New legal superhero (or supervillain) is born: the Motivated Intruder

The man on the Clapham omnibus should not be confused with Hector the Tax Inspector

English law is full of fantastical creatures.  Pride of place goes to the Reasonable Man who is, by all accounts, an ordinary and prudent person, who is bowler-hatted and most commonly found on the Clapham omnibus.

He gets everywhere (he has cousins on the Bondi tram and the Shau Kei Wan tram).  He is free from over-apprehension and from over-confidence.  He provides a neutral standard that assists the bemused lawyer to assess whether or not any particular act is negligent.

Contract lawyers know the Officious Bystander well.  He occasionally interrupts proceedings to suggest terms for inclusion in contracts which are so obvious that they can be implied and do not need to be stated.

The Man on the Bondi Tram retired in 1960.

There is the Informed User who is something more than a consumer, knowing a fair bit about the existing design corpus but who is most definitely not an expert in the field.  He helps us to establish the boundaries of individual character in registered designs.  Or there is his close friend from the world of patents, the Person Skilled In The Art (aka the Nerd With No Imagination).  He is widely read in his field but has no imagination.  If he wouldn’t have thought of it, an invention satisfies the requirement of novelty necessary for the grant of a patent.

Less impressive is the Moron In A Hurry.  If two items are so different that they would not confuse even the Moron In A Hurry then there is no confusion and no passing off or trade mark infringement.

IP Draughts confesses that he had not heard of the Shau Kei Wan Tram

There is now another character to add to the fold: the Motivated Intruder.

The Information Commissioner’s Office highlighted his existence in November 2012, although some sightings date back to 2008.  He (or quite possibly she) has been quietly permeating the vexed topic of effective anonymisation.  This is more interesting than it sounds and currently matters a great deal to academic researchers although I predict it will soon matter just as much to insurance companies.

Old Etonian classics scholar, and Mayor of London, demonstrates the correct use of the masculine dative plural of “omnis”

Under UK law, information about a living and identifiable person can only be processed in accordance with the terms of the Data Protection Act.  To generalise, if you don’t have the individual’s consent (informed and freely given), you can’t use their data.  This is an issue for researchers keen to use the huge repository of data collected by the National Health Service (NHS).  The NHS holds a treasure trove of useful information but it was collected for clinical care purposes, not for research.  Obtaining individual consent permitting personal data to be used for research purposes just isn’t practical.  Cue much gnashing of academic teeth at the wasted opportunity.  But there is hope.  If the data is anonymous, it does not qualify as personal data and the restrictions of the Data Protection Act fall away.

Consent is not necessary in order to perform the act of anonymising personal data.  However, the question that now looms is just how anonymous information has to be to ensure that it is no longer classed as personal data.  The Data Protection Act is concerned with the likelihood of re-identification rather than with the possibility.  It boils down to needing to know whether any given method of anonymisation renders the information so secure that it is not reasonably likely that individuals, even individuals with rare medical conditions living in sparsely populated regions, will be re-identified.

How can the researcher be confident that the data has been effectively anonymised and therefore is not personal data?  Enter the Motivated Intruder.

This character has no prior knowledge but wants to identify an individual from an anonymised dataset.  The Motivated Intruder is competent, has access to resources such as the internet and public documents, and, will take all reasonable steps to try to re-identify an individual from the anonymised dataset.  But the Motivated Intruder does not have specialist skills and will not break the law.  He sits somewhere between the inexpert member of the public and the skilled specialist.  If the statistical method used would defeat the Motivated Intruder then the data can be treated as anonymous and used with confidence by the researcher.

Unfortunately, the Motivated Intruder is still a youngster.  There are few examples of his work.  In some cases, it has been enough to defeat the Motivated Intruder to redact certain aspects of the dataset such as the dates and locations of medical incidents.  In others the likelihood of identification was low enough that statistical information relating to same sex adoption and (in a separate case) to school entrance exams was effectively anonymised and could be released.  In another case, the raw data from a clinical trial could not be effectively anonymised and therefore should not be released.  There are questions that remain to be answered: just how hard will the Motivated Intruder try?  What sort of information does the Motivated Intruder care most about?  How much embarrassment or anxiety can the individual who is identified be expected to tolerate?

As with the Loch Ness Monster, we need a clearer picture…

As time goes on and the Motivated Intruder is cited (sighted… geddit? Unfortunately, yes. Ed) more often so we will have a clearer picture and so researchers can proceed with greater confidence.

In fact, the Motivated Intruder has the potential to play a starring role in an information debate coming to your screens in the very near future.  The care.data project has been put on ice because of growing public concern that anonymised health data could find its way into the hands of unscrupulous insurance companies who would promptly and easily re-identify it and use it to push our premiums up.  Time to call for the Motivated Intruder to restore public confidence?  Or is it too late for that?  The Motivated Intruder focuses on the likelihood of re-identification.  Public opinion might well be focussed on the possibility of re-identification.

PS IP Draughts is curious to know if there are any other fictional legal characters, not mentioned above, in readers’ jurisdictions.  He wonders whether the woman on the Edinburgh tram could be a candidate. Please let us know via this blog’s comments.

Research results: more moonbeams in a jar?

I embarked on this post with trepidation.  It’s always worrying when you start out thinking that you have a problem and that you disagree with IP Draughts.  The problem involves know-how: how should you deal with it, when it is part of the output of a research project?

Many research projects produce identifiable and protectable IP. There may be negotiations over who should own that IP, and the law gives us a set of rules that explain who is the first owner if different terms are not agreed.

But research projects also produce interesting things that are not obviously classified as identifiable and protectable IP – the ill-defined stuff that is sometimes called ‘know-how’.  Partners in the research want (demand, in some cases) rights to continue to use the know-how or to stop other people from using it.   Research funders want to own it as an output of the research.   IP Draughts says it is not something that can be assigned. [Don’t take any notice of his maunderings.  Ed.]

Two examples of know-how occupy my world:

Results – actual hard data.  As explained elsewhere, there is no property in information itself.  If it is to be protected, it needs to be covered by confidentiality or fixed as an acknowledged piece of IP.  It could be recorded as a copyright work or entered into a database.  But that approach doesn’t really deal with the whole problem.  The copyright owner can prevent the copyright work from being copied without permission but the data probably also exists outside of the copyright work (eg the difference between a publication and the data it is based on).  As for databases, it is the database, and the investment in creating the database, that is protected by database right and not the data itself.  Database right gives the owner of the database the right to control the use of the database rather than the content of the database.  Neither protects the data itself.  Conclusion: confidentiality is the best bet to protect the data.

Methods – specifically, refinements to established surgical methods that arise in the course of clinical trials.  Again, there is no property in the information itself.  Patenting is unlikely to be the answer (cost, difficulty in demonstrating novelty, exclusion of certain methods from patent protection).  Copyright offers some hope but the same arguments apply.  Conclusion (again): if the method is to be protected at all, confidentiality is the best bet.

Daguerrotype stereotype

The researcher will want to be able to continue to use the know-how.  The funder, stereotypically, will want to protect, restrict and commercialise.  And so we turn to the law to find out who owns the know-how and who can control it and, potentially, how to transfer it.

We know that know-how is practical information that is secret, substantial and identified (EU Tech Transfer Reg (772/2004)) and we know that know-how is not property and cannot be assigned (IP Draughts commentaries).

English law protects trade secrets but will not protect know-how of itself (Faccenda Chicken).  Know-how is treated as a lesser being than a trade secret and needs to shelter behind confidentiality.  The EU is currently considering a draft Directive introducing specific protections for trade secrets (EU draft Dir 2013/0402) that would impose penalties for the unlawful acquisition, disclosure or use of trade secrets.  A trade secret is defined as information that is secret, has commercial value because it is secret and has been the subject of reasonable steps to keep it secret.  On that definition, know-how might amount to a trade secret in some cases.  But again we see that confidentiality is key.  We also see a requirement for that confidentiality to protect a commercial value.

So, it looks like the answer to my problem is that no one really owns know-how, although you can expect to control it if you have the benefit of a confidentiality obligation that covers it.  There might be property in related IP rights but my sense is that these IP rights will often not catch the guts of the know-how – the data or the method.  Phew, I agree with IP Draughts.

And the lessons for our researcher?  Read the definitions in the research agreement and read them carefully.  Then see where and how those definitions are used.  If know-how is referred to in the definition of Confidential Information and the funder controls the Confidential Information, the researcher’s right to use their general know-how may be restricted.  If the definition of Intellectual Property includes data or methods, we may have ‘category confusion’ particularly if that data and those methods are not protected by any recognised form of IP.

A good (?) example of this is the EU’s Horizon 20/20 programme, whose contract terms define Background as follows:

‘Background’ means any data, know-how or information — whatever its form or nature (tangible or intangible), including any rights such as intellectual property rights — that: (a) is held by the beneficiaries before they acceded to the Agreement, and (b) is needed to implement the action or exploit the results.

Faced with a definition like this, which mixes up know-how, information and IP rights, you need to look very carefully at where the defined term is used and how it affects you.

When will they learn?

Software commercialisation. If they want to learn about Software Commercialisation, they will learn if they attend the course offered by Isis Enterprise (and featuring our own Stephen Brett) on 28^th November.  If they do attend, they will learn about things such as copyright and patent protection for software and about the different software licensing models that might be appropriate for different business models.

Further details are available from Isis Enterprise, here.

Contract drafting. If they want to learn about contract drafting they could do much worse than to attend one of the three courses scheduled to be given by Mark Anderson in London this Autumn.  The course details are available on the Anderson Law website, here.  An overview of the various courses on offer, and dates, appears on this blog here.

Practical licensing. Or, if they want to learn about Practical Licensing, they should sign up to Stephen Brett’s course planned for 7^th November and which is also outlined on the Anderson Law website, here.

IP licensing for professionals. Learners who prefer their licensing training to come in one-hour chunks while they look at their office computer screens, should consider signing up for Mark Anderson’s series of four “virtual classroom” lectures on licensing.  These lectures will be run on four successive Monday lunchtimes, in November and December.  Organised by the European Patent Academy (part of the European Patent Office), they cover the main provisions of a licence agreement including grant, payments, performance, warranties, law and jurisdction.  The course is designed for professional managers who have no experience of licensing.  Details here.

Project management. Finally, if they want to learn about pharmaceutical project management, they should consider signing up to the Autumn Meeting of PIPMG – the Pharmaceutical Industry Project Management Group.  Titled Discovery through to Market – Stage 1: Turning Ideas into Projects, the course will be held at the London Clinic on 19th and 20th November.  Details here.  Anderson Law LLP is proud to sponsor PIPMG by providing legal support.

Happy learning!

What’s so bad about… assumption of responsibility? Indirect loss under English law

Some months ago, this blogger wrote a piece about indirect loss (the blog post is here  and the full article is here).  Recent and robust discussions with BigPharma over the terms of a CDA have led me look at the position again and to wonder whether the judgment of the House of Lords (as it then was) in 2008 in Transfield Shipping v Mercator Shipping deserved the critical response it received.

  There is also a note on the Anderson Law website here that looks in more detail at the issues discussed in this blog article.

The first thing to note is that there is no need for panic.  The Transfield case has not effected any major change in the law.  Subsequent cases have largely confined it to its facts rather than treating it as a new rule of general application.

The facts of the Transfield case were relatively simple.  A ship, the Achilleas, was late returning from a charter with the result that the following charter had to be renegotiated.  The ship’s owner claimed damages for the period of delay and for the reduced value of renegotiated charter.  The original terms of the following charter were especially lucrative.  The House of Lords awarded damages only for the period of delay and did not allow the owner to recover in respect of the following charter.

Hadley v Baxendale is the starting point for any consideration of a question of remoteness of damage.  That case tells us that damages for breach of contract are recoverable in respect of any loss that flows naturally from the breach or in respect of any loss that could reasonably be supposed to have been in the contemplation of the parties at the time the contract was made.  However, the House of Lords in the Transfield case appeared to conclude that loss could not be recovered based merely on what was in the contemplation of the parties at the time of the contract.  The implication of the judgments was that the defendant also needed to have assumed responsibility for a loss before any damages would be awarded.

Five Law Lords gave five judgments in the Transfield case and each appeared to take a slightly different approach.  The most eye catching judgment was that of Lord Hoffman who decided that the determining factor was whether or not the party in breach had agreed to assume responsibility for losses of the type claimed.  If this statement represented the true position at law, then the consequence would be that claimants could only recover damages for a loss where the defendant had assumed responsibility for that specific risk.

Five Law Lords gave five judgments….

In the immediate aftermath of the case, this caused a great deal of concern.  However, as is often the way with the elastic English law, subsequent decisions have quietly distinguished the Transfield case and things have carried on largely unchanged.  Most notably, the Court of Appeal in 2010 concluded that Hadley v Baxdendale remained the standard test, albeit that it had been “rationalised”.

To return to the discussions with BigPharma, I wonder whether Lord Hoffman’s concept of no liability without an assumption of responsibility would be such a bad thing.

Consider this scenario:  BigPharma wants to talk to Research Institute about a possible collaboration and to do this effectively will need to disclose sensitive information.  BigPharma is adamant that any breach of confidence will destroy absolutely all of the value in the information.  But BigPharma is unable (or unwilling) to give any hint of what that value might be, what the potential loss might be or what particular risks are causing concern.   Research Institute is pushed towards a CDA with no limitation of liability, no exclusion of indirect loss and no information that it can use to quantify the potential loss.

Leaving aside the point that much of the information will probably find its way into a patent application and be published in time anyway, Research Institute is in a bind.  It wants to talk but the CDA exposes it to theoretically unlimited liability, something which it cannot accept.  Research Institute gets no immediate benefit from the evaluation and indeed it may never benefit.  It is, on one reading, being asked to accept a massive risk for no return.

Lord Hoffman’s concept of the assumption of responsibility would give Research Institute some hope.  It would force BigPharma to provide a proper explanation of the risks they have in mind and would promote a considered apportionment of risk.  This would allow Research Institute the chance to negotiate and to avoid the spectre of unlimited liability which gives research institutions, universities and other PSREs such a headache.  Research Institute could control its exposure by specifically listing the types of loss it was prepared to assume responsible for.  If BigPharma cannot elaborate on its concerns, Research Institute cannot be expected to assume responsibility.

Seen in that light, the Transfield case has a promising ring to it.