Confidentiality Obligations in Outsourcing Agreements

By Richard Austin, Deeth Williams Wall LLP Confidentiality obligations are a fundamental part of all outsourcing agreements. As part of an outsourcing transaction, the customer and the service provider each agree to make Confidential Information available to the other but subject, in each case, to the limitations on use, disclosure and retention that are agreed to in the contract. Unfortunately, customers and service providers don’t always get it right and the parties sometimes find, after signing the agreement, that information intended to be kept confidential need not be or that information intended to be freely available is subject to unwelcome restrictions that limit its usability. In this posting and the one to follow, I want to discuss a potpourri of issues relating to confidentiality obligations where care and attention may be needed to ensure that the parties achieve the results they are intending. 1. Return or destruction of Confidential Information on expiration or termination The confidentiality obligations of many outsourcing agreements require each party to return or destroy the Confidential Information of the other party on expiration or termination of the Agreement, in words similar to the following:

Upon the expiration or termination of the Agreement or on completion of a party’s obligations under the Agreement, the party shall return or destroy, as the other party may direct, all material in any medium that contains, refers to or relates to the Confidential Information of the other party.

Such provisions are problematic. First, in the digital age in which we now live, it will be economically impractical if not virtually impossible for a party to return or destroy all copies of the Confidential Information of the other party made during the term of a multi-year outsourcing agreement. Copies of the information will be located across the enterprise in storage systems, on backup or archival tapes, in the email systems, on individual laptops, on flash drives and in hard copy form. It is not clear that the customer or the service provider could ever locate and expunge all copies of the other’s Confidential Information. Nor is it clear that, so long as the information continues to be subject to the confidentiality obligations of the outsourcing agreement, there is any significant benefit to be gained from so doing. This is the reality of the digital age. Second, and this has long been the case, there may well be legitimate reasons for a party or its advisors to retain a copy of the other’s Confidential Information after expiration or termination of the Agreement. Either party may be subject to statutory obligations requiring it to keep copies of the Confidential Information for a specified period of time or, in the course of performance of the agreement, need to provide the information to professional advisors such as auditors whose professional obligations will require them to retain copies. The customer may require use of Confidential Information of the service provider in connection with its re-procurement activities. And the service provider could potentially be involved in disputes with its subcontractors that survive the term of the outsourcing agreement and for which it requires copies of the customer’s Confidential Information. The real issue is how to treat Confidential Information at expiration or termination and this is not being properly addressed in outsourcing agreements: many contracts still require the return or destruction of all Confidential Information at end of term. However there are ways of dealing with the issue that recognize the parties’ interests in protecting the confidentiality of their information including, perhaps, through the following two-pronged approach. As a first step, the parties should agree to the obligations that will apply generally on expiration or termination of the outsourcing agreement. (A sample provision is set out below.) Next, the parties should identify any Confidential Information for which the general provision is not adequate and that must absolutely be returned or destroyed at end of term. For any such information, once it has been identified, the parties should discuss: (i) how such information will be collected, used, processed and stored during the life of the agreement so that it is capable of being returned or destroyed at end of term; and (ii) their respective responsibility for the costs thereof. If the customer and the service provider are realistic and reasonable in negotiating the general provisions, there may well not be any Confidential Information that requires such special treatment. This approach to the return or destruction of Confidential Information may be based on a general provision such as the following:

Upon the expiration or termination of the Agreement or on completion of a party’s obligations under the Agreement, the party (the “Expunging Party”) shall use all commercially reasonable efforts to return or destroy or cause to be returned or destroyed, in a prompt manner, all materials in any medium that contain, refer to or relate to the Confidential Information of the other party which are in the Expunging Party’s possession or control or in the possession or control of any of the Expunging Party’s permitted representatives. The Expunging Party’s obligations under this section include the obligation to use all commercially reasonable efforts to expunge all Confidential Information of the other party from any systems or equipment in the possession or under the control of the Expunging Party or into which the Confidential Information of the other party was programmed or inserted by or on behalf of the Expunging Party or its permitted representatives. Notwithstanding the foregoing, each of the Expunging Party and any of its permitted representatives shall be permitted:

1. to retain and use one copy of the Confidential Information of the other party for the sole purpose of compliance with and to the extent and for so long as required by: (1) any law applicable to it; (2) any court, regulatory agency or authority to which it is subject; or (3) the professional standards of its professional governing body (to the extent in possession of the Confidential Information in a professional capacity); and
2. to retain any electronic records and files containing Confidential Information of the other party which have been created pursuant to the automatic or normal course archiving and back-up procedures of the Expunging Party or its permitted representatives.

Any Confidential Information of a party that is not returned or destroyed pursuant to this section shall continue to be subject to the confidentiality and non-disclosure provisions of this Agreement notwithstanding any expiration or termination of this Agreement.

2. Including Agreement terms and conditions within the definition of Confidential Information It is not uncommon to see a provision equivalent to the following in an outsourcing agreement:

Confidential Information shall also include, whether or not designated as ‘Confidential Information’:

(a) the terms and conditions of this Agreement, any schedules or exhibits thereto or any Statement of Work;

This provision leaves me feeling a little confused. While the provision confirms that the terms and conditions of the outsourcing agreement are confidential, it does not spell out precisely whose Confidential Information it is. Presumably we are to infer that the terms and conditions of the Agreement are the Confidential Information of both parties. Presumably we are also to infer that, just because the Agreement is the Confidential Information of a party, that does not entitle the party to use or disclose the information as it sees fit. Since the Agreement is also the Confidential Information of the other party, the consent of the other party is required for any disclosure of its terms. If, for example, the customer or the service provider wanted to disclose the outsourcing agreement in connection with an M and A transaction or to disclose pricing to a third party, it would require the consent of the other party to do so. Even so, the consequences of declaring the terms and conditions of the outsourcing agreement to be confidential may still be unclear. In particular, precisely which terms and conditions are confidential? Are the “boiler plate” provisions? Or is it only the provisions describing the fundamentals of the deal? What if the outsourcing agreement were to have been developed based on the template of one of the parties? Do the confidentiality obligations applicable to the outsourcing agreement now trump any proprietary rights the drafter may have in its template agreement? Or can the party rely on the exceptions to the confidentiality obligations for information previously known to it to claim that anything developed by it independently of the other is not the confidential information of the other party? There are other ways of dealing with the Confidential Information in an outsourcing agreement than by simply specifying that the entire agreement (terms and conditions, schedules, exhibits and statements of work) is confidential. It is open to the parties to identify the specific components of the agreement that are confidential, whose confidential information it is and any special circumstances under which the information may be disclosed. While this may appear to be an extraordinary amount of work, it will avoid the situation in which the customer or service provider discovers, after the fact, that it requires the consent of the other to the use or disclosure of the outsourcing agreement (which consent may not always be forthcoming or be given subject to restrictions that make it unworkable). There is one other further aspect of this issue – declaring the outsourcing agreement to be confidential – that private sector service providers entering into outsourcing transactions with government entities should be aware of: it usually doesn’t work, at least with respect to the government entity. Regardless of what the outsourcing agreement says about the confidentiality of the Agreement terms and conditions, it will be extraordinarily difficult for the service provider to prevent the terms and conditions of the agreement being disclosed in response to third party access to information requests. Moreover, such disclosure is unlikely to be a breach of the agreement because most outsourcing agreements with government entities will carve out of the confidentiality obligations any disclosures required by freedom of information legislation or applicable law. By way of example, in Ontario, under section 17(1) of the Freedom of Information and Protection of Privacy Act, R.S.O. 1990, c. F.31, the head of a government institution is required to refuse to disclose scientific, technical, commercial, financial or labour relations information supplied in confidence if the disclosure could reasonably be expected to have one of the consequences set out in paragraphs (a) – (d) of the section. However, as service providers have discovered in attempting to prevent the disclosure of their agreements, the question of whether disclosure will engender one of the consequences set out in paragraphs (a) – (d) is largely academic. The investigation usually never gets beyond the petard of “information supplied in confidence”. Because outsourcing agreements are negotiated by the parties, they can almost never satisfy the condition of having been supplied in confidence. Order PO-2018 (2002) of the Office of the Information and Privacy Commissioner (Ontario) (available at http://www.ipc.on.ca/images/Findings/Attached_PDF/PO-2018.pdf) indicated:

Because the information in a contract is typically the product of a negotiation process between two parties, the content of contracts involving an institution and an affected party will not normally qualify as having been “supplied” for the purposes of section 17(1) of the Act. Records of this nature have been the subject of a number of past orders of this office. In general, the conclusions reached in these orders is that for such information to have been “supplied”, it must be the same as that originally provided by the affected party, not information that has resulted from negotiations between the institution and the affected party. The fact, however, that a contract is preceded by little negotiation, or that the contract substantially reflects terms proposed by a third party, does not lead to a conclusion that the information in the contract was “supplied” within the meaning of section 17(1). The terms of a contract have been found not to meet the criterion of having been “supplied” by a third party, even where they were proposed by the third party and agreed to with little discussion (see Order P-1545).

(See also, by way of example: (i) Office of the Information and Privacy Commissioner (BC), Order F09-04, available at http://www.oipc.bc.ca/orders/2009/OrderF09-04.pdf; (ii) Office of the Information and Privacy Commissioner (BC), Order F08-22, available at http://www.llbc.leg.bc.ca/public/pubdocs/bcdocs/156693/2008/orderf08_22.pdf; and (iii) Office of the Information and Privacy Commission (British Columbia), Order F10-39, available at http://www.oipc.bc.ca/orders/2010/OrderF10-39.pdf.) 3. Definition of Confidential Information Confidential Information is sometimes defined in an outsourcing agreement as:

any technical, business, financial, personal, employee, operational, scientific, research or other information or data in whatsoever form or media, whether in writing, electronic form or communicated orally or visually that, at the time of disclosure or within thirty days thereafter is designated as confidential (or like designation). (emphasis added)

The provision entitling a party to designate information, for a period of thirty days after its disclosure, as Confidential Information is a hangover from the world of standalone NDAs and is of dubious value. It leaves open the question of what the impact of this ex post facto designation of information as confidential is in respect of any pre-designation disclosures. Is a party prohibited from disclosing confidential information for a period of thirty days lest it subsequently be determined to be confidential? Are the third parties to whom such information has been disclosed free to use the information without restriction but the party to the agreement (who now realizes the information is confidential) is prohibited from doing so? There is a serious issue here, namely how to deal with the disclosure of information that, while confidential, is not specifically identified as such at the time of disclosure. In these circumstances, it may be preferable to address the issue by resorting to an objective standard, e.g.:

“Confidential Information” shall mean all information provided or made available, whether directly or indirectly, by one party to the other that: (i) is marked confidential, limited distribution or with a similar designation; or (ii) if unmarked, which the receiving party should reasonably know is confidential.

In my next posting, I will continue to look at issues relating to confidentiality obligations in outsourcing transactions where special attention may be needed including with respect to designating personal information and intellectual property as confidential and in respect of third party beneficiaries. First posted at http://www.slaw.ca/.