Outsourcing (legal and commercial issues) Flashcards

1
Q

Who may be involved in service specification?

A

o The customer and supplier may both be involved in the drafting of the services specification, depending on their previous level of experience.

2
Q

When is detailed specification agreed to?

A

o The parties may agree to develop a detailed specification of the services after the signing of the contract in which case the customer’s requirements can be attached to the contract as a separate schedule.
▪ In these circumstances there will usually be an obligation on the supplier to ensure that the service description or specification is developed to reflect the customer’s requirements and a statement included that the customer’s requirements take precedence over the service description.

3
Q

How should service specification be?

A

o Needs to reflect measurable steps, set out at a measurable level – it should detail what the process is and how it should be performed

4
Q

What happens when there are changes in service specification?

A

o Parties should include a change control procedure which includes details of how the extra costs of any changes should be allocated.
o For longer-term contracts, parties may also wish to provide for enhanced termination rights or break clauses in case of changes in circumstances which may undermine the basis of the contract.

5
Q

Customer remedies available in outsourcing?

A

▪ Damages
▪ Specific performance/injunction (available at the discretion of the court)
▪ Termination

6
Q

Protection measures during outsourcing?

A

▪ Service credits
▪ Indemnity from the supplier
▪ Other forms of financial penalty, such as the right to withhold payment
▪ Step-in rights allowing the customer to take over or to appoint a third party
▪ A requirement for the supplier to hold insurance
▪ A parent company guarantee
▪ Warranties
▪ An appropriate governance or escalation structure
* To try and manage the contract on an on-going basis – informal resolution procedure rather than taking someone to high court
o Want to make sure the relationship is good as it will be long-term

7
Q

Service levels?

A

The parties usually identify and agree a set of objective, measurable criteria to measure performance, known as service levels or key performance indicators (KPIs), e.g. telephone calls to a customer helpline will be answered within a set time

8
Q

What are service credits?

A

▪ The service levels should be combined with a process for recording and reporting on performance against the targets and a formula for the payment of compensation, referred to as service credits (or liquidated damages) when targets are not met.
▪ Usually, service credits are offset against the fees otherwise payable to the supplier and are fairly modest, as there could otherwise be issues of enforceability. The purpose is to encourage the meeting of the set targets without having to go through a separate claim process. They should be expressed to relate to the particular failure and not prevent a claim for wider, more serious breaches.
▪ Usually not large amounts so they are not seen as penalties – more a liquidated damages clause

9
Q

Your client (‘Company A’) is finalising the negotiation of an outsourcing agreement with a supplier (‘Company B’). Company A wants to ensure that, as far as possible, Company B has responsibility for liability of employees following transfer and that this is provided for in the supplier obligations in the agreement. Company A has expressed that, whilst wishing to protect its own position appropriately, they do not wish to put forward wording which would be unacceptable to Company B.
What is the best advice to give to your client in relation to appropriate wording for the obligation in relation to liability of employees?
* Company A, as the customer, would be required to indemnify Company B against the historic and future liability relating to employees transferred as part of the outsourcing.
* Company A should require Company B to indemnify it against historic liability relating to employees transferred as part of the outsourcing.
* Company A should require Company B to indemnify it against historic and future liability relating to employees transferred as part of the outsourcing.
* Company A should require Company B to indemnify it against future liability relating to employees transferred as part of the outsourcing.

A
  • Company A should require Company B to indemnify it against historic and future liability relating to employees transferred as part of the outsourcing.

This answer is correct. When negotiating obligations in an outsourcing agreement, the supplier is likely to agree to indemnify the customer in relation to future liability because the employees will be under its control. Answer B is incorrect because historic liability would be within the control of the customer not the supplier and the question makes clear that Company A does not wish to put forward unacceptable wording. Answer C is incorrect because although future liability would be within the control of the supplier, historic liability would be within the control of the customer not the supplier and the question makes clear that Company A does not wish to put forward unacceptable wording. Answer D is incorrect because there is no requirement for the customer to provide such an indemnity to the supplier; this would be subject to agreement between the parties. See Introduction to Outsourcing – Transactions.

10
Q

Your client (‘Company A’) is proposing to set up an outsourcing (the ‘Outsourcing’) with a supplier (‘Company B’). A number of Company A’s current employees will transfer automatically across to the Outsourcing (the ‘Employees’). Company B has asked for information on the Employees to be provided to the Outsourcing as part of its due diligence process prior to finalising the arrangements. Company A has come to you for advice on how it might best comply with the retained UK version of the General Data Protection Regulation (‘UK GDPR’) when disclosing information about the Employees to Company B.
What is the best advice to give to your client in relation to the application of UK GDPR?
* If the data relating to the Employees is ‘anonymised’ before it is shared with Company B, the provisions of UK GDPR will not apply; in order to ‘anonymise’ the Employee information, Company A just needs to remove the names of the Employees.
* Company B will be a data processor in relation to the personal data about the Employees provided to it as due diligence by Company A: therefore, Company A as the data controller should enter into a data processing contract with Company B to ensure compliance with UK GDPR.
* As the Employees will automatically transfer to the Outsourcing, there is a legal requirement for their personal data to be shared and so the provisions of UK GDPR will not be relevant.
* Both Company A and Company B will be data controllers in relation to the personal data that is shared during the due diligence in relation to the Employees, so they must both consider whether they are in compliance with the principles relating to the processing of personal data under UK GDPR.

A
  • Both Company A and Company B will be data controllers in relation to the personal data that is shared during the due diligence in relation to the Employees, so they must both consider whether they are in compliance with the principles relating to the processing of personal data under UK GDPR.

This answer is correct. In a due diligence exercise, both companies will be data controllers in relation to the data shared, so they must both consider whether they are in compliance with UK GDPR (this is also why Answer A is incorrect). Answer B is incorrect because the provisions of UK GDPR would still be relevant to sharing of the information prior to the transaction and Answer D is incorrect because it would not be sufficient just to remove the names of the Employees. See Data Protection – Due Diligence.

11
Q

Your client (‘Company A’) is proposing to set up an outsourcing with a supplier (‘Company B’) and requires advice on the negotiation of the agreement. Company A wants to include protection against poor performance by Company B and has asked for your advice on appropriate measures to include in the agreement.
What is the best advice to give to your client in relation to appropriate protection measures?
* Company A can agree with Company B that a modest level of service credits will be payable if overall performance is poor and this is not likely to cause an issue with enforceability.
* Company A should ensure that if service credits are used as a measure in the agreement with Company B that they relate to a set target and are offset against fees otherwise payable to the supplier, otherwise they may not be enforceable.
* Company A should ensure that if service credits are used as a measure in the agreement with Company B that they relate to overall performance and are offset against fees otherwise payable to the supplier, otherwise they may not be enforceable.
* Company A can agree with Company B that a modest level of service credits will be payable if service levels are not met but this will not be enforceable.

A
  • Company A should ensure that if service credits are used as a measure in the agreement with Company B that they relate to a set target and are offset against fees otherwise payable to the supplier, otherwise they may not be enforceable.

This answer is correct. When setting up an outsourcing agreement, service credits must relate to a set target and be offset against fees otherwise payable to the supplier. Answer B is incorrect because service credits should be linked to service levels not overall performance, although it is correct that the level of service credit should be modest. Answer C is incorrect because this is likely to be enforceable, providing it is offset against fees otherwise payable to the supplier. Answer D is incorrect because service credits should be linked to service levels not overall performance, although it is correct that they should be offset against fees otherwise payable to the supplier. See Introduction to Outsourcing – Transactions.

12
Q

Is it common for each party to appoint one or more contract representatives to deal with operational issues as they arise?

A

Yes for contractor and supplier

13
Q

How do the parties appoint one or more contract representatives to deal with operational issues as they arise?

A

o This may be through formal meetings and reporting requirements or less formal contact between the parties, depending on the relationship.

14
Q

“change control” procedure?

A

o The outsourcing contract will usually contain a “change control” procedure, which allows either party to request a change.

15
Q

How do outsourcing contracts react to change?

A

o The outsourcing contract will usually contain a “change control” procedure, which allows either party to request a change.
o There may also be certain mandatory changes, such as those required to comply with changes in the law.
o There should be a clear procedure for agreement in relation to requested changes, with it being important to specify which party will bear the cost of the change.
o It is important for there to be an escalation process in place for issues that cannot be dealt with in this way
o Appointing representatives is useful, as there is open dialogue between the parties
▪ Can better identify issues at early stages and notice if there are issues

16
Q

When can an outsourcing agreement be terminated?

A

o Immediate termination may be justified in the event of:
▪ A particularly severe breach.
▪ A breach that indicates that the counterparty no longer wishes to continue with the contract.
▪ The other party’s insolvency, so that it is unable to perform its duties under the contract.
▪ The parties would usually specifically provide for termination events in the contract.
o There will usually be a provision for voluntary termination

17
Q

Exit arrangements in outsourcing agreements?

A

o Customers will often wish to include provisions requiring the supplier to:
▪ Prepare an approved exit plan.
▪ Provide reasonable assistance and cooperation with migration to a new service provider.
▪ Continue to provide some or all services for a certain period following termination to allow migration to be completed.
▪ Return any customer assets and delete copies of customer data (subject to it firstly being provided to any new service provider).
▪ Provide for buy-out of any assets developed during the service and their transfer to the customer or new service provider.
▪ Use reasonable endeavours to novate or transfer any key agreements with subcontractors in favour of the customer or new service provider.
o Important – dealing with these issues in advance will enable you to give seamless service

18
Q

Charging methods in outsourcing agreements?

A

o The approach taken to charging will depend on a number of factors including:
▪ The type of services being provided
▪ Whether the supplier is appointed on an exclusive basis
▪ Allocation of risk between the parties
o Generally, an outsourcing contract will adopt one, or a combination, of the following:
▪ Cost Plus (actual cost plus agreed profit margin)
▪ Fixed price
▪ Pay as you go

19
Q

Typical customer obligations in outsourcing agreement?

A

▪ Make assurances in respect of assets transferred to the supplier
▪ Indemnify the supplier against historic liability relating to employees transferred to the supplier as part of the outsourcing

20
Q

Typical supplier obligations in outsourcing agreement?

A

▪ Perform the services with reasonable skill and care in accordance with good industry practice
▪ Indemnify the customer against harm suffered due to the supplier’s actions (can be limited or extended)
▪ Indemnify the customer against future liability in respect of employees transferred to the supplier as part of the outsourcing

21
Q

Obligations for both parties in outsourcing agreement?

A

▪ Confirm that it is entitled to enter into the agreement and perform its obligations
▪ Confirm that the information provided during the pre-tender and tender stages is accurate, complete and not misleading

22
Q

Other key provisions in outsourcing agreements?

A

o Compliance provisions including data protection
▪ Do not want to harm reputations
o Confidentiality
o Force majeure
o Limitations/exclusions of liability
▪ Generally the supplier will want to limit its liability – but it won’t be a simple one-way issue
o Dispute resolution
o Other boilerplate clauses

23
Q

Data subject?

A

an identified or identifiable natural person (a living individual) to whom personal data relates.

24
Q

Personal data?

A

any information relating to a data subject that identifies that person or makes them identifiable – for example, information such as birth dates and addresses could make a person identifiable

25
Q

Controller?

A

someone who decides the purposes and means of the processing of personal data. The controller is subject to the key obligations in the DPA and UK GDPR

26
Q

Processor?

A

someone who processes personal data on behalf of a controller. A processor is subject to some direct statutory obligations, but will also have contractual obligations to the controller

27
Q

Processing?

A

defined very widely and includes any operation or set of operations performed on personal data (including simply holding or deleting data)

28
Q

o All processing of personal data must comply with the six principles set out in Art. 5 of UK GDPR:

A

▪ ‘Lawful and fair processing’ principle - personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject
▪ ‘Purpose limitation’ principle - data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
▪ ‘Data minimisation’ principle - personal data must be limited to what is necessary in relation to the purposes for which the data is processed
▪ ‘Accuracy’ principle - personal data must be accurate and, where necessary, kept up to date
▪ ‘Storage limitation’ principle - personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes of the processing.
▪ ‘Integrity and confidentiality’ principle - personal data must be processed in a manner that ensures appropriate security of the personal data

29
Q

o In order to process data lawfully, the controller must satisfy one of the legal processing grounds in Art. 6 UK GDPR?

A

o These grounds include (i) where the data subject has given consent to the processing (Art. 6(1)(a)) - which must be freely given; and (ii) where the processing is necessary for the purposes of the legitimate interests pursued by the controller (Art. 6(1)(f)).
o Note: Processing of certain ‘special categories’ of personal data is only permitted if one of the conditions set out in Art. 9(2) UK GDPR is satisfied – in most cases, this will require explicit consent to the processing for one or more specified purposes.
o These categories include data that reveals a subject’s racial or ethnic origin, religious beliefs, health or sexual orientation.

30
Q
  • Key Obligations of a Controller…
A

o A controller must comply with (and document compliance with) UK GDPR
o Comply with data protection principles (Art 5)
o Implement technical and organisational measures to ensure compliance (Art. 24(1)) - compliance must be ‘by design and by default’ (Art. 25)
o Where a processor is involved, ensure that they comply with a written processing contract (Art 28)
o Carry out a data protection impact assessment (DPIA) for operations that present specific risks to data subjects due to the nature or scope of the processing (Art. 35)
o Maintain a record of its processing activities (Art. 30(1))
o Appoint an independent data protection officer if the business involves large scale (i) monitoring of data subjects or (ii) processing of special categories of information (Art. 37)
o Implement appropriate data protection policies (Art. 35)

31
Q

o In addition to the general obligations as to how their data is processed, data subjects also have certain specific rights under UK GDPR, which include:

A

▪ A right to be informed of certain information relating to the processing of their data (Arts. 13 and 14)
▪ A right of access to their personal data (Art. 15)
▪ A right to rectification and/or erasure of personal data (Arts. 16 and 17)

32
Q
  • Right to Information - Privacy Notices?
A

o Data subjects have a right to be provided with certain prescribed fair processing information.
o In particular, the data subject will need to be informed:
▪ of the fact that their data will be processed, and
▪ of the purpose for which their data will be processed.
o The required information is often provided by way of a privacy notice. If the controller uses a well drafted privacy notice, this should be wide enough to cover both the immediate use of the data and other potential uses.
o Where data is collected from the data subject, the information must be provided at the time the data is obtained (Art. 13) - where data is received from a third party, the new controller has up to a month to provide the information (and it may be possible to delay further in confidential circumstances) (Art. 14)

33
Q

o Controllers have an obligation to report personal data breaches to the ICO and potentially also to the data subjects impacted by the breach:

A

▪ UK GDPR:
* Breaches must be reported to the ICO without delay and where feasible within 72 hours of the controller becoming aware of the breach UNLESS the breach is unlikely to result in a risk to the rights and freedoms of the data subject(s) (Art. 33).
* Data subjects must also be informed of a breach without delay IF the breach is likely to result in a high risk to their rights and freedoms (Art. 34).
▪ PECR:
* Under the PECR, certain controllers – such as internet service providers - must notify the ICO of a personal data breach within 24 hours.
* Data subjects must also be informed of a breach without undue delay IF the breach is likely to adversely affect their personal data or their privacy.

34
Q
  • Consequences of Breach – Art 83?
A

o The ICO can levy a fine of the higher of £17.5 million and 4% of the total worldwide annual turnover of the undertaking being fined, for breaches of key provisions, such as the data protection principles or the data subject’s rights.
o The ICO can levy a fine of the higher of £8.7 million and 2% of the total worldwide annual turnover of the undertaking being fined, for breaches of other provisions, such as record keeping.
o Data subjects also have a right to compensation for non-material damages, including distress (Art. 82(1)), and the reputational damage to a business can cause even greater issues.

35
Q
  • Application of Data Protection in Practice?
A

o The data protection rules will impact all UK businesses, but the extent and practical impact of the rules on a particular business will depend on the sector in which it operates and the relationships with individuals that underpin its operations.

36
Q
  • Data protection – application to due diligence?
A

o Where the transfer of information or data as part of a due diligence exercise is made by a UK entity, and where it includes personal data relating to a data subject, it will amount to processing by a controller and will be subject to the legislative framework which protects the rights of that data subject.
o Giving personal data to prospective buyers during due diligence will amount to ‘processing’ as ‘controllers’ by both:
▪ (1) the seller processing the information by providing it as due diligence; and
▪ (2) the prospective buyer(s) who receive such information and use it to carry out their due diligence investigation.

37
Q

In order to process data lawfully, it must satisfy one of the legal processing grounds in Art. 6 UK GDPR:

A
  • These grounds include
    o (i) where the data subject has given consent to the processing (Art. 6(1)(a)); and
    o (ii) where the processing is necessary for the purposes of the legitimate interests pursued by the controller (Art. 6(1)(f)).
      ▪ Where does the balance of convenience lie
38
Q

In considering which of these legal grounds they might rely on to share personal data during due diligence on a corporate transaction, the parties need to consider the following:

A

• Obtaining consent from all employees/individual customers before completion of a confidential commercial transaction is impractical. The GDPR sets strict rules on what will constitute valid consent, including the need to show that consent has been freely given. This may also be difficult to show – particularly where there is an imbalance of power, as there will be in an employment relationship. It might be practicable in relation to senior employees/directors.
• The legitimate interest condition allows for disclosures which are in the legitimate interest of a controller or third party, providing that such interests are not overridden by the interests and fundamental rights and freedoms of the data subject which would require protection of that personal data. This is the ground that is usually relied on in a corporate transaction – but the parties must actually carry out and document an assessment of (i) the purpose and necessity of the disclosure, and (ii) the balance of this against the individuals’ interests (ICO Guidance) - so it cannot just be assumed.

39
Q

‘purpose limitation’ principle (Art 5(b) UK GDPR) requires

A

that data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. The parties must therefore consider if the sharing of data during due diligence is incompatible with the purpose for which it was collected: if the seller uses a well drafted privacy notice for employees/customers, this should refer to processing in respect of a potential sale

40
Q

‘data minimisation’ principle (Art 5(c) UK GDPR) requires

A

that the minimum of personal data necessary for the purpose should be shared. For example, during due diligence, it is generally not necessary to share employee data in such a way that individuals (other than senior individuals) can be identified

41
Q

‘integrity and confidentiality’ principle (Art 5(f) UK GDPR) requires

A

that data must be processed in a manner that ensures appropriate security of the personal data. So due diligence information should be shared in a secure manner, and the seller should place obligations on the buyer(s) as to its security and confidentiality

42
Q

Anonymisation?

A

If data is amended so that all personal identifying details are removed and the recipient cannot re-identify the data subjects from what they are given (for example, this would include deleting office location and/or department if there are fewer than 5 employees who would fall into that category), then the ICO’s current position is that this information is anonymous in the buyer’s hands – so it would no longer be personal data and would fall outside the provisions of UK GDPR – SO the principles considered above would cease to be directly relevant

43
Q

Pseudonymisation?

A

Instead of removing all identifying details, data could instead just be amended to remove the obvious details (such as names and job titles). Although UK GDPR would still apply to the information, this would act as a security measure, helping the parties demonstrate that they are ensuring data minimisation and also appropriate security for the data.

44
Q

approach taken to data when seeking to anonymise it is to ‘redact’…

A

o The approach taken to data when seeking to anonymise it is to ‘redact’ (i.e. cover up or remove) identifiers including names and/or to provide data in a composite format.

45
Q

Information Notices?

A

o To comply with UK GDPR, controllers must also provide the data subjects with certain prescribed fair processing information. The required information is often provided by way of a privacy notice.
o In particular, the data subject will need to be informed of the fact that their data will be processed, and of the purpose for which their data will be processed.
o This obligation will apply to both the seller (who will be processing data for a new purpose) and the buyer(s), and has obvious issues for maintaining the confidentiality of the transaction.
o If the seller uses a well drafted privacy notice for use when collecting data from employees/customers, this should already refer to processing in respect of a potential sale: in which case the data subject would already have the information (see Art. 13(4) UK GDPR).
o As the buyer(s) will have obtained the data indirectly, they have up to a month to give the notification – or they may postpone notification until the transaction becomes public, relying on Art 14(5) UK GDPR, which applies where a notification would ‘render impossible or seriously impair’ the objectives of the data processing.

46
Q
  • Data protection at completion of a transaction?
A

o On a share sale, only the shares will transfer and so the identity of the data controller (the target company) will not change. Therefore, no additional processing of personal data will occur.
o Data protection is therefore unlikely to be a further issue at the completion stage on a share sale.
o On an asset sale, however, the Transfer of Undertakings (Protection of Employment) Regulations 2006 (‘TUPE’) which govern the transfer of employees ALSO require personal data about the employees to be transferred from the seller to the buyer at completion. Both the provision and the receipt of this information will amount to processing, so both parties will be under a duty to inform the employees that a new controller is now holding the personal data.
o In practice, it is enough for one party to inform the data subjects. It is normally the buyer who will do this. The seller will, however, want some assurance that this will be done - so the acquisition agreement will often include an undertaking that the buyer will inform all relevant data subjects of the transfer.