Legal Confidentiality Restrictions in Process and Portfolio


The main intentions of introducing a solution for process and portfolio management often include obtaining a clear view of how the company’s most innovative, strategic and valuable projects are moving through the Stage-Gate® process, what the resulting portfolio looks like and sharing the knowledge in these projects among scientific, commercial and managerial staff. It can be concerning if some information is considered confidential and should, in fact, not be visible to certain staff members.

What type of information needs to be shielded?

Firstly, innovative products and related technologies may be classified due to contractual or legal obligations. This is often the case in joint ventures where contractual agreements including NDAs regarding IP, technical and commercial information limit the degree to which it can be made visible to a wider audience.

Secondly, the transport of information across country borders is in some cases subject to government control via export regulations. For some data a government clearance is required before access can be granted. For example, this is the case with weapons systems and so-called “dual use” technologies, including life science and chemical products which may potentially be used either for good or to do harm. Certain other countries or designated individuals, companies or organizations are forbidden to have any kind of access. The detail of these regulations is generally related to a country’s need to conform to international treaties, or its membership of the Australia Group or the Wassenaar Arrangement.

A process and portfolio management system implemented in R&D will therefore contain some information that is either legally or contractually constrained or subject to trade compliance. Access to and export of this data accordingly needs to be controlled to ensure compliance and avoid fines.

Key questions to consider when implementing a process and product portfolio management (PPM) solution:

1. In which country should a company with international research facilities locate the PPM server? Note that all other countries using the system are exporting data to and importing data from that country and must comply with import/export regulations.

Based on an assessment of trade laws and the multiple licenses required, locating the server in the USA may be difficult as this country has the most stringent set of regulations, which continue to apply even after data has been exported. Furthermore, all data which enters the USA becomes US-origin data from that point on. The option of a “non-Wassenaar” country such as China or India (although India has applied for membership) also brings difficulties, as many stringent regulations will apply to the government licenses required for storing export-controlled data on servers hosted in those countries.

It is therefore a better practice to locate the server in a country other than the USA whose regulations are based on the Wassenaar Arrangement, e.g. Germany, Italy, New Zealand, the Netherlands, etc.

2. How can we provide access to restricted data within the system strictly on a per-user basis?

Apart from general regulations, access by individuals to projects involving technologies that require protection for contractual or export control reasons needs to be governed on the basis of their nationality (including multiple citizenships), residence, office location and other factors. It is, however, not practically possible to configure the rights of individuals on the basis of these factors in such a way that they can be applied automatically.

Best practice is therefore to include within Stage-Gate projects an initial assessment (questionnaire) to be completed by the project manager and legal specialists allowing for the early identification of restricted technologies. In fact, the assessment may be repeated at various times in order to track technological or commercial changes. If any restricted technologies, IP or other aspects are identified, the project should be placed in/moved to the confidential access group.

Most projects can be accessed by any user of the Stage-Gate system with the appropriate rights, usually on an organizational basis, e.g. per business unit or department. Projects in a confidential access group however are visible only to project members. This has the advantage that project members can be selected on the basis of their individual rights. If necessary, they can be asked to sign Letters of Assurance or fulfill other legal obligations. Figure 1 shows that confidential projects have a separate access group. They are visible to the members of their teams and to the legal personnel who do the assessment. Note that the IT personnel who manage the database root also need to be screened as they will have access to all data; even managers who have corporate level access need to be team members before they can access a confidential project.

Figure 1: Restricted Access to Projects

3. Can we differentiate the information displayed in portfolio views in terms of confidentiality?

The company normally expects its portfolio information to be widely available to management in all parts of the company. How is our portfolio doing with respect to strategic fit, value and balance? What is the progress of different projects through the Stage-Gate process? What are we spending our resources on? However, some managers will be restricted with reference to certain project data. Best practice is therefore to make a clear separation: general portfolio views, which contain mainly numerical, financial or Stage-Gate progress data, can be available to all. We can also generate a set of restricted portfolio views which may contain more detailed text and key words referring to the nature of the technology. It is possible to exclude managers from being able to see these.
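The access rules from questions 2 and 3 can be expressed as a small decision function plus two view builders. This is an added sketch, not code from Sopheon or any PPM product; the class names, fields, and sample users and projects are constructed for illustration, and filtering the restricted view per project is an assumption about how such a view would be enforced.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    unit: str
    corporate_access: bool = False  # corporate-level manager
    legal_assessor: bool = False    # legal staff who perform the assessment

@dataclass
class Project:
    pid: str
    unit: str
    stage: int
    budget_keur: int
    technology_notes: str
    confidential: bool = False      # set by the restricted-technology assessment
    members: set = field(default_factory=set)

def can_view_project(user, project):
    if project.confidential:
        # Organizational and corporate-level rights do not apply here:
        # only team members and the assessing legal staff get in.
        return user.name in project.members or user.legal_assessor
    return user.corporate_access or user.unit == project.unit

def general_view(projects):
    # Numerical and Stage-Gate progress data only; available to all.
    return [{"id": p.pid, "stage": p.stage, "budget_keur": p.budget_keur}
            for p in projects]

def restricted_view(user, projects):
    # Descriptive text is included only for projects the user may open.
    return [{"id": p.pid, "stage": p.stage, "technology_notes": p.technology_notes}
            for p in projects if can_view_project(user, p)]

# Constructed sample data (hypothetical names and values)
PROJECTS = [
    Project("P-001", "Coatings", 2, 400, "water-based primer"),
    Project("P-002", "Coatings", 3, 900, "dual-use precursor chemistry",
            confidential=True, members={"alice"}),
]
ALICE = User("alice", "Coatings")
BOB = User("bob", "Coatings")                       # same unit, not on the team
CFO = User("carol", "Finance", corporate_access=True)
LEGAL = User("dave", "Legal", legal_assessor=True)

if __name__ == "__main__":
    for u in (ALICE, BOB, CFO, LEGAL):
        print(u.name, [r["id"] for r in restricted_view(u, PROJECTS)])
```

The database administrators mentioned above sit outside this check entirely, which is why the article calls for screening them separately.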

In my experience these strategies have enabled our clients to control access to restricted data.

Frank van Ruyssevelt is a Business Consultant located in the Netherlands. He has more than 12 years' experience with Sopheon within the context of international businesses, particularly in Europe and the Middle East. He has developed and implemented innovation business process solutions for ideation, process support and portfolio management, particularly in the chemical and food sectors.

April 30th, 2013