For the majority of businesses, IT infrastructure is business critical; it is, therefore, crucial when considering the outsourcing of any particular element of your service that your contracts provide your business with the protection it needs from the outset.
If you are a provider of outsourcing facilities, we understand that it is essential to the operation of your business that your outsourcing contract suite is fit for purpose.
Whether you are looking to outsource all or part of your software or hardware service requirements or are an outsourcing provider, we are able to advise and assist on a range of matters.
For those clients who already have their own documents, we can review your current suite of contracts and advise you on how the contracts can be improved to best protect your position and interests. We can also act as your outsourced legal team and negotiate the legal terms of your contracts.
Outsourcing Agreements and Pre-Contractual Due Diligence
An IT outsourcing agreement usually governs the outsourcing of one or more of the IT functions of a business. This could be a combination of software provision, development and maintenance, hardware and network infrastructure provision and maintenance.
There are many different types of IT outsourcing agreements and options available to customers and suppliers and it is important to have a full understanding of what is required and what is suitable for your business before contemplating, preparing or entering into an IT outsourcing agreement. Some agreements cover particular service elements and some contain a range of different IT services. Data centre services are the most common form of IT outsourcing agreement, however, services could also include:
- helpdesk and call centres;
- desktop, voice and data network maintenance;
- communications services;
- applications support;
- IT and software development;
- IT procurement/contract management;
- fully managed IT systems;
- project management;
- and business continuity and disaster recovery.
IT outsourcing agreements can also cover the transfer of employees and assets as well as managed services.
Pre-contractual due diligence is key for both parties, especially when dealing with complex IT systems. Any due diligence should cover:
- software licences to be transferred to the supplier;
- software maintenance contracts;
- software source code;
- compliance with European rules and regulations;
- hardware infrastructure being transferred to the supplier;
- migration of data;
- data storage;
- system robustness;
- employment related matters;
Intellectual property (IP) rights are very important to IT outsourcing agreements, especially in relation to the use of existing third party software, applications and software developed in-house or by the supplier in the course of their appointment. Indemnities in relation to IP should be provided for in the agreement in case there are any infringements of third party rights.
Other provisions which should be considered include:
- change of control;
- data protection;
- warranties and indemnities;
- termination and exit management;
- service levels.
Fully Managed IT Systems
The term “managed service” distinguishes services from others where there is a clear transfer of administrative responsibility from customer to supplier.
The concept of a managed service can be applied to the whole of an IT system and infrastructure but is commonly used for network services. A customer will often appoint a single service provider to supply all required IT services as part of a larger integrated service.
When considering the merits of using a fully managed IT outsourcing system, issues such as service levels, risk management and end-to-end responsibility should be considered. Service levels are not always easy to negotiate and should be subjective to the specific services being provided to ensure that they are applicable and appropriate. Service levels can be crippling for a service provider if set too high, and ineffective for a customer if set too low.
It is also important to ensure that exit provisions are detailed, accurate and appropriate to facilitate a smooth transition away from a managed service provider when required.
Datacentres and Hosting
A datacentre is a central location for housing computers which host the customer’s servers and data. Many customers run their own datacentres; however, this has advantages and disadvantages.
As with many types of IT outsourcing, the services offered by datacentre suppliers range across a broad spectrum from the supply of physical facilities to the supply of a complete service package.
The customer may be given the use of dedicated computers (owned by the customer or the service provider), or may share the use of computers with the service provider’s other customers.
You may wish to consider the following when engaging a datacentre for hosting services:
- access to equipment and the datacentre;
- security and data protection;
- regulatory impact and compliance with regulators such as the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA);
- audit and testing;
- ownership of equipment on exit; and
- datacentre standards.
The cloud is the ultimate reduction of technology to a service. It enables a customer to buy (as a service):
- the use of hardware;
- the use of hardware and operating systems;
- or the use of specific applications only.
There are two main types of cloud: public cloud and private cloud.
Public Cloud: When the service in question is supplied over the internet and the customer has little or no knowledge of the ownership or location of the hardware, software and personnel who provide the service. Facebook is a well-known example.
Public cloud services can be provided cheaply, but the security of data can be a concern, as it is difficult the check and specify the location of data for regulatory purposes as well as standardisation across platforms.
Private Cloud: A private cloud negates the concerns of where data is stored as the service provider uses certain dedicated servers in an efficient, virtualised manner. The cost of the Cloud is also based predominantly on a more traditional model.
You should check if a cloud service is included in the IT outsourcing agreement you are seeking to enter into and be sure to know if it is public or private and where the data is stored.
There will be a relevant transfer of employees under the Transfer of Undertakings (Protection of Employment) Regulations 2006 (TUPE) where there is a “service provision change”.
Each of the situations listed below constitute a service provision change for the purposes of TUPE and are relevant to an outsourcing transaction.
- First generation outsourcing: when the provision of services is first outsourced from the customer to a service provider.
- Second generation outsourcing: when a provision of the outsourced services is transferred from the first service provider to a second service provider.
- Contracting-in: when the customer brings the provision of the outsourced services back in-house.
TUPE transfers the contracts of employment of employees involved in the outsourced business to the service provider, the replacement service provider or back to the customer (as relevant). Many issues arise during the process as a result of TUPE - for example, which employees are employed in the undertaking, what happens to those who choose not to transfer and what liabilities are transferred.
“Entry provisions” are typically included in outsourcing agreements and relate to the initial transfer of services from the customer to the supplier. “Exit provisions” are also typically included and relate to the termination of the provision of services by the supplier and the subsequent transfer of the services to either a subsequent supplier or back in-house to the customer.
Service Level Agreements
Service levels and service descriptions are closely linked.
The service description sets out how the services provided by the supplier will satisfy the customer’s requirements. It must be clear on what the supplier is providing and what the customer expects to receive. It should contain a detailed description of the services and set out divisions of responsibility between the customer and the supplier.
In addition, all outsourcing agreements should require the supplier to perform the services in accordance with a set of service levels. Variance from the required level of performance can then be made subject to a service credit regime.
Customers must consider carefully what is required of the supplier and be sure that they are setting the levels of performance at a sufficiently high standard. If you have too few service levels, the supplier may provide a low standard of service which cannot be effectively measured. If, however, you use too many service levels, this can cause confusion and obstruct effective monitoring.
Business hours, out of hours, response times (physical and virtual), reporting and disaster recovery procedures should all be considered when deciding which service levels are to be measured under the outsourcing agreement and to which the service credit regime may apply.
The service credit regime is usually found in the service level schedule in any IT outsourcing agreement under which the supplier accounts for any failure to deliver or perform the services resulting in a rebate of fees paid by the supplier to the customer. This will enable the customer to seek redress for poor service without the need to pursue legal action or even terminate the agreement.
Termination and Exit Management
IT outsourcing agreements should contain detailed provisions on termination and exit management. It is important that termination provisions are carefully drafted.
A customer should be able to terminate for a fundamental or persistent breach of the agreement
on the insolvency of the supplier and possibly, the change of control of the supplier.
In addition, the customer may wish to be able to terminate at its own convenience. The customer should also consider the possibility of requiring a partial termination where all or some of the service elements may be brought back in-house or transferred to another supplier.
If the supplier is in material breach, the customer will want to be able to exercise clear termination rights. The customer should be mindful that a termination may result in the customer having to re-procure the services which could be costly, so the breach and possible remedies, should be carefully considered before terminating. One option could be to issue warning notices to the supplier highlighting the breach, falling short of termination whilst maintaining the relationship.
The supplier will also want to be able to terminate the agreement, for example in the event of non-payment of fees by the customer. These provisions need to be carefully considered and negotiated.
With regards to exit management, it is essential to have an exit plan in place, whatever the remaining term under the IT outsourcing agreement is. This plan should deal with all specific rights that the customer will require on termination.
It should include:
- the continuation of provision of the services for the duration of the notice period and any run-off period;
- the return or transfer of assets and software (if required);
- compliance with any relevant TUPE obligations;
- the provision of information and know-how to the customer or a new supplier; and
- the preservation of continuity between suppliers and general assistance and co-operation.
Consideration should be given, and clauses drafted specifically, to allow for the services to be taken back in-house or transferred to another supplier. Furthermore, the agreement should contain provisions to ensure the plan is updated and maintained throughout the term of the agreement.