Monday, October 25, 2010

Now for the Flip Side


So a few weeks ago I posited in “Don’t Need It, Don’t Want It” that service providers should not be the sacrificial lamb regarding handling of personal information (“PI”), or personal health information (“PHI”), where the service provider does not need access to this type of information to provide the services. Now for the flip side.

If the services that a service provider is providing do in fact necessitate an entity entrusting this type of information to it, then the service provider does have to accept more stringent controls and security that are legislated in a number of jurisdictions – e.g. Personal Health Information Protection Act, 2004 (Ontario), Personal Information Protection and Electronic Documents Act (Canada) etc..

By way of examples: service providers to the health care industry who have to have access to the PHI in a client’s care should have in place, as a matter of course, use and security standards that meet regulatory requirements for the handling of PHI. Service providers to the financial services industry who have to have access to the PI in a client’s care should have in place, as a matter of course, use and security standards that meet regulatory requirements for the handling of PI. As part of their business model these standards should be “baked into” the services provider’s fees.

What becomes tricky is if a particular client stipulates a stricter standard than industry standards or regulatory requirements. In these instances the client needs to be prepared to lose some of the cost benefits of using the service provider’s standard services, and the service provider needs to evaluate the extra cost associated with it accommodating the special requirements. Both parties have to work together to address their respective concerns in these circumstances.

To quote the philosophical geniuses that are The Rolling Stones (Mick Jagger and Keith Richards),

“…You can’t always get what you want
But if try sometimes you just might find
You get what you need…”

Monday, October 18, 2010

Employee Provisions in Outsourcing Agreements

Note: This posting first appeared at http://www.slaw.ca/2010/09/16/employee-provisions-in-outsourcing-agreements/.

The provisions of outsourcing agreements relating to employees have grown more complicated. There was time, in the early 1990s, when the obligations of the service provider under the Outsourcing Agreement focussed almost exclusively on describing in detail the services to be performed. There was little mention of the service provider employees used to perform the services (or privacy, software or subcontractors for that matter). The times have changed however: in my experience at least, it is now customary for outsourcing agreements to include extensive provisions relating to the personnel used by the service provider to perform the services.

In this blog posting, I want to consider the different perspectives with which customers and service providers approach the employee provisions of an Outsourcing Agreement. If each party understands the interests and objectives of the other, it may be easier to reach an agreement that will support the long term health of the outsourcing arrangement and avoid creating a standard that the service provider will never be able to satisfy or that will leave the customer unprotected. I have also included, as part III and for completeness, some provisions from a sample outsourcing agreement.

One preliminary point is in order. The provisions being discussed here deal with the service provider’s employees who will be providing services after signing. In that sense, these provisions are concerned with the future relationship. Many outsourcing agreements also involve a transition of employees from the customer to the service provider. There is a separate set of issues around employee transitions, e.g. pre-and post-transition liabilities, the service provider’s concerns about the ability and experience of the transitioning employees and the customer’s obligations to disclose past misconduct, that also need to be considered but that are beyond the scope of today’s posting.

I. The Customer Perspective

The customer’s objectives in negotiating the employee provisions of the Outsourcing Agreement depend of course on the circumstances of the specific outsourcing. It is not uncommon for the customer’s concerns to include the following:

(1) Avoid a bait and switch: The customer may be looking for certainty around the employees who will be providing the services to it. The customer does not want to contract with the service provider on the basis that the services will be provided by the “A team” indentified in the service provider’s RFP response only to discover, some months later, that the A team is now working on the next pursuit and it is the candidates for the service provider’s C team who are actually attempting to deliver the services to the customer. To avoid this outcome, the customer is likely to require that key service provider personnel be identified in the Outsourcing Agreement and that such personnel not be replaced (except in circumstances beyond the service provider’s control) without the customer’s consent.

(2) Risk mitigation: The customer may attempt, through the employee provisions in the Outsourcing Agreement, to mitigate the risk that the service provider will be in breach of the agreement or, even if not in breach, that the services will be sub-standard or only barely rise to the level of acceptability. This interest involves the customer trying to impose an additional set of obligations on the service provider that, if complied with, will increase the likelihood that the services will be satisfactory and will achieve the customer’s objectives. This is equivalent to focusing on a building’s foundation, on the basis that, if the foundation is solid, the building is less likely to fall down. These obligations may include provisions that: (i) the personnel performing the services will have the knowledge, skills and experience necessary to perform their responsibilities under the agreement or even that such employees have specific certifications; (ii) the personnel will comply with customer’s policies; (iii) the employees will perform the services to the standards set out in the agreement; and (iv) the service provider will provide the employees with regular training on critical issues to ensure the employees’ knowledge and skills remain current.

(3) Maintenance of control: Notwithstanding that the services have been outsourced, the customer may continue to want significant control over how the services are to be performed. In effect, the customer is demonstrating a concern about whether the service provider will be sufficiently proactive in identifying issues or, if an issue is identified, whether the service provider will respond appropriately and in a timely fashion. And, in the customer’s mind, if the service provider cannot be relied upon to take the appropriate action, then the customer needs to retain the ability to do so. I have heard this expressed by one counsel as wanting the ability “to have the train track repaired without having to wait for the train wreck to happen”.

The desire to maintain control can manifest itself, in the employee context, by requests for control over employee screening, the number or location of the employees used to perform the services or the training to be received by them. It can show up in the customer’s insistence on the right to require that individual employees be prohibited from providing services to the customer. It can even be translated into requirements for input on employee base or bonus compensation (which may or may not be funded by the customer). In the government context, this emphasis on maintaining control can reveal itself in the establishment of whistleblower hotlines and requests that the employees provide direct confidentiality or other covenants in favour of the government customer.

(4) Competitive Concerns: The customer may well understand that the service provider delivers services to other customers in the same industry segment. Indeed, one of the critical factors in the customer’s selection of the service provider may well have been the service provider’s deep industry knowledge and experience. That does not mean that the customer is willing to have the service provider use the knowledge and experience it gains in delivering services to the customer for the benefit of other clients of the service provider, whether in the same or different industry segments. Nor does it mean that the customer will be satisfied with the standard confidentiality and non-disclosure provisions of the Outsourcing Agreement. The customer will focus on the service provider employees who are performing the services for the customer and try to limit their ability to perform work for the customer’s competitors. These limitations may take the form of restrictions on the service provider’s ability to transfer its employees. In some cases however, the customer’s competitive concerns may be such that the customer requires that the limitations be flowed down to and accepted by the employees who are providing the services.

The customer will certainly have other interests and concerns that it will attempt to address through the employee provisions of the Outsourcing Agreement, e.g. ensuring that any commitments or employment guarantees made by the customer are honoured by service provider. Rather than attempting to enumerate all of customer’s issues however, I now want to consider the some of the countervailing interests of the service provider.

II. The Service Provider Perspective

The customer tries, through the employee provisions in the Outsourcing Agreement, to restrict the service provider’s freedom and flexibility in order to prevent the service provider acting in a manner detrimental to the customer. In contradistinction, the service provider is generally attempting to minimize the customer’s control over the service provider’s employees and to preserve as much freedom as possible to determine how and by whom the services are provided. The service provider’s objectives may be based on the following interests:

(1) Limiting Control over how the Services are provided: The service provider’s fundamental responsibility to the customer is to deliver the “Services” and the service provider wants the freedom to direct and manage its resources – the ability to re-align, rationalize, replenish or even reduce resources as it deems appropriate – to achieve this objective. From the service provider’s perspective, it has the knowledge, experience and expertise to know how best to deliver the services, at least as compared to the customer, and it will bear the financial or other consequences under the Outsourcing Agreement for any failures to comply. Therefore, the service provider will be focused on preserving its ability to manage the services and minimizing the control of the customer. Employee provisions that the customer sees as necessary or beneficial to its interests will be viewed through the service provider lens of whether they restrict the service provider’s ability to manage the services and fulfill its responsibilities under the Outsourcing Agreement. If they do, the service provider may well object to the employee provisions on the basis that they constitute “micro-management” by the customer. For example, if the customer’s interest in having dedicated service provider employees who are focused on providing services to the customer restricts the service provider’s ability to develop a planned leveraged service offering, the service provider will object on this basis. Accommodating any controls requested by the customer is problematic for the service provider because, in evaluating any such limitations, the service provider needs to consider both the immediate impact and how such controls will play out in the future when the employees, technology, environment and business will have changed.

(2) Maintain control over costs: Under most Outsourcing Agreements, the service provider is delivering cost savings to the customer: there are very few customers who are really interested in entering into an agreement with a service provider where the cost of the services will be greater than the amount the customer is currently spending. If the service provider is going to turn a profit on an outsourcing transaction, the service provider will need to manage its costs. As personnel costs will be a significant component, if not the most significant component, of the service provider’s costs, it will be important for the service provider to retain the ability to manage these costs. This means that the service provider is likely to resist any employee provisions requested by the customer that will impose additional costs on the service provider (e.g. the costs of additional employee screening) or limit the service provider’s ability to manage its costs (e.g. limitations on the personnel reductions), unless such costs have been explicitly included as part of the service provider’s cost model or can be passed through to the customer.

(3) Manage the Work Force: The service provider will be fundamentally concerned to maintain the ability to manage its workforce and will view many of the employee provisions requested by the customer as unreasonable or counter-productive attempts to restrict its ability to do so. For example, the service provider wants the ability to promote or provide new challenges to high-potential employees and to allow its employees to seek new opportunities without the employees having to terminate their employment relationship and go elsewhere. (Some service providers have even established personnel policies that allow employees to request a transfer to a new account or to a different position after a certain period of time.) The service provider is likely to resist provisions that require employees to be dedicated to a customer indefinitely or for more than some reasonable period of time. From the service provider’s perspective, these provisions will make it difficult to attract qualified employees and will not likely achieve their objective of retaining skilled resources on the customer account: such employees, faced with what they perceive to be a life sentence to a specific account, will look elsewhere to the detriment of both the customer and the service provider.

In a similar vein, it is important for the service provider that its employees be focussed on the service provider’s business objectives and that they understand that their career and compensation depend on their level of performance at the service provider. But it is exactly this principle that the customer is seeking to counteract when it asks for input on employees’ base or bonus compensation: the customer is seeking to undermine the employment relationship and to motivate the service provider employees to act in the best interests of the customer, not the service provider. It is analogous to the situation in which a bank is asked to determine the compensation of a bank loan officer based on how pleased borrowers are with their borrowing experience and not with the loan officer’s adherence to prudent lending practices. Not surprisingly, it may be problematic for the service provider to allow the customer to provide input into any employee assessment programs or to impact the employee’s base or bonus compensation.

(4) Grow the Business: The service provider wants to be able to grow its business. This requires the flexibility to respond to new situations and to pursue new opportunities using its available resources including those employees who are currently providing services to the customer. Employee provisions such as those requiring the customer’s consent before key service provider personnel can be transferred or that impose a “cooling off period” before the employees can provide services to a competitor of the customer undermine the service provider’s ability to grow. The service provider can also argue, not completely disingenuously, that such restrictions are not in the interests of the customer. This is because the larger the service provider’s customer base in a specific industry segment, the more likely the service provider is to be able to develop leveraged tools or leveraged service offerings or make investments in providing the services.

III. Sample Provisions

Without attempting to define what the appropriate balance between the interests of the customer and service provider is (something that is impossible to do in the abstract), the employee provisions in an Outsourcing Agreement may be similar to the following:

(a) The Service Provider shall ensure that all Service Provider Personnel performing the Services shall:
(i) possess knowledge, skill and experience appropriate to the tasks to which they are allotted and the performance including service levels which they are required to achieve and that such personnel have received appropriate training (which training shall be regularly updated during the term of this Agreement);

(ii) perform the Services to the standards set out in this Agreement; and

(iii) strictly comply with all Customer’s policies and guidelines applicable to the Service Provider’s obligations under this Agreement and of which notice has been given to the Service Provider, as such policies and guidelines may be revised from time to time.

(b) The Service Provider shall not transfer or re-assign individuals filling Key Service Provider Positions to other positions with the Service Provider during the period set out in the Key Service Provider Positions Schedule, except: (i) with Customer’s consent; or (ii) where forced to do for reasons beyond its reasonable control such as employee sickness, disability, resignation or death. In the event of the transfer of any Key Service Provider Personnel a suitable replacement must be approved by Customer.

(c) The Service Provider shall not permit any individuals: (i) filling any Key Service Provider Positions; or (ii) having access to Customer Confidential Information in the course of performance of their responsibilities for the Service Provider; to perform services for any Customer Competitor for a period of two years after such individuals cease to be involved in any manner whatsoever in the Services provided to the Customer.

(d) Upon written request by the Customer setting out reasonable grounds, the Service Provider shall promptly, and in any event within ten Business Days, replace any Service Provider Personnel with another individual, acceptable to the Customer, of suitable ability and qualifications. Notwithstanding the foregoing, where the Customer notifies the Service Provider that the Customer has determined that the concern is of such a serious nature that such Service Provider Personnel should be removed immediately from the Customer’s account, the Service Provider shall immediately remove such individual from the Customer’s account.

IV. Conclusion

Reaching agreement on the employee provisions of an outsourcing agreement involves reconciling the customer’s desire for control over the employees providing services to it and the service provider’s insistence on having the flexibility to manage how and by whom the services are provided. This reconciliation can best be accomplished if each of the customer and the service provider understand the interests and objectives of the other. While the customer and service provider interests that are identified above can in no sense be regarded as a complete list, they provide an indication of the nature of the interests that need to be taken into account to reach agreement.

Wednesday, October 6, 2010

Don’t Need It, Don’t Want It

I understand that enterprise - both private and public – has obligations with respect to the handling of personal information, including special standards for health care information.

But if a party advises that it does not need, nor does it want, access to such information in order to engage in business with the enterprise, then is it not incumbent upon the enterprise to ensure they don’t get give it?

Most entities have standard confidentiality and security practices – commercially available firewalls, virus protection etc. - that are suitable for their industry as a whole. It is not a viable business model to have to continually change these standards – different levels of encryption, special screening programs etc. - to comply with the differing requirements of each client. Unless of course the client is willing to pay all associated initial and ongoing costs for these measures.

I cannot see how an enterprise would be fulfilling its responsibilities with regard to the proper handling of personal information if all they do is insist that the other party agree to comply with its often amorphous standards of care regarding handling personal information, that the enterprise also reserves the right to change from time to time at its discretion.

I have been pleasantly surprised when enterprise has understood this. It agrees that it is not going to provide the personal information, but if it inadvertently does the other party’s obligation is to advise when they become aware of having received such information and to return and/or destroy it as soon as possible. This is a reasonable solution that both parties can live with.