Covid 19: “massive data-sharing contracts”

Making the rounds on Twitter is news of the UK government’s release of the “massive data-sharing contracts” that it has entered into with various tech companies, relating to Covid 19.

According to the OpenDemocracy website, this release occurred only after pressure from openDemocracy, and “hours before” they were due to issue legal proceedings to demand their release.

The web page linked above has on it links to what are said to be the contracts that the UK government released. The contracts are with Google, Faculty, Palantir and Microsoft, respectively. According to openDemocracy, the contracts are concerned with an:

‘unprecedented’ transfer of personal health information of millions of NHS users to these private tech firms.

IP Draughts thought it would be interesting to take a look at these contracts and consider what, if anything, they tell us about the processing of health data, and more generally what they tell us about government contracts.

IP Draughts’ first reaction, having downloaded the four contracts, is “where’s the beef”?

Google

The first contract is with Google, and is described as a “confidentiality and consultancy agreement”. It is 3 pages, plus signatures. It says that Google will:

provide technical, advisory and other support (the ‘Support’) to NHSX [two national NHS bodies and the Department of Health] regarding efforts to tackle COVID-19 (the ‘Project’).

No further details of the Support are given. Clause 5 states, inter alia:

The parties acknowledge and agree that it is not their intention to collect, access, share, use or otherwise process any personal data…

Much of the rest of the contract consists of boilerplate clauses, eg on anti-bribery , disclaimer of warranties, etc.

If there is a scandal associated with this contract, it is not evident from the text of the contract.

Faculty

Faculty is allegedly a company that has connections with Dominic Cummings, and has received several government contracts. OpenDemocracy alleges that the disclosed contract is worth £1M.

The contract is headed with the “Crown Commercial Service” name and logo, and is described as a “G-Cloud 11 Call-Off Contract (version 4)” – whatever that means. It appears to be a typically turgid form of government contract, running to 48 pages. Most of it is boilerplate language.

The “call-off contract value” is stated to be “£930,000 excluding VAT”, and the “call-off contract description” is “provision of strategic support to the NHSX AI Lab”.

The main reference to data in the service description is a phrase (the 7th bullet point of 12 that describe the services) that reads:

Modelling and simulation: using data from across the healthcare system to model scenarios to better understand that impact of the spread of CODIV-19 on healthcare resources

This may or may not involve obtaining personal data from NHS records.

A later [template?] Schedule 1 – Services includes a narrative description of the NHS AI Lab and what it will do, and states that the NHSX “are looking for a partner to help share and deliver the NHS AI Lab”.

These brief descriptions certainly raise the possibility that, in helping to develop the AI Lab, the contractor will have access to personal data, but so far the contract does not say so in terms.

Part B – Terms and Conditions, sets out detailed boilerplate terms for the contract. Clause 12.1 requires the Supplier to

comply with the Buyer’s written instructions and this Call-Off Contract when Processing Buyer Personal Data… [and to] only Process the Buyer Personal Data as necessary for the provision of the G-Cloud Services…

Schedule 6 is a glossary and defines Buyer Personal Data as:

The personal data supplied by the Buyer to the Supplier for purposes of, or in connection with, this Call-Off Contract.

Schedule 7 is headed “GDPR Information” and sets out a familiar table that sets out the parties’ legal roles and responsibilities in relation to data processing. It states that NHX is the Controller and the Supplier is the Processor. Under the heading “Type of Personal Data” it includes:

1. Pseudonymised personal data
2. Aggregated personal data

Under the heading “Categories of Data Subject” it includes “members of the public” and “patients”.

So, the framework contract contemplates the possibility that the supplier may have access to personal data from NHS patients, but does not explain in detail what the data is and in what circumstances it will be provided and processed.

Palantir

This contract is in a similar form to the Faculty contract. In the interests of saving a few Norwegian forests, IP Draughts printed out only the Statement of Work that appeared at the end of the contract. But he did check the contract value, in case this was evidence of a scandal. Disappointingly, the contract value is stated to be £1.

The Statement of Work is written in almost impenetrable jargon, but some phrases look as if they might refer to accessing personal data, including:

Ingestion of mutually agreed data sources and further integration into a data ontology

The Customer is required to provide:

Timely access to or provisioning of relevant data

Microsoft

The “contract” that has been disclosed appears to be a set of standard Microsoft contract terms for various types of standard service, including “Azure Services” and Office 365 Services”. The document is headed “Volume Licensing: Online Services Terms April 2020”.

The document is only 16 pages long, but this is misleading: they have reduced the font of the text to about 8 point. IP Draughts now has a headache. [Correction: IP Draughts’ printer ran out of paper. The full document is much, much longer!]

IP Draughts is suprised to hear himself say this, but it was refreshing to turn to Microsoft’s turgid contract prose, after wading through the UK government’s very different turgid contract prose.

These terms are very light on the subject of personal data, but they do include a link to a web page where can be found Microsoft’s “Data Protection Addendum”.

Conclusions

Nothing in the Google or Microsoft documents appears to be evidence of a scandal.

Both Faculty and Palantir appear to have been engaged to support the development of a national AI Laboratory. One may speculate that the development of machine learning techniques in relation to Covid 19 – e.g. assessing how patients with a particular genetic sequence are likely to react to infection – could well involve processing personal data. One may also speculate that the UK population would mostly be happy for their personal data to be used, in a suitably controlled way, to support this important work.

Just looking at the contracts, there is very little about the nitty-gritty of GDPR compliance, and one might hope that other documents exist that will address in more detail what information is to be disclosed and how compliance will be ensured.

Is there a public scandal, and are these contracts “massive”? IP Draughts will leave that for others to decide.

 

IP rights in geospatial data

Several strands of information come together. On 14th December was published the latest court decision in the long-running saga between 77M Limited and Ordnance Survey Limited.

77M is a private company that has developed and is commercialising a database of UK land and properties and has, or at some time in the past had, a licence from the UK Land Registry (HMLR) to access one of the latter’s databases.

The Ordnance Survey (OS) was formed several hundred years ago and was originally part of the army. Nowadays it is a company owned by the government. It is best known for providing high-quality maps of the United Kingdom. When IP Draughts was at junior school, he was taught about the the OS’s 1 inch to 1 mile (or 1:36,360) map. Since metrication in the UK in the late 1960s and 1970s, this set of maps was discontinued, and the closest equivalent has been the 1:50,000 map. In other words, like HMLR, OS has developed so-called geospatial data in relation to the UK.

The case linked above is a decision of Mr Justice Arnold, who rejected an application for summary judgment by OS. OS sought to have a claim by 77M rejected, that OS had induced HMLR to breach a contract under which it supplied property-related data from its database to 77M.

The arguments in that case are only of passing interest, and anyway the underlying facts are not fully explained in this interim decision. Arnold J noted that the contract in question was described as a “contract schedule” (suggesting to IP Draughts that it might have originally been part of a larger master services agreement, although this is not stated in the decision) and provided for a fee of £2,500 in return for undertaking certain searches. 77M argued that this was an “ongoing” contract, while OS argued it was a one-off contract. After reviewing clauses of a “lamentably badly drafted” contract that pointed in either direction, Arnold J declined to hold that OS’s case was so strong that it should get summary judgment. The interpretation of the contract should await full trial of the action.

The larger dispute between 77M and OS has been rumbling through the courts, and has not finished yet. An earlier hearing considered the question of when it was appropriate to transfer cases between the low-cost Intellectual Property Enterprise Court and the High Court.

Standing back from the case, what is going on? IP Draughts has no inside information about the case, but he is aware that the UK government is pressing ahead with plans to develop a national strategy to commercialise the UK’s geospatial data, much of which has been developed by government bodies and agencies, including OS and HMLR.

To help formulate this strategy, the government is forming a Geospatial Commission. The appointments of the chair and vice-chair were recently announced. The deputy chair is a former CEO of OS. The announcement refers to the commission’s role being to “drive the use of location-linked data more productively, to unlock up to £11 billion of extra value for the economy every year”.

Other documents identify OS and HMLR as some of the main custodians of this data.

IP Draughts wonders whether small, private companies that are already using UK geospatial data may compete with the government’s ambitious plans. This doesn’t necessarily mean that it is wrong for a government agency to terminate a commercial licence agreement, or for another government agency to encourage it to do so. IP Draughts doesn’t have enough information (geolegal data?) to form a view on this question. But it is curious that this case is rumbling on at the same time as the Geospatial Commission is being formed.

 

Big data, big policy decisions

First of all, thanks to the many readers who have commented on the last posting on this blog, which ruminated on its future. Your comments were very helpful (and also very kind). IP Draughts has not yet taken any major decision, and for the time being will continue as before.

Today’s theme is “big data” and the policy decisions that accompany it (not them, please!).

IP Draughts has come across this subject in several contexts recently. There is health data, such as that held by the UK National Health Service (NHS) about its patients. Several of our clients have been involved in licensing-in or licensing-out such data, whether as a hospital, university or start-up technology company. These activities can raise some significant data protection issues, but fortunately several members of our team have become very familiar with this area of law, including Francis Davey and Stephen Brett.

On the public stage, there have been well-publicised initiatives to mine such data. Lord Drayson recently raised £60 million from investors on the AIM market, for his company, Sensyne Health, which has entered into agreements with several NHS Trusts. He is reported as saying:

The NHS has a “responsibility to society” to make money out of patient data rather than allowing the profits to be captured by US technology companies…

[there is] an “ethical imperative” to use anonymised data to improve care.

The national focus on big data is not confined to the health field. So-called geospatial data is also under the spotlight. In last Autumn’s Budget, the UK’s Chancellor of the Exchequer announced the formation of a Geospatial Commission, which would “maximise the value of all UK government data linked to location, and to create jobs and growth in a modern economy.” More recently, the government has declared:

From emergency services, transport planning, and 5G networks, to housing, smarter cities and drones – the UK’s geospatial infrastructure has the potential to revolutionise the UK’s economy.

The government is currently recruiting for members of this commission and for the civil servants that will support them. The commission will set a strategy for commercialisation of the nation’s geospatial data, working with the main agencies that currently hold the data, including the Ordnance Survey and the Land Registry.

National initiatives spawn national policies and codes of practice. Where personal data is involved, and where the custodian of the data is a public body such as the NHS, documents of this kind are perhaps inevitable. The latest one to cross IP Draughts’ desk is called “Initial code of conduct for data-driven health and care technology“. It sets out “10 key principles for safe and effective digital innovations, and 5 commitments from the government to ensure that the health and care system is ready and able to adopt new and innovative technology at scale.” The document’s introduction explains the government’s underlying thinking:

Today we have some truly remarkable data-driven innovations, apps, clinical decision support tools supported by intelligent algorithms, and the widespread adoption of electronic health records. In parallel, we are seeing advancements in technology and, in particular, artificial intelligence (AI) techniques. AI is being used on this data to develop novel insights, tools to help improve operational efficiency and machine learning driven algorithms, and clinical decision support tools to provide better and safer care.

This presents a great opportunity, but these techniques are reliant on the use of data that the NHS and central government have strong duties to steward responsibly. Data-driven technologies must be harnessed in a safe, evidenced and transparent way. We must engage with patients and the public on how to do this in a way that maintains trust.

AI, AI, Oh!

The 10 principles are not particularly surprising or radical for anyone familiar with GDPR and government policy generally; what is noteworthy is that the principles have been brought together and published for the circumstances of big health data. They are explained in more detail in the document itself, but the headings are:

1. Define the user
2. Define the value proposition
3. Be fair, transparent and accountable about what data you are using
4. Use data that is proportionate to the identified user need (data minimisation principle of GDPR)
5. Make use of open standards
6. Be transparent to the limitations of the data used and algorithms deployed
7. Make security integral to the design
8. Define the commercial strategy
9. Show evidence of effectiveness for the intended use
10. Show what type of algorithm you are building, the evidence base for choosing that algorithm, how you plan to monitor its performance on an ongoing basis and how you are validating performance of the algorithm

The possibilities of big data, artificial intelligence (AI) and algorithms seem to have captured the attention of the UK government. These developments should mean more work for IP and IT lawyers and for technology transfer managers –  and help to offset the likely negative effects for this part of the UK economy that will result from Brexit.

Blast from the past: is software ‘goods’?

Back in the 1980s, when brightly-coloured tracksuits were in fashion, IP Draughts took a part-time course in IT law at Queen Mary University. One of the subjects that he earnestly studied was whether the supply of software amounted to a sale of goods, for the purposes of the Sale of Goods Act 1979.

He was convinced that it didn’t amount to a sale of goods, and he carried this conviction with him into the 1990s, when he wrote his first book, Technology: the Law of Exploitation and Transfer (Butterworths, 1996). The third edition of that work, now called simply Technology Transfer (Bloomsbury, 2010), discusses at pages 461-466 the legal issues involved in this question, and in the related question of whether the sale of a patent could amount to a sale of goods. The discussion briefly mentions the 1995 case of St Albans District Council v ICL, in which the Court of Appeal considered (obiter) that the answer to this question might depend on whether the software was supplied on a disk.

IP Draughts has long felt that this is a ridiculous distinction to make, as the nature of software is not changed by the medium or method by which it is supplied. The value in the software depends on the electronic content, not the piece of plastic on which it is, or not, delivered. However, as mentioned below, this is a distinction that the courts have used to justify their decisions in subsequent cases.

The fourth edition of that book is now being written, and will mention a new case that continues the judicial debate on this subject. The Court of Appeal case of Computer Associates UK Ltd v The Software Incubator Ltd [2018] EWCA Civ 518, appeared on the BAILII website last week. The main question to be decided was whether, for the purposes of EU law on commercial agents, the supply of software (typically by download over the internet) amounted to a sale of goods.

At first instance, His Honour Judge Waksman QC had decided that it did amount to a sale of goods. In the Court of Appeal, Gloster LJ, giving a judgment with which her fellow judges agreed, decided that it did not.

Gloster LJ’s judgment considers certain English, EU and other case law in this field, including the St Albans District Council case. IP Draughts has a great deal of sympathy with Gloster LJ’s comment, at paragraph 45 that:

…I am somewhat uncomfortable with a conclusion that the tangible/intangible distinction leads to a construction of “goods” that excludes the Software, which seems artificial in the modern age. However, I consider this to be justified given the commercial context and notwithstanding the superficial attraction of the respondent’s arguments, which I next consider.

After considering the arguments and case law in further detail, including the fact that the Consumer Rights Act 2015 introduced a new concept of supplying “digital content”, she reaches the following conclusion:

I conclude that the judge was wrong in law in holding that the Software, which was supplied to CA’s customers electronically and not on any tangible medium, constitutes “goods” within the meaning of Regulation 2(1). I would therefore allow the appeal on this issue.

Hurrah!