Archive for the 'Outsourcing' Category

What the proposed data protection regulation means for outsourcing by UK organisations

John will be blogging separately on the draft data protection regulation published by Commissioner Reding earlier today, but I thought I’d share some thoughts in relation to its impact on outsourcing in the UK.

To date, data controllers in the UK have had a degree of flexibility when entering into outsourcing agreements that involve the processing of personal data outside the EEA.

Under the Data Protection Act 1998, which implemented the 1995 EU directive in the UK, transfers outside the EEA may broadly take place in the following circumstances:

  • Where the European Commission has made a finding of adequacy in relation to the level of protection offered to personal data in the country or territory in question (including, for example, the US Safe Harbor scheme);
  • Where the transfer is made pursuant to contract on terms approved by the European Commission (AKA the EU model clauses for data transfers);
  • Where the organisation has put in place binding corporate rules that have been approved by the relevant data protection regulators; and
  • Where the data controller has made a finding of adequacy in respect of the proposed transfer.

Findings of adequacy
The ability to make a finding of adequacy is particularly useful for data controllers, as it allows the data controller to make a reasoned decision based upon its diligence on the proposed data processor and the actual contractual terms that are put in place.

In particular, it allows the data controller to deviate from the approved model clauses without needing to go through the administrative burden of having those clauses approved by the Information Commissioner. For example, the data controller may wish to outsource a service through a single contracting entity on behalf of various group data controllers, rather than enter into multiple model clause agreements between each data controller and the end data processor.

The ability to make a finding of adequacy is not carte blanche to do anything – the data controller still needs to be able to justify its actions to the Information Commissioner, but it does provide some significant commercial flexibility.

The position outside the UK
But that permissive and flexible approach in the last bullet does not apply everywhere in the EU. In a number of EU member states, any deviation from the model clause agreements needs to be notified and approved by the national data protection regulator. In some member states even the use of the model clause agreements needs to be notified to the regulator.

So what will happen under the new law?
If passed as it stands, the regulation would have direct effect. Unlike a directive, there would be no need for local implementation by individual member states. The intention of the regulation is to have a uniform data protection law across the whole of the EU – a law that is not subject to local variations and differing interpretations by different parliaments, regulators and courts.

The consequence of this is that the rules on cross-border data transfers will be unified.

Under the draft regulation there is no ability for the data controller to make a finding of adequacy. If the data controller wishes to vary from the terms of the model clauses, the data controller will need to obtain the consent of the relevant data protection regulator.

Whilst not unexpected, confirmation of this restriction is disappointing and will substantially increase the red tape involved in entering into outsourcing agreements – particularly where there are complex inter-group arrangements and multiple data controllers.

The UK Information Commissioner has already issued a press release questioning this requirement, presumably with half an eye to the increased (and unnecessary) administrative burden that it will incur, when its resources are already stretched.

Of course the irony here is that as all seasoned data protection lawyers will tell you, the data processor has no direct obligations under data protection laws – it is the data controller that is responsible (contractually) for ensuring that data is securely processed. National legislation is irrelevant. Approved form processing contracts are not required within the EEA, so why should transfers outside the EEA be treated differently?

Why not simply leave it to the data controller to ensure that it has carried out its diligence and has an appropriate contract, as the law requires for outsourcing within the EEA? I’m not aware of major problems having arisen from data controllers deviating from the model clauses, so why try to fix something that isn’t broken?

It must be hoped that this change does not make it into the final draft. Those involved in outsourcing may wish to support the UK Information Commissioner in ensuring that a workable mechanism is in place for cross border outsourcing.

BIS consultation on the effectiveness of TUPE regulations

The Department for Business, Innovation and Skills (BIS) launched a consultation before Christmas on the effectiveness of the Transfer of Undertakings (Protection of Employment) Regulations 2006 – in particular concerns that the UK implementation of the Acquired Rights Directive is “gold-plated”.

The consultation covers a number of areas that are of relevance to organisations that either outsource services or provide outsourced services to third parties:

  • whether the amendments introduced under the 2006 Regulations have been effective in providing greater clarity and transparency as to the application of TUPE?
  • have the 2006 Regulations reduced the need for legal advice and/or the number of tribunal claims?
  • should TUPE apply to the provision of professional services?
  • is the absence of a mechanism to harmonise terms and conditions across a workforce post transfer a burden? If this right is desired, how should it work?
  • should more be done to clarify the application of TUPE upon an insolvency situation?
  • is the guidance on the application of the economic, technical or organisational reason sufficiently clear?

The consultation is open until 31 January 2012. You can access the papers here.

e-update on government’s response to ICB recommendations on banking reform

We have today published an e-update on the government’s response to the ICB’s recommendations on structural reform of the banking sector.

The government stated on Monday that it will adopt the recommendations in full. As John mentioned in a previous blog, the proposals to ring fence retail banks will have an impact on the way in which banks structure their key IT and outsourcing contracts to ensure that the ring fenced bank’s access to key infrastructure is protected.

You can read the e-update in full here.

If you’d like to discuss the impact of the recommendations and how you might be able to structure your key IT and outsourcing contracts, then please contact Grant Campbell or John Mcgonagle, or your usual TIO Group contact.

Independent Commission on Banking – contractual consequences of the ICB’s recommendations

This is an abridged version of an article that I have written for the Society for Computers and Law.

The Independent Commission on Banking (“ICB”) published its Final Report on 12 September, setting out recommendations on structural and non-structural reforms to improve stability and competition in UK banking. 

The recommendations broadly suggest that:

  • Banks need to improve their loss absorbency, by achieving more equity relative to their assets;
  • Competition needs to be encouraged; and
  • Retail banks should be ring-fenced from any wider corporate group and/or financial organisation of which they form part.

Earlier this month my Banking colleague Derek Arnott and I delivered presentations in Brodies’ Glasgow, Edinburgh and Aberdeen offices discussing the recommendations. 

Derek (a lawyer of formidable experience in this field, and a former Head of Group Legal Services at The Royal Bank of Scotland Group) discussed the recommendations from the perspective of a banking solicitor, while I focused on the implications of the retail ring-fence from the perspective of an IT/outsourcing/commercial contracts lawyer.

Recommendations of most significance to the IT/outsourcing/commercial contracts lawyer

I believe that the retail ring-fencing recommendations will have a direct impact on any lawyer who advises on corporate governance or commercial contracts.

The particular recommendations which are of most direct significance to the IT/IP/commercial contracts lawyer are broadly summarised in the following list:

  • Ring-fenced banks should be separate legal entities.
  • Ring-fenced banks should be prohibited from offering certain services and/or carrying out certain activities.
  • Any financial organisation owned or partly owned by a ring-fenced bank should conduct only activities permitted within a ring-fenced bank. Such a financial organisation’s balance sheet should also contain only assets and liabilities arising from these services and activities.
  • The wider corporate group should be required to put in place arrangements to ensure that the ring-fenced bank has continuous access to the entire infrastructure required to continue provision of its services and activities, irrespective of the financial health of the rest of the group.
  • All transactions (including secured lending and asset sales) between a ring-fenced bank and all other entities forming part of a wider corporate group should be conducted on a commercial arm’s-length basis.

Far-reaching consequences

These recommendations, and the overall concept of a ring-fence, are directly at odds with the present day corporate structures of many large banks and financial institutions.

Most financial institutions operate some form of shared service model, with one group entity contracting with suppliers on a basis that allows other group members to benefit from that contract.

The ring-fenced bank will either have to possess its own infrastructure or, if it is shared, then such infrastructure will have to be identified (which may be by no means a straightforward task) and then made available formally to the ring-fenced bank, via:

  • direct agreement with the supplier;
  • direct agreement with another member of the group; and/or
  • a member of the wider group, which contracts with suppliers, but is “bankruptcy-remote”.

Infrastructure separation of the type that is likely to be required by the ICB recommendations may feasibly involve:

  • drafting agreements to formalise supply of infrastructure services to the ring-fenced bank;
  • renegotiation of existing agreements to separate provision of infrastructure services;
  • novation or assignation of agreements to a well-capitalised, bankruptcy-remote shared service subsidiary (without assets or liabilities) to provide infrastructure services on behalf of the separated entities; and/or
  • partial or wholesale outsourcing of infrastructure provision.

Implementation

There are many questions still to be answered regarding the ICB recommendations.

The deadline that the ICB has set for implementation of its recommendations is 2019. George Osborne, the Chancellor of the Exchequer, has indicated that he intends to implement the recommendations and will “seek a legislative slot” in the 2012-13 parliamentary session.

What seems certain is that some sort of separation or segregation of retail banks is inevitable and, in this context, the deadline of 2019 is not that far away. Whether acting for financial institutions or their suppliers, from now on the IT/IP/commercial contracts lawyer should keep in mind what is on the horizon when negotiating or renegotiating agreements.

News International and hard drive shredding – why it’s good information security practice

I read in the papers at the weekend that, following an office move, News International last year “shredded” most of the computers used by a large number of News of the World staff.

Leaving aside whether this was a prudent thing to do given the phone hacking allegations and court cases, shredding a hard drive is one of the best ways of securely destroying information. (I love the photos on that website – you really can shred metal).

I blogged about this last year. The problem with erasing data from a drive is that the data recovery people are becoming ever cleverer at reconstructing data. It’s essentially an arms race between data destruction and data reconstruction.

So if you want to make sure data definitely has been deleted then you need to either shred the drive or follow something like the US Department of Defense erase/rewrite standard.
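To make the erase/rewrite side of that arms race concrete, here is an added example (my own illustration, not code from the original post or from any standard): a multi-pass overwrite of a single file with a read-back check of the final pass. The three-pass sequence of zeros, ones and random data is an assumption modelled on the pass structure commonly attributed to the DoD standard mentioned above, not a quotation of it, and the file name, function names and the `DEFAULT_PASSES` constant are all hypothetical. The caveat in the docstring is the practical point: on SSDs, copy-on-write or journaled filesystems, and anywhere snapshots or backups exist, old copies can survive any number of passes, which is exactly why physical destruction is the option that does not depend on the storage layer cooperating.

```python
import os
import secrets
import tempfile

# Overwrite pattern per pass: a fixed byte value, or None for cryptographically random data.
# Assumption: zeros, ones, random (then a final zero pass that is verified by reading back).
DEFAULT_PASSES = (0x00, 0xFF, None)


def _write_pass(fh, size, pattern, chunk=1 << 16):
    """Rewrite all `size` bytes of the open file with one pattern, then force it to disk."""
    fh.seek(0)
    remaining = size
    while remaining:
        n = min(chunk, remaining)
        fh.write(secrets.token_bytes(n) if pattern is None else bytes([pattern]) * n)
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())


def secure_overwrite(path, passes=DEFAULT_PASSES, final_byte=0x00, unlink=True):
    """Multi-pass overwrite of one file, with a read-back check of the final pass.

    Returns a report dict. The file is removed only if verification succeeded, so a
    failed check leaves evidence for the operator instead of silently deleting.

    Caveat: this is block-overwrite logic for a conventional magnetic disk with no
    snapshots or journaling. On SSDs (wear levelling), copy-on-write or journaled
    filesystems, and wherever backups or snapshots exist, earlier copies of the data
    can survive every pass; physical destruction of the media does not have that gap.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for pattern in passes:
            _write_pass(fh, size, pattern)
        _write_pass(fh, size, final_byte)
        fh.seek(0)
        verified = fh.read() == bytes([final_byte]) * size
    removed = False
    if verified and unlink:
        os.remove(path)
        removed = True
    return {"size": size, "passes": len(passes) + 1, "verified": verified, "removed": removed}


def demo_overwrite_temp_file(payload=b"confidential record " * 2000):
    """Self-contained demonstration on a constructed temporary file (sample data, not real)."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".bin") as tmp:
        tmp.write(payload)
        path = tmp.name
    report = secure_overwrite(path)
    report["exists_after"] = os.path.exists(path)
    return report


if __name__ == "__main__":
    print(demo_overwrite_temp_file())
```

The verification step only proves that the logical file now reads back as zeros; it says nothing about remapped flash blocks, filesystem journals or snapshots, so a policy that relies on overwriting should say which media and filesystems it is valid for, and default to shredding for anything else.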

Destruction of disks is something that should be addressed in an organisation’s information security policy, and appropriate requirements specified (or referenced) in any outsourcing or services agreement under which a supplier is processing personal or confidential information.

So whatever the News of the World’s other failings might have been over the years, it’s good to see that their information security policy is robust and ensures that data is properly and completely destroyed, such that it cannot ever be reconstituted.

Bribery Act 2010 – have you reviewed your policies and procedures?

When the Bribery Act finally comes into force on 1 July 2011 it will be the most substantial change to the UK’s corruption laws since 1916. The Bribery Act creates a new offence for commercial organisations. This is a key development for companies and other commercial organisations as an organisation will be guilty of an offence where a person “associated” with it bribes another person to obtain business or a business advantage.

Why is the new Act relevant to procurement?
The new Act is relevant not just to the “sales” side of businesses, but also to procurement, where those involved in tendering, purchasing, and procurement need to be aware of what might constitute the receipt of a bribe (and therefore an offence) under the new legislation.

Importantly, the commercial organisation will be presumed guilty if they do not have “adequate procedures” in place designed to prevent bribery.

What should we be doing?
Businesses should put in place “adequate procedures” now to minimise the risk of criminal prosecution when the Act comes into force. Your adequate procedures should set out clearly your company’s approach to, amongst other things, the giving and receiving of corporate hospitality and the rules governing your procurement processes (which may need to be updated to reflect the new laws).

How can Brodies help?
Our Regulatory Compliance team can help your organisation to plan for the Bribery Act, for example by assisting with the development of internal policies and providing training to help ensure your business is protected when the Act comes into force. If you would like to discuss this further then please send me an email or get in touch with your usual TIO Group contact.

For more information, see my colleague Susheela Math’s blog post over on Brodies’ PublicLawBlog, or our Regulatory Compliance team’s recent legal update.

Interim report on the banking industry published

This week’s interim report by the Independent Commission on Banking caught the headlines in terms of the economic and regulatory implications of its recommendations and conclusions.

Beyond these headlines, though, there were some interesting views regarding the structuring of operational services for banking groups which, if adopted, will require careful thought and planning for banking operations and those dealing with them. This includes reviewing the sourcing arrangements and contracting structures currently used by banking groups for outsourcing and procurement of services, intra-group arrangements, and the way in which they hold and process data.

You can read more about this in our Legal Update.

Seminar on TUPE and outsourcing

Our colleagues in Brodies’ top rated employment & pensions department are holding a seminar at our Edinburgh office next Tuesday on outsourcing and TUPE – from “Bathgate to Bangalore”. The seminar is free, and will give some practical advice on how to deal with some of the trickier people issues involved with outsourcing and offshoring.

If you are interested in attending, then you can sign up here. Note the seminar will also be repeated in Glasgow and at our new Aberdeen office.

The wisdom of Clouds?

If, like me, you’re suffering from Cloud-fatigue, you may not be keen to read another post about it. However, like it or not, the Cloud hype of recent years is turning into Cloud reality as the mist clears.

Is The Cloud maturing?

Yesterday there was an announcement that the Cloud Industry Forum has released its code of practice for cloud computing services. The wild frontier of “Cloud” is being tamed it seems as the industry grows up. Amazon, Google, Microsoft and other cloud platform and services providers have been upping their game, publishing extensive security white papers to give comfort to larger corporate and public sector organisations. Toes that have been dipped into using Cloud services have been followed by ankles and knees and in some cases have gone right up to the neck – or maybe they’ve got their head in the clouds (sorry).

Just another decision

So where have we got to with the Cloud? Well, hopefully there’s more pragmatism and sense being applied now in that people realise it’s not so much a revolution as just another way of delivering technology. As I saw a commentator recently put it, “Going into the cloud is nothing more than a make vs. buy decision” in an article called, provocatively, “Why ‘the cloud’ doesn’t matter”. The point being, it’s just another purchasing/procurement/planning exercise – i.e. where are we going to put this new system, on site or in the cloud? The difference is that you’re buying a service rather than a software licence, so you need to take the appropriate approach.

Due diligence

This chimed with a great presentation from our very own Grant Campbell a few weeks back, entitled “Navigating through the Cloud…a guide to the legal issues”. To paraphrase Grant, “going into the Cloud” is basically outsourcing, so you should treat it as such, approach it carefully, do your due diligence and consider the implications: where is our data going to be, who controls it, what are the risks, what will the service level be, what happens if it all goes wrong, how do we exit/get our data back, and so on.

Ever increasing circles

I’ll be speaking at The Cloud Circle Forum tomorrow on a similar topic – sharing a platform with Mimecast, and providing a customer’s perspective on Cloud. I’ll be talking about what we’ve done when considering moving services to the cloud, and taking inspiration from Grant’s presentation regarding the legal questions to consider. Will it live up to the Cloud hype? Probably not, but then the delivery is always more difficult and more mundane than a sales pitch and we’re really looking at bringing the Cloud back down to earth.

Contact centres – OFCOM guidance in relation to disabled customers

OFCOM has published some guidance which helps operators of contact centres to better understand their obligations under the Disability Discrimination Act 1995/the forthcoming Equality Act 2010 (which replaces the DDA later this year).

The guidance is relevant both to businesses that operate contact centres in relation to their own business (whether in-house or through an outsourced service provider), and also to those who operate contact centres on behalf of other clients, whether as a core service or ancillary to a wider outsourcing contract. Whilst the latter may not have direct obligations to customers under anti disability discrimination legislation, they may well have obligations to their corporate clients under the outsourcing contract. Similarly, just because you have outsourced the operation of a contact centre does not mean that you have delegated your legal obligations to a third party.

The guidance emphasises the steps that operators of contact centres should take to help them to comply with their obligations not to discriminate on the grounds of disability, and their duty to make reasonable adjustments in respect of the provision of services. The guidance includes tips for both contact centre staff and for businesses that operate contact centres.

The advice to businesses highlights the importance of disability awareness training for contact centre staff, and of properly considering the needs of disabled customers when constructing IVRs, call routing menus and other parts of the contact centre infrastructure.

Note that the guidance appears to focus on voice-based contact centres. However, I would add another tip to the list – consider how your voice-based contact centre fits in with your other customer touch points. For example, can your service be made more accessible to customers with hearing impairments by offering access by email, a web-based service centre, or by an accessible web-based chat service?

If you have outsourced operation of any contact centres to a third party, then now might be a good time to review the accessibility of those contact centres and to check that your service provider is adhering to best industry practice.

See: OFCOM: Disabled customers and call centres (21 May 2010)
