Part One

© 2007, Deeth Williams Wall LLP. All Rights Reserved. By: Amy-Lynne Williams Outsourcing is not new – it used to be variously called data processing management, facilities management and service bureau processing. Regardless of what it is called, basically it involves a customer giving responsibility to an outsourcer for the operation and maintenance of all or part of the customer's IT operations or the operation of a business unit. The term of the agreement with the outsourcer can run from 3 to 10 years, depending on the needs of the customer and the price. The outsourcer may take over all or a part of the computer systems, premises and staff of the customer in the business unit in question. In effect, for the part of the business outsourced, the outsourcer steps into the shoes of the customer. The customer must of course, have a tremendous amount of faith in the ability of the outsourcer to do the work and because of the scope of what is involved, the deals themselves can become very complex, necessitating careful due diligence and negotiation of some tricky IP issues. Some of the major stumbling blocks in the negotiation of an outsourcing transaction can arise around the use, licensing, sharing, upgrading and return of intellectual property – simply because the customer has a suite of software, databases, trade secrets, trade-marks, processes, patents and know-how (all of it referred to here as IP) that it has used in its business for many years - and the outsourcer needs access to all this in order to run the outsourced business. What complicates things is that some of the IP may belong to a third party licensor; some of it may be subject to confidentiality restrictions that prevent even the agreement from being shown to the outsourcer; and some of it will be contributed by the outsourcer over the life of the contract – which can span several years. There are many layers of IP in any outsourcing arrangement and they need to be carefully separated, sorted and examined. From an IP perspective, the parties must not only deal with what gets transferred to the outsourcer at the start of the relationship, they must also think ahead to the ongoing operation, maintenance and upgrading of the various systems and databases involved, the confidentiality challenges that will arise and the inevitable overlapping of the IP rights of the customer and the outsourcer, as their businesses become entwined. Perhaps even more importantly, they need to agree on what happens when the relationship ends and the customer wants everything back – including IP developed by the outsourcer. It is important to remember that each party brings valuable IP in some form or other to the outsourcing relationship and each party will continue to create new IP during the term of the agreement. The process of working all this out can be time-consuming and a bit tedious, but it is imperative that it be done before anything gets moved to the outsourcer or the parties get committed to any future relationship.

TEN LAYERS OF IP

To help simplify all this somewhat, the IP that is relevant in an outsourcing deal can be grouped into the following levels:
  1. IP developed and owned by the customer that the outsourcer needs to use.
  2. IP licensed to the customer by a third party that the outsourcer needs to use.
  3. IP previously developed and owned by the outsourcer and used to process the customer's data or run the outsourced business.
  4. IP previously licensed to the outsourcer by a third party and used to process the customer's data or run the outsourced business.
  5. Confidential information, including trade secrets, owned by the customer or belonging to a third party and in the control of the customer. This could also include personal information in the custody of the customer that relates to its own customers or employees and that may be subject to federal or provincial privacy legislation.
  6. New or add-on IP developed by the outsourcer specifically for the customer's account and paid for by the customer.
  7. New or add-on IP developed by the outsourcer primarily for use in the outsourced business but that may have applications for other customers of the outsourcer.
  8. New or add-on IP developed by the customer during the term of the agreement and provided to the outsourcer to run the outsourced business.
  9. New, upgraded or add-on IP licensed by the outsourcer specifically for use in the customer's business.
  10. New, upgraded or add-on IP licensed by the customer during the term and provided to the outsourcer for use in the customer's business.

IP CHECKLIST FOR OUTSOURCING

For each level of IP, the parties need to:
  • identify the component parts of the IP;
  • sort out who owns what;
  • determine whether the third party agreements with the customer can be disclosed to the outsourcer. Many third party licenses for example, provide that the terms of the agreement are confidential and consent must be obtained from the third party to disclose the terms of the agreement to the outsourcer;
  • determine what can and cannot be transferred to the outsourcer;
  • list contracts to be assigned to the outsourcer;
  • determine what rights will be granted to the outsourcer to use proprietary and third party IP. Will the outsourcer obtain a full assignment of the license or a limited right to use the third party IP for the term of the outsourcing agreement?
  • determine which party is responsible for:
    • notifying third party licensors of the outsourcing transaction - usually the customer;
    • seeking consents to assignment or use – usually the customer;
    • ongoing maintenance management and upgrades to the IP – usually the outsourcer;
    • handling any migration to new technology during the term of the contract – usually the outsourcer after obtaining the customer's consent to the change;
  • decide who pays any transfer fees charged by the third parties to assign the licenses to the outsourcer or allow limited use of the IP;
  • determine how non-transferable software will be replaced;
  • decide who owns any new IP – will it be the customer alone, the outsourcer alone or joint ownership;
  • decide what use the customer and outsourcer can make of the existing and new IP after termination. The outsourcer may agree that the customer can obtain a license from the outsourcer for future use of the outsourcer's IP, but may strenuously object to the customer providing that IP to a new outsourcer.
  • decide to what extent the outsourcer can leverage the customer's existing IP for use with outsourcer's other clients
  • carefully sort out the various confidentiality obligations of the parties:
    • for the customer's confidential information
    • for third party information in the customer's control that will have to be shared with the outsourcer
    • for personal information in the control of the customer that will be accessed and used by the outsourcer. Keep in mind that the various statutes for the protection of personal information will usually provide that the customer remains liable for the protection of that information even if it is in the hands of an outside contractor. Obtain assurances from the outsourcer that it will comply with the customer's privacy policies and the relevant legislation and that it will indemnify the customer from the outsourcer's failure to do so.
    • for personal information, determine whether it can be disclosed to the outsourcer at all without the necessity of the customer obtaining new consents and decide whether the disclosure of the information to the outsourcer fits with the customer's privacy policy
    • determine whether prior head's up to the relevant privacy commissioner would be advisable
  • determine what level of security will be required at the outsourcer's premises to handle personal information, software and systems security, third party and customer confidential information
  • determine what level of access the customer will have to data and confidential information. The customer will want access 24/7, but the outsourcer will have to weigh this against its obligations to its other clients who may also have sensitive data and software on the outsourcer's premises
  • decide how data and other sensitive information will be returned to the customer on termination or expiration
  • on termination, decide what access the customer can give to its new outsourcing partner to IP licensed to the customer by the current outsourcer
  • determine the ability of the customer to audit the security measures taken by the outsourcer to protect the customer's IP. Compare to the obligations the customer already has with its third party suppliers and make sure there are no gaps.
  • determine the respective liability of the parties for infringement actions caused by their own and third party IP used in the outsourcing.

Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.

E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.

Amy-Lynne Williams
By Amy-Lynne Williams
October 4, 2007
Editors
Outsourcing