Confidentiality Agreements

There’s a topic header for this over at the University & Industry Innovation Forum. I’ve put a summary there. Here, I’ll post a fuller discussion. As with other areas of discussion on industry-university arrangements, confidentiality triggers cascades of reasoning. This alone–that there is a cascade rather than a clear decision both sides can see–means that interactions will tumble along to a surprise rather than make for an efficient exchange.

Confidentiality agreements present tremendous challenges for universities. Universities generally operate open laboratories and conduct open research, drawing on students, volunteers, and faculty from various parts of campus, including foreign nationals. Only in isolated circumstances do universities implement the control systems necessary to handle confidential information in research. For instance, a university may operate a laboratory for the Department of Energy or Department of Defense subject to security classification requirements. Typically, such a laboratory is in its own building, does not permit students in its classified research, and faculty are permitted only by request. Universities may justify such work as being an important contribution to national security. Most company research will not benefit from similar arguments.

In addition to lacking, by choice, control systems for research information, universities generally do not contract to preclude publication or to require it. Publication is an academic, not administrative, choice. Since university contracts are administrative in nature, it is the general case that a research contract will not be an appropriate instrument to handle publication matters. Even trying to restate in administrative terms the nature of academic freedom is bound to create problems. Similarly, universities generally do not permit faculty or students to enter into private agreements on university matters (such as university-managed research) or to represent the university in administrative matters such as contracts. Thus, it is not generally an option to seek private side agreements with university personnel with regard to university research unless permitted by the university, as otherwise it would appear that the company is interfering in the employment and contracting relationships of the university.

Export control regulations apply when technical information is restricted, either in being supplied to a university research environment, or when the research itself is subject to publication restrictions. Universities have worked hard to maintain exceptions from export control laws, such as exceptions for fundamental research, library deposit, and classroom instruction. “Deemed export” requirements are of particular concern, as these apply to information transactions in the United States where the receiving party is a foreign national who is not a permanent resident, a US national who is an agent of a foreign government, or is an employee of a company not registered to do business in the United States. Complying with these regulations represents a huge problem for universities. The problem arises not merely because of the lack of controls for confidential information, but because to implement such controls, a university would not only have to close its laboratories and research, but also would have to create a multi-tiered system under which foreign nationals would not have access to various laboratories or research unless they first cleared export control licensing requirements imposed by the federal government. Universities are not willing to give up the positions they have preserved over the years, nor to undertake the expense of implementing a control system, nor to transform their open research culture, simply to have a sponsored research relationship with a company.

The typical confidentiality agreement restricts disclosure of confidential information and places controls on its use. A stand alone agreement may identify the nature of the information to be exchanged, limit the extent to which such information is subject to confidentiality requirements, provide a protocol for exchange, set standards for reasonable controls, and offer a set of remedies and risk language pertaining to breaches of the agreement. In the context of sponsored research agreements the confidentiality clause is often perfunctory, sometimes stating nothing more than each party will not disclose any confidential information received from the other party. While general and apparently simple, such clauses represent substantial compliance problems for universities, if information is ever provided in reliance on them. Since such clauses rarely provide specifics on what information is provided that is subject to confidentiality, the university has little chance of identifying the information as administrative assets, even if it wanted to implement a control environment for confidential information. With regard to export controls, unless the company provides the ECCNs associated with the information and whether the information is U.S. or foreign origin, a university will have a difficult time identifying the information controls and implementing a screening process. It is even worse if the research agreement elsewhere aims to make compliance with export control laws a university obligation, since the decision to provide confidential information is otherwise strictly a supply-side matter. For these reasons, a university is more than justified in resisting general confidentiality agreements related to its research.

Company representatives often fail to appreciate that a university environment is not a command and control situation. At times, university faculty forget this as well. The university is a governance structure, not a control structure. Administrators adjudicate competing interests; they do not order faculty and students about, supervise their work, and re-assign and fire folks at will. A university does not badge its employees, it does not restrict access to its research labs, it does not contract to prevent its researchers from publishing or from discussing their research. A company seeking to provide technical information under confidentiality has to be careful to set up the transaction so that a university may continue to operate open laboratories and research, publish in a usual manner, and not trigger export control requirements. There are ways to do this, but folks have to pay attention to detail. A typical industry-grade confidentiality agreement will not do it. It makes little sense to say “that’s the university’s red tape again, standing in the way of innovation, corporate collaboration, and international competitiveness”–that’s just not the issue. That an industry contracting officer has got caught up in administrative wrangling on this matter indicates a fundamental problem with understanding the nature of the relationship.

A starting point is for companies simply not to provide confidential technical information to a university for research purposes. This may be a total bother but it comes with being involved in university research and it cannot be changed by trying to negotiate “better terms” in a research agreement. Even if one were to get a change of language sneaked through, all one has done is made the agreement at greater risk for breach, since a university generally will be unable to comply. The cascade of contractual apparatus that recognizes this—upping the ante for remedies, holding the university accountable for breach—only serve to make it clear that the obligations and threats associated with taking the company’s funds far outweigh any possible public benefit for getting involved.

There are ways to provide information to a university research project without disclosing a company’s trade secrets. For instance, a parallel research problem may be set up, so that an answer in an open model environment provides the company with the information it needs to make a corresponding change in its proprietary environment. Thus, the company can provide hypothetical data rather than specific proprietary data. The company can also break apart a complex problem into parts, so that no one university has full access to the complete—and proprietary—picture. While these approaches take additional work, doing so eliminates the need for a confidentiality agreement.

If there still exists a need to provide controlled information, the company should reduce the information to written form and rely on copyrights, review, and collaboration protocols for control rather than a confidentiality agreement. Copyright includes the right to exclude public display, the making of copies, and distribution of a work in copies. Copyright does not prevent access or disclosure, but does go a long way to limit any public release. If information is so sensitive that such controls are not adequate, it is also probable that the information is not suited to enter a university research environment in the first place. In addition to copyright, a company can request a time limited (typically 14 to 60 days) pre-publication review of scholarship in the form of articles, conference presentations, or poster sessions. These reviews should be restricted only to patentable subject matter and inadvertent use of company-controlled copyright works (not “information”). A review does not prevent private disclosure of information within the lab, but it does provide a check on public access to company materials.

The general rule is: use copyright to provide information, and use patent to manage results.

Attempting to force all private disclosure to a prior review or approval point once again suggests that the company does not comprehend the nature of an open research environment. Graduate students are going to talk. Faculty and visitors are going to talk. People should want this to happen. It is one of the great strengths of university research. It is one of the distinctive things most companies cannot do for themselves, because of their proprietary positions on information assets and law on competition. The effect of a demand for total review is the sequestration of a university lab from most interaction with other labs, which runs against the strength of research in most university settings, and against the administrative capacity to provide compliance infrastructure. Again, extra control requirements increase the probability of a breach; they do not change behaviors.

Finally, as an alternative, a company can introduce a collaborative element. This has other overhead, but with regard to managing information it means that company personnel are participants in the research and can reasonably expect to co-author any publications that may result. As scholarly co-authors, the company personnel have the opportunity to review manuscripts and request the deletion of company proprietary materials, without requiring the university to manage this as a compliance step in a contract. As such, a collaboration element, whether indicated expressly by a research contract or not, allows the company to engage an academic control—co-authorship—rather than an administrative one—confidentiality clause in a research contract. The practice aim is not to require as an administrative condition that the company be a co-author of all scholarly works, but rather to create the collaborative environment in which shoulder-to-shoulder lab work can take place.

Beyond these controls, there are ways to manage non-disclosure to mitigate. One is to limit the kind of disclosure rather than placing an absolute prohibition on disclosure. This approach aims to prevent private disclosure of designated technical information, while allowing disclosure as part of making the results of research available to the public. The message is: “we’re providing this information to you, and if it turns out to matter for publishing results, then you may do so, but we’re not handing this to you so you can broadcast it to the world merely because you got it from us.” Doing so allows university researchers to publish in the normal course of their scholarship the information they may receive, while restricting direct re-disclosure of company-supplied information independent of scholarly publication. That is, the confidentiality agreement requires that supplied information only be published and not made available through private transactions other than those with a need to know who accept the conditions of the industry sponsored research. This approach still may challenge university compliance infrastructure but will allow the university to remain within the fundamental research exception to export control regulations, as the research is not restricted with regard to publication of results, even if those results include company-supplied information not otherwise generally available. This approach also may help researchers meet deposit requirements for data and tools associated with claims made in scholarly publications.

If confidential information simply must be provided as part of the research, universities generally place a great deal of importance on whether the confidential information is essential to the research or ancillary. For instance, providing the details of a company project–internal budget, staffing decisions, time frames, potential products– may be important for framing up a research protocol, but may have little to do with the reporting of results. Proprietary information may, however, be fundamental to the research, and limitations on the disclosure of the information are also then limitations on the publication of results. Universities hate that outcome. Nothing good happens. The university sees it as a trade on research integrity–if results are favorable to a company’s interests, then they get published; if not, then the confidentiality clause kicks in and nothing comes out–which in effect *is* a kind of publication, and *isn’t* what universities contract to do. If a company wishes a university lab to test a prototype product, for instance, the results of the research may necessarily reveal otherwise non-public specifications of the product. While such testing—including beta testing of software—may be perfectly well formed in restricting publication, it should be pretty clear how a university contracting office will see the confidentiality restriction as limiting publication. A useful drafting technique then is to identify the confidential information, state that it is not intended that the information be fundamental to the reporting of research results, and that if the information does prove to be bound up in the reporting of results, then to the extent that research reports do not also copy company documents without permission, and to the extent the company has a limited right of prior review, the investigators will not be prevented in publishing the information in the normal course of their reporting research results. Otherwise, take the testing outside of the university research environment. Some universities set up centers to support testing–sometimes in conjunction with access to sophisticated equipment, sometimes to give students service learning experiences, and sometimes to provide faculty with a “clinical” or “extension” setting in which to practice their professional skills. These centers may take the form of a professional services plan, an affiliated non-profit company, or an internal structure (like a cost center) in which policy has been adjusted to handle industry needs (especially for standard transactions, fee for service). A company might see if such a setting is available before trying to negotiate confidentiality terms for a generalized research agreement. Location and purpose matter.

To handle confidential conditions, effective practice includes using stand-alone agreements outside the research relationship, limiting the extent of confidentiality, describing a protocol for provision of information, and limiting remedies in the case of a breach or other dispute. A stand-alone agreement allows information to be identified at the time it is needed, to develop specific handling instructions, and to allow research to proceed under a separate contract while any particulars pertaining to confidential elements are worked out. Doing things this way makes it clear that the information is not essential to the research, and the research relationship itself is not being held as leverage on specific clauses such as confidentiality—which again sends the message that confidentiality is in fact more important than the research, raising doubts whether the university should be participating in such research at all. A working protocol may include having the receipt of confidential information subject to the discretion of the university’s principal investigator, directing that all such information be received by the principal investigator from the company’s primary technical contact—to prevent confidential information from moving informally from other company personnel to, say, graduate students or others at the university who may not, in the judgment of the principal investigator have a need to know. That is, if there is to be a compliance matter with regard to confidential information, it should be a matter for a principal investigator to decide first, and then for the university administratively to concur with the investigator’s request. If either is a “no” then the information can’t come in. Other elements for a protocol include reducing confidential information to written form, allowing “residuals” from the exposure to the confidential information, and limiting the term of confidentiality to no more than one to three years.

If the information is so valuable that the company would be moved to sue for damages, then the research should be done some other way, such as bringing university personnel into the company as consultants or while on leave from the university. A theme of this discussion has been to change the manner by which information is provided rather than raising the stakes with regard to accountability for an otherwise untenable requirement. In keeping with this theme, a company can reduce the apparent liability for the university by limiting remedies to injunctive relief for disclosure in violation of the confidentiality agreement and termination of any research contracts that may be affected by an unauthorized release of information or use of company works protected by copyright. At least then the threat of liability does not implode administrative interest in completing the negotiation. Company folks forget this, thinking that if the threat is huge, then the compliance will follow. But if there’s nothing valuable in the research contract for the university–starting with serving broad public missions–then it was only a courtesy that the university considered the industry sponsored research in the first place. From the university perspective, upping the threat for non-compliance is more in the way of insult and disregard than a barter over terms. There’s a huge compliance engine in universities already–when companies learn to rely on it–and provide it with the resources it needs to do its job–then the need for forcing remedies into research contracts diminishes. One does not have to contract for what is already there and practiced, or if one does, it is at the risk that it defeats its own purpose–isolates the lab, raises the overhead, forces stuff into a special bin, and generally throws off the whole enterprise. Why would a university do this for some small bit of action? If a company, or better, a group of companies, can make a case for a multi-million dollar center, that the public will be served by its outputs, that participation in its efforts are voluntary, and that it will provide the funding to manage the administration of compliance for things like confidential information, then there’s a good chance a university, or a group of universities, will see the point in setting up custom services responsive to the purpose. Scale matters, along with location and purpose. This is a big problem with university administrators using statements of “principles” to guide their forays into the unknown. Principles would appear to operate regardless of scale, or they aren’t really principles are they. Just convenient assertions, or temporarily stable whims. The very notion that university research contracting should be driven by principles doesn’t make sense. Where’s the principle in that? This is something that takes some sophistication to set aside. One way is to invoke “diversity” of values as enriching a university, moving then to the research context, and from there saying, let’s focus on the collaboration that will benefit students, faculty, the public, and the sponsor, and from there let’s look at what principles support what we’ve agreed to do.” There are other ways, but it isn’t so good to ask an administrator to “violate” the principles they have set up. Generally, principles in a university policy setting are there to provide leverage for saying “no” and not for mobilizing resources. Principles statements are patches on bad behaviors, bad experiences, and bad outcomes. Folks wanting to get past the principles are assumed to be in favor of more of that badness, even when their aims are altogether beneficent.

In general, universities are set up to promote open scholarship. Confidentiality agreements are not merely a matter of paper negotiation, but often require special facilities and infrastructure to be in place. Universities generally are not able to set up such special resources to support any particular sponsored research agreement. No amount of negotiation pressure will change this. At best, a university may choose to accept greater liability—which fails to reflect a real company interest in information security, makes the relationship with the company appear more as a liability than a benefit, and makes the research appear to be primarily a matter of private interest rather than public benefit. All of this suggests that such an arrangement, even if accepted once, will not serve as a precedent, and may in fact work against repeat relationships with the company sponsor.

To summarize: Rather than using confidentiality, a company should consider relying on copyrights for provision of information and patents for managing research results. If confidentiality is still necessary, then the company should restrict information to business information, not technical information; and if technical information, prefer information that is not essential to the reporting of research results. If the information truly is essential to the reporting of research results, then engage university personnel another way (such as through personal consulting or a center set up to handle the arrangements), or be willing to permit publication of the information in the normal course of scholarship, even if not permitted through disclosures that merely would report the information itself and not as part of reporting research results. Avoid trying to impose accountability standards that would raise the financial exposure (via penalties or defensive litigation costs) of administrating the arrangement, separate the confidentiality contract from research contracts generally, and select information for which inadvertent release is not so consequential that the loss of trade secrets represents irreparable harm or significant economic loss to the company. If a company has no confidence in the diligence of the principal investigator to handle its information with reasonable care, there is no point in raising the issue by adding penalty clauses in a research agreement or confidentiality agreement.

This entry was posted in Sponsored Research and tagged , , . Bookmark the permalink.