
Journal of Law, Information and Science


Reid, Katherine; Clark, Eugene; Cho, George --- "Legal Risk Management for Geographic Information Systems" [1996] JlLawInfoSci 14; (1996) 7(2) Journal of Law, Information and Science 169

Legal Risk Management for Geographic Information Systems

KATHARINE REID, EUGENE CLARK, AND GEORGE CHO[*]

Abstract

The development and use of Geographic Information Systems (GIS) constitute a critical component of almost all infrastructure development and form a billion dollar industry. Writing from an Australian legal perspective, this article surveys some of the legal risks and uncertainties regarding the development, use and commercialisation of GIS. The authors proffer a number of practical suggestions regarding legal risk management strategies which businesses and governments may utilise in relation to GIS.

Introduction

Geographic Information Systems (GIS)[1] are automated mapping and analysis computer systems that use relational database software to overlay spatial data (such as satellite remote sensed data or topographic data) with other data (such as statistical data). The resulting product and related services (GIS product) can be manifested in several forms including tables, charts, maps or images. The applications of GIS technology are diverse and widespread, ranging from global navigation positioning systems to statistical databases for marketing and street light maintenance systems. GIS have typically been developed and utilised by government agencies, although present trends indicate increasing involvement by the private sector in either independently developing and utilising GIS or commercialising existing publicly owned GIS.[2] In Australia alone, a survey of more than 120 GIS users suggested that the expenditure on spatial information related services ranged between $395 million and $493 million. Further, it has been predicted that GIS expenditures will increase by another 50% over the next three years.[3] In Europe and the US, GIS related expenditures are in the billions.[4]

The development and application of GIS in a commercial context involves several legal risks which, if ignored, could result in liability and loss for a business (or government entity) that develops GIS (GIS developer) and/or sells, distributes or resells GIS products (GIS business). As part of its overall management strategy, it is important that a GIS developer or GIS business (“organisation”) limit or avoid these legal risks through the implementation of a legal risk management strategy. Part 1 of this article outlines the principles of risk management and, in particular, what constitutes legal risk management. Part 2 of this article considers legal risk management in the GIS context and offers some strategies for managing the legal risks associated with the development of GIS. Part 3 examines the legal implications of a sale or other commercial exploitation of GIS. The article concludes in Part 4 with a discussion of compliance strategies for legal risk management systems associated with GIS.[5]

Part 1: what is legal risk management?

Risk management involves the development and implementation of a system for identifying and measuring risks that may occur in relation to a business’ activities, and devising strategies to minimise, transfer, insure against or, if possible, eliminate those risks. However, risk management is not confined to the defensive role of minimising risks. In order to be effective, risk management should be an integral part of the general management and planning processes of the organisation. Because the implementation of a risk management strategy may involve significant organisational change, responsibility for its implementation should be the task of senior management. In addition, the organisation must be prepared to ensure compliance by allocating sufficient resources for education/training of employees, and for monitoring and audit activities.

The first step in developing a risk management system is to identify the inherent risks associated with the activities carried out by the organisation. A risk management system ideally encompasses the entire range of risks which an organisation may encounter, including risks such as insolvency of debtors, late delivery or non-delivery by suppliers as well as the legal risks associated with the activities of the organisation.

The second step in developing a risk management system is to quantify the risk. During this process each risk is evaluated with a view to determining its probability and financial significance. Relevant considerations include the likelihood of the risk eventuating, what kind of damage/injury can occur and how severe such damage/injury will be should the problem eventuate. In addition, a comparison is made of the costs to the organisation of choosing to do nothing, ceasing the activity, or implementing some other risk management strategy in respect of each risk.

The third step is to develop a strategy to reduce, transfer, manage or accept the identified risks. If the cost associated with a risk outweighs the benefit of continuing the activity, the activity may have to be ceased. In other instances, it may be economically viable to transfer or share the risk by means of a contract with the parties with whom the organisation deals or by way of insurance. In calculating the costs associated with transferring a risk it is important to include the following:

“...whatever the transferee entity charges for its acceptance of the risk, plus the cost of supplying the entity with necessary information, and the costs of monitoring or reducing the risk as required by the transferee entity.”[6].

In other circumstances it may be cost effective for the organisation to bear the risk, that is, be ‘self-insuring’. In calculating the cost of bearing such a risk the organisation should take into account the cost of monitoring the activity for any increase in likelihood of the risk eventuating[7]. The fourth step in the risk management process is to implement the risk management strategy. Finally, procedures should be put into place, such as monitoring audits and training programs, to ensure ongoing compliance with the risk management strategy.[8]

Risk management in the context of legal risk (legal risk management) involves three objectives: (i) the pro-active use of legal strategies to achieve business goals; (ii) regulatory compliance, that is compliance with the laws that regulate the activities conducted by the organisation[9] and (iii) avoidance of loss and civil liability (contractual and non-contractual).[10] Organisations usually place more emphasis on achieving the second objective[11] and this emphasis is reflected in much of the literature where legal risk management is more commonly examined and referred to in terms of “legal compliance”. Legal risk management involves, in the broadest sense, a proactive use of the law which helps to integrate product development, marketing, finance and all other aspects of a business. It is also an equally useful management tool for avoiding loss and civil liability. Importantly, an organisation can control the amount of time spent dealing with the legal risks it faces, as opposed to responding to litigation proceedings, the progression of which is largely out of the control of the organisation:

“[t]he timing and extent of [risk management] program expenditures is, for the most part, entirely within the control of corporate managers. The timing and extent of litigation- along with related disruptions and liability expenses- is generally not within management’s control. [Risk management] program activities can, within some limits, be blended into the fabric of corporate production. Litigation, by contrast, comes as a unique, stubborn, demanding onslaught to corporate management and production.”[12]

The use of legal risk management to plan for business development, prevent loss and avoid civil liability is particularly significant in the GIS context because the legal risks associated with the commercial exploitation of GIS are predominantly these types of risks. It is beyond the scope of this article to develop a legal risk management strategy that encompasses all the legal risk factors that a GIS business may encounter. Instead the focus is on identifying the legal risks that are specific to the commercial exploitation of GIS and providing guidelines for formulating a risk management strategy to address such risks. It is recognised that not all organisations dealing with GIS will undertake the entire range of activities that the commercial exploitation of GIS can involve; some organisations may undertake only the development aspect of GIS and others may undertake only the sale of GIS products.

It is often the case that some organisations are involved in the development of GIS while other organisations are concerned primarily with the sale of GIS products. In order to facilitate identification of areas of this article that are relevant to a particular organisation, the discussion of legal risks and guidelines for managing those risks considers separately the development of a GIS and the sale or resale of GIS products and related services. The discussion does not extend to quantifying the legal risks that are identified and discussed. The quantification of such risks is best undertaken by the particular organisation involved as it requires the consideration of various financial factors such as cost/benefit comparisons, the details of which will be particular to the organisation and the specific GIS applications.

Part 2: legal risk management in the GIS context: Development of GIS

2.1 Overview of legal risks for GIS developers

This section examines the application of risk management principles to the legal risks associated with the development of GIS.

What are the legal risks associated with developing a GIS? The development of a GIS commonly includes the following activities:

• creation or modification of relational database software that typically is capable of performing the following functions:

“map digitizing, digital map editing, topological structuring, map display and query, map projection, network flow analysis, vector overlay analysis, buffer generation, cell-based modeling, surface modeling, map composition, and hardcopy output”[13] (GIS software).

• the purchase of other software required to operate the GIS computer system such as software that enables networking capability;

• the purchase of hardware such as computers, external hard disks, scanners, plotters, printers and the equipment necessary to enable networking;

• the acquisition (by purchase or collection) of the data that is processed by the GIS software such as statistical data, satellite images and topographic data.

These activities expose a GIS developer to several legal risks, of which the principal ones are:

(i) failure by the GIS developer to secure intellectual property rights for the GIS;

(ii) liability for intellectual property infringement;

(iii) failure to secure accountability for a defective GIS;

(iv) liability for breach of privacy/confidentiality obligations; and

(v) legal uncertainties involved with contracting out either by or to a Government agency.

Each of these risks is discussed in turn.

2.2 Risk of failure to secure intellectual property rights

A GIS developer may fail to secure intellectual property rights in relation to its GIS for a number of reasons. One group of reasons relates to the law itself: there are many uncertainties regarding the intellectual property laws as they apply to a GIS.[14] Other reasons are inherent in the nature of the technology. A GIS comprises several components (essentially software, hardware and data) which, if viewed as one entity, will not attract intellectual property protection. Each individual component, however, may attract intellectual property protection.[15] Of these components (unless the GIS developer has developed the hardware component of the GIS), a GIS developer is most likely to be entitled to secure intellectual property protection in relation to the software or data component of the GIS.[16]

The principal intellectual property protection that a GIS developer can secure in respect of these components is copyright protection although software may, if sufficiently novel and inventive, attract patent protection.[17] The most difficult component for which to secure copyright protection is the data component of a GIS. In order for copyright to subsist in the data component of a GIS the data must be characterised as a literary work. Two categories of literary work are relevant in this context, compilations or tables and computer programs (which include ‘related information’)[18]. If the data component of a GIS can be characterised as one of those two categories a GIS developer may be able to secure copyright protection for such data. However, the copyright protection for compilations or tables of data is limited to the selection and arrangement of the data and not the data itself.

Even if intellectual property rights subsist in relation to a component of the GIS it may not be the GIS developer that is entitled to ownership of those rights. Obviously, where the GIS developer has simply purchased hardware and not developed it, the GIS developer will not be entitled to the intellectual property rights that are associated with that component unless the purchase included an assignment of those intellectual property rights. In addition, unless otherwise agreed contractually, a GIS developer may find that it is not entitled to the intellectual property rights associated with that component. For example, where a GIS developer contracts a developer to create GIS software, the general assumption is that copyright subsists with the developer.[19] Also, whilst a GIS developer is entitled to the copyright that subsists in software that is created by an employee[20], if such software is patentable the employee may be entitled to patent the software (although an employer in turn may have rights of equitable ownership)[21]. Moreover, a GIS developer that modifies or customises software, the copyright to which it does not own, will not generally be entitled to the copyright that subsists in relation to the modified software because adaptation is a right accorded to the original copyright owner. In fact to modify or adapt a copyright protected software without the consent of the original copyright owner may constitute infringement. Finally, if a GIS developer develops a GIS in conjunction with a government department or agency, ownership of the copyright that subsists in the various components that comprise the GIS may be affected by the operation of section 176(2) of the Copyright Act 1968 which provides that original works made by or under the direction or control of the Crown will become the copyright of the Crown.

Finally, a GIS developer may not be entitled to sole ownership of the intellectual property rights associated with the GIS. For example, if a GIS developer jointly develops a component of the GIS with another party, under copyright law the other party may constitute a joint author of that component and as such may be entitled to independently exploit the component without infringement.[22]

2.3 Risk of liability for infringement of intellectual property rights

Liability for intellectual property infringement may arise in two contexts. Firstly, the data component of the GIS may be copyright protected. A GIS developer which incorporates, without the consent of the copyright owner, data that is copyright protected may be liable for copyright infringement. Also any unauthorised modification or enhancement of such data may, depending on the level of copyright protection that the data attracts, infringe the copyright owner’s right of adaptation. In the context of the sale of satellite data, some government agencies waive their right to royalties for data. For example Landsat data may be modified and enhanced without payment of royalties.[23] To a lesser extent, SPOT IMAGE allows royalty-free modification of its images if such modification results in an image where the original pixel structure no longer exists.[24] In contrast, the Australian Surveying and Land Information Group (AUSLIG) charges royalties for reproduction of its data for commercial purposes, the calculation of which depends on the intended use of the data and the extent of reproduction.

Liability for infringement of intellectual property rights may also arise in relation to the software component of a GIS. If the software component of the GIS reproduces, without the consent of the other party, code from another party’s software that is patented or in which copyright subsists, such use may constitute infringement. Similarly the purchase and subsequent modification without consent of another party’s software may constitute infringement of that party’s intellectual property rights.

2.4 Risks of failure to secure accountability for a defective GIS

It is convenient to describe collectively the legal risks that a GIS developer faces when a GIS proves to be defective as the failure to secure accountability. A GIS may be defective due to an error, defect or malfunction in any of its components (software, hardware or data). The potential errors and malfunctions of GIS are manifold. For example, the software component of a GIS alone could be defective on several counts:

“[d]efective computer software may result from the manufacturing process, the failure to warn of the dangers involved in its use, or the flawed design of the software.”[25]

In addition, the software component may be defective due to a failure to adequately test the software, correct significant bugs, warn of the software’s limitations or provide sufficient instruction on how to use the software[26]. In fact, no software will be completely error free:

“When incorrect output appears, the programmer must attempt to locate the error. If a bug is identified in the software and the program is modified to eliminate the bug, the danger arises that the modification itself will introduce new errors into the program. Eventually, if the software appears to work correctly most of the time, it will develop an aura of ‘reliability’. At some point, the benefits of discovering and eliminating additional bugs will be outweighed by the costs of further testing. Relying on personal skill and experience, the programmer must make a judgement that the program is reliable enough for operational use. In other words, programmers put software into operation realizing that the software probably is not error-free and that bugs may remain hidden in it for years”[27]

Furthermore, each time software is modified or altered the potential for error is increased as

“[i]nstructions may be logically dependent on each other and certain assumptions may be built into the algorithm. Thus a simple alteration in one section may have a substantial effect throughout the entire program”[28]

Defects in hardware too, can have several causes:

“Spontaneous failure may result from such subtle and ephemeral occurrences as temperature variations, humidity changes, power fluctuations, environmental contaminants, or static electricity. Even under ideal conditions, electronic components are expected to wear out after prolonged use. A failure may be transient or very complex in nature, making its cause difficult to detect. Moreover, if electrical or other disturbances alter the instructions or data electronically stored in the computer’s memory circuitry, electronic hardware error can masquerade as software error.”[29]

Also, defective hardware may result from its computational limitations:

“For example, the space in a computer’s memory is obviously limited. Therefore, commonly used numbers of infinite length, such as pi, can be stored only as approximations. Hardware constraints such as “round-off” errors have been known to affect the accuracy of computations....”[30]

An aggrieved party typically secures accountability for a defective product by way of contract or the law of negligence. The use of these mechanisms, however, can be limited in the context of GIS. Contractual liability may be difficult to secure simply because a GIS developer has failed to specify comprehensively the functional and operational requirements of the GIS to each party that supplies components of the GIS, thus making it difficult to prove accountability if the GIS turns out to be defective. In some instances, contractual liability may simply not exist. If a developer is contracted to create or customise the GIS software, and that developer engages a subcontractor to carry out part or all of the software development, the subcontractor may not actually enter into a contract with the GIS developer. Whilst in some cases the GIS developer may be a party to the agreement between the developer and subcontractor, it is often the case that the subcontractor is employed by the developer alone, in which case, if the component developed by the subcontractor is defective, it may be difficult for the GIS developer to make the subcontractor accountable for such defect.

Liability for negligence may also be difficult to establish. In order to succeed in a claim of negligence against another party for a defective component, a GIS developer will have to establish that the conduct of the other party did not meet the standard of care that it owed to the GIS developer to ensure that the component was not defective. As it is impossible to ensure that software, hardware and large volumes of data are completely error free, the fact that there is an error will not necessarily establish that the other party’s conduct fell short of the standard of care. In addition,

“[t]he difficulty of proving negligence may be enhanced further if a copy of the software in operation at the time of the malfunction is not preserved and therefore is unavailable to a plaintiff for examination. Even if a copy has been preserved, however, the plaintiff will have to employ a team of programmers, who may be totally unfamiliar with the software, to search through a multitude of instructions for a bug that may have escaped detection through several months of testing”.[31]

2.5 Risk of liability for breach of privacy/confidentiality obligations

Liability for breach of privacy and confidentiality obligations is another legal risk faced by a GIS developer. Such a GIS developer may be liable for breach of confidentiality if the data component of its GIS is subject to an obligation of confidentiality. In this respect it is relevant to note that an obligation of confidence is imposed on government authorities who acquire data pursuant to statutory powers: Johns v. Australian Securities Commission [1993] HCA 56; (1993) 178 CLR 408. Thus, a GIS developer that is a government agency may be liable for breach of confidentiality if the data component of its GIS contains data, the provision of which has been required under law (such as census information, rates information, personal financial information). In addition, a GIS developer may be liable for using data whose use is legislatively restricted. For example, the Privacy Act 1988 (Cth) operates to restrict the use of information about an individual held by Commonwealth government departments and agencies, credit providers (eg banks), credit reporting agencies and entities that handle tax file numbers. Where the data component of a GIS consists of data that has been collected by one of the entities regulated by the Privacy Act and such data makes the identity of an individual apparent, the use of such data may breach the Privacy Act. A GIS developer will not, however, be liable for breaching the Privacy Act if the individual concerned has consented to the use of the data, such use has been otherwise authorised or required by or under law or such use is reasonable in that it was directly related to the purpose for which the information was obtained.

2.6 Risks involved with contracting out either by or to a Government agency

2.6.1 Definition and growth of outsourcing

Australia, in common with commercial trends elsewhere, is experiencing a radical change in its organisational framework. This radical change has been called outsourcing or contracting out. Increasingly, businesses are taking up the notion of further specificity with the movement of whole organisations towards a concentration on single core tasks resulting in contracting out the peripheral tasks to other organisations whose core task is to provide such services/goods. In the case of Government, 'contracting out' refers to the use by the Government of contractors to provide services to the public on behalf of the Government.[32] Within this context, the term "contractor" is used to refer to both private sector contractors and not-for-profit bodies funded wholly or in part by Government. This growing emphasis on outsourcing was recently illustrated by the Technology review Group's Report, 'Client's First' which in recommendations 26 to 31 suggests that all businesses (including government business enterprises) need to give outsourcing serious attention. As applied to GIS development, contracting out can occur in at least three scenarios. First, the Government may outsource the development of all or part of a GIS system. A second context occurs after the contracting out has occurred and a party/customer seeks redress in relation to GIS products or services which were authorised by the Government but contracted out to a third party. A third scenario is where an organisation contracts the Government to provide the GIS or a component of the GIS.

2.6.2 Legal Uncertainties in the case of contracting out by Government

It must be acknowledged that many legal uncertainties exist regarding the use of contracting out by government bodies. Many of these uncertainties will be applicable in the case of a government body which elects, for example, to contract out the development of a GIS and information gathering and data collection functions of various kinds.

Public service model versus contract model: Underlying these uncertainties is the tension between traditional 'public service' accountabilities of the Government for the provision of services and a new 'contract' model by which the Government relies on 'contractual' principles to ensure that these responsibilities are fulfilled.

Merger of public and private sector law: Further uncertainties are caused by the trend for public and private sector law to merge. For example, industries are now adopting concepts which developed in the administrative law field. A case in point is the adoption of ombudsmen by the banking industry. Another is the application of the Privacy Act 1988 (Cth) to credit records. In the other direction, Government departments are increasingly being urged to operate on a 'commercial' footing and the Hilmer Report made it clear that Government Business Enterprises should play by the same competitive rules as private business.

Uncertainties regarding appropriate legal remedies: One of the greatest areas of uncertainty in relation to contracting out of GIS services is what remedies exist when a Government service is provided by a private party to whom the Government has contracted out those services. There are many legal uncertainties about the extent to which administrative law remedies (such as those provided by the Freedom of Information Act 1982 (Cth) and the Privacy Act 1988 (Cth)) may be extended to contract providers. Individuals or organisations should be able to seek redress for decisions or actions for which governments are accountable, including those services which have been contracted out. Yet, contracting out alters the relationship between service recipients and the Government. While the Government retains the financial and political accountability, individuals may no longer have recourse to the same administrative remedies. This issue is presently being considered by the Government. Among the questions being raised are:

Do traditional administrative law remedies apply to a contractor?

Do traditional contract and tort remedies provide adequate protection?

Is there a need for additional remedies?

If so, what should they be? Customer charters (in which the tender document requires the provider to establish procedures for redress on the part of dissatisfied customers)? Independent monitoring?

Accountability of Government: The Industry Commission Report, Competitive Tendering and Contracting Out by Public Sector Agencies, makes the point that while responsibility to do certain things can be transferred via contracting out, accountability for results cannot.[33]

"Whatever the method of service delivery, a government agency must remain accountable for the efficient performance of the functions delegated to it by Government, including:

• translating broad program objectives into detailed service specifications;

• choosing a person (in-house or external) to deliver the service;

• ensuring that the service required is actually delivered; and

• dealing equitably and responsively with the clients and the public."[34]

2.6.3 Other risks when governments are involved in developing GIS

It is frequently the case that a GIS is developed by a government entity, oftentimes a local government body.[35] As public institutions, governments face special legal risks in addition to those identified above. While a comprehensive examination of these legal issues is beyond the scope of this article, these legal risks revolve around such areas as legal uncertainties regarding ownership of data, the need to ensure compliance with the Privacy Act 1988 (Cth), difficulties in complying with Freedom of Information legislation, questions about the impact of recently enacted essential facilities legislation and related reforms to the Trade Practices Act 1974 (Cth) which, by restricting the shield of crown immunity, require government business enterprises to play by the same restrictive trade practices rules as govern private business.[36]

2.7 Some risk management strategies for GIS developers

There is no 'off-the-shelf' or single best way to manage the legal risks facing GIS development. In general terms, the best results are achieved when managers have a basic legal literacy about the issues involved so that they may be able to work closely with their legal advisers to develop a strategy which meets the needs of the specific situation. To assist managers and others with this basic legal literacy, set out below are a 'bundle' of strategies which are likely to be relevant to most GIS development contexts.

2.7.1 Use contracts to limit risk

The most effective legal risk management strategy in relation to the development of a GIS is to transfer, share or minimise legal risk by way of contract; the opportunity to do so arises primarily during the design and planning stage of the GIS. Of course the use of contract as a risk management strategy may not always be cost efficient. GIS developers should consider the following strategies for contractually avoiding the legal risks associated with developing a GIS:

• Where a GIS developer has chosen to develop the GIS software itself, it should contractually secure ownership of all intellectual property rights relating to the GIS software with its relevant employees (e.g. each employee developing the GIS software assigns all copyright and rights to patent whether such development took place at work or at home or whether such software was developed outside the course of the employee’s ordinary employment);

• Where some or all of the components of the GIS are acquired from other parties the necessity for contractually managing the legal risks associated with developing GIS expands. The party with whom a legal risk can be contractually limited will depend on the method of acquisition adopted by the organisation developing the GIS. A GIS developer that acquires some or all of the components of the GIS from other parties can do so by: (i) contracting individually with the suppliers of the various components (multi-suppliers); (ii) engaging a party to act as agent of the developer to organise the acquisition of the components. Under this approach (systems integration) the GIS developer still individually contracts with each supplier of the component; (iii) contracting with another party (prime contractor) to assume responsibility for providing the entire GIS.[37] In contrast with the multi-supplier or systems integration approach where legal risk is limited by contracting with each supplier individually, a GIS developer that adopts a prime contractor approach can limit legal risk by contracting solely with the prime contractor.

The following legal risks can be limited by way of contract where some or all of the components of the GIS are acquired from other parties:

• Accountability for defects in the individual components supplied by other parties can be secured at the time those components are acquired. Accountability for defects can be secured contractually in a number of ways. Firstly, the contract with the relevant party can specify the functionality and operational requirements including testing standards of the GIS as a whole (not just of the individual component) so that the other party is aware of the role of and expectations of the component that it supplies. The testing standards should specify the degree of error allowed and require the documentation of known bugs or limitations on the performance of the component. Secondly, the contract can expressly impose liability on the other party for a defective component by way of warranties or an indemnity. Where the component provided by the supplying party is data, it may be appropriate for the GIS developer to require that the party provide a warranty as to its legal entitlement to sell the data (e.g. the sale of the data does not infringe intellectual property rights or confidentiality and privacy obligations) and to the accuracy of the data (which could include a warranty as to the age of the data or that its accuracy was cross-checked). Thirdly, the contract could include maintenance clauses that require the supplying party to provide maintenance services in the event that the component proves to be defective. Finally, to address the legal risks that arise when subcontractors are engaged, a contract between the GIS developer and the supplying party could require that in the event that the supplying party engages subcontractors, the supplying party assumes responsibility for the actions of any subcontractor (by way of an indemnity);

• Ownership of intellectual property rights associated with the component supplied including the intellectual property rights that subsist if the component (especially software) is modified can be secured by way of assignment. A typical use of contract to manage legal risk in this context is the assignment, by a developer who is contracted to create the GIS software, of all intellectual property rights relating to the software to the GIS business. Alternatively, if a GIS developer sublicences the GIS software, a contract may provide that the GIS developer is entitled to sublicence the software (for example provide the software to users who purchase a GIS product in digital form) and own the intellectual property rights derived from any modification of the software;

• Liability for the infringement of another party’s intellectual property rights can be transferred to the supplying party by way of contract (through the use of indemnity clauses or warranties, for example);

• Liability for breaching privacy and confidentiality obligations in respect of the data component of a GIS could be transferred by way of contract with the supplying party by including a warranty that the data does not disclose confidential information or infringe privacy laws.

2.7.2 Implement and document testing procedures

The GIS should be tested comprehensively for defects and the testing procedures adopted should be documented. In addition to being tested for functionality and compatibility with the system used by the GIS developer, the GIS should be tested on potential users of the products derived from the GIS in order to identify any confusing, inconsistent or misleading uses of colours, symbols and graphics.[38] The higher the risk of a defect occurring and the greater the impact of such defect, the more extensive the testing should be. Reference should be made to mechanisms that have been adopted by others who have implemented similar GIS to minimise the occurrence of damage or injury resulting from a defective GIS.[39] Relevant industry standards for testing the GIS should also be followed.

The implementation and documentation of testing procedures achieves two risk management objectives. Firstly, if a GIS proves to be defective the testing records should facilitate the identification of the component that is responsible for rendering the GIS defective which in turn isolates the party responsible for the defect. Secondly, the fact that comprehensive testing was undertaken can reduce exposure to liability for damage or injury suffered by a customer who uses an erroneous GIS product that was caused by a defective GIS.

2.7.3 Obtain insurance

An alternative risk management strategy for limiting or avoiding the legal risks associated with developing a GIS is to obtain insurance to cover the risk. It may not be cost effective or even possible to insure against every legal risk associated with the development of a GIS. Types of insurance relevant for managing risk in the GIS context include liability insurance for intellectual property infringement and product liability insurance. It is also relevant to note that if insurance is obtained it would be prudent to obtain cover for claims made against the GIS developer for economic loss as well as claims for loss resulting from personal injury or property damage.

2.7.4 Establish good tendering practice

Below are some strategies which should be followed by Governments who have decided to contract out the development of all or part of a GIS. GIS best practice guidelines should be in place which, among other things,

• consider transition costs, staff development issues, etc when moving from government provision of a service to outsourcing;

• ensure the tender process is open, and competitive;

• ensure tender specifications are clear and will meet needs and provide quality service;

• ensure that the supplier gives adequate details and documentation of the service/goods offered;

• provide adequate staff development of purchasing and other government officers involved in the outsourcing tender formulation, provision and monitoring of tenders.[40]

If done well, the use of contracting out may enhance accountability. Both the Industry Commission Report (pp 4-5) and the Administrative Review Council Report (pp 15-16) stress that competitive tendering and contracting out has the potential to enhance government accountability by:

a) requiring the contracting agency to specify clearly the service to be delivered and to allocate precisely responsibilities between the agency and the contractor for delivery. This makes it easier to identify the cause of any failure. Lines of responsibility should be as clear as possible;

b) requiring the contracting agency to specify the criteria on which the contractor's performance is to be measured and monitored. However, this can be difficult when the service provider must exercise discretion on the amount and mix of services provided.

2.7.5 Be aware of special problems when dealing with Government

In dealing with the Government, GIS developers should be aware of remedies which are potentially available in relation to government conduct. However, as mentioned above, there is considerable uncertainty regarding the extent to which government remedies will apply to those who are contracted by the government to provide a service on behalf of the Government. The key elements of the administrative law system as applied to Government include:

a) the capacity to challenge the legality of Government decisions by action in the High Court under the Constitution and in the Federal Court under the Judiciary Act 1903 (Cth);

b) a codified and simplified form of seeking judicial review of the lawfulness of most statutory administrative decisions using the Administrative (Judicial Review) Act 1977 (Cth) (AD(JR) Act);

c) a right to seek written statements of reasons for administrative decisions provided for by the AD(JR) Act and the Administrative Appeals Tribunal Act 1975;

d) in relation to a wide range of decisions made under legislation, the capacity to seek review of the merits of those decisions by an independent tribunal and in particular the Administrative Appeals Tribunal;

e) an Ombudsman established by the Ombudsman Act 1976 (Cth) to investigate government maladministration, either as a result of a complaint made or on the Ombudsman's own initiative;

f) broad rights of access to government-held documents, and a right for an individual to update or correct government-held personal information under the Freedom of Information Act 1982 (Cth);

g) regulation of the use and storage of information about individuals through the Privacy Act 1988 (Cth) and the Archives Act 1983 (Cth);

h) the ability to seek internal review of a government decision, that is, merits review of an agency's primary decision undertaken by another officer within the same agency.[41]

2.7.6 Develop a crisis plan

Even with the best legal risk management program in place, mistakes will sometimes happen. For example, as was the case in the recent Arnott's extortion experience, the damage may be caused by forces beyond the GIS developer’s control. In these situations, a legal risk management system should include a crisis component which anticipates and sets out the procedures to be followed in such situations and the appropriate interplay among legal, management, public relations and other perspectives. Unfortunately, this is an aspect often ignored by Australian companies, as noted by Gottshall, who found that less than 24% of Australian companies were prepared to handle a crisis.[42]

In conclusion, whether one is developing a GIS or components of a GIS for the Government, or using a GIS to carry out activity on behalf of the Government, the best way to minimise risk is to ensure that each party knows what to expect under the contract and who is to be responsible for what. This requires parties to do their homework prior to contract formation and to establish a good working relationship with clear communication protocols so that tensions are dealt with and disputes resolved at an early stage.

Part 3: legal risk management for GIS businesses that sell, resell or distribute GIS products and services

This section considers risk management in the context of the legal risks associated with the sale of GIS products.

3.1 Overview of the legal risks associated with GIS products

We use the term “sale of GIS products” to include the following activities:

• the sale, resale or distribution of GIS products and services. A GIS product may take the form of a table, map, chart or image. Alternatively, a GIS product may be provided to a customer in digital form such as on a floppy disk, portable disk drive or by allowing the customer access to the GIS business’ network to download the data;

• the detection and correction of errors in the GIS system including fixing software bugs, correcting erroneous data and updating data.

The principal legal risks associated with the sale, resale or distribution of GIS products are: (i) liability for an erroneous GIS product; (ii) failure to secure intellectual property protection for the GIS product; (iii) liability for infringement of intellectual property rights; and (iv) risks involved with the violation of restrictive trade practices laws which seek to promote competition.

3.2 Risk of liability for an erroneous GIS product

A GIS business that supplies an erroneous GIS product (which definition includes the provision of a service) may be liable for negligence. A GIS product may be erroneous for a number of reasons. In our earlier discussion of liability for a defective GIS we identified the defects that can arise in respect of the software and hardware components of a GIS. These defects in turn can cause a GIS product to be erroneous. In addition, invalid data, or a mistake in entering data, or the use of data that is out of date, or the presentation of data in such a way that it can be misinterpreted can cause a GIS product to be erroneous. As the focus of this article is on the management of legal risks we do not examine comprehensively the basis for which liability for negligence arises.[43] Instead we consider in general terms only how liability in negligence in this context can arise.

In order to succeed in a claim of negligence against a GIS business for the sale to a customer of an erroneous GIS product it will be necessary for the customer to establish three elements. The first element that the customer must establish is that the GIS business owed the customer a duty to take care to avoid causing loss or damage to the customer[44]. Two factors are relevant to establishing that a duty of care exists in the context of the sale of a GIS product or provision of an information service. The risk of injury or loss must be reasonably foreseeable as a consequence of the failure to take reasonable care to avoid causing loss or injury to the customer. Further, particularly where the customer has incurred solely economic loss, there must be what has been termed a “relationship of proximity” between the customer and the GIS business. In the context of the provision of erroneous information (which the provision of an erroneous GIS product arguably constitutes) such relationship will ordinarily be found to exist where physical injury or damage results from the provision of erroneous information[45]. In addition, where the loss suffered by the customer is solely economic loss it is necessary that the customer reasonably relied on the skill and expertise of the GIS business and the GIS business knew or ought to have known of that reliance.[46] A relevant factor in determining whether reliance was reasonable in this context is the relative skill and expertise of the GIS business and the customer.[47] It is likely that reliance will be reasonable where the GIS business is or proclaims[48] itself to be expert in relation to the GIS product that it provides and the customer has no such skill and expertise. Another relevant factor for determining the existence of a duty of care is the presence or absence of a disclaimer or exclusion clause. This factor will be discussed in more detail later in this article.

The second element that a customer must establish is that the GIS business’ conduct was inferior to the standard of care a reasonable person would have taken in such circumstances. If it can be established that the GIS business fell short of the standard required of a business that provides such products then the GIS business will be liable for negligence. The third element that a customer must establish is that the inferior conduct of the GIS business caused the loss or damage complained of and the type of loss or damage suffered was reasonably foreseeable as a consequence of the GIS business’ inferior conduct (that is, the loss or injury that occurred was not far fetched or fanciful)[49].

Whether a GIS business is liable in negligence for an erroneous GIS product will depend on the circumstances of each case. Factors relevant to determining liability for negligence include:

• the potential of the GIS product to cause harm

Clearly the more potential an erroneous GIS product has for causing damage or injury, the more likely it is that a duty of care to avoid causing loss or damage to a customer exists. GIS businesses that provide global positioning products for aircraft, for example, will clearly owe their customers a duty of care.

• the degree of skill and expertise required to create the GIS product

The higher the degree of skill and expertise required to create the GIS product the easier it is to establish reasonable reliance, a factor that indicates that a duty of care exists.

• the procedures adopted for detection and correction of errors in the GIS product

The procedures that a GIS business has adopted for the detection and correction of errors are relevant to determining whether a GIS business’ conduct has failed to meet the standard of care of a ‘reasonable man’. Thus, if no procedures are in place at all it is highly likely that the conduct of the GIS business will be held to fall short of the standard of care and consequently a GIS business will be liable in negligence for an erroneous GIS product.

• the presence of a disclaimer

A disclaimer may indicate against the existence of a duty of care, although the presence of a disclaimer alone will not be conclusive.[50]

Finally, a GIS business may additionally be liable for an erroneous GIS product under a number of consumer protection laws. Section 52 of the Trade Practices Act 1974 (Cth) and its equivalent provisions under the State Fair Trading Acts operate to impose strict liability on corporations for engaging in "conduct which is misleading or deceptive or likely to mislead or deceive." It is conceivable that in some circumstances the sale of an erroneous GIS product could attract the operation of section 52 of the Trade Practices Act or its State/Territory equivalent. Moreover, the use by a GIS business of a disclaimer or exclusion clause will not be effective because a contractual provision cannot override a statutory dictate against such actions.[51] The existence of such an exclusion clause or disclaimer, may, however, go to the issue of whether the targeted audience was in fact misled, in which case, the clause is not attempting to exclude liability but seeks to prevent the liability from arising in the first place.[52]

In addition, the sale of a GIS product may in some circumstances constitute a “consumer” sale in which case a GIS business will be liable if the GIS product sold breaches any of the terms and warranties that are implied into such sale by the Trade Practices Act and its State equivalents. A GIS business that supplies an erroneous GIS product may also be liable for the sale of an unsafe product under the product liability provisions of Part VA of the Trade Practices Act.[53]

A GIS business may be additionally liable for an erroneous GIS product under other consumer protection laws.[54]

3.3 Risk of failure to secure adequate intellectual property protection for the GIS product

Another legal risk facing a GIS business that sells GIS products is the failure to secure adequate intellectual property protection for its GIS products. The most relevant form of intellectual property protection in the context of GIS products is copyright. In order to attract copyright protection a GIS product must fall within one of the categories specified in the Copyright Act 1956 (Cth). A GIS product will in most instances qualify as a literary work (as a table or compilation). In addition it is possible that a GIS product could constitute a computer program (as ‘related information’).[55] In other circumstances a GIS product will qualify as an artistic work (for example if the GIS product is in the form of a map).

The adequacy of the copyright protection afforded to GIS products, however, is made uncertain by the following factors. Firstly, given that a GIS product is usually generated by a computer, it is by no means clear that a GIS business is the author of a GIS product and therefore the owner of any copyright that subsists in that product. Secondly, even if authorship is not in issue, the copyright protection afforded to GIS products will be limited in that copyright protects against substantial[56] reproduction. Thus, another party may legitimately reproduce portions of a GIS product without infringing the GIS business’ copyright. Thirdly, where the GIS product qualifies for copyright by virtue of being a literary work in the form of a “table or compilation”, copyright will operate to protect the selection and arrangement of the data rather than the data itself.

3.4 Risk of liability for infringement of intellectual property rights

Liability for infringement of intellectual property rights can also arise in relation to the sale of a GIS product. In some circumstances, for example, where the GIS product purchased by a customer comprises large volumes of data, it may be desirable for the customer to acquire it in digital form. In such instances, it may be impossible for the customer to make use of the GIS product without the GIS software that was used to create the product. If a GIS business provides a customer with a copy of the GIS software and it does not own the intellectual property rights (e.g. copyright) relating to the software, nor is licensed to provide a copy of it to its customers, the GIS business will be liable for infringement.

3.5 Risks involved with the violation of restrictive trade practices laws which seek to promote competition.

3.5.1 Background to recent reforms to Australian competition law

In a de-regulated economy, Governments have increasingly turned to competition law as a vehicle to guard against the abuses of de-regulation. This is evidenced by the Hilmer reforms which have ushered in a new regime of regulation (discussed below) which for the first time applies to the States and to government business enterprises the provisions of Part IV of the Trade Practices Act 1974 (Cth). Part IV of the Trade Practices Act prohibits various forms of anti-competitive conduct, such as contracts which substantially lessen competition, price fixing among competitors, the misuse of market power, resale price maintenance, mergers and acquisitions which have a substantially lessening effect on competition, and other forms of restraint of trade such as exclusive dealing arrangements which have a substantially lessening effect upon competition in a particular market.

On 11 April 1995, the Council of Australian Governments supported the Government's competition policy reform package and signed agreements implementing the above reforms.[57] These agreements included the Competition Principles Agreement which sets out principles on structural reform of public monopolies, competitive neutrality between the public and private sectors, prices oversight of utilities and other corporations with a significant monopoly power, a regime to provide access to essential facilities, and a program of review of legislation restricting competition. The Governments also agreed to publish policy statements on competitive neutrality and the application of the Competition Principles Agreement to Local Government as of June 1996.[58] There was also agreement to review by the year 2000 all legislation which restricts competition. The lesson is clear: the Trade Practices Act and competition law is no longer of concern only to corporations; it also applies to local and state Governments and to individuals. Government business enterprises, including those connected with GIS development or commercialisation, must play by the same commercial rules as private business.

3.5.2 Essential facilities

Given the smallness of the Australian market and the increasing importance of mapping information to infrastructure and other economic development, it could well be that a particular GIS would be an essential facility which must be used by all commercial players in a designated area. This context raises the question of rights of access to the GIS. The Hilmer reforms amended the Trade Practices Act by establishing provisions which deal with access to essential facilities,[59] characterised by a natural monopoly, eg power grid, gas pipeline. It is arguable that the essential facilities doctrine could also apply to a GIS. The Act[60] defines service to include "(a) the use of an infrastructure facility such as a road or railway line." It also includes "(c) a communication or similar service;" but does not include "the use of intellectual property."[61] This would suggest that access to the GIS technology itself may be caught under the legislation, but not the information itself, which information would likely be classified as intellectual property.

Access to essential facilities can be achieved if they are declared to be essential facilities and access would promote competition. Once a facility is declared, parties are free to negotiate their own terms and conditions for the use of such facility. If they cannot agree then they can notify the Australian Competition and Consumer Commission (ACCC) which can make a determination. An alternative is for the owner or operator of the facility to offer an undertaking to the Commission regarding the terms and conditions. Finally, even if a GIS is not regarded as an 'essential facility' for purposes of Part IIIA of the Trade Practices Act, particular conduct may nevertheless fall foul of s 46 of the Act which deals with the misuse of market power (discussed below in s 3.53).

3.5.3 Other contexts in which restrictive trade practices laws should be considered

There are four sets of relationships in GIS development and commercialisation which should be monitored carefully to ensure compliance with competition law. The first concerns relationships with competitors. These can easily involve anti-competitive activities such as allocation of markets, anti-competitive mergers, price fixing and other practices. A second set of relationships concerns relations with suppliers or customers. Here one must watch for illegal re-sale price maintenance and such vertical restraints as territorial allocation, reservation of customers and similar practices which may have the effect of substantially lessening competition. The third set of relationships is that between the GIS seller or provider of goods and/or services and other parties such as patent licensees. Intellectual property relationships in relation to GIS, for example, might involve cross-license holders who are competitors, as well as vertical relationships such as a licensee who is obligated to purchase other products as a condition of obtaining the patent license. Finally, one must be concerned about one's relationship with the GIS industry itself. For example, a group of small businesses may cooperate to market aggressively against a large player and in the process violate such provisions as section 45 which prohibits arrangements or understandings which substantially lessen competition.

3.5.4 Legal risks where one party has a substantial degree of market power

One of the most commonly alleged breaches of the restrictive trade practices provisions of the Trade Practices Act is s 46 which deals with a misuse of market power. The Trade Practices Commission Guidelines regarding s. 46 provide a useful framework for the kinds of activity which may amount to a misuse of market power. Refusals to deal, lease only policies, a decision to stop supply to a distributor because of complaints about discounting, tying arrangements for example of other products to patented products, long term requirements contracts, predatory pricing, denial of access to essential facilities, vertical integration to foreclose supply to competitors, plans to target a competitor in order to increase market share--all such conduct needs to be carefully reviewed so that such decisions in relation to a GIS business can be commercially justified and do not amount to an attempt to take advantage of market power to damage or hinder a competitor.

From the standpoint of a small firm which is being victimised by a large firm, it is important to 'flag' and document such conduct so that action can be taken pursuant to s. 46 to remedy the misuse of market power by the larger firm. A good example of the application of s 46 to a GIS type of context is Pont Data Australia Pty Ltd v ASX Operation Pty Ltd.[62] In that case the Australian Stock Exchange, LTD (ASE) operated through various subsidiaries to supply stock exchange transaction information to processors who in turn provided an electronic information service to subscribers. Pont Data, one of the down-stream processors, provided a service which competed with services provided by the ASE. Pont Data was successful in its argument that the ASE breached s 46 by taking advantage of its market power to impose on Pont Data uncompetitive terms of supply.

3.6 Some risk management strategies for businesses that sell, distribute or resell GIS products

The exact formulation of a risk management strategy for a particular GIS product will depend upon the particular circumstances of each case. In deciding on the details of a specific risk management plan, it is best to secure legal advice at the earliest possible moment and not wait until one is threatened with litigation before attention is given to such matters. Some common strategies for managing the commercial exploitation of GIS include the following:

3.6.1 Review, update and correct

It is important that a GIS business implement practices to detect and correct any errors or defects that may cause a GIS product to be erroneous. Details of the procedures adopted should be documented as they can be used to substantiate a defence that a GIS business met the standard of care expected of a reasonable person in such circumstances.

Furthermore, if modifications of the GIS software are contemplated it would be prudent to get the persons involved with the initial development of the GIS software to consider whether the proposed modifications would have an effect on the accuracy of the GIS products.

3.6.2 Use disclaimers and warnings

Liability for an erroneous GIS product can be reduced by providing warnings (disclaimers) of the limitations of the GIS product. These warnings could be imprinted or otherwise affixed to the GIS product and could be expressed in a number of ways. For example, simply specifying the date the GIS product was created or the date/age of the data used in the GIS product will inform (warn) a customer how up to date or accurate a GIS product is. Alternatively, a warning could specify the factors that affect the accuracy of the GIS product, such as the age of the underlying data and the scale used for representing geographical data. Otherwise, a warning could “alert the user to any plausible dangers that could emerge from [the] foreseeable use [of the GIS data]”.[63] Warnings may not succeed in avoiding liability for negligence, however, if a simple modification to the design of the GIS product could reduce or eliminate the risk of injury or damage. This is because the omission or disregard of a simple modification may indicate a failure to meet the standard of care that would be exercised by a reasonable person in such circumstances.

Liability for an erroneous GIS product may also be limited through the use of an exclusion clause. Care must be taken to ensure that the liability excluded does not exceed that which is permitted to be excluded under law. For example, where a customer purchases a GIS product and such transaction is regulated by the consumer protection provisions in the Trade Practices Act 1974 (Cth) and equivalent State legislation, a GIS business cannot exclude liability if the effect of such exclusion amounts to excluding liability for the conditions and warranties implied by the consumer protection provisions beyond that which is allowed under law. In addition, it is not possible to exclude liability for actions of the GIS business that could be construed as misleading or deceptive conduct. The definition of misleading and deceptive conduct would include purporting to exclude liability which cannot be excluded under consumer protection law.[64]

The Trade Practices Act also prohibits the exclusion of liability for breach of the product liability provisions in Part VA.[65] The use of a disclaimer to exclude liability for an erroneous GIS product may also be limited by a ruling made by Barwick CJ in Mutual Life and Citizens Assurance Co Ltd v. Evatt [1968] HCA 74; (1968) 122 CLR 556. In that case, Barwick CJ expressed the view that, where a plaintiff relies on advice or information provided by the defendant, and the defendant is the only possible source of information, a disclaimer of responsibility in those circumstances has no effect. Such a principle may well apply to the sale of a GIS product where the GIS business is the only source for the GIS product sought by a customer. It is interesting to note that a statutory basis for this principle can be found in section 68A(3)(a) of the Trade Practices Act[66] albeit its application to GIS products is limited to the exclusion of liability for the conditions and warranties implied by the consumer protection provisions in that Act.

3.6.3 Use contract law to avoid or limit legal risk

A number of the legal risks can be minimised or transferred by way of contract. Some strategies for contractually limiting or avoiding these risks include:

• Warning, by way of disclaimer, of any qualifications to the accuracy of the GIS product supplied by the GIS business.[67]

• Limiting or, in some circumstances, excluding contractual and non-contractual liability (eg liability for negligence) by way of an exclusion clause. Special care must be taken with the drafting of disclaimer/exclusion clauses to avoid invalidity.[68]

• Specifying what remedies will be available to a customer in the event that the GIS product is erroneous. As suggested in the context of contractual liability but equally applicable to non-contractual liability:

“Rather than leaving to a court the job of deciding the appropriate remedy for contractual liability, parties should decide, where possible, what remedy will be available for what breach.”[69]

For example, a GIS business could specify that the remedy available to a customer for an erroneous GIS product is limited to a full refund. Care must be taken when drafting a “remedies” clause because the extent to which a GIS business may limit remedies may, in some circumstances, be regulated by the consumer protection provisions of the Trade Practices Act and its State equivalents.

• Prohibiting the reproduction or modification of a GIS product by a customer without the consent of the GIS business. This would address the difficulties discussed earlier of securing adequate intellectual property protection for GIS products. Again, care must be taken with the drafting of such a clause to avoid invalidation under anti-competition/restraint of trade law;

• Acquiring a licence to distribute copies of GIS software to customers where a GIS business is not already legally entitled to do so.

3.6.4 Obtain insurance

An alternative legal risk management strategy for a GIS business that uses GIS products is to obtain insurance. Relevant types of insurance that could be obtained to manage the legal risks associated with the use of GIS include product liability insurance, professional indemnity insurance and insurance for intellectual property infringement. The earlier discussion of insurance as a risk management strategy for the risks associated with the development of a GIS applies equally to the use of insurance for managing the risks associated with the use of a GIS.

3.6.5 Strategies to ensure compliance with competition law

• Conduct a competition law compliance audit

An important strategy to ensure compliance with competition law is to conduct a legal audit. In order to do so in relation to the GIS industry, the auditor will have to be familiar with the industry, the marketed products/services, customers and competitors. From this information, sensitive areas will be identified and examined. Among those areas likely to be investigated are:

- any communication having to do with prices, terms, conditions;

- whether price lists are exchanged and with whom;

- how competitors' prices are obtained;

- any communications related to dealer termination or refusal to deal;

- any communications related to division of territories or customers;

- communications which discuss costs;

- communications with competitors;

- trade association involvement and rules of operation;

- dealer complaints;

- licensing agreements;

- resale price recommendations;

- nature of decisions about and announcements of prices;

- nature of any interlocking directorates, for example in joint venture corporations.

• Resale price maintenance (RPM)

One of the most significant changes to the Trade Practices Act as a result of the Hilmer Report was the expansion of s 48 (resale price maintenance) to cover services as well as goods. As the GIS industry in Australia develops and as contracting out becomes more common, GIS businesses will increasingly distribute their services through others. A good example of such a service supply chain was the Pont Data case discussed above. Government, for example, might provide the basic information and develop a GIS and then sell it to wholesalers who in turn retail it to others down the supply chain. This area requires a well thought-out policy which is put into practice and strictly adhered to. RPM is one of the easiest infractions of the Trade Practices Act to prove and one which attracts quite substantial penalties.[70] Accordingly, where such supply chains are involved, it is imperative that all draft agreements between suppliers and retailers be reviewed by legal counsel. A supplier of services does not, however, engage in RPM merely by recommending prices. It must nevertheless be clear in all communications and in practice that the prices are recommended only. If RPM is the substantial and operative reason for refusing to supply or cutting off supply, then the Trade Practices Act will be infringed. In conducting a compliance audit, the lawyer should examine correspondence for evidence of RPM and act accordingly to correct it.

A GIS business that distributes its services through others should also be aware that there are certain circumstances in which the court will presume RPM motivation. This underscores the need for managers to document the commercial reasons for their actions. Proof of one's motives does not occur only in the courtroom; it begins by carefully documenting one's motivation along the way. Moreover, careful documentation of one's commercial intentions is also the best way to prevent a lawsuit to begin with. Finally, a compliance program will be of no avail unless it is followed and put into practice at all levels of the organisation. In the area of pricing, this is especially so. Sales representatives, distributors, and employees who have frequent contact with customers and competitors should be well informed about legal requirements and company procedures to ensure compliance with the law.

• Price Discussions with competitors

At the heart of competition law is the belief that it is the competitive market which should determine the price of goods and services. As with RPM, the area of pricing GIS products or components is especially sensitive and must be monitored carefully. It is also important for staff to realise that even informal arrangements and understandings will be caught by s 45 of the Trade Practices Act.

• Trade association and related activity

As the GIS market in Australia has grown and continues to grow, it will be increasingly common for GIS developers and GIS businesses to become involved in trade association activities which bring suppliers, competitors and consumers together to share information, review the latest technological developments and so on. Genuine informational exchanges and the promotion of one's industry are all to be commended. However, trade associations must be especially careful lest their activities border on collusive conduct which seeks to maintain prices. Again, mindful of the need for good record keeping, association members should keep minutes and other documentation which supports the pro-competitive benefits of association activity. Any detrimental impact upon competition caused by trade association policies should be mitigated or, if possible, prevented. Trade association rules and procedures should be reviewed periodically to ensure compliance with the Trade Practices Act.

• Joint ventures and interlocking directorates; mergers

As mentioned earlier, one of the elements of legal risk management involves the proactive role of law in strategic business planning. Given the large sums of money involved in information technology projects, it is common to utilise joint ventures and mergers to carry out business objectives. Although the technical legal details are beyond the scope of this article, it is important to realise that legal perspectives play a vital role in structuring such transactions, enabling them to work and minimising the risk of loss. Special problems occur in relation to corporations which form a joint venture company with interlocking directors from both companies on the Board of the joint venture company. In these situations, the directors must be vigilant about conflicts of interest and know at all times which director's hat they are wearing. Otherwise, they may be in breach of both their obligations under the Corporations Law as well as the Trade Practices Act.

Merger activity is also very common in technology industries. The competition law compliance audit should also examine the organisation's plans for increasing market share or diversifying by means of a merger or acquisition of assets of another company. Mergers which have the effect of substantially lessening competition in a market may be challenged by the ACCC. The nature of interlocking directorates is of special concern, both from the standpoint of exposure under the Corporations Law as well as the Trade Practices Act.

• Corrective action

If the competition law compliance audit reveals areas of possible exposure to legal liability, corrective action to remedy the problem should be planned and undertaken promptly. It is also important to point out that in addition to looking for "trouble spots" the GIS business should also ensure that the files contain useful documentation to explain the "business" reasons behind cost changes, dealer terminations, etc so that should a matter be litigated, the firm has helpful evidence readily available to substantiate a defence.

• Authorisations/notifications

GIS businesses should be sure to take advantage of the authorisation and notification protection provided under the Trade Practices Act. If an authorisation is provided on the basis of certain conditions or undertakings, the organisation should monitor its conduct to ensure that such conditions are complied with and undertakings performed. Otherwise, there is a real risk that the authorisation may be revoked. Because all authorisations today are granted for a limited period of time only, it is important regularly to document the public benefits and lack of anti-competitive harm inherent in such conduct.

3.6.6 Develop a crisis plan

The discussion relating to the use of a crisis plan for managing the legal risks associated with the development of a GIS is equally relevant to the legal risks associated with the use of a GIS.

Part 4: compliance strategies for legal risk management systems[71]

A critical component of an effective legal risk management system is the implementation of procedures and work practices to ensure compliance with the risk management system. In this part we consider some general and specific strategies for implementing a legal risk management system and ensuring that the legal risk management system adopted is complied with.

4.1 Involvement of Senior Management

A legal risk management system is unlikely to be sufficiently emphasised unless senior management supports such an initiative. An affirmation by the senior people in the organisation of the importance of compliance can be influential in achieving compliance with a risk management system by its employees:

“At a basic level, ... compliance in a large organization depends on a strong statement of interest in law compliance by top executives who are in a position to state corporate policy. Absent this sort of support for law compliance as a requirement of the corporate principal, corporate operating employees will not view ... compliance as a requirement of them in their roles as corporate agents. Hence, top level policies in support of law compliance and related actions by corporate executives to make it clear that these policies are meant to be enforced within the corporate organization are necessary elements of agency processes aimed at organizational law compliance.”[72]

Also, as stated earlier in this article, it is important that a specific member of senior management takes responsibility to see that legal risks are identified and a plan put in place to manage the risks accordingly.

4.2 Top Down and Bottom-up Compliance: Employees as Their Own Compliance Officer

Legal risk management is part of every employee's job description. In the final analysis, legal risk management will be effective only if it permeates the very bones of the organisation. Clear company policies and managers who preach the benefits of legal risk management are not of themselves sufficient. To be truly effective, each employee must be their own risk management officer.

4.3 Creating effective communication channels

An effective legal risk management strategy demands excellent communication at all levels and in all directions. In addition, the legal risk management strategy should be developed in consultation with all levels in the organisation.

4.4 Monitoring/reporting procedures

A legal risk management system can only be effective if it is continuously monitored for compliance levels and for relevance. Legal risk management is not a once off activity, but a process of continual adjustment. This is achieved by:

• carrying out periodic evaluations of the legal risk management system for its effectiveness. Consideration should be given to any new activities undertaken by the business and, where legal risks associated with such activities are not addressed by the current legal risk management system, the adoption of risk management strategies to address the new legal risks should be considered. In addition the activities of the GIS developer or business should be periodically evaluated to identify any new legal risks that may arise;

• carrying out periodic employee surveys to gauge employee awareness of the GIS business’ legal risk management strategy, and more specifically to gauge each employee’s awareness of those aspects of the strategy that directly affect him or her;

• implementing a reporting system where employees can report new activities undertaken by the GIS business that involve legal risk and instances of non compliance with the legal risk management system in place;

• implementing procedures for reacting to customer feedback concerning defects or errors in the GIS products sold[73]. Attention to customer feedback not only means fewer complaints and more satisfied customers but also leads to fewer lawsuits. It is therefore important that customer complaints are listened to and addressed as soon as possible, and by someone who has the power to do something about it;

• documenting the risk management strategies adopted by the GIS business. Effective documentation will help avoid many lawsuits and is crucial to winning them, should an organisation be unfortunate enough to be involved in one. In this regard, records should be kept of:

- the testing and review procedures undertaken in relation to the GIS including records of modifications or updates made to any component of the GIS;

- the outcome of any compliance audits/reviews and any action taken to rectify instances of non-compliance;

- customer and employee reports of defects and errors with the GIS and GIS products; including records of any action taken to verify and if necessary rectify those defects and errors;

- agreements and licences evidencing ownership of intellectual property rights or rights to use intellectual property; and

- any brochures, advertisements or manuals that set out specifications of the GIS product sold by the GIS business which are then provided to customers.

4.5 Awareness and incentive programs for employees

The participation and cooperation of employees is crucial for achieving compliance with a risk management system. Key strategies for achieving employee participation and cooperation include:

4.5.1 Conduct training and awareness programs

Clearly an awareness or training component for new employees, and the provision of refresher training for existing employees which specifies the actions that an employee may or may not take is important for achieving compliance with a risk management strategy[74]. For example where a GIS business develops the GIS software itself, the employees who create the software should be made aware of their responsibility to observe privacy/confidentiality obligations in relation to the data component of the GIS, as well as other legal restrictions such as the limits on unauthorised use of intellectual property. Similarly, if warnings (disclaimers) are provided by the GIS business, employees must be made aware they cannot make statements that have the effect of negating such warnings, for example, by stating that they will not be relied on by the GIS business or by contradicting qualifications on the accuracy of the GIS product.

4.5.2 Provide incentives (sticks and carrots) for compliance

Employee compliance can also be improved through the provision of rewards, such as salary increases or bonuses, or penalties for failure to comply: “Positive employment rewards should be administered in accordance with the same job requirements of lawful performance. Rewards such as bonuses or salary increases should be withheld where otherwise desirable corporate performance is attained illegally. If possible, positive rewards should be granted for diligent pursuit of law compliance, and lax efforts to support corporate law compliance (such as failures to make reasonable efforts to detect or stop illegal conduct) should be grounds for discipline or dismissal.”[75]

Conclusion

Risk management is recognised as an important management tool for businesses, which if overlooked can result in:

“(1) Excessive time spent by managers and boards in dealing with unanticipated losses.... (2) Adverse effects on [the business’] credit ratings and costs of capital. (3) Reduction in cash flows, growth, and profitability due to non-optimal pricing necessitated by concerns over risk. (4) Deterioration of public image and loss of customers because of actions offending societal norms. (5) Difficulty in finding qualified persons who will serve on boards of directors because of concerns about personal liability; [and] (6) Abandonment of certain strategically desirable projects because of inadequate ability to manage associated loss exposures, domestically and internationally.”[76]

This article has applied risk management principles to identify and formulate guidelines for developing a legal risk management strategy for organisations that commercially exploit GIS. In addition, guidelines were offered about ways to ensure the effective implementation of a legal risk management strategy. The application of risk management in the context of legal risk has often been limited to achieving the objective of legal compliance. This article demonstrates that risk management is an integral part of business and government planning which will enable an organisation to achieve its goals while at the same time avoiding loss and civil liability. The overriding lesson for GIS developers and businesses is that to fail to plan is to plan to fail.


[*] Katharine Reid is a researcher and part-time lecturer at the University of Canberra. She was formerly with Clayton Utz. Eugene Clark is Professor of Law and Head of School, University of Canberra; George Cho is Assoc Prof in the Faculty of Applied Science at the University of Canberra. We also acknowledge the input of researchers Arthur Hoyle and Kerrin Stewart who, with the authors, are part of the University of Canberra research team investigating geographic information systems. This article represents the outcome of research undertaken as part of an ARC Grant project on GIS and the law. The present article will be followed up by three additional articles to appear in the next issue of this journal. These articles will focus on: 1) intellectual property issues in relation to GIS; 2) tort liability issues inherent in GIS development and commercialisation; and 3) a comparison of the legal treatment of GIS in the US.

[1] We have used the term “GIS” interchangeably in this article to refer to Geographic Information Systems or Geographic Information System as the context requires.

[2] For example, the commercial activities of the government owned Australian Surveying and Land Information Group (AUSLIG) are in the process of being privatised.

[3] P Oosthuizen, "AISIST Spatial Information Survey, Price, Waterhouse Urwick" (1994), Vol 53 AURISA News 14.

[4] George Cho, 'Legal Dilemmas in Geographic Information: Property, Ownership and Patents', 1995, Vol 6(2) Journal of Law and Information Science 193, 195.

[5] A more detailed examination of legal risk management in the GIS context will be undertaken by the authors in a book that will be published at a later date.

[6] Katherine Taylor Eubank, “Paying the Costs of Hazardous Waste Pollution: Why is the Insurance Industry raising such a stink?”, University of Illinois Law Review, 1991, 173, 189.

[7] Ibid.

[8] Richard S Gruner and Louis M Brown, “Organizational Justice: Recognizing and Rewarding the Good Citizen Corporation”, 21 The Journal of Corporation Law, 731, 751.

[9] Michael S Baram, “Corporate Risk Management and Risk Communication in the Euro Community and the United States”, Spring 1989, 2 Harvard Journal of Law & Technology 85, 89 (downloaded from Lexis-Nexis).

[10] Michael S Baram, “Corporate Risk Management and Risk Communication in the Euro Community and the United States”, Spring 1989, 2 Harvard Journal of Law & Technology 85, 89 (downloaded from Lexis-Nexis).

[11] Ibid at 91.

[12] Richard S Gruner and Louis M Brown, “Organizational Justice: Recognizing and Rewarding the Good Citizen Corporation”, 21 The Journal of Corporation Law, 731, 751.

[13] “Geographic Information Systems”, 1996, http://grid2.cr.usgs.gov/survey/introduction.html.

[14] See George Cho, 'Legal Dilemmas in Geographic Information: Property, Ownership and Patents', 1995, Vol 6(2) Journal of Law and Information Science 193.

[15] See Anne M Fitzgerald, "Square Peggs and Round Holes: Recent US Developments in Copyright Protection for Computer Software," 1993, 4(1) Journal of Law and Information Science 142.

[16] See Andrew Christie, "The Future of Australian Copyright Protection for Computer Programs and Related Products," 1996, Vol 7(1) Journal of Law and Information Science 87.

[17] See generally, John V Swinson, "Software Patents in the United States," 1993, 4(1) Journal of Law and Information Science 116.

[18] Margaret Calvert, Technology Contracts, A Handbook for Law and Business in Australia, Butterworths, Sydney, 1995, p 300 para 8.9.

[19] Section 35(1) Copyright Act 1968 (Cth).

[20] Section 35(6) Copyright Act 1968 (Cth).

[21] Margaret Calvert, Technology Contracts, A Handbook for Law and Business in Australia, Butterworths, Sydney, 1995, 336 -337.

[22] David L Hayes, “Acquiring and Protecting Technology: The Intellectual Property Audit”, 1992, http://www.fenwick.com/pub/propaud.html.

[23] D Rhind, “Data Access Charging and Copyright and their implications for GIS”, Int. J. Geographical Information Systems, 1992, vol 6, no 1, 13,24.

[24] Ibid.

[25] Lori A Weber, “Bad Bytes: The Application of Strict Products Liability to Computer Software”, St John’s Law Review, Spring 1992, Vol 66, number 2, 469, 477.

[26] Bijoy Bordoloi, Kathleen Mykytyn, Peter P Jr Mykytyn, “A framework to limit systems developers’ legal liabilities”, Journal of Management Information Systems, Spring 1996, V 12 No 4, pp 161-185 (downloaded from ABI/Inform).

[27] Daniel J Hanson, “Easing Plaintiffs’ Burden of Proving Negligence for Computer Malfunction”, October 1993, 69 Iowa Law Review 241, 245-246.

[28] Ibid at 246.

[29] Ibid at 247.

[30] Ibid at 247.

[31] Ibid at 246.

[32] Administrative Review Council, The Contracting Out of Government Services, Issues Paper, February, 1997, at 1.

[33] The Industry Commission Report, Competitive Tendering and Contracting Out by Public Sector Agencies, 1996, Canberra, AGPS, at pp 4-5.

[34] Ibid.

[35] See Alan Jarman, "Introducing Spatial Information Systems Into Local-Level Government: some Priorities, Problems and Puzzles Concerning Organisational Innovation," 1995, vol 6(2) Journal of Law and Information Science 208.

[36] Restrictive trade practices implications under Part IV of the Trade Practices Act are considered in 3.5 of this article.

[37] Louis H. Milrad, “Contracting for GIS Technology in the Public Sector”, GIS LAW, 1992, vol 1 no 2, 16.

[38] Bijoy Bordoloi, Kathleen Mykytyn, Peter P Jr Mykytyn, “A framework to limit systems developers’ legal liabilities”, Journal of Management Information Systems, Spring 1996, vol 12 no 4, pp 161-185 (downloaded from ABI/Inform).

[39] Ibid.

[40] (Industry Commission, Competitive Tendering and Contracting Out by Public Sector Agencies, Report No 48, AGPS, Melbourne, 1996).

[41] Administrative Review Council, The Contracting Out of Government Services, Issues Paper, Feb 1997, pp 12-13.

[42] Anderson, S 'Why Arnotts is Good in a Crisis' The Australian Financial Review, Monday, February 17, 1997, p 13, 1997.

[43] For a discussion of Australian product liability law see, Eugene Clark and John Livermore, Australian Marketing Law, 1994, Law Book Company, Sydney, 1994, chapter 5.

[44] See Donoghue v. Stevenson (1932) AC 562, Sutherland Shire Council v. Heyman [1985] HCA 41; (1985) 157 CLR 424 at 498.

[45] Deane J in Sutherland Shire Council v. Heyman [1985] HCA 41; (1985) 157 CLR 424 at 495.

[46] Gibbs CJ in L Shaddock & Associates Pty Ltd v. Parramatta City Council (No 1) [1981] HCA 59; (1981) 150 CLR 225 at 231.

[47] L Shaddock & Associates Pty Ltd v Parramatta City Council (No 1) [1981] HCA 59; (1981) 150 CLR 225; San Sebastian Pty Ltd v. Minister Administering the Environmental Planning and Assessment Act 1979 [1986] HCA 68; (1986) 162 CLR 340.

[48] Barwick CJ in Mutual Life and Citizens Assurance Co Ltd v. Evatt [1968] HCA 74; (1968) 122 CLR 556 at 574.

[49] Overseas Tankship (UK) Ltd. v. Miller Steamship Co Pty Ltd (The Wagon Mound (No. 2)) [1966] UKPC 1; [1967] 1 AC 617.

[50] Barwick CJ in Mutual Life and Citizens Assurance Co Ltd v. Evatt [1968] HCA 74; (1968) 122 CLR 556 at 570.

[51] Eg Benlist Pty Ltd v Olivetti Australia Pty Ltd (1990) ATPR para 41-043.

[52] See generally, A Terry, "Disclaimers and Deceptive Conduct," 1986, 14 Australian Business Law Review 478.

[53] See the discussion under 3.5.2 below in relation to disclaimers and exclusion clauses.

[54] For example, in some circumstances a GIS business may be liable for an erroneous GIS product under the misrepresentation provisions of the Trade Practices Act (Cth) 1974 and its State equivalents or the Sale of Goods Act enacted in each State and Territory.

[55] Margaret Calvert, Technology Contracts, A Handbook for Law and Business in Australia, Butterworths, Sydney, 1995, p 300 para 8.9.

[56] Section 14, Copyright Act 1956 (Cth).

[57] See Trade Practices Commission, "COAG Green Light for Policy Reform", Bulletin Issue 81, May 1995, pp. 11-13.

[58] See eg, Competition Policy Reform (New South Wales) Act 1995; See generally, Heydon, Trade Practices Law, Sydney, LBC Information Services, Vol 3, at 22,011 ff.

[59] For a general discussion of the essential facilities doctrine, see Lang, "Defining Legitimate Competition: Companies' Duties to Supply Competitors & Access to Essential Facilities" (1994) 18 Fordham International Law Journal 437.

[60] Trade Practices Act, Part IIIA

[61] Trade Practices Act 1974 (Cth), s 44B. Note that this is a fairly restricted definition and is much narrower than the case derived essential facilities doctrine as applied in the US. At the same time, it should also be realised that denial of access to an essential facility could also be ground for a misuse of market power under s 46 of the TPA.

[62] (1990) 21 FCR 385; upheld on appeal: ASX Operations Pty Ltd v Pont Data Australia Pty Ltd (1990) 27 FCR 460.

[63] Bijoy Bordoloi, Kathleen Mykytyn, Peter P Jr Mykytyn, “A framework to limit systems developers’ legal liabilities”, Journal of Management Information Systems, Spring 1996, vol 12 no 4, pp 161-185 (downloaded from ABI/Inform).

[64] Karmot Auto Spares Pty Ltd v. Dominelli Ford (Hurstville) Pty Ltd (1992) 35 FCR 560; Keen Mar Corporation Pty Ltd v. Labrador Park Shopping Centre Pty Ltd (1989) ATPR (Digest) 46, 048. See Margaret Calvert, Technology Contracts, A Handbook for Law and Business in Australia, Butterworths, Sydney, 1995, p 430 at para 12.17.

[65] Section 75AP(1) of the Trade Practices Act 1974 (Cth) provides that any term of a contract that excludes, restricts or modifies the product liability provisions in Part VA is void.

[66] Section 68A(3)(a) of the Trade Practices Act 1974 (Cth) provides that “the availability of equivalent goods or services and suitable alternative sources of supply” is a factor relevant to determining whether an exclusion of liability for the conditions and warranties implied by the consumer protection provisions is “fair or reasonable” and consequently will be upheld by the courts.

[67] The use of warnings (disclaimers) is discussed in more detail in 3.5.2 above.

[68] This aspect is discussed in more detail in 3.5.2 above.

[69] Margaret Calvert, Technology Contracts, A Handbook for Law and Business in Australia, Butterworths, Sydney, 1995, p.521 at para 15.42.

[70] Penalties for each violation under the Trade Practices Act can be as high as $10,000,000 for a corporation and $500,000 for an individual.

[71] Some parts of this section were adapted from: Eugene Clark, "Legal Compliance Programs: General Principles and Practical Guidelines for Preventative Legal Action", (November 1996) Journal of Contemporary Issues in Business and Government, vol 2, no 2, pp 16-32; Eugene Clark, "The Role of Legal Compliance Programs in the Marketing of Goods and Services: Product Liability, Advertising, Credit Management, Intellectual Property and International Trade Issues", Journal of Contemporary Issues in Business and Government, vol 3, no 1, pp 4-20.

[72] Ibid at 750.

[73] Bijoy Bordoloi, Kathleen Mykytyn, Peter P Jr Mykytyn, “A framework to limit systems developers’ legal liabilities”, Journal of Management Information Systems, Spring 1996, vol 12 no 4, pp 161-185 (downloaded from ABI/Inform).

[74] Richard S Gruner and Louis M Brown, “Organizational Justice: Recognizing and Rewarding the Good Citizen Corporation”, 21 The Journal of Corporation Law, 731, 754.

[75] Ibid at 754.

[76] American Risk and Insurance Association, “Risk Management- A Position Paper published by the American Risk and Insurance Association”, http://www.aria.org/riskpos.htm.


URL: http://www.austlii.edu.au/au/journals/JlLawInfoSci/1996/14.html