Archive for April, 2013

Survey highlights key issues for senior IT professionals in IT outsourcing contracts

Supply Management, the official journal of the Chartered Institute of Purchasing and Supply, yesterday published details of a report by outsourcing consultancy Alsbridge into customer satisfaction with IT outsourcing arrangements.

According to the report, just over a quarter of the 250 senior IT professionals canvassed were unhappy with at least one of their IT outsourcing contracts, with 76% considering renegotiating or retendering two or more of their IT outsourcing contracts before the end of the term.

The reasons for this are telling, if unsurprising.

Too much left to be agreed post signature
40% of respondents said that they had left too many important details in the contract to be confirmed at the point at which the deal was signed.

There is often a push to sign a contract by a certain date, come what may.

However, that can be dangerous. Once a contract has been signed, the balance of power shifts hugely in favour of the supplier, meaning that the customer will usually be in a very weak position when it comes to reaching agreement on the outstanding issues.

If things are left to be agreed, it is therefore essential that the contract sets out a clear process for agreeing those outstanding points (with appropriate remedies if agreement can’t be reached) and that key commercial issues are resolved prior to signature.

Changing requirements
54% of respondents said that their IT outsourcing contracts failed to keep up to date with changing technology needs, with 46% saying that the contract also failed to keep up with changing business needs.

These are classic problems, particularly in long term outsourcing contracts. IT quickly dates, and the requirements of the customer’s business are always changing. It’s therefore essential that the contract includes continuous improvement obligations. These might include IT refresh obligations, obligations to keep up to date with industry best practice or to adopt industry standards, and an obligation to regularly propose ways in which the services can be improved or delivered at better value.

Combined with this, it’s also important to ensure that the contract contains a robust governance and change control procedure, which allows the customer to ensure that issues are managed and to introduce changes to reflect the changing needs of its business. This might also include clear processes for ramping up or ramping down service provision or the scope of the services in the event of changing business requirements.

Value for money
Another theme coming out of the survey was value for money. 49% of respondents cited diminishing returns on their IT outsourcing investments, whilst 36% highlighted problems with complacent suppliers. A further 46% of respondents said that they were under pressure to cut costs.

Benchmarking provisions can help a customer to keep track of whether its outsourcing contracts are delivering value for money. However, a benchmarking regime is only effective if it encourages the supplier to keep its service provision competitive. Key to that is ensuring that the customer has adequate remedies if the benchmarking findings show that the supplier is out of step with the market. These might include mandatory price reductions, or a right for the customer to break the contract and move to another supplier (albeit the latter is not without cost, given the expense of running a new procurement exercise and transitioning to another vendor).

Long term, not short term
If these issues are properly addressed in the contract then the outsourcing arrangement is likely to be more productive and rewarding for both the customer and the supplier.

Whilst there is always a pressure to sign deals as soon as possible (particularly against artificial deadlines such as the end of a calendar year or the supplier’s quarter), this survey just goes to show that spending more time on the contract (and involving legal input at an early stage in the procurement process) can lead to a more satisfactory outsourcing relationship in the long term.

Which, ultimately, is what outsourcing is all about.

Martin Sloan

European guidance on mobile apps and privacy

The Article 29 Working Party (the “A29WP”), a grouping of representatives from the various European data protection regulators, recently issued an opinion on apps on smart devices.

There are two constants with the A29WP’s opinions:

  • Firstly, although often presented as such, they are not an authoritative statement of the law. They simply set out the collective (sometimes aspirational) interpretation of the European data protection directive.
  • Secondly, the opinions set out a far stricter interpretation of the directive than that usually taken by the UK’s Information Commissioner’s Office (ICO). This reflects the fact that the ICO usually takes a more business friendly/pragmatic approach to interpreting the law than some of its European counterparts.

That said, the latest opinion provides some useful guidance for app developers, and builds on previous guidance from California’s attorney general and the GSMA, which I summarised in this blog post last year.

The guidance also follows on from the so-called Cookie Law, which (contrary to popular opinion) also applies to mobile apps.

Why do mobile apps raise privacy concerns?
As I noted in that blogpost, there are a number of reasons for the current privacy deficiencies with mobile apps:

  • The market is immature, with many apps developed by individuals or small companies not familiar with privacy laws, but whose products have become hugely popular.
  • The distribution model is fragmented and apps frequently incorporate third party services (for example, mapping providers) into their functionality. SDKs and OS developer rules impose strict controls on developers, yet they don’t provide the necessary tools to ensure that developers adopt privacy by design.
  • The mobile app market has developed at the same time as a vast expansion in the data created by devices, such as geolocation data.
  • Many app developers are located outside the EU and are therefore unfamiliar with European privacy rules, despite the fact that they are selling their apps to users in the EU.

A29WP’s recommendations
The opinion imposes a number of requirements on app developers. These include:

  • App developers must understand their obligations as data controllers when they process data from and about users.
  • Freely given, specific and informed consent must be sought before an app is installed.
  • Granular consent must be obtained for each specific category of data that the app will access.
  • The user must be provided with well-defined details of the purposes for which data will be processed before the app is installed. General purposes such as “product innovation” or “market research” are, in the A29WP’s opinion, not sufficient.
  • The purposes for which data is processed must not be changed without obtaining new consent from the user.
  • Users must be provided with a readable, understandable and easily accessible privacy policy, which includes
  • Allow users to revoke their consent and uninstall the app and delete data where appropriate.
  • Incorporate data minimisation and privacy by design/default.

Part of the problem with these requirements is that some of them are impossible to achieve in practice as they are dependent upon the design of the app store and OS ecosystem. For example, the way in which most smart device operating systems install apps means that there is no opportunity in the app purchase system to notify users about data use and obtain consent. This could be set out in the app licence terms of use, but given the low profile given to such licence terms in the app store purchase process, this wouldn’t meet the A29WP’s own recommendations on obtaining consent.

This is presumably why the opinion also sets out a number of requirements on app stores and OS and device manufacturers, even though there appears to be little basis in law for such requirements (neither party is a data controller in relation to data primarily processed by the app/the app developer).

These requirements include, for example, an obligation on app stores to check that app developers have incorporated appropriate consent mechanisms, and obligations on OS manufacturers to build additional controls into their OS APIs to facilitate consent to access data on the device.

The practical approach
In my view, given these technical limitations, it is more pragmatic to recommend that app developers design apps so that the privacy policy is displayed, and consent obtained, when the app is first opened, and that no data is captured until this takes place. This way, app developers can be sure that they do not inadvertently collect data without consent.
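As an added illustration of the approach described above (example code written for this page, not from the A29WP opinion or from any real app; the category names, purposes and coordinates are constructed), the following Python sketch gates every write behind a per-category, per-purpose consent record, refuses purposes the user was never told about, and deletes the data when consent is withdrawn:

```python
# Added example: a consent gate that stops an app collecting data until the
# user has given specific, purpose-bound consent on first launch.
# Hypothetical code, not from the A29WP opinion or any real app.
from typing import Dict, List, Set, Tuple


class ConsentRequired(Exception):
    """Raised when the app tries to collect data it has no valid consent for."""


class ConsentLedger:
    """Records which data categories the user consented to, and for what purpose.

    `declared_purposes` is the specific purpose list shown in the privacy notice
    on first launch, e.g. {"geolocation": {"show nearby stores"}} (constructed).
    """

    def __init__(self, declared_purposes: Dict[str, Set[str]]):
        self._declared = declared_purposes
        self._grants: Dict[str, Set[str]] = {}   # category -> consented purposes

    def grant(self, category: str, purpose: str) -> None:
        # Only purposes the user was actually shown can be consented to, so a
        # vague catch-all such as "market research" cannot be slipped in later.
        if purpose not in self._declared.get(category, set()):
            raise ValueError(f"undeclared purpose {purpose!r} for {category!r}")
        self._grants.setdefault(category, set()).add(purpose)

    def revoke(self, category: str) -> None:
        self._grants.pop(category, None)

    def allows(self, category: str, purpose: str) -> bool:
        # Granular: consent is checked per category and per purpose.
        return purpose in self._grants.get(category, set())


class GatedStore:
    """Storage wrapper: every write is checked against the ledger first."""

    def __init__(self, ledger: ConsentLedger):
        self.ledger = ledger
        self._data: Dict[str, List[Tuple[str, object]]] = {}

    def record(self, category: str, purpose: str, value: object) -> None:
        if not self.ledger.allows(category, purpose):
            raise ConsentRequired(f"no consent for {category!r} / {purpose!r}")
        self._data.setdefault(category, []).append((purpose, value))

    def revoke_and_delete(self, category: str) -> int:
        """User withdraws consent: stop collecting and delete what was held."""
        self.ledger.revoke(category)
        return len(self._data.pop(category, []))

    def held(self, category: str) -> int:
        return len(self._data.get(category, []))


def first_launch_demo() -> Dict[str, object]:
    """Walks through first launch using constructed sample data."""
    ledger = ConsentLedger({
        "geolocation": {"show nearby stores"},
        "contacts": {"invite friends"},
    })
    store = GatedStore(ledger)
    result: Dict[str, object] = {}

    # 1. App opens; nothing may be collected until consent is given.
    try:
        store.record("geolocation", "show nearby stores", (55.95, -3.19))
        result["collected_before_consent"] = True
    except ConsentRequired:
        result["collected_before_consent"] = False

    # 2. User consents to geolocation for the declared purpose only.
    ledger.grant("geolocation", "show nearby stores")
    store.record("geolocation", "show nearby stores", (55.95, -3.19))

    # 3. Same data, new purpose: blocked until fresh consent is obtained.
    try:
        store.record("geolocation", "advertising", (55.95, -3.19))
        result["purpose_change_blocked"] = False
    except ConsentRequired:
        result["purpose_change_blocked"] = True

    # 4. An undeclared, vague purpose cannot even be consented to.
    try:
        ledger.grant("contacts", "market research")
        result["vague_purpose_rejected"] = False
    except ValueError:
        result["vague_purpose_rejected"] = True

    # 5. User revokes consent: the held data is deleted with it.
    result["deleted_on_revoke"] = store.revoke_and_delete("geolocation")
    result["held_after_revoke"] = store.held("geolocation")
    return result
```

The point of routing every write through `GatedStore.record` is that a developer cannot forget the consent check in one code path: the default is to collect nothing, and the ledger, not the calling code, decides what is allowed.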

The opinion also skims over one of the other big issues with mobile apps – the use of third party services. In many cases, I suspect that app developers simply aren’t aware of which party is responsible for data protection compliance. Where third party services are utilised (for example, mapping or geolocation), there will often be multiple data controllers. However, the app developer is the party that controls the primary interface with those third parties and therefore needs to flag the terms on which such third parties will use the data collected.

Given the opacity of the policies provided by many third party service providers (and the lack of clear guidance from regulators when the revised cookie law came into force), working this out is often difficult.

You can read the A29WP’s opinion in full by following this link (PDF). If you are an app developer and would like to discuss how your app collects data, and what you can do to ensure that it complies with EU data protection law, please get in touch.

Martin Sloan

Court of Appeal overturns previous decision on obligations of good faith

Last year, the English courts ruled that an obligation could be implied into a contract that the parties would not exercise a discretion under that contract in a manner that was arbitrary, capricious or irrational.

The case related to an outsourcing contract between an NHS Trust and catering company Compass, trading as Medirest. The contract contained a service level regime, but unusually the “Service Failure Points” (SFPs) awarded for a breach of the service levels, which in turn could lead to a right to terminate, appeared to be determined at the discretion of the NHS Trust (the customer).

As the relationship broke down, the NHS Trust allocated apparently disproportionately high SFPs for individual breaches. Amongst the examples quoted by the judge was the award of over 30,000 SFPs and a deduction of £46,000 from the charges for an out of date box of tomato ketchup sachets found in a store room. By way of comparison, the fees were around £180,000 a month, and only 1,400 SFPs were required in a six month period to trigger a right to terminate.

The court held that the Trust had a discretion under the contract and therefore, in accordance with previous case law, a term should be implied not to act in a manner that is arbitrary, capricious or irrational. The court in turn held that the Trust was in breach of that obligation and that Medirest was entitled to terminate for breach.

You can read a full summary of the original judgment in this previous blogpost.

The Court of Appeal’s decision
The Trust appealed on a number of grounds. On appeal, the Court of Appeal overturned the lower court’s decision, holding amongst other things that there was no need for the implied term.

Whilst the SFPs and deductions made were clearly absurd, the Court of Appeal took the view that the Trust had misinterpreted and misapplied the SFP and deduction procedure, but that it had not acted dishonestly.

If the Trust awarded itself excessive SFPs or deductions then that would be a breach of clause 5.8 (which dealt with the application of SFPs and deductions) – no further implied term was required to make that work. Indeed, clause 5.8 stated that SFPs and deductions that were not justified were deemed to have been cancelled.

As the SFPs had expired and the Trust had refunded the excessive deductions, the breach had been cured. Medirest was not, therefore, entitled to terminate the contract for material breach.

The Court of Appeal’s judgment clarifies a number of points:

  • An implied term not to act arbitrarily, capriciously or irrationally will only be applied where the party in question has genuine discretion about how to exercise a right under a contract, and where there is a range of options. In this case, the Court of Appeal held that the discretion was simply whether or not to exercise a contractual right.
  • Jackson LJ’s view was that any attempt to exclude such an implied term where it might otherwise apply would have to be explicitly stated and agreed by the parties (it could not be excluded by a general exclusion of implied terms).

The case also serves as a general reminder to organisations to ensure that their contractual arrangements are clear and unambiguous. In this case, the contract comprised a standard NHS contract and a procedure from a PFI contract for service failures and deductions. The two did not sit well together. Had the contract been properly drafted, then it is possible that the Trust may not have acted in the way it did, and that the relationship between the parties may not have broken down quite so irreparably.

The case should also act as a warning to parties to think before terminating for material breach. In this case, it appears that Medirest was already in breach of contract, and that the Trust had also served notice to terminate. However, wrongfully claiming repudiatory breach and ceasing to perform your obligations is likely to lead to a substantial damages claim from the other party. This is particularly so where the terminating party is the supplier under an outsourcing arrangement, where the sudden cessation of the services could cause substantial damage.

Martin Sloan
