In a March 2020 LawFlash, we highlighted that restrictions on service delivery locations and remote work could become key issues during the pandemic. Remote work was one of our five key issues in outsourcing and managed services in a follow-up article in June 2020. Our experience has since proven both articles to be correct. This Contract Corner will review the specific provisions that need to be reviewed based on continued remote work arrangements.
Service Delivery Locations
Service agreements (including templates) may specify service delivery locations from which the supplier is permitted to provide the services, or at which certain levels of personnel must be maintained. Those agreements frequently provide that no service provision is permitted if not from specified services locations, except by waiver or amendment. The length of time in which the remote work model has been adopted and will likely continue at least in some form renders this approach unsustainable.
Remote work arrangements may be drafted into service delivery locations provisions, permitting “the provision of Services [or specified ‘Remote Services,’ if not all services] to the Customer through remote work arrangements of Personnel, provided that such arrangements are undertaken by those Personnel from within the Territories.” Customers may wish to require notice of remote work arrangements at signature, minimum advance notice of planned remote work arrangements where possible, and/or periodic updates of the supplier’s remote work arrangements in its provision of services, including any service or personnel issues.
The provision of devices is key to enabling remote work. Any limits on the number of devices or other equipment, or onerous change control procedures to amend equipment provisions, could inhibit flexibility to maximize value from remote work. Instead, customers want to ensure that the supplier provides sufficient and adequate equipment to personnel in order to achieve the relevant service levels and any other standards of service, and structured equipment utilization provisions may be an option.
In some countries, there may be a limit to the number of laptops that are available for personnel. Suppliers may request that personnel can utilize personal devices and perform services through Citrix and other remote work technologies. Risks to the customer arising in this scenario should be addressed expressly within provisions permitting equipment for specified tasks, confidentiality obligations, and data and security policies.
Service levels commonly cover availability requirements, response times, and volume capacity. Remote work arrangements may heighten risks of breaching these through connectivity and other issues. In order to maintain the integrity of contracts, it may be worth considering whether margins and consequences for material service-level failure could be adapted to incorporate solutions (such as enhanced governance, reporting).
Data security and data protection obligations and policies may contain restrictions on the locations, personnel, and technologies used to access and process customer data, including personal data. As with service delivery locations, account should be made of remote work arrangements in which customer data may be accessed and processed. Safeguards and controls must be built around such access and processing to ensure continued compliance with data protection obligations, possibly including system monitoring, system or portal perimeter controls, and confidentiality restrictions. Parties may also need to review their disclosures to data subjects to ensure that they are not expressly or impliedly prohibitive of remote processing of personal data.
Regulators have highlighted these security concerns. The US Securities and Exchange Commission highlighted in August 2020 that, among other issues, registrants should modify their practices to address risks of communications or transactions occurring outside of firms’ systems due to remote work and use of personal devices, and risks of remote oversight of trading. The UK Financial Conduct Authority similarly warned in January 2021 that increased use of unmonitored and/or encrypted communication applications for sharing potentially work-sensitive information may present compliance risks with firms’ recording obligations under the Senior Management Arrangements, Systems and Controls sourcebook (SYSC 10A).
It is important in cases such as these that service delivery and scope can be adapted within contracts to reflect the customer’s remote work arrangements as well as the supplier’s, that both parties are as transparent about their arrangements as practicable, and that compliance with law obligations within outsourcing agreements are not unwittingly breached due to a supplier’s lack of visibility over a customer’s remote work arrangements.
Other provisions requiring review against remote work arrangements may include the following:
- Subcontracting requirements
- Use of premises
- Business continuity planning and disaster recovery
- Availability of personnel and key personnel provisions
- Customer policies and procedures and supplier code of conduct
- Insurance policies (do they exclude remote work arrangements?)
- Governance structures and notice provisions