Shared data environments in the defence industry: the challenge of collaboration

Who is allowed to input material, who is allowed to modify it and who is allowed to use it? Does this reflect the rules of any common support methodologies and the rights granted by prior contracts under which the material was developed? If the intention is to delegate approval to those tasked with the day-to-day delivery of tasks, what role does the SDE play (i.e. does it flag items for approval or is that managed by the delivery teams themselves)?

Is the intention for the SDE to provide a single point of truth (for example in relation to access and user rights to the content in the SDE or quality / health & safety approvals that have been issued)? If so, consideration needs to be given as to how that will operate in practice (and the associated rules of working captured or referenced in the supporting legal agreements). If the SDE automates those processes, how are urgent operational requirements addressed?

What are the contractual (and common sense!) rules on confidentiality concerning the data in the SDE? Does the access control system (and its configuration) reflect the terms of contracts placed or proposed for the development and delivery of the SDE?

What licences are in place to use the SDE platform and tools (and under those agreements, who manages and holds the risk of a data or IP breach – the users who access the data or the provider of the SDE who controls access)? Do the licences granted extend to all users? Have you sufficient oversight of any subcontractor's supply chain to know who is in their wider team?

Does the software proposed as the basis of the SDE contain any open source elements? If so, caution is needed as in some cases the use of open source components can restrict your options concerning the future licencing of material derived from them.

What licences are in place for the use of background IP (have you obtained the necessary third party consents), and who owns and can use the IP that arises during the life of the SDE (whether completely new material or modifications to the original data set)? How far does the licence to use extend? Do the access controls of the SDE reflect any restrictions on use?

Is the material that is inputted into the SDE manipulated or translated in any way as part of the collation / ingestion process? If so, it is worth considering the legal implications of this.

How will the SDE be customised in terms of trade marks and branding? Will your logo feature or that of your customer? If you are branding this as your product, is your customer expecting that? If you plan to use your customer's logo, have you been given permission?

Will the SDE have a novel user interface or system architecture, or valuable algorithms, that you will want to protect and use elsewhere? If so, it would be worth seeking guidance on your ability to protect and exploit such intellectual property.

Who holds the risk and liability in relation to a failure of the SDE? In order to consider this an exercise first needs to be undertaken to assess the different risks that are present. For example, those arising from a temporary interruption to data services, a loss / corruption of data or a security breach.

There are, of course, technical mitigations for this (such as security access controls and back-up systems), but they are not the subject of this article. The risk assessment and resulting register should note all key risks and then how they are addressed, even if standard and accepted practices are being used in mitigation. The risk register needs to note not only what the mitigation is but who is responsible for deploying it.

While this article does not address technical cyber security options, it is important to consider whether a cyber-risk rating been assigned by the customer and ensure that the levels of access control and encryption (etc.) meet the required standards.

Is the content of the SDE subject to any national security controls? For example, have you considered the terms of any applicable Security Aspects Letter.

Is the content of the SDE subject to any export controls (for example, the U.S. ITAR)? If so, then export control specialists will need to advise on the limitations on sharing and the suitability of the SDE for holding such content. Specific approvals, agreements or licences may need to be issued by the relevant government(s) before the information can be made available via the SDE.

Will the content contain any personal data? If so, the system needs to comply with the General Data Protection Regulation and related legislation, and a process created for identifying and reporting a breach. Have appropriate privacy notices been included in the SDE user interface design? Will all users be required to acknowledge the terms of use (as set out in the relevant SDE User Agreements) when they log in?

Please note that the advent of Brexit could have a significant impact on how data transfers are managed between processers in the UK and the EU27, and existing agreements may need to be amended to address this.

Are there any other regulatory compliance or project management requirements (e.g. arising under the Construction (Design and Management) Regulations 2015 or from the use of Building Information Models) that need to be designed into the SDE system architecture?

Many of the issues raised in this article (for example those concerning export control and management of modifications to data) will require that the SDE tool tracks who has seen and modified information and can provide a credible audit trail. This is useful not only for delivering the requirements of the SDE, but also for demonstrating contractual and regulatory compliance.

What are the wider customer requirements (present and future)? For example, have you considered whether the customer may want to expand the scope of the SDE?

What are the terms of any agreement under which the SDE has been funded and developed? Do they align with the terms of agreements that govern the pre-existing data that will be kept in the SDE? Do they dictate who owns any material that is generated?

How reliant are you on third party providers (for example, your I.T. or cloud service providers)? In the event that they let you down, temporarily or permanently, do you have a business continuity / disaster recovery plan to set out how you will maintain delivery of the SDE? Does your insurance cover deal with issues relating to the SDE and the data within it?

What happens to the SDE tool and data once the initial contract expires?

Who has access to the data after expiry / termination and is the customer permitted to use it when commissioning a replacement SDE from another provider?

What level of support is the customer entitled to expect from you during the final stages, and after the end, of the contract for the provision of the SDE?

How will you resolve any disputes? There may be legal issues but also practical day-to-day disagreements as to how data was modified (for example, if the records of the SDE do not accord with an individual contractor's work book). How will you ensure that disputes are resolved with minimum disruption to the service provision?