In an outsourcing arrangement, the parties will often share confidential information with one another. Such information might include details of their pricing structures or internal processes, technical data, or proprietary intellectual property. Whatever the nature of the information, the party disclosing it (usually the customer) will want to ensure that it is protected from further disclosure. It is therefore common for a customer to ask the supplier to sign a non-disclosure (or confidentiality) agreement (an “NDA”). An NDA may be a separate side agreement or it may form part of the main outsourcing agreement. Either way, it is often an important element of the parties’ relationship that requires careful consideration at the outset.
When drafting an NDA, the parties will have to consider, among other things, what information is confidential, to whom it can and cannot be disclosed, how it will be treated, and how long it will be retained. All of these points are open for negotiation. However, both parties should remember that, whatever terms they agree, they must be capable of practical application. There is no point in a customer pressing for the highest possible standards of confidentiality if they unnecessarily restrict the supplier’s ability to use the information at the expense of business efficacy and operational efficiency.
This article gives some guidelines for parties when negotiating the terms of an NDA to ensure that it achieves its purpose in a reasonable and practical manner.
What information should be considered confidential?
If there are categories of information that the customer knows that it will definitely share with the supplier and which it wants kept confidential, then those should be listed at the outset. However, sometimes in a multi-year arrangement covering a range of outsourced services, it will be difficult to define at the beginning all the different kinds of confidential information that will end up passing between the parties. It is therefore important to have a catchall provision to ensure confidential information that does not fall within the list is still protected. One good way of doing this is to draft a definition of “Confidential Information” that includes an objective standard.
For example, in addition to any specific categories listed, “Confidential Information” may be defined to include “all information that the customer provides or makes available, directly or indirectly, to the supplier that: (i) is marked confidential, for limited distribution, or with a similar warning; or (ii) if unmarked, is of a nature that the supplier should reasonably know is confidential.”
While sub-section (ii) is intended to capture information that should be treated as confidential, even if it is not marked as such, it is obviously open to interpretation what information falls within this clause. A prudent customer would, therefore, put processes in place to ensure that all confidential information is appropriately marked as such when it is being passed to the supplier, and a customer would only rely on sub-section (ii) as a last resort.
What information is not confidential?
Even though the customer will often want the definition of confidential information to be as wide as possible, there are some common exceptions that the supplier will insist on. For example, it is usual to agree that the following is not confidential:
information that is in the public domain at the time of disclosure;
information that becomes known to the public through no fault of the supplier; and
information that becomes known to the supplier from a third party that has a lawful right to disclose such information.
These are non-controversial exceptions to the definition of confidential information that the customer can usually agree to without prejudicing its own position. Equally, if the customer is the recipient of confidential information from the supplier, it will want to ensure that it does not have to treat the above categories of information as confidential.
How should confidential information be treated?
The ultimate goal of an NDA is to ensure that information passing from one party to the other remains confidential and that it is not used for any improper purpose or shared with third parties.
The NDA should set out the standard by which the parties will handle the confidential information. Usually, the receiving party will be expected to treat the other’s confidential information in the same way that it treats its own. However, this is only an acceptable standard if the supplier has proper procedures in place for handling its own confidential information, such as limiting access to the information, password protecting it and other methods for preserving secrecy.
A prudent customer should investigate the supplier’s practices for maintaining the secrecy of its own information. If those practices are sub-standard or even nonexistent, it will not be enough to simply require the supplier to treat the customer’s confidential information in the same way that it treats its own. Instead, the NDA should contain specific provisions concerning how the information will be treated in practice (e.g. limiting access to named individuals or functions, use of password protection and encryption software, locking up hard copies, etc.).
When can the supplier disclose the information?
It will not be practical to expect a supplier to never share confidential information. For example, it is reasonable to allow the supplier to disclose the information if the disclosure is required under applicable law.
The supplier may also want to disclose the information to related third parties in the course of its regular operations (e.g. to its employees, consultants, sub-contractors, professional advisors, financiers, parents or affiliates). Whether or not the customer will be comfortable giving a blanket permission to the supplier to disclose confidential information to these related parties will depend on the nature of the information. If it is particularly sensitive, the supplier may have to seek the customer’s specific consent to disclose it to named employees, sub-contractors or advisors.
One way to balance the customer’s desire to protect the information against the supplier’s need to disclose it is to agree that it may be disclosed to related third parties, but only under certain circumstances, for example:
only on a “need to know” basis;
only if the supplier agrees an NDA with the third party that has terms and conditions that are substantially the same as the NDA between the customer and the supplier; and
the supplier remains responsible to the customer for the performance of the third party.
In addition, for extra comfort, the customer could ask that it is named as a beneficiary in any NDA between the supplier and the third party to whom it is making onward disclosure. This would give the customer the right to enforce such confidentiality obligations directly against the third party.
What happens to the confidential information upon expiration or termination of the outsourcing agreement?
Upon the expiration or termination of an outsourcing agreement, the related NDA often requires the supplier to return or destroy any confidential information it holds belonging to the customer. Whilst requiring the blanket return or destruction of all confidential information might seem like a neat way of dealing with things when drafting the contract, the reality is quite different.
In the digital age, such provisions can prove difficult to comply with in practice. The information may have been copied and saved on to the supplier’s storage systems in several formats (e.g. on backup tapes, within the supplier’s email systems, on individual laptops, and in hard copy form). It may be impossible for the supplier to locate and delete all copies of the customer’s confidential information. Nor is it clear what the benefit in doing so is.
The real concern should be to ensure the ongoing protection of the confidential information, even after expiry or termination of the outsourcing agreement. This can be achieved by the parties agreeing that the confidentiality provisions will survive the termination of the outsourcing agreement for a reasonable period of time.
In addition, the parties should identify any confidential information that absolutely must be returned or destroyed at the end of the outsourcing agreement. This will often be a very small sub-set of the total confidential information passed to the supplier. Identifying this sub-set at the outset means that, during the life of the relationship, it can be treated in such a way that makes its collection and destruction at the end much easier (e.g. by restricting who can email or print it, or by storing it on a special server).
What about personal data?
Sometimes confidential information is defined to include the personal data of the customer’s employees or its own customers. It is important to remember that such personal data is subject to local data protection laws and may require special protection. The inclusion of personal information within the definition of confidential information in an NDA does provide a layer of protection. However, the standard exceptions could undermine the special protection that should be provided to personal data. It is often better to have a separate provision dealing with personal data in which the customer’s own statutory obligations to protect the personal data of its employees or customers are flowed down to the supplier.
Customers often want the broadest definition of confidential information and the strictest terms for its treatment and protection, without thinking about how such provisions work in practice. Where there is a need to hold the supplier to the absolute highest standards of confidentiality, then customers should, of course, insist on that. However, as with any aspect of an outsourcing agreement, the customer’s own interests will often be best served by placing reasonable and practical confidentiality obligations on its suppliers. It is therefore worth the customer taking the time to think through what information it wants kept confidential and how, in practice, it expects the supplier to protect that information. Having that clarity at the outset will ensure that the supplier is able to put the appropriate measures in place to preserve the secrecy of the information, which is, after all, the customer’s primary concern.
Caroline Doherty de Novoa