DEMYSTIFYING DATA: POINTERS AND PITFALLS FOR CONTRACTING WITH DATA

By: Janet Ozembloski



More and more, commercial lawyers are working with a data component in a wide array of contracts that come across their desks. Finding a commercial arrangement where data is not a component of the contracting discussion is a rarity. The principles that inform contracting with data generally hold true for all contracts, and so this is a primer to assist with all contract creation and negotiation.


This post aims to provide a handful of high-level pointers and considerations for both lawyers and their clients who contract with data. Information security and privacy are two of the major enterprise risk management issues that organizations face in the public and private sector in Canada, and the pandemic has only amplified this risk.


Ten principles to inform contract creation and negotiation:

(1) Contracts are not set in stone. They generally favour the party who writes them. Negotiation for terms that are fair for both parties is the end goal.


(2) If you don’t ask, you won’t receive. Working with large vendors with large complex contracts can be daunting, but it doesn’t hurt to ask, and you may be surprised that many large organizations will agree to amendments. Choose strategically, and don’t nitpick.


(3) All contracts are not created equal. Contracts are an exercise in risk allocation and relationship rules, and reading the fine print is a must.


(4) Get it right the first time. Have the hard conversations before the paper is inked. Preparing for worst case scenarios in agreements is always the best course.


(5) Do the legwork. If an organization is providing or sharing data with another organization, leaving no stone unturned is the only path to responsible data governance.


(6) Follow the data. Organizations need to determine, at a granular level and from beginning to end, who will access the data and how it will be accessed.


(7) Don’t fall prey to pressure tactics. Many large vendors will provide much better pricing if a deal is signed quickly. While it’s tempting to rush into a deal, be careful and be sure the contract has had sufficient scrutiny and discussion.


(8) Is it a Picasso or a finger painting? Shoddy contracts can often signal a shoddy vendor. When dealing with data and privacy, there is no room for sub-par vendors to service an organization. When data is being shared unilaterally or bilaterally, a properly drafted contract is critical.


(9) Commercial contracting is a team effort. A commercial lawyer who works with data in contracts needs to have a very close working relationship with the business and IT folks. Many clients make the mistake of thinking that a contract should be the responsibility of “legal”, but input and scrutiny by the technical and business stakeholders of an organization are imperative.


(10) Don’t get taken down the rabbit hole. Embedded links in contracts can be landmines, and are always subject to unilateral change by the vendor. The less of these, the better.


Ten areas to pay attention to when contracting with data:

(1) Length of term and renewals. Pay close attention to how long the contract locks in an organization, and pay close attention to auto-renewals and notice periods to terminate contracts.


(2) Termination. Clients may want the ability to terminate for breach of confidentiality/privacy without necessarily giving the vendor the ability to remediate, if the vendor has committed a breach involving sensitive data or personal health information.


(3) Limits of liability. Ensure these are appropriate to the risk, type of data, insurance available, and size of organization.


(4) Indemnity. Ensure the indemnity matches the risk profile of the type of data and quantity of data being processed or exchanged.


(5) Insurance. Ensuring there are sufficient limits of appropriate insurance is mission critical.


(6) Governing Law and Jurisdiction. Many vendors will request a jurisdiction in another country or province, and care must be taken to negotiate a suitable jurisdiction clause.


(7) Notification provisions pertaining to security incidents or privacy breaches. Transparency and timeliness are critical when it comes to demanding appropriate notification provisions.


(8) Compliance with relevant laws. Basket clauses, while helpful, are not as useful as specific legislation and regulation being called out as applicable.


(9) Statements of Work are critical documents and sufficient time must be spent on these by the business with legal assistance to ensure that clear timelines and distribution of responsibilities are clearly articulated.


(10) Service Level Agreements. These agreements usually form a part of a main agreement, and deserve careful scrutiny.


Top data contracting issues:

(1) Use of the data. Watch very carefully for what the vendor wants to do with your data. Sometimes they want to use it for their internal QI purposes; this may very well be acceptable, and even good for you at the end of the day, as the product/service improves. BEWARE of any ability of the vendor to use your data for other purposes, including commercializing it or disclosing it to third parties for research purposes.


(2) Ownership of data. Ensure that it is crystal clear that your organization owns the data, and make clear that the vendor’s access to your data gives them no license to use it except as expressly set out in the agreement.


(3) Subcontracting clauses/Subprocessors. Make sure the vendor accepts complete responsibility and liability for the negligence or acts of all of its subcontractors.


(4) What type of data is being shared, transmitted, stored, used? The guiding principle is that the less data a vendor stores or has access to, the better. Where possible, anonymize or aggregate. Have as few people with access to data as possible, and do your diligence to know as best you can who will be handling your organization’s data.


(5) The more sensitive the information being shared (health information, financial information), the more robust you want the privacy and security protections to be, including training of staff, monitoring of compliance, and audit log capabilities. If your organization works with health data, you will be governed by PHIPA.



