Confidential Information Archives

SaaS Agreements – Confidential Information – FOIA and SARs

SaaS suppliers are increasingly dealing with subject access requests (SARs) and freedom of information requests (FOIA requests) in relation to SaaS customers. Excessive time and cost can be spent dealing with such requests unless the SaaS supplier’s obligation to comply with, or to assist the SaaS customer with, such requests is clearly defined in the terms of the SaaS agreement.

Subject Access Request (SAR)

Under the Data Protection Act 1998 (DPA), an individual has the right to obtain a copy of the personal data held about them by making a SAR. Where a SaaS supplier is involved, such requests usually relate to customer data which the supplier holds on behalf of its SaaS customers. The SAR may be sent directly to the SaaS supplier or to the SaaS customer. This is not the same as a request for information under the Freedom of Information Act 2000 (FOIA).

FOIA

Under the FOIA members of the public are entitled to request disclosure of non-personal information held by public authorities.

Requests are made to the SaaS customer directly who often passes the request on to their SaaS supplier.

SAR or FOIA?

SaaS suppliers should not confuse a FOIA request with an individual’s right to request their own personal data under a SAR. Disclosure under the FOIA is treated as disclosure to the world at large, not just to the requester. This means that if a SaaS supplier mistakenly releases personal data in response to a FOIA request, this could breach the DPA and result in a large fine, as a substantial number of unauthorised persons may see the wrongly disclosed data.

SARs

The Information Commissioner’s Office (ICO) has issued a Subject Access Code of Practice which all SaaS suppliers should read. This provides useful advice on how to respond to a SAR.

For example, on receipt of a SAR a SaaS supplier should:

  • identify whether a request is actually a SAR;
  • ensure they have enough information to be certain of the requester’s identity;
  • consider whether any of the exemptions apply; and
  • provide a response in a permanent form where appropriate, stating whether a fee is payable.

The ICO has also issued guidance on how to deal with a FOIA request.

Contractual Provisions

SaaS suppliers should include specific provisions in their SaaS agreement setting out how disclosure requests will be dealt with. Note that these should not be limited to SARs and FOIAs, as there are other types of disclosure requests that can be made under English law.

The SaaS agreement should:

  • set out the extent of the assistance to be given by the SaaS supplier to SaaS customers when dealing with a disclosure request;
  • specify whether the consent of the SaaS customer is required prior to any data being disclosed; and
  • include relevant time limits for complying with any requests.

Additionally SaaS suppliers could have a data access policy setting out their specific obligations. This can be incorporated into the SaaS agreement by reference to it in the terms of the SaaS agreement.

Help

Irene Bodle is an IT lawyer specialising in SaaS agreements with over 10 years’ experience in the IT sector. If you require assistance with any SaaS, ASP, software on demand contracts or any other IT legal issues contact me:

irene.bodle@bodlelaw.com
www.bodlelaw.com

To learn more about SaaS and cloud computing join me at the Berlin CloudConf 2013 on 5th of December.

To register for my newsletter click here

______________________________________________________

SaaS Agreements – Social Media – Ownership of Accounts

Increasingly SaaS suppliers encourage employees to use social media accounts such as LinkedIn and Twitter to promote their products and business. However, this often results in a conflict between claims of misuse of confidential information and “ownership” of accounts and contacts when the employment relationship comes to an end.

The High Court has recently highlighted the need for SaaS suppliers to have a clear policy on the ownership of such social media accounts and contacts when they are used by employees for business purposes.

Whitmar Publication Ltd

The High Court granted an injunction to Whitmar Publication Ltd against 3 ex-employees (and their newly established rival company) to prevent the individuals and the company from using 4 LinkedIn groups. One of the individuals had been responsible for dealing with the LinkedIn groups as part of her responsibilities at Whitmar Publication Ltd.

The injunction was granted on the basis that the individuals had misused confidential information belonging to the company, infringed the company’s database rights and breached duties under their employment contracts. The reasoning is similar to that used by the High Court in 2008, when it ordered a former Hays employee who had left to set up his own consulting business to hand over all of his LinkedIn contacts.

Ownership

This will depend upon who set up the account, why it was set up, whether it is also being used for private use and who is paying for and maintaining it.

In the Whitmar injunction the court determined that the following factors were key:

  • the extent to which the account or group was created for the benefit of the employer; and
  • the extent to which the account or group promoted the employer’s business.

Social Media Policy

The above emphasises the need for SaaS suppliers to have a clear social media policy in place with their employees. This should cover:

  • ownership and use of accounts on termination of employment;
  • access details to accounts;
  • use of information collected through social media accounts.

If a SaaS supplier has a signed social media policy it will restrict what ex-employees can and cannot do with social media accounts and/or contacts after leaving the company.

Employment Contracts

Additionally, SaaS suppliers should include non-solicitation or non-compete clauses in all of their employment contracts which specifically prevent ex-employees from using social media accounts or contacts upon termination of their employment. Employment contracts should also include general clauses preventing employees from using confidential information.

Conclusion

In view of the above, SaaS suppliers need to consider “ownership” of social media accounts and contacts before encouraging employees to use these tools at work. There must be a clear written agreement governing what happens to such data when an individual leaves the company – usually set out in a social media policy and/or employment contracts.

Other measures that SaaS suppliers could consider taking are:

  • simply banning all use of social media accounts such as Facebook, LinkedIn and Twitter; or
  • ensuring that relevant employees add all new social media contacts to the company’s CRM database.

By considering the risks and taking necessary measures to prevent these issues arising SaaS suppliers should be able to avoid costly litigation when employees leave, potentially taking their contacts, accounts and followers with them.

______________________________________________________

SaaS Agreements – Customer Lists – Social Media Contacts

If you actively encourage or allow your employees to use LinkedIn and Twitter to store or build up their business contacts you need to ensure that you have control over how this information will be used if the employee ceases to work for you, as most contacts will be your SaaS customers, other employees and SaaS suppliers.

In the last few years there have only been a handful of court cases in the UK (and the US) providing guidance on this issue and whether or not contacts in social media channels such as LinkedIn and Twitter can be used by ex-employees.

Twitter

In October 2011 a US company, PhoneDog Media, sued a former employee for taking 17,000 Twitter followers with him when he left the company. PhoneDog claimed that the followers constituted their client list which was confidential.

The BBC also had a similar problem last year when an employee with 60,000 Twitter followers moved to a rival TV channel and took all of her followers with her by simply renaming her twitter account.

LinkedIn

Back in 2008 the High Court ordered a former employee of Hays (the recruitment firm) to hand over all of his LinkedIn contacts when he left the company to set up his own consulting business. Hays claimed that the contacts were confidential information of the company and that the former employee had breached the terms of his employment contract by using this information for business purposes.

Social Media Issues for Employers

The above decisions highlight the dangers of encouraging employees to use social networking websites for work. The list of contacts of a SaaS sales consultant in LinkedIn will probably read like an A to Z of your SaaS customer base. Once an employee leaves your employment you need to be able to deal efficiently with “ownership” or breach of confidentiality issues relating to the use of these contacts. This can only be achieved if you have already considered the “ownership” problems inherent in social media contacts and have agreed on what should happen if an individual leaves the company.

Who owns a Profile or Account

This will often depend upon who set up the account, why it was set up and who is paying for, and/or maintaining it.

Generally a LinkedIn profile or Twitter account belongs to the employee, even if you instructed the employee to create it – as it relates to an individual. It is “ownership” of the contacts in the profile that is important and this is what needs to be controlled to stop employees downloading SaaS customer contacts into their social media contacts database before leaving your employment.

Who owns Contacts or Followers

This is the wrong question to ask as no-one can “own” a contact. The question to ask is whether you have in place the correct safeguards to prevent employees from using the contacts including when they leave.

For example if you have non-solicitation or non-compete clauses in an employee’s contract of employment these could prevent the employee from using the contacts stored in their profile, as they will be confidential information.

Conclusion

In view of the uncertain legal status of social networking contacts it is advisable for companies to have employees sign a social media policy which sets out what use can be made of social media contacts once an employee leaves the company. Other measures that companies could consider taking are:

  • to simply ban all use of social media sites such as Facebook, LinkedIn and Twitter;
  • to ensure that relevant employees add all new LinkedIn contacts to the company’s CRM database;
  • to include non-competition and non-solicitation clauses in employment contracts or other agreements;
  • to include social media clauses in all employment agreements.

By considering the risks and taking necessary measures to prevent these issues arising in the future you should be able to avoid costly litigation when key employees leave, potentially taking your SaaS customer contacts and followers with them.

______________________________________________________

SaaS Agreements – Freedom of Information Act – Disclosure

Were you aware that if you supply SaaS software to public authorities they can be legally obliged to release details of your SaaS agreement to competitors?

Public Tendering and Disclosure

Atos won a major tender to supply an IT system to a Government department to handle information requests and transactions between Government departments and the public. Atos was the only bidder for the tender.

In 2007 an individual made a request under the Freedom of Information Act (FOI) for disclosure of particular details of the IT agreement. The details requested included information on the liability of Atos, benchmarking and prices. The Information Commissioner ordered the Government department to disclose the details requested.

Right to Refuse Disclosure of Confidential Information

The Government department refused to disclose the information, relying on the exemption in section 43 of the FOI, namely that the information requested was a trade secret and that disclosure would damage the commercial interests of the parties. An appeal was made to the Information Tribunal, and last week the Tribunal agreed with the Information Commissioner’s Office and ordered that disclosure of some of the details requested was in the public interest.

Are Prices Trade Secrets?

What may be reassuring to SaaS suppliers is that not all of the information requested had to be disclosed on appeal. The Tribunal agreed with Atos that its pricing model was a trade secret and disclosure of this “could undermine the owner’s business and give competitors a commercial advantage”.  The Tribunal also agreed that the exact location of the Atos data centre must not be disclosed, for security reasons, but that the country of its location should be disclosed to show that there was compliance with the Data Protection Act.

Protecting Confidential Information

The above illustrates the real danger of confidential information being disclosed by a customer because the law requires it. In order to limit and control the information which can be requested and disclosed under a FOI request, it is essential that adequate clauses are included not just in any NDA signed during the tendering process, but also in the confidentiality sections of the final SaaS agreement.

______________________________________________________

SaaS Agreements – Need for an NDA prior to signing a SaaS Agreement

Prior to a SaaS agreement being negotiated with a customer, SaaS suppliers are often required to provide prospects with internal, business sensitive information about their prices, policies and software functionality (confidential information) as part of the public procurement, tendering or sales process.

Need for an NDA

If prospects do not sign a non-disclosure agreement (NDA) or confidentiality agreement prior to a SaaS supplier disclosing its business secrets and confidential information, the prospect will have no duty to keep this information confidential.  Confidentiality terms in the later SaaS agreement will only protect information disclosed after this is signed. If the prospect does not become a customer, they will be free to use your confidential information as they please.

An NDA should therefore be signed before providing a prospect with any sensitive information and this should include some basic legal clauses to protect your business if you win the sale and more importantly, if you don’t.

Mutual Protection

Often a prospect will require a SaaS supplier to sign their standard NDA prior to discussing a possible SaaS agreement. More often than not, the prospect’s NDA will only protect their confidential information and not provide the supplier with any protection. It is therefore essential that the NDA includes mutual rights to protect your confidential information.

If the prospect is a public authority this is essential, as under the Freedom of Information Act your competitors can exercise their right to try to obtain access to your documents via a FOI request if their bid was unsuccessful. An NDA cannot override the Act, but if you have one in place with the public authority it supports the authority in relying on the exemptions for information provided in confidence and for commercially sensitive information, and so may allow such requests to be refused.

What Information is Confidential?

All information provided by you to a prospect during the sales process should be treated as confidential information. This should also include any documents referred to in the documents you provide as part of your proposal.  You will probably have given the prospect copies of price lists,  functional descriptions of your software and other internal documents which you do not want third parties to see.

If the proposal does not lead to a sale and the prospect is speaking to your competitors, it is imperative that you have made your definition of confidential information as wide as possible. Additionally, the prospect should agree to keep all information confidential and to return, or confirm the destruction of, all confidential information if no sale is agreed.

Who may Access the Confidential Information

If you are dealing with a multi-national prospect, you need to carefully state which companies or individuals within the prospect’s group of companies are entitled to see your confidential information. The prospect should undertake to apply the terms of the NDA to all such parties. Conversely, if companies or individuals within your group of companies need to see the prospect’s confidential information, ensure that you have these rights in the NDA.

Please note that these are just some of the basic clauses that need to be included in a NDA. There are many other clauses which have not been referred to here and legal advice should be sought when negotiating the terms of an NDA.

______________________________________________________

SaaS, ASP Agreements – Transfer of Personal Data outside of the EEA

There are no restrictions on transferring personal data within the EEA.  However, due to the global nature of SaaS or ASP agreements personal data often needs to be  transferred outside of the EEA, for example to an IT outsourcing provider in India, a subsidiary of your company in China or a data centre or software development centre in Vietnam.

Restrictions on Export of Data Outside of the EEA

Under the 8th principle of the Data Protection Act 1998 before any personal data may be exported to any country outside of the EEA, you must ensure that there are adequate levels of protection in place. The European Economic Area consists of the 27 EU member states plus Norway, Iceland and Liechtenstein. There are four ways in which adequate levels of protection can be achieved:

  • consent
  • equivalent protection / safe harbor
  • use of the EU model contract clauses
  • binding corporate rules

Consent

The simplest method of compliance is to obtain the specific consent of the data subject before the transfer takes place. If the data subject consents to the transfer, you will comply with the Data Protection Act. Consent is usually obtained by having the data subject agree to the transfer of their personal data outside of the EEA, and full details of the transfer itself should be set out in your privacy policy.

Equivalent Protection and Safe Harbor

Alternatively, the transfer is permitted if the European Commission has decided that the non-EEA country to which the personal data is being transferred provides an adequate level of protection. At the time of writing only a small number of countries, such as Switzerland, Canada and Argentina, are recognised; the current list is published by the European Commission. Certain companies in the USA are also recognised under the safe harbor scheme, provided that the company to which the personal data is being transferred has an up to date safe harbor registration.

EU Model Clauses

The European Commission has issued its own model clauses to cover transfers of personal data outside of the EEA. If these model clauses are incorporated into the SaaS agreement between the customer (as data exporter) and the SaaS supplier, and into the agreement with the third party IT outsourcer, data centre or software developer to whom the data is onward transferred, there will be adequate protection. However, these clauses are not ideal, as the respective legal responsibilities of the data processor and the data controller remain unclear where a sub-processor is involved.

Also, from the 15th of May 2010 the new controller-to-processor model clauses should be used, as they replace the previous version.

Binding Corporate Rules

These are designed to cover transfers of personal data within multi-national companies where they have subsidiaries based in many countries. These rules only permit the inter-company transfer of personal data and do not cover transfers to third parties such as IT outsourcing providers or data centres. To date very few companies have adopted binding corporate rules due to the expense and time it takes for the rules to be recognised within the EU.

______________________________________________________

SaaS, ASP Agreements – FAQs – Confidential Information

What confidentiality provisions need to be included in a SaaS agreement?

Define Confidential Information

Parties will obtain and have access to the business critical information of each other as a result of entering into a  SaaS Agreement. For example, they may have access to customer lists, banking information, IPR, source code and object code or business secrets and processes. Confidential information should be defined in the SaaS agreement to make clear what is, and what is not, confidential. Do not simply refer to documents which are “marked as confidential” or “which should be treated as confidential”. Not all confidential information exists in a physical format, particularly in a SaaS scenario – so do not restrict your definition to just documents.

Restrictions on Disclosure

Confidential information should not be passed on to third parties or used by either party for any purpose other than performing its duties under the SaaS agreement. However, under certain circumstances a party may be legally required to disclose confidential information to a third party, and such disclosure must be permitted. Additionally, employees and agents of the parties (accountants, sub-contractors) may need access to the confidential information for the purposes of the SaaS agreement. Such disclosure should be permitted, but must be restricted to named or defined groups of sub-contractors, for example the supplier’s hosting provider or the customer’s named IT outsourcing providers. Disclosure to competitors of either party should be specifically prohibited. If any third parties are to have access to a party’s confidential information they must be bound by the same confidentiality duties as the party disclosing the information to them.

Return or Destruction of Data

Once the SaaS agreement is terminated, or expires, all confidential information of each party should be returned or destroyed. Confirmation of destruction of data should be required in writing. This is particularly important in relation to any personal data, as under the Data Protection Act 1998 no personal data should be kept longer than necessary. The length for which such personal data may be stored will depend upon the type of data and the purposes for which it was collected and stored.

Freedom of Information Request – FOI

If the customer is a public authority or another body subject to FOIs, both the supplier and the customer will need to comply with any requests for releases of information within strict time limits. Provisions should be added to the SaaS agreement to give the supplier control over what is, and what is not, released to prevent third parties having access to its confidential information pursuant to such requests.

Subject Access Request – SAR

Similar provisions are contained in the Data Protection Act 1998 which allow data subjects to request a copy of the personal data held on them which the supplier is processing on behalf of the customer. The request is made to the customer, who will need to ensure that there are provisions in the SaaS agreement obliging the supplier to release appropriate data.

Audit Rights

Sometimes customers will have a regulatory duty (for example as a firm regulated by the FSA) to check the supplier’s security structures and data storage systems. Any third parties used by the customer during the audit should be bound by the confidentiality provisions of the SaaS agreement before being permitted access to any confidential information. This can easily be achieved by having the third party sign a non-disclosure agreement.
