and development in the UK, this proposal is to be welcomed. Hopefully this will result in more home based trials which should benefit pharmaceutical and life sciences organisations as well as clinical research organisations – all of whom are key players in the Scottish economy.

Robert Buchan


Cloud computing and “data ransom” – it’s not a myth

Here on TechBlog we have mentioned on a couple of occasions (here and here) that one of the biggest risks arising out of the use of cloud computing/third party hosted services is the concept of “data ransom”.

That is, in the event that the contract terminates or the supplier becomes insolvent the customer is unable to get its hands on its data without handing over a chunk of cash.

According to a story in Computing Weekly last Friday about the insolvency of acquisitive data centre operator 2e2, that risk is no longer a hypothetical one.

Last week, the administrators of 2e2 contacted its customers (including a number of NHS Trusts) and told them that they required its customer base to provide nearly £1m of funding in order for the business to continue providing services. This is presumably in addition to the charges that the customers are obliged to pay.

The joint administrators’ letter to customers states that this funding is required in order to enable 2e2 to continue trading and allow customers to access their data and migrate to another provider:

As you will understand, we have received a number of requests from customers seeking to gain access to their data immediately and to transition services to alternative providers. Unfortunately, the levels of data held in the Companies’ Data Centres are such that this process could take up to 16 weeks and we will need to ensure that the integrity of third party data and security is maintained.

If its customers do not pay then:

We will be unable to maintain the datacentre infrastructure and we will have no alternative, other than to cease all operations without any managed wind-down of those operations.

For “without any managed wind-down” read “we will switch off the service without notice and without any assistance to help you access your data and transition elsewhere.” For any business that depends on the operation of the data centre for its livelihood, that’s a pretty frightening prospect.

Warning signs
In the case of 2e2, it seems that it had been suffering financial problems for some time.

In 2012, it was in court twice following the late payment of debts. It was also revealed that the annual interest payments on its debt were more than £20m a year (as against a turnover of around £40m).

A fortnight before the adminstrators were actually appointed, Channel Register also reported that 2e2 had breached its banking covenants in December and had reached its credit limits with suppliers.

These should all have acted as warning signs to customers that things weren’t looking good, and that action was required.

Contracting for cloud services
So what can you do?

  • First of all, don’t use a traditional IT services contract to contract for critical cloud/hosting services. It will likely be deficient. As will the supplier’s standard terms. It’s also essential that your lawyer understands how the cloud works, terminology, and why the risk profile is different to that for other ICT. If not, then your contract is unlikely to deal with those risks.
  • Carry out financial diligence on your supplier (and its parent company). How solvent is it? How much debt is it carrying? Can you get a parent company guarantee? Does the supplier actually own its kit/premises or is it leased? What happens if the supplier defaults on lease payments and the lessor wants its kit back?
  • Keep financial diligence under review by carrying out regular checks on the supplier.
  • Ensure that the contract allows you to terminate in the event that things look bad. Once a supplier has entered insolvency it will be much harder to transition away from the supplier. If the business isn’t viable as a going concern then the administrator is unlikely to be interested in your problems.
  • Ensure that your contract includes exit assistance provisions and that a draft exit plan is actually developed (and maintained) whilst things are going well.
  • Ensure that you have internal business continuity plan in place to deal with supplier insolvency. How critical is the supplier? What is your strategy? How do you mitigate the risks? Do you have dual suppliers (potentially expensive)?
  • Consider other technical measures. Source code escrow is pretty pointless for cloud (your immediate requirement is the object code and data, not the source code). How about ensuring that you get a regular of the data or a copy of virtual server?

Finally, think about auditing your existing contracts for cloud services. What do they say? Are you comfortable that you can quickly (and safely) transition away from the supplier? If not, now is the time to review them and ensure that you have appropriate provisions in place. Remember – the time to repair a roof is when the sun is shining.

Martin Sloan

Riding on the #sandwichvan – some lessons for enterprise use of social media

Last week I read a very interesting guest post on the new Scottish Public Sector Digital Group blog. The blog was posted by an e-government manager at Aberdeen City Council, and recounts the Council’s experiences in using a recent trending story on Twittter to push out information to citizens in Aberdeen.

The blogpost is a essential reading for any organisation that uses social media – not just those in the public sector.

The background
The backdrop to the story is the so-called “Sandwich Van” email, where last month an employee at an engineering company in Aberdeen accidentally copied an embarassing email exchange between her and her fiancé to the entire office (with the subject line “Sandwich Van”). That email was then sent out of the organisation by another employee and within a matter of hours had made its way around the world. As is the way these days, the email was also posted on Twitter, and the hashtag “#sandwichvan” quickly started trending.

The e-government manager at the Council saw this, and used a bit of ingenuity when posting a tweet (using the council’s official twitter account) with a link to information about road gritting in the Aberdeen Council area:

Whether you drive a #bus #car or #sandwichvan in Aberdeen you’ll find useful gritting + snow clearing info here:

The reaction
The tweet didn’t link directly to the original story (or tell you anything about it), but was (I think) an innocent and fun attempt to widen local awareness about road conditions that night by riding on the tails of a trending hashtag. According to the blog post, initial analytics suggest that this was successful.

However, another employee at the Council (not familiar with social media) was apparently nervous about the tweet and the Council’s association with a story that ultimately led to the people involved resigning from their jobs, and decided that the tweet should be deleted. It appears that no discussion took place with the original poster before the tweet was deleted.

The reaction on Twitter (as evidenced by the healthy and informed debate in the comments section of the blogpost) was equally split:

  • Some people commended the Council for actively engaging in social media in an entertaining way – something that many large organisations are not always very good at.
  • Others felt that it was not appropriate for the Council, as a public body, to (or to be seen to) be capitalising on the public embarassment of two of its citizens.
  • Some felt that the tweet breached Twitter’s house rules as it was unrelated to the #Sandwichvan hashtag (although given the vagueness of Twitter’s guidance on this, in my view this is a moot point in relation to this particular tweet).
  • Others were equally outraged that having posted the tweet the Council then deleted it, something that is often considered as bad online etiquette.

What can we learn?
I’ll leave it up to you to decide whether or not it was appropriate for the Council to post the tweet.

For any organisations that use social media, this story provides a number of issues to think about:

  • Who should have access to a social media account within an organisation? Do you even know who has access to your social media account? HMV certainly didn’t.
  • An inappropriate tweet can have a big impact on an organisation’s reputation. Do you have a policy on what sort of tweets are appropriate and what are not? Do you give your staff sufficient guidance?
  • A third party approval process for tweets isn’t practical. It’s therefore essential that those empowered to use an official social media account know what the organisation considers appropriate and that they are responsible for ensuring that the tweets they issue comply with those requirements. If you don’t think that person is capable of making that assessment, then they probably shouldn’t have access to the official social media account.
  • What is you policy on utilising hashtags? Is the organisation happy to be associated with trending stories? Do your staff know about Twitter’s house rules on behaviour that might lead to accounts being blocked?
  • If you subsequently decide that a tweet might not have been appropriate, what is your policy for dealing with that? How do you resolve differences of opinion internally? Who has authority to delete tweets? Is it better to simply issue an apology rather than delete it and pretend the original tweet hadn’t been posted?

These are all issues that should be addressed in an organisation’s social media policy, and should be communicated to all staff involved in the use of social media.

If you’d like to discuss your organisation’s use of social media, or would like assistance in developing a social media policy, please get in touch.

Martin Sloan

Information Commissioner reveals methodology for calculating monetary penalty notices

Last month, the Information Commissioner’s Office (ICO) successfully defended the first appeal against a monetary penalty notice issued by the ICO for a breach of the Data Protection Act.

The appeal was by Central London Community Healthcare NHS Trust, which appealed against a fine of £90,000 issued for repeatedly faxing a list of pallaiative care in-patients to the wrong fax number.

The most interesting aspect of the appeal is that as part of the ICO’s defence of its decision, the Tribunal was presented with information on the ICO’s internal methodology for calculating monetary penalties.

The ICO’s methodology
The process comprises three stages.

Firstly, a decision is amade as to whether or not to issue a monetary penalty.

Secondly, the case is placed in one of three bands, depending upon the seriousness of the contravention:

  • Serious – in which case the fine will be between £40,000 and £100,000
  • Very serious – in which case the fine will be between £100,000 and £250,000
  • Most serious – in which case the fine will be between £250,000 and £500,000

Finally, the ICO selects the mid point of the applicable banding (so, for a “very serious” fine, £175,000) and then assesses the aggravating factors to see if the fine should be higher and the mitigating factors to see if it should be lower. The aggravating and mitigating factors create an overall weighting, which is then applied to the fine.

Applying this methodology to the Central London Community Healthcare NHS Trust decision, we can see that the ICO viewed this breach as being a “serious” breach with a number of aggravating circumstances (it was towards the top of the £40,000 to £100,000 banding for a “serious” breach).

Interestingly, in its decision the Tribunal queried whether the breach in this case should actually have been classified as a “very serious” breach, given the nature of the breach, the information involved and the fact that the Trust was also in breach of the well established Caldicott Principles.

Early payment discount
In its decision, the Tribunal also upheld the ICO’s decision to permit an early payment discount only if the organisation does not appeal.

Whilst the Tribunal’s decision is not binding on subsequent tribunal hearings, the guidance does provide organisations faced with a notice of intention to impose a monetary penalty notice with more information on how the ICO has calculated the proposed fine. This should in turn help organisations to ensure that any challenges to the size of a monetary penalty can be made by reference to the ICO’s own methodology.

Martin Sloan

ICO revisits approach to cookie law consent – what does this mean for other organisations?

Last month, the Information Commissioner’s Office (ICO) announced that it was going to change the way that it sought to obtain consent from users to the use of cookies on its website, as required under laws that came into force in May 2011 (known as the cookies law). Those changes were implemented on Friday.

What’s changed?
Firstly, the ICO’s website now sets certain non-essential cookies automatically upon arrival. This is a big change from the old approach and marks a shift from prior, explicit, consent to implied consent.

After moving to prior, explicit, consent, recorded traffic to the ICO’s website dropped by 90% as a consequence of users failing to accept cookies (including a Google Analytics cookie used to analyse traffic). Reinstating implied consent will mean that those figures will go shooting back up, giving the ICO a much better idea about how people use itse website. According to the ICO’s news release, this was one of the main drivers behind the change to its cookie consent policy.

Secondly, the ICO has updated its banner notification. The old one looked like this:
Screenshot of ICO website in 2012

The new one looks like this. The banner has now moved to the bottom of the screen (but not the bottom of the page) and is a bit more subtle (no contrasting text colour or box shading to make it stand out):
Screenshot of the ICO website. 4 February 2013

The banner message has been amended to maked it clear that the website has “placed” cookies (as opposed to “will place”), and provides a pointer to allow users to change settings. Notably, the banner will remain until the user clicks “don’t show this message again” or moves to another page.

Surprisingly, the banner message still says that cookies are used to “make this website better”. Given the ICO’s otherwise very strict adherance with the cookie law rules, I’ve always thought that this was a very ambiguous basis upon which to obtain user consent – better for whom? The user? The ICO?

Thirdly, the ICO has shifted information on the use of cookies to a new standalone cookies page.

Finally, on that page (but not on the banner itself) is an option for users to delete non-essential cookies and not set them again:
Screenshot of cookies opt out button on ICO website
This allows users who do not wish cookies to reject them, notwithstanding that they were automatically placed upon arrival at the website. Unsurprisingly, this cookie control tool relies upon a cookie to remember the user’s setting.

What does this mean for other organisations?
Whilst the ICO argues that its revised approach is consistent with its own guidance, other organisations will take some comfort from the ICO’s new approach to cookie consent:

  • The ICO is of the view that knowledge about cookies amongst internet users is much greater than it was 8 months ago.
  • Explicit consent is therefore no longer considered necessary by the ICO for low risk, but non-essential, cookies.
  • Setting cookies on arrival, based upon implied consent, can be appropriate depending on the potential intrusiveness of the cookie. Pre-setting an analytics cookie is one thing; doing the same with a behavioural advertising cookie is quite another.
  • Banners or other methods used to notify users about the use of cookies may not need to be as prominent (design intrusive) as perhaps previously thought.
  • Using a cookie to identify a user that has opted out of other cookies is considered by the ICO to be an appropriate approach, provided users are notified about this.
  • Pointing users to third party websites for further information on third party cookies (such as those used for embedded YouTube clips on the ICO’s website) remains the ICO’s method of dealing with third party cookies.

If you would like to discuss how your website or mobile app deals with cookie law, or would like to understand the implications of the ICO’s revised approach for how you currently handle cookies, please visit our cookies page or get in touch.

Martin Sloan

Twitter: @BrodiesTechBlog feed

February 2013
« Jan   Mar »

%d bloggers like this: