Dom
Member
Registered: 13th Sep 03
User status: Offline
|
Not sure if this should be in Geek Day or not, but does anyone know the legalities (or worse case situation) of who owns the data (info/data that the client has entered into the app) in the situation that a client has been using a web application (created/designed/hosted by us) in a semi trial/production phase but hasn't paid for it?
If it goes belly up and they pull out (or we shut it down for non-payment), do we have to hand over the data or do we have the rights to hang on to it? And if we do have to hand it over, i'm guessing that we just have to hand over the data in some legible form?
Cheers for any help on this 
[Edited on 07-06-2010 by Dom]
|
Bart
Member
Registered: 19th Aug 02
Location: Midsomer Norton, Bristol Avon
User status: Offline
|
Its a difficult one which should be layed out in your EULA.
If its not listed, I would let them have it for now.
Its a question thats been going back and forth, but to put into perspective, do you own your Facebook content, or do they own your family photos?
Theres your answer for now (imho).
|
ed
Member
Registered: 10th Sep 03
User status: Offline
|
As said, depends on the Ts and Cs.
|
gravesy
Member
Registered: 21st Apr 10
User status: Offline
|
What sort of data is it? Is any of it classed as 'personal' under the DPA? Is it a single/multiple corporations or people that have added the data.
|
ed
Member
Registered: 10th Sep 03
User status: Offline
|
What i'd say if I was hosting/maintaining an app is say the EU owns the content (i.e.the text, content and any original images they provide e.t.c.) but the app belongs to you. In the event of non payment they could request that for a fee, or at the end of an agreement it could be provided free of charge in some unprocessed state...
|
Steve
Premium Member
Registered: 30th Mar 02
Location: Worcestershire Drives: Defender
User status: Offline
|
if its personal data they will always be able to request a copy under dpa
|
ed
Member
Registered: 10th Sep 03
User status: Offline
|
The individual will be able to get back the data about them, but if there is other stuff there or it's a company wishing to recover a batch of data then it's more tricky...
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
They have added the data (not us or 3rd parties), it's personal in the sense that it contains peoples names, addresses, telephone numbers etc of their clients.
I only got involved a few months down the line (after the contract was sorted with the client), but the issue is that it was meant to be a tiny little project (few weeks works) and no T&Cs/EULA were originally drawn although the contract states that everything will be handed over on sign off of the project. However it's spiralled out of control, the client seems to be dragging it out and we're now considering pulling the plug on the project. If this happens they'll obviously want the data back (the client will be arsey as usual and want us to hand the DB over), but I’m wondering whether we can hold the data and use it as some form of leverage.
Edit - The data also includes contact details of a number of businesses and calendar/booking information.
[Edited on 07-06-2010 by Dom]
|
Half Pint
Member
Registered: 25th Mar 02
User status: Offline
|
the industry i'm in we would always own all data and in the specific instance we are talking customer data i cannot see how you would be able to 'own' it.
however if you are talking manuals, designs and alike then through non payment typically you would own it.
as has been said you should have a contract in place to deal with this.
|
ed
Member
Registered: 10th Sep 03
User status: Offline
|
If there is a non payment issue then you should hold onto everything you can and seek legal advise.
|
Half Pint
Member
Registered: 25th Mar 02
User status: Offline
|
but you'd have no right over customer data as its not related to intellectual property. you will probably find that pulling the pulg you would be required to verify that all customer data has been destroyed.
This is where the DPA comes into effect.
I would not make too much noise on this otherwise it could come back to bite you.
|
gravesy
Member
Registered: 21st Apr 10
User status: Offline
|
Under the DPA you need to have a valid reason to keep anything defined as personal - that is any data related to a living identifiable individual.
Like Half Pint says don't do anything that will come back to bite you.
[Edited on 07-06-2010 by gravesy]
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
Obviously legal action is our last resort, but it sounds like we're in a bit of shit fest and don't have any leverage on the client 
Does the DPA extent to business contact information as well? Although i'm assuimg we can hold on to data like calendar/booking information which isn't covered by the DPA?
Cheers for the help though
|
Laney
Member
Registered: 6th May 03
Location: Leeds
User status: Offline
|
Is the data actually worth anything?
|
gravesy
Member
Registered: 21st Apr 10
User status: Offline
|
quote:
Originally posted by Dom
Obviously legal action is our last resort, but it sounds like we're in a bit of shit fest and don't have any leverage on the client
Leverage starts to get a bit nasty. Be very careful at this point and go through your contractual obligations with a fine toothed comb. If the contract doesn't stipulate your position either way on a particular point then I believe (IANAL and all that bollocks) that you can take no action - that is not deliver or hand back data, unless it is specified. Usually commercial contracts do state an exit for both parties and the actions resulting from that.
quote:
Does the DPA extent to business contact information as well? Although i'm assuimg we can hold on to data like calendar/booking information which isn't covered by the DPA?
Phone numbers, names, addresses, descriptions(to an extent ie can be directly related to an individual) photos, etc. all come under the DPA.
Dates in a diary wont necessarily come under the DPA unless there is a particular trail for example if my diary showed my daily commute from my postcode to my place of work that starts to come under personal data. It would be theoretically possible to identify me from that data.
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
quote:
Originally posted by Laney
Is the data actually worth anything?
Well it's worth enough that it has been known for staff of one company to work at another to leak/steal the information.
quote:
Originally posted by gravesy
quote:
Originally posted by Dom
Obviously legal action is our last resort, but it sounds like we're in a bit of shit fest and don't have any leverage on the client
Leverage starts to get a bit nasty. Be very careful at this point and go through your contractual obligations with a fine toothed comb. If the contract doesn't stipulate your position either way on a particular point then I believe (IANAL and all that bollocks) that you can take no action - that is not deliver or hand back data, unless it is specified. Usually commercial contracts do state an exit for both parties and the actions resulting from that.
Apart from stating that all of source code and data will be handed over to the client upon competition and payment of the project (although we hold Intellectual property rights to the application), the contract doesn't state any get out clauses or who owns the data in the case that both parties walk away etc.
But as you say, it's pretty risky using this as leverage.
But cheers for the help, at least i now know where we stand.
|
Ian
Site Administrator
Registered: 28th Aug 99
Location: Liverpool
User status: Online
|
quote:
Originally posted by Steve
if its personal data they will always be able to request a copy under dpa
The data subjects will but the data controller has no such right.
|
Ian
Site Administrator
Registered: 28th Aug 99
Location: Liverpool
User status: Online
|
quote:
Originally posted by Dom
Does the DPA extent to business contact information as well? Although i'm assuimg we can hold on to data like calendar/booking information which isn't covered by the DPA?
It relates to information which identifies a living individual. So contact information generally would fall under it unless it's already in the public domain.
In any case, this doesn't give you the right to withhold it, merely removes some of your obligations to protect it.
|
Ian
Site Administrator
Registered: 28th Aug 99
Location: Liverpool
User status: Online
|
If you want to take ownership of the data then you then become the data controller for the purposes of DP.
Now as a data controller you would normally require purpose and consent to hold the data, hold it for reasonable time frames etc. all the standard DP principles. I can see no reason why any of this should be applicable to you as you have no direct interest in the data and indeed no direct relationship with any of the data subjects? (and they wouldn't consent anyway?)
So it can never be 'your' data.
However, you are acting in the capacity of data processor having had the processing subcontracted to you - ie. you should still keep the data safe and not disclose etc.
Normally there would be an agreement in place to clarify your position, put in place by the data subject who is going the subcontracting (ie. this company you are dealing with) and if there's any problem over the legal position, they will be in trouble for not having done this - schedule 1 part 2, paragraphs 11 and 12.
http://www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_9#sch1
So you could also technically argue that in lieu of any such arrangement, you are controller and you're currently holding a load of data that you've no interest in!
The joys of feature creep.
Personally I would be closing the system and giving them some time to pay at which time they will have full access again. If they don't pay, delete everything (secure delete if you're not feeling like being implicated in a breach in five years).
If they don't like being blackmailed, remind them of their disregard of principle 7.
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
Cheers Ian
|
