Doing Business With the Public Sector: Key Confidentiality Risks & 3 Risk Management Strategies
March 24, 2016
By David Fraser, Privacy Lawyer | Partner at McInnes Cooper,
Trent Skanes, Lawyer at McInnes Cooper
When a business responds to a public sector Request for Proposal or Expression of Interest (both of which we’ll refer to as an RFP for these purposes) or seeks government financing, it’s typically providing a significant amount of business information, some or even much of it highly confidential, to the public body. Most are rightly focused on the benefits of a successful proposal, but few consider the risk that their confidential information will end up in the hands of a direct competitor. And that is a very real – and potentially severe – risk of doing business with the public sector.
Here are the key confidentiality risks of doing business with the public sector and three strategies to help manage them.
Access to information (aka freedom of information) laws are intended to ensure transparency of and access to the public sector’s activities. These same laws are the source of the confidentiality risks to parties doing business with the public sector.
Access to Information Laws. Virtually every public sector body is subject to access to information laws:
The specific wording and scope of each access to information law varies, but there are substantial similarities in their scope and interpretation:
- Public Body. Generally speaking, access to information laws apply to any government department, Crown corporation, government agency or business or company of which any of these is a majority shareholder. And this includes the “MUSH” sector: municipalities, universities, schools and hospitals.
- “Information”. Access to information laws apply to all records and information in the public body’s custody or control. This goes well beyond the RFP proposal, financing application, resulting contracts or term sheets; it includes related information, like presentation materials and e-mails, too. And the “information” isn’t limited to RFP proposals or financing asks that succeed; information related to unsuccessful ones is still accessible “information”.
- Exceptions. Most access to information laws carve out several exceptions to the public’s right to access, including for third party business information disclosed in confidence when disclosure could reasonably be expected to harm the economic interests of the public body or the third party. Theoretically, this is a simple enough test to meet and practically, the first two prongs of it (third party business information that’s disclosed in confidence) are. But experience shows that the third prong – reasonable expectation of harm – is far more difficult to overcome. Generally speaking, the party resisting disclosure must prove a “reasonable expectation of probable harm or prejudice to [its] competitive position”. This requires the party resisting disclosure to show a cause and effect relationship between disclosure and the harm it asserts, and to prove more than a mere speculation of such harm occurring. Parties resisting disclosure have run up against two key hurdles meeting this requirement. First, since the Supreme Court of Canada established this test, some access to information laws have changed, leaving some courts questioning whether the test for the exception has also changed. Second, it’s the relevant access to information commissioner who applies the test and makes the decision in the first instance, and they seem to be leaning toward public disclosure.
Disclosure Risks. A private business responding to an RFP or seeking government funding typically discloses a broad range of business information to a public body – and should be concerned about the risks of public disclosure of that information. Some are obvious, and some are more nuanced; here are a few examples.
- Business & Financial Information. A proposal for a public sector RFP or financing typically includes business and financial (and possibly pricing) information. If this information were disclosed to a competitor, it would gain several competitive advantages ultimately leading to undue financial loss to the information owner. A competitor with access to a proposal could use the information in it to approach the very same public sector contractor and specifically undercut or undermine the original proponent. Similarly, the proposal could include significant information about the proponent’s business approaches, methodologies and strategies – often the result of significant investment to create a proprietary competitive advantage. Disclosure can reveal how the proponent designs strategic approaches and enable others to easily and more quickly duplicate them, unfairly disadvantaging the proponent by giving others access to its research and development investment. Another risk is the ability of a competitor to reverse engineer the proponent’s products or methodologies to present a competing or identical offer to the same or a different public sector contractor without the investment to develop them.
- Customer & Client Information. Proposals often include references from past customers and information about previous engagements to demonstrate specific expertise. For obvious reasons, most businesses would balk at the thought of handing over their customer list – generally considered highly sensitive and valuable commercial information to their competition – yet this information is at risk of disclosure.
- Employee Information. An RFP or financing proposal often details the business’s personnel, including their education, training, experience and respective role and contribution to the proposed deliverables or organization. The degree of information varies depending on the nature of the proposal but, for example, an RFP response for supply of a service might be rife with information about personnel. And even if the proposal doesn’t expressly provide much information on an individual proponent employee, its components could reveal a significant amount of information. Some personnel may choose to publicly disclose some of this information – but not necessarily all personnel would; the information could be incomplete, and some can only be disclosed with client/customer permission. Further, revealing information about the original proponent’s personnel could allow competitors to easily identify, even poach, the proponent’s personnel for their expertise. Finally, the manner in which a proponent staffs engagements is commercial information of great value to it – and to a competitor.
3 RISK MANAGEMENT STRATEGIES
The public sector is a significant consumer and investor. Completely eliminating the confidentiality risks inherent in doing business with the public sector means eliminating the public sector as a customer or an investor altogether, and that isn’t a viable or even a desirable strategy for most businesses. But the risk management strategy for such businesses must include consideration of the risk of disclosure of their confidential business information to the public or to competitors. No single risk mitigation strategy will be determinative, but employed together, they will strengthen an argument to resist public disclosure – and minimize the related confidentiality risks.
- Think hard about what information to give – and not to give – the public body. Obviously, it’s important to include sufficient information in the relevant proposal to achieve the desired outcome. But there’s a tension between giving the public body enough information to do so and the risk that the information could be publicly disclosed. We’re not saying not to disclose the information at all; we are, however, saying that a business should give careful consideration to what to include or exclude, weigh the risks of potential disclosure and of exclusion against the benefits of inclusion, and do so before submitting the proposal. Once it’s submitted, it’s too late.
- Separate the “secret sauce”. If a business weighs the risks and decides to include highly sensitive and confidential information in its public sector proposal, it should do so in a manner that makes that particular information easily identifiable – and easily severable. For example, the information could be included in a properly labelled appendix or exhibit.
- Use a confidentiality disclaimer & stamps. Include a clear general statement indicating the information is confidential and proprietary business information that is not subject to disclosure, and mark particularly sensitive information as “confidential”. However, do so carefully: stamping everything “confidential” makes it seem like none of it actually is confidential, and won’t help an argument that at least some of the information should be excepted from public disclosure.
Please contact your McInnes Cooper lawyer or any member of our McInnes Cooper Privacy Law Team to discuss this topic or any other legal issue.
McInnes Cooper has prepared this document for information only; it is not intended to be legal advice. You should consult McInnes Cooper about your unique circumstances before acting on this information. McInnes Cooper excludes all liability for anything contained in this document and any use you make of it.
© McInnes Cooper, 2016. All rights reserved. McInnes Cooper owns the copyright in this document. You may reproduce and distribute this document in its entirety as long as you do not alter the form or the content and you give McInnes Cooper credit for it. You must obtain McInnes Cooper’s consent for any other form of reproduction or distribution. Email us at email@example.com to request our consent.
- Share with others
- Stay informed with our legal updates by subscribing.