Businesses in every sector are under pressure to innovate to stay ahead of the competition. ''Open innovation'' is a term that has come to describe innovation which extends beyond the traditional Research and Development department of a business and embraces a broader pool of talent and ideas within the whole business and frequently also extends to an external partnership with a third party collaborator to assist with and accelerate the process.
Collaborative innovations or innovative collaborations (both descriptions apply) present opportunities to reduce costs, share risk, provide broader access to talent and ideas, and ultimately achieve greater monetary gain.
Data frequently plays a central role in this drive towards ''open'' innovation as there is a significant value attached to it. Data can be used to generate new products or services and revenue streams, to identify efficiencies within an organisation and reduce costs, and to inform strategic decision-making.
Unlocking the value of your data
Encouraging open innovation using data often requires a flow of information and intellectual property rights in and out of an organisation. The traditional rules of engagement in this context may not always apply. Engaging with external partners and sharing data assets can make a business vulnerable, its boundaries more permeable and ownership rights less certain, as well as giving rise to regulatory considerations.
Organisations therefore need to safeguard their data whilst ensuring its future value in the context of more collaborative innovation. This involves thinking through all the legal considerations and practical steps that will allow you to adapt and have the flexibility of process to become enablers of innovation and help your organisation stay ahead of the curve.
To maximise the value of data so that it can be sold or licensed to third parties immediately or in the future, organisations need to prepare, collate and safeguard their data effectively from the start, as well as ensuring it is compliant with the new data protection laws and safeguarded as far as possible against outside threats like cyber attacks, data fraud, data security breaches and shareholder activism. When sharing data assets it is also important to be mindful to avoid other potential pitfalls within competition law, ethics and criminal law.
Anticipating the value in data
Knowing what data your organisation has available or accessible, assessing the type, the quantity, the quality and ensuring all data sets are properly organised in a structured way and kept up to date, where necessary, is vital before any open innovation or collaboration can occur. This can be achieved through a regular auditing process, although this can often be a challenge for organisations running multiple legacy IT systems.
Although there is some scope for copyright protection, individual pieces of information or data do not generally attract property rights, but it is possible that compilations of data can attract intellectual property rights (IPR) which can be valued and sold or licensed.
Copyright and sui generis database rights can exist in collections of data, but in relation to these rights it is the structure of the compilation and the database as a whole that is protected respectively and not each individual item of data of itself, unless these data are themselves copyright works (with the required level of creative endeavour involved). Using your data to compile a database may therefore give increased protection for the data as a whole (although not individually). These rights are aimed at preventing a competitor stealing the content of your database (sui generis database rights) or protecting a particularly original structure of a database (database copyright).
A database is legally defined in the Copyright, Designs and Patents Act 1988 (CDPA) s 3A(1) as: 'a collection of independent works, data or other materials which are arranged in a systematic or methodical way and are individually accessible by electronic or other means.'
Databases can include contact management systems, document management systems, knowledge management systems, intranets, back-office inventory systems, purchase order systems, and websites, amongst others. To fall within the definition of a database there is in fact no requirement for a compilation of data to be in electronic form but in today's digital economy digitising data assets is essential to realising their maximum value.
Complex data sets can be derived from virtually every kind of digital interactions, such as internet transactions, email, mobile payments, click streams, as well as Internet of Things (IoT) devices. The possibilities are endless. These data sets can then be amalgamated and organised into larger data sets that can be analysed to reveal useful information about users' preferences, to learn more about a particular market, find trends in a market or to make predictions about future behaviour.
Another way to keep control of data is to treat it as confidential information or trade secrets. This requires access to be limited to those within a confidentiality arrangement or who are impliedly required to keep such information confidential. This form of protection has its limitations since, once the confidentiality arrangements are breached, it is very difficult to recapture the data and re-impose confidentiality, although injunctions can be used to prevent further dissemination.
Protecting IP Rights in data
As stated above, there are a variety of intellectual property rights that data sets can have.
Enforcement of rights in data is difficult. Not only are such rights difficult to establish but where data has been amalgamated, such as in collaborative situations, it may be difficult to establish which data comes from which party and thus show any chain of ownership. Often, the answer is to use contract law, or to define data structures so that they explicitly indicate origin.
The use of a contractual licence for collaborations allows for all terms of the sharing of data to be addressed. If you hold valuable copyright material, you can specify that using it or copying it or doing anything with it, except as set out in the contract, will be a fundamental breach of contract which entitles you to claim liability for breach of contract. The terms of this liability can be negotiated; you may wish to stipulate unlimited liability for breach of the IP clause or a set limit of liability may be agreed on.
The Database Directive (96/9/EC), implemented into the UK by the Copyright and Rights in Database Regulations 1997 (SI 1997/3032) (Database Regulations), created intellectual property rights in the contents of a database (as defined above). The contents are protected under a sui generis database right where there has been a substantial investment in the obtaining, verifying and presentation of data, and can be enforced against those extracting data from the database in large chunks or repeated small amounts
As mentioned above, it is also possible for the structure of the database to attract copyright protection. For a compilation to attract copyright as a literary work consisting of a database it will only be original if ''by reason of the selection or arrangement of the contents of the database the database constitutes the author's own intellectual creation'' (Section 3A (2) CDPA as inserted by regulation 6 of the Database Regulations). This requires the author of the database to have made free and creative choices, not formulaic ones, in order to attract database copyright, and raises problems for databases compiled or structured without any innate creativity and calls into question whether databases created using AI or machine learning could qualify. UK copyright law provides a solution to this problem: where a computer has generated something, then the person who made the arrangement for the computer to do this is the owner of the copyright in the created work. This principle has not been tested in relation to sui generis database rights as yet.
Compilations of data which do not fall within the definition of a database under Section 3A(1) of the CDPA (such as a table or graph) may be protected by copyright as literary works. The standard of originality required for copyright to apply is relatively low, but it does need to involve some demonstrable skill and labour.
Generally the author or creator of a work is the first owner of copyright (whether in a database or otherwise) (section 11(1) CDPA) and similarly, the owner of a sui generis database right is, in the first instance, the person who created the qualifying database. This is important when considering monetising the asset by innovation or collaboration in cases where the business has commissioned a third-party contractor to create the database. In order to own the copyright in it, the business must enter into an agreement with the contractor which contains an assignment of copyright.
For the purposes of internal innovation by employees, the CDPA and the Database Regulations give an employer automatic ownership of copyright and database rights in works created by its employees in certain circumstances, subject to any agreement to the contrary (Section 11(2) CDPA). It is important not to be caught out in the case of temporary or self-employed agency staff: check the individual's contract, as if they are working as a consultant, they will also need to sign an assignment as with a third party contractor.
Monetising your data assets
Commercially, database owners will often choose to exploit their database assets via a licence, rather than a one-off sale, to enable them to maximise the financial potential of the database which can be reproduced (under licence) an infinite number of times without degrading the original and accessed by many users at the same time. Any licence which allows for use of an organisation's data should provide adequate protection for IPRs in the data. It is also possible to apply a model where access to a database is solely via an API (application programming interface) to enable it to be used effectively, but without the need to provide a copy of the full database to a third party.
Asserting contractual rights over data
Although it may be possible for compilations of data to be protected via intellectual property rights as described above, the protections are often patchy and inflexible for organisations wishing to assert quasi-ownership rights over data in their possession. The natural consequence of this is that companies often seek to assert contractual rights over data or otherwise negotiate commercial arrangements quite apart from any IP protection they may be able to take advantage of.
However, when considering the monetisation of data, a key element of this process is considering whether the data is also 'personal data' for privacy purposes, and then having a legitimate basis in place (such as the consent of the data subjects) to use the data as desired. Thus a well thought through data governance and privacy policy is key to creating data sets which have the potential for monetisation.
Data governance and privacy
Data privacy is a prime consideration from a regulatory and compliance perspective in any new innovative or collaborative venture involving data.
It is important first to consider whether a data set contains personal data. The definition of personal data is broad. The raw data might not be personal data but if, when it is combined with other information that you hold as an organisation or otherwise have access to, the person can be identified, then the General Data Protection Regulation (EU) 2016/679 (GDPR) and the Data Protection Act 2018 (DPA) must be complied with.
The importance of data protection impact assessments
A Data Protection Impact Assessment (DPIA) will need to be carried out before any new venture or collaboration is embarked upon involving new technologies and where the relevant data sets contain personal data. Article 35 (1) of the GDPR stipulates:
To see the full article click here
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
