There is a range of legal issues to be considered when institutions merge. Areas relating to employment, procurement, health and safety, finance and taxation will all need careful planning and management. This paper, however, will limit itself to the main legal areas associated with IT. Contract, data protection, ownership and freedom of information will all be considered.
The merging process is likely to involve entering into multiple contracts with different parties such as service providers, various rights holders, other institutions, and commercial partners. Within this context, issues may arise relating to ownership, licensing and liability, and these areas will be analysed in more detail in the paper.
Terms and conditions within contracts usually determine what responsibilities and liabilities different parties will have. Prior to signing 'on the dotted line', it is vital for institutions to assess and clarify:
- Agreed aims, objectives and expectations
- Current and future legal obligations, ensuring these are consistent with agreed aims and can be realistically met
- Risk – both operational and financial
Without due diligence, a college or university may be binding the merged institution to policies, agreements and contracts that are overly restrictive, financially onerous and difficult to manage, where stated outcomes or timescales cannot realistically be met.
In this simplified example, due diligence was not carried out and, without some form of renegotiation prior to the contract period, the new institution will have to, in effect, run multiple licences to prevent a breach of the licensing agreements. This will have both financial and practical implications for a new institution that may well be trying to streamline operations within a limited budget.
In any proposed merger, pre-existing contractual obligations must be considered. Where inconsistent, previous arrangements may become unworkable and an exit strategy will be required. However, changing contract terms unilaterally or abandoning a contract early may have significant financial penalties for an institution.
In this case University B could easily have avoided any penalty if it had fulfilled the existing contract. Reading the small print is a must.
Checking pre-existing agreements prior to carrying out a merger provides certainty and prevents potential breaches.
Here additional permission is likely to be required to host works off-site in the cloud, and make them available to all students and staff.
Similarly, in drafting new contracts on behalf of the merged institution, parties should ensure that key issues and liabilities are addressed within the agreement. If not, this could lead, at best, to uncertainty in the event of something going wrong.
The new institution, as data controller, is clearly liable for any data breach. However, this does not prevent the institution having a contract, such as a data processing agreement, in place detailing liability in the event of data loss. In the absence of any provision, the institution is unlikely to receive compensation without lengthy arbitration/litigation.
Clarifying existing contractual obligations early on will enable institutions and their partners to make informed decisions. Extensive negotiation may be necessary to reach a mutually acceptable agreement.
Top tips for contracts
- Decide on agreed aims and objectives and reflect them in both the merger arrangement and subsequent contracts
- Carry out due diligence to clarify existing obligations and make sure these are compatible with any proposed merger or new agreement
- When negotiating contracts, ensure relevant costs and payment dates are addressed as well as indemnity clauses; this includes any funding arrangements, outlays, overheads, procurement, technical support, storage and penalty clauses
- Before signing, make sure you are aware of, and agree to, terms and conditions relating to ownership of assets, legal responsibilities and liabilities
- Ensure all parties have signed the agreement
- Check that the contract period is in line with the new institution’s expectations and preferences; make sure you are not tied in longer than necessary
- Know what the procedure is, and what the consequences may be, should one party wish to change or terminate a contract at a later date, ie think through a suitable exit strategy before entering any agreement
- Ensure appropriate dispute resolution measures are in place
- Re-assess insurance implications for an institution by virtue of this new contractual relationship
When institutions merge, they may decide to share common platforms, storage facilities, servers, processes and/or infrastructure. Issues such as cost, access and ownership should be addressed contractually. In a merger situation the personal information of individuals is likely to be shared between the merged institutions and this sharing is regulated by data protection law. This will not cause difficulties where the purpose of processing is the same, or at least not substantially different.
The new EU General Data Protection Regulation, at the time of writing, is still to be ratified and will not come into force until 2 years after the date of its publication ie 2018. The relevant law, therefore, remains the Data Protection Act (DPA) 1998. The DPA will apply where personal data is shared as part of the merger itself, or where it is shared with a third party. This might occur via an internal network such as Janet, or over an external platform like the cloud.
Personal information, or data, is defined in the legislation as significant biographical information that either relates to an identifiable living person, or which in combination with other information would identify them. In general terms, processing must be carried out fairly and lawfully. Usually, at the time of collection, data subjects (eg staff and learners) are told what information will be processed, for what purpose and to whom it will be disclosed. This is generally achieved by way of a fair processing notice.
The DPA is not a barrier to sharing personal information provided it is done lawfully and the sharing is considered ‘fair’. Institutions will already share data with other organisations, either when required to by law or where this relates to the operational business of the college or university. There are also specific circumstances where consent will not be required to share, but generally staff and learners should know that sharing is taking place and that specific parties will have access to their personal information.
In a merger, there are also likely to be changes to the registration (notification) previously submitted by the separate institutions to the Information Commissioner’s Office. The DPA requires every data controller (with a few exceptions) processing personal information to register with the ICO. This includes a college or a university. Registrations can be amended in writing for free. Where this involves a change of legal entity, as is the case in a merger, the new institution will be required to submit a new application within 28 days and pay an annual fee. Any data breach complaints will transfer to the new institution.
When sharing personal data, an institution must ensure:
- There is a clearly identified and lawful purpose for distributing and sharing
- The sharing is fair
- An adequate notice period has been provided
- The rights of data subjects are not compromised
Where an institution (either alone or in consultation with others) determines the purposes for which and the manner in which any personal data is, or is to be processed, that institution is designated the “data controller” for the purposes of the DPA. The institution, as data controller, has responsibility for acting in line with data protection legislation and is subject to all the legal obligations. In a merger, this responsibility will transfer to the new institution. Making data protection liabilities clear contractually, in line with the law, will help prevent confusion.
Many data protection policies contain an express clause that envisages the sharing of personal data when a change in the data controller occurs. A fair processing notice is not expected to cover every situation but should contain enough detail so that a data subject (learner or staff member) has a reasonable expectation that their data will be processed in that manner eg a clause stating that personal data of all subjects will be available to the new body in the same way as before.
So, provided individuals were not led to believe that their personal data would never be disclosed in this way, and the purpose of the processing remains consistent, the DPA is complied with where subjects are informed of the merger. It may also be argued that the sharing of non-sensitive personal information is in the legitimate interests of the data controller or third party under Schedule 2 of the DPA.
Even at the negotiation stages, proposed mergers will undoubtedly involve disclosing data. This may include personal data of staff and students and possibly third parties. Assurances will be required in these circumstances as to anonymity, security, limited uses, confidentiality, disclosure and deletion.
The DPA ensures ‘fairness’ of processing and safeguards the rights of data subjects. These will apply equally to a merger situation.
It is not uncommon for employers to ask for attendance information of employees attending institutions. However, this example of sharing was not part of Louise’s processing agreement or fair processing notice, nor was it part of any agreement between the employer and the college. Disclosing this information without consent is likely to be a breach of the DPA.
The crux of the issue is what the staff and learners were told or expected at the time of collection. This particular processing of personal information by the IT company has not been disclosed to staff and learners, nor is it part of a processing agreement. Without consent, this will be an unauthorised use of personal data and a breach of the DPA. In addition, direct marketing of this kind is regulated by The Privacy and Electronic Communications (EC Directive) Regulations 2003. Sending unsolicited emails without permission is likely to constitute a breach.
Regardless of any merger, in order to comply with the DPA and protect the privacy of the learner, the library cannot disclose the information as this is personal data that is collected purely for specific records purposes.
Where a merger is confirmed, there will be changes to the way and/or to whom personal data will be shared. The institution must decide how and when it will make everyone aware that this will be going ahead.
In this example, College B should identify what personal data it actually holds and for what purposes. Providing individuals with a new privacy notice, or reminding them of an existing one should suffice as long as the purposes for processing are the same. However, where this involves sensitive data, all students and members of staff should be contacted individually to ensure this information is passed on directly. Any notification provided should identify the new institution and remind individuals what information is held and how it may be used. At the very least, your data subjects should understand who holds their data and be reassured as to the continued purpose and security of that information.
Top tips for sharing personal data
- Adopt a ‘privacy by design’ approach to data sharing
- Consider the potential benefits and risks to individuals
- Where possible anonymise information that is being shared
- Only share what is necessary
- Check you can satisfy one or more conditions for processing
- Make sure all personal information is shared securely and on a need-to-know basis
- Identify who will be doing what with the information, clarify roles, obligations and liabilities
- Have a formal data sharing agreement in place
- Ensure that any personal information shared is accurate, relevant and not excessive
- Take appropriate steps to ensure records are accurate and up to date and kept in line with a consistent retention policy
- Define the purpose of sharing and decide whether this is:
  - In line with expectations (no consent)
  - An entirely new purpose (consent)
  - Involves sensitive personal data (explicit consent)
- Ensure data subjects can exercise all of their rights under the Act
- Continue to provide an adequate level of protection for information
- Consider technical support implications for any data sharing
- Make sure the institution and any third party, with whom the data is shared, can meet their data protection obligations
- Record what was shared, with whom, when it was shared, why it was shared and whether you have consent
The outsourcing of services is likely to involve the new merged institution contracting with a third party to process personal data. However, this does not lessen a data controller’s legal responsibilities under the DPA.
Following a merger, the new institution will become the data controller and will be liable for any breach. Here, even though the security breach was carried out by Help Co, University X is liable under the DPA as the data controller. Any outsourced processing of personal data must be adequately and securely processed with particularly high safeguards in place for this type of sensitive data. Using a reputable organisation that offered guarantees of secure processing might have prevented the breach and would certainly mitigate X’s liability in terms of damages payable.
In this situation, a detailed data processing agreement should be in place making all roles, responsibilities and liabilities clear. What ‘appropriate and adequate security measures’ are required will, to some extent, depend on particular circumstances, but factors such as the nature of personal information being processed, the likely harm that would result from any unauthorised disclosure or access, the technology available and the costs involved will be relevant.
Another popular form of outsourcing is to use the ‘cloud’. However, again in these circumstances, there are legal obligations the data controller must meet.
Principle 8 of the Data Protection Act 1998 states that personal data shall not be transferred to any country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
So, in assessing the risks related to processing data in the cloud, one of the first questions to consider is where is the data being stored? Unfortunately, sometimes it can be less than straightforward to answer this, particularly where numerous data centres or subcontractors are being used.
If the transfer is within the EEA, this is more straightforward. However, where information is transferred outside the EEA, to the United States, for example, specific safeguards must either be put in place by the data controller, or guaranteed by the provider. As a result of the Schrems case, institutions cannot rely exclusively on a ‘Safe Harbor’ agreement where data is transferred to the United States, as this is no longer valid.
A note for institutions on how an adequate level of protection for personal data can be ensured, when processed in the United States following the Safe Harbour judgment, is available on our Community site.
A useful practice code on outsourcing and a guidance document on cloud computing are available on the ICO’s website.
Top tips for outsourcing
- Choose carefully; contract with well established, reputable organisations that offer guarantees of security, robust policies and procedures as well as trained staff
- Have a data processing/sharing agreement in place that clearly identifies roles, responsibilities and liabilities
- Check that the agreement states what security measures and back up systems are in place to fit the nature of the personal data being processed and that these meet agreed consistent standards
- Ensure that any data processing/sharing agreement is enforceable in the UK and the country in which the organisation is located
- Make sure the organisation is obligated to report security breaches
- Check that your own procedures allow you to act effectively and swiftly where any breach of security occurs
Ownership is not always a straightforward issue; it might relate to existing assets of an institution, materials being used under licence or future content generated.
There will be ownership of, or rights in, teaching and learning materials, research data, software development, patents, designs, databases and a lot more besides. Intellectual property rights will attach to such works and can be of significant value over both the short and longer term. There will also be physical objects to be considered, that will be ‘owned’ by one/multiple parties with cost implications for institutions in either leasing them or maintaining them.
It is vital, therefore, that before a merger takes place, assets are accurately assessed and contracts are in place to clarify who owns what. Equally, any new content generated as a result of a merger will need to be addressed in agreements that are fit for purpose.
In this section we will address ownership issues in relation to intellectual property and IT law.
Copyright protects specific original works. A copyright holder has the right to control any copying, adaptation, publishing, performance and broadcast of works and under what conditions this may be done. Further information is available in our guide on copyright.
Colleges and universities, as employers, will usually be the copyright owners of materials created by employees unless there is an alternative agreement in place. This situation is different for learners though, who will usually own the copyright in their own work. It is also very likely that in the normal running of an institution, use will be made of other people’s materials, which will normally mean having appropriate licences in place.
Where a change, such as a new partnership, contract or merger takes place, existing licences will need to be checked to ensure adequate permissions are available for the intended use.
Many licences, including some software licences issued by Microsoft and Adobe, do allow transfer in a merger situation. Where the language of a licence is clear there is no further need for interpretation. However, where a licence makes no such provision, there will be a risk for any institution which continues to make use of those works in a merger.
Although, strictly in legal terms, additional permission may be required to prevent infringement, it is likely to prove particularly onerous and potentially very costly for institutions to check each individual licence and contact every rights holder where required. In most cases, the intention of the copyright owner will be satisfied by making materials available to learners and staff within colleges and universities regardless of whether the works are available in a single institution or a merger. However, use of commercial works beyond the terms of a licence, such as one based on the number of users, is likely to increase the risk of potential claims. Ultimately some form of risk management will be required.
Where an institution has the CLA licence, the CLA must be informed when a merger is to take place. Each merger will be dealt with on a case-by-case basis. However, it is very likely that where the merger involves institutions from the same sector, colleges or universities will be covered through their existing licences until the end of the Licence Year (31 July). If by that time, the merger has happened, one single licence agreement will be issued. Cross sector mergers may be less straightforward and institutions in this position should contact the CLA for further assistance.
Complex ownership issues may arise even in what seems to be a relatively simple arrangement.
The situation, as a result of the merger, has now changed. Professor Plum’s materials were produced in the course of his employment, so University A will own the copyright (as his employer) and these can be uploaded. Terms of licences attached to third party works in the recordings will need to be checked to ensure that permission includes storage on an off-site VLE and access by students other than those attending University A. Professor Plum is likely to own performance rights in his lectures so his consent may be required to copy the ‘performance’ and make it available in this way. Permission will also be required to allow students’ materials to be hosted in the new environment.
Ownership can be decided through agreement ie a licence. This is not always obvious and, without reading terms and conditions carefully, rights holders can be legally bound to terms they might otherwise avoid.
In this situation, the new university will lose out financially; having already provided a licence to the provider, exclusivity cannot be granted. Checking terms and conditions relating to ownership, prior to signing an agreement is essential to enable institutions to make an informed choice, and where appropriate, negotiate a less restrictive contract or seek an alternative.
Top tips on ownership
- Check existing licences to see what permission your college or university has regarding specific works
- Where the licence does not cover the intended use, seek additional permission to avoid risk of infringement
- When generating content, clarify ownership through formal agreement and protect your interests
- Check terms and conditions of contracts and only agree after due consideration of all aspects
- Be particularly vigilant where contracting with external parties
- Seek advice to clarify each party’s obligations and terms of agreement
- Carry out due diligence prior to negotiation and consider long term implications
UK institutions, as public authorities, are already familiar with their legal duty and obligations under freedom of information (FOI) legislation. If a request is made to a college or university and they ‘hold’ the information, then unless an exemption applies it must release it to the requestor within 20 working days. Personal information may escape disclosure under the relevant legislation. Further information on FOI is available in our guide on data protection and research data.
FOI law applies to individual institutions and, upon a merger, to the new institution. Every institution has to adopt and maintain a publication scheme to publish information on a proactive and routine basis. This must be done in accordance with the ICO model publication scheme and should be kept under review and updated where appropriate.
Following the merger, a new publication scheme should be issued, replacing all previous schemes. The new scheme should clearly include information from previous schemes as well as any applicable additions. During any period of change, it might also be useful to include a statement explaining that the current publication is being updated and that, where any information is required that is not listed, a Freedom of Information request should be made to FOI@merged-institution.ac.uk.
Outsourcing does not prevent the application of FOI; the law will apply in the same way. So in this situation, even where data is stored in the cloud, on behalf of the college in effect, the institution is still deemed to ‘hold’ the information requested. Where emails have been deleted but are still recoverable, this argument is also likely to fail.
Mergers, as described above, will involve different areas of law. What is most important, in terms of compliance, consistency and meeting expectations, is to clarify contractual and legal obligations and any restrictions imposed. Due diligence is also key, not only to ensure that pre-existing obligations can be met but also that any future agreements are fit for purpose without unworkable limitations and onerous liabilities.
It is important to ensure that relevant licensing agreements cover the sharing of content and materials, proposed data sharing is fair and lawful, subsequent contracts are consistent with agreed outcomes and obligations, and so on.
By following our top tips, and thinking through areas carefully and thoroughly, a college or university can be confident in carrying out a merger that is not only legally compliant but one that meets the agreed aims and objectives of all parties.