It is now commonplace for companies to enter into non-disclosure or confidentiality agreements before they share confidential information with other organisations. It is a good precaution to take, in particular if companies also clearly mark their confidential documents as “confidential”, leaving no doubt as to whether the obligations of confidentiality apply to them. Putting in place the protections needed upfront are among the issues to be considered by the chief information officer when dealing with outsourcing contracts or projects, especially when valuable intellectual property or trade secrets are involved.
When contracting with organisations subject to the Official Information Act (OIA)1, entities should also consider addressing the OIA directly in their non-disclosure, confidentiality and other commercial agreements. This applies even where both contracting parties are subject to the OIA, as each party will have its own reasons for wanting to protect information from unwanted disclosure.
An organisation that is subject to the OIA is compelled to release information upon receiving a valid OIA request, unless there is “good reason” not to. The “good reasons” are prescribed by the OIA and are quite narrow.
When it comes to the release of commercially sensitive information, the two main good reasons for withholding the information are that it is a trade secret or its release is likely to “unreasonably” prejudice the commercial position of the person who supplied the information. Even then, the information must be disclosed if the “public interest” for disclosure outweighs the reasons to not disclose.
Because of this, it is up to the party providing the information to the OIA organisation to ensure it has a say in what information is a trade secret or would unreasonably prejudice the com-pany if it were to be released. If there is no contractual framework around how information may be released; the OIA organisation has no obligation to consult with the party providing the information, before it is released to the public under an OIA information request.
A typical non-disclosure agreement will allow a party to release information if it is required to by law (or worse, will provide information that is not “confidential” if it is required to be disclosed by law). This would mean that an OIA organisation would be permitted to release confidential information when it receives a valid OIA request, without first discussing the release with the other party.
As the party supplying the information will be in a much better position to assess whether the information is a trade secret, or whether it will unreasonably prejudice the company if the information is released, an entity entering into a contract with an OIA organisation should seek to:
• Obtain an acknowledgement that the other contracting party is subject to the OIA and may be required to release “confidential information”.
• Require the contracting party who is subject to the OIA to consult with the party who supplied the information before releasing it.
• Ideally (although this is not often possible), require that if the non-OIA party objects to the release of the information, the information will not be released until the OIA party is definitively required to release it by law — such as following a decision of the Ombudsman.
It is important to note that an OIA organisation is subject to the legislation and it cannot contract out of its obligations. However, including a process that must be followed before information can be released pursuant to the OIA request, will put pressure on the OIA organisation to pay heed to its confidentiality obligations — especially if there are consequences for the release of information where the process set out in the contract is not followed.
Thinking about whether a contracting party is subject to the OIA upfront and, if so, accounting for the OIA in contractual documents may well save a lot of grief down the line.
1 The OIA has sweeping application, the extent of which is not always appreciated. It applies, for example, to all State-Owned Enterprises (SOEs) as well as educational institutions and government organisations.
Ascertaining whether the party you are sharing information with is subject to the OIA is, in itself, a bit of a daunting task.
The Directory of Official Information July 1999 is posted on the Ministry of Justice website. It is theoretically an alphabetised list of all organisations to which the OIA applies.
However, the directory is out of date and potentially misleading. Here are a few examples:
• Organisations that go by more than one name are only listed under one of those names (Te Mangai Paho is listed under Te Reo Whakapuaki Irirangi (Te Mangai Paho)).
• New organisations have been added since the directory was printed and therefore appear on a separate list. In order to find “Mighty River Power” you would need to look on the “Organisational Changes” list under Mighty River Power’s old name – Waikato SOE Limited.
• Companies related to State-Owned Enterprises are not listed on their own, even though they, too, are subject to the OIA. So you need to know the parent company name in order to search the directory.
Heidi Leslie is a Senior Associate with law firm Bell Gully. She specialises in technology and commercial law. She can be reached at email@example.com
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.