outsourcing –is it right for my business and if so, what legal … › export › sites › win...

19/03/2015

1

Outsourcing – Is it right for my business and if so, what legal issues do I need to consider?

Peter Jones

DLA Piper

19 March 2015

Outsourcing – definition

Transfer by a business (the "customer") to a third party provider (the "supplier") of the provision of a specific function or service currently being provided by the customer itself.

In-House Counsel Day 2015 2

19/03/2015

2

Is your organisation outsourcing?

Source: the Australian (17/02/15) citing ITNewcom which surveyed 200 organisations from Australia and 50 from New -Zealand each with a IT spend of at least $20 million a year.


"AUSTRALIA and New Zealand’s top 250 IT shops will spend about $42 billion on technology and related services in the 2015 financial year, new research shows …

…. In an ominous sign for in-house IT departments, more than 50 per cent of participants plan to outsource more infrastructure and applications services this year."

51%46%

3%

Infrastructure

Insource More

Outsource More

No Change

Not sure 57%38%

5%

Applications

Insource More

Outsource More

No Change

Not sure

Outsourcing Intentions

Why do organisations outsource?

Reduce operating costs

Transfer assets from the balance sheet

Convert expenditure

Engage "best-practice" services

Allow internal resources to focus skills on other areas

Reallocate business and regulatory risks


19/03/2015

3

Types of outsourcing

1. Facilities Management

2. Call/Contact Centre Services

3. Network Services

4. Infrastructure Outsourcing

5. Application management/maintenance


Session Summary

1. What you need to think about before going to market

2. Preliminary questions regarding how the outsourced solution will work

3. Constraints that exist from a privacy perspective

4. Provisions you should consider to protect you in relation to security


19/03/2015

4

Due Diligence

What is due diligence in outsourcing transactions?

the investigation into a customer's IT environment, business processes, assets, contracts and employees that occurs prior to signing an agreement for the provision of outsourced services

Why is it often critically important?


Due Diligence

In an outsourcing arrangement:

A customer will want a service provider to conduct due diligence to understand theservices and the infrastructure currently in place.

A service provider will want to satisfy itself that:

(1) it will be able to provide the services to the level required

(2) it has properly priced the services

(3) it understands the scope of the services / infrastructure in place


19/03/2015

5

Due Diligence

What are the contentious issues that may arise?

A working example …


Due Diligence – areas of investigation

Full scope of the services

Assets

Third party contracts

Employees

Regulatory issues

Physical premises requirements

"In-flight" projects


19/03/2015

6

The "Expectations Gap"?


Interesting feature of outsourcing

agreements


Outsourcing contracts are 'long term contracts of varying levels of interdependence'

As a result, effective management of change is critical

19/03/2015

7

Not all change should be managed

equally


Customer-requested

change

Changes must be mutually agreed

Supplier must implement

change

Effective Supplier veto

IF adverse cost impact, variation in

charges to be agreed

If agreed, implement

through change control

If not agreed, pre-determined interim pricing implemented until agreed

- AND -

Scenario 1

Scenario 2

Possible principles for dealing with

costs?

The Supplier must use its reasonable endeavours to comply with the requirement at no additional cost through the use of existing resources.

If the Supplier is unable to comply with the requirement without incurring additional cost, Supplier must provide:

an explanation of why compliance with the requirement is not possible without incurring additional cost

a reasonably accurate estimate of the additional cost likely to be incurred.

The Customer will have the right to adjust, reprioritise or waive the requirement to perform specific services or other activities.

To the extent additional effort is required, the charges for such additional effort will be calculated using [discounted time and materials rates]

To the extent additional materials are required, the Customer will be liable for the cost of such additional materials with no margin (provided as well that where the Customer has paid for such additional materials it will own such materials).


19/03/2015

8

Possible principles cont.

The Supplier will:

ensure that any additional charges or costs are reasonably and equitably determined, including by ensuring that where other customers of the Supplier are similarly impacted, any allocation of charges or costs is fair and equitable

at all times use its reasonable efforts to mitigate the amount payable by the Customer

provide information reasonably necessary to validate any amounts claimed from the Customer under this clause (for example, through the provision of timesheets or receipts for discrete items of material)


Australia v The Rest of the World


Should all changes in laws (incl. taxes) be treated the same?

How best to position for this?

19/03/2015

9

The key legal considerations

1. Privacy constraints

2. Security of your systems


Privacy constraints – new privacy

laws

While cost pressures are pushing organisation's to outsource -privacy is a major concern.

High profile breaches in 2014

More and more data is being collected

• …. all companies are "data processing companies"


19/03/2015

10

Is privacy relevant?


Legal privacy constraints will be relevant in most outsourcing arrangements.

Preliminary question:

• What part of the business is to be outsourced and what is the particular outsourcing arrangement?

How the proposed solution will work?


Ma

na

ge

d b

y t

he

clie

nt

Application

Data

Runtime

Middleware

O/S

Virtualisation

Servers

Storage

Networking

Packaged(off-the-shelf-

Software)

Infrastructure(as-a-Service)

Platform(as-a-Service)

Software(as-a-Service)

Ma

na

ge

d b

y t

he

clie

nt

Application

Data

Runtime

Middleware

O/S

Virtualisation

Servers

Storage

Networking Ma

na

ge

d b

y t

he

su

pp

lie

r

Ma

na

ge

d b

y t

he

clie

nt

Application

Data

Runtime

Middleware

O/S

Virtualisation

Servers

Storage

Networking Ma

na

ge

d b

y t

he

su

pp

lie

r

Ma

na

ge

d b

y t

he

su

pp

lie

r

Application

Data

Runtime

Middleware

O/S

Virtualisation

Servers

Storage

Networking

19/03/2015

11

A new privacy regime in Australia


Effective from 12 March 2014

Personal Information

Liable for actions of a supplier

Key Australian Privacy Principles ("APPs"):

APP 1; APP 5; APP 8; APP 11

Practical considerations:

updating privacy policy

notifications and consents

sufficient contractual provisions

Key security provisions

• Security requirements will be relevant in most outsourcing arrangements

• As with privacy - this often depends on what part of the business is to be outsourced


19/03/2015

12

Key security provisions

• Warranties & indemnities

• Unlimited liability for breaches of security

• Notification of breaches of security

• Protocols for breaches of security

• Compliance with specific security policies

• Insurance for breaches of security


Key security provisions – Government

Government outsourcing

• Federal Dep. of Finance draft cyber security clauses

• Model clauses (draft form)

Requirements:

o Overarching obligations to protect the customer data

o The Commonwealth Data Protection Plan (CDPP)

o Notification requirements for breach incidents

o Insurance requirements


19/03/2015

13

Other emerging trends/issues?

• Increasing multi-sourcing equals increasing complexity. The rise of Service Integration and Management solutions?

• As corporate venture funds increase, a corresponding increase on requirements for service providers to work with start ups / to share facilities/tools / to co-invest along side the customer?

• Will the increasing power of data analytics allow true outcome-based service levels to be deployed e.g. customer satisfaction which measured not via surveys but actual data?

• Will the international community develop effective cross-border cybersecuritymeasures or will data protection continue to be primarily a domestically regulated issue (against the backdrop of the internet which pressures traditional concepts of statehood)?


4. Summary & Questions

Takeaway points:

Outsourcing is increasing rapidly – organisation's battling to stay competitive

Proper due diligence is vital

Privacy issues must be considered

Security obligations under the agreement are key

Questions?


19/03/2015

14

Key Contacts


Peter Jones

Partner

T: 02 9286 8356

E: [email protected]

outsourcing –is it right for my business and if so, what legal … › export › sites › win...

Documents