Accreditation risk

A recent case involved a software firm suing the Government for setting accreditation criteria that allegedly put it out of business.

In Integrated Education Software Limited v Attorney General [2012] NZHC 837. The plaintiff company, IES, had provided school management software since the 1980s. By the 2000s, it was one of a number of software providers to New Zealand schools.

Around this time, the Ministry of Education decided to implement interoperability standards for school management software. As the judgment notes:

The overall market was … very fragmented. There were 37 software vendors providing software to the compulsory education market. Most were small. Some were one-man back shed operations. The school software market had grown organically over the decade since 1989 and, although it was almost entirely state-funded, there were no uniform standards or other controls in place to ensure product quality.

… there was also concern within MoE about the variable quality of software packages and after-purchase support. Lack of technical expertise at school management level meant school leaders were often unable to make good choices. Ultimately it was felt that this represented a risk to government in terms of wasted expenditure where software was not up to spec or the vendor company failed.

So the MoE decided to set an accreditation model whereby software packages that met certain requirements would be accredited. A financial incentive would be put in place for schools that used an accredited package.

After some refinement and teething problems with the accreditation criteria, testing was carried in 2005. Seven vendors received accreditation, but IES did not. Users of IES’s software began to migrate to other, accredited vendors.

As a result, IES claimed that the accreditation process had damaged its business:

Although MoE argues that IES was in fact losing clients before the second accreditation round, there can be no doubt that IES’ failure to achieve accreditation did have a significant impact on that company’s fortunes. This occurred at two levels. First, it made it harder for IES to retain existing clients in the face of monetary incentives to change and MoE’s aggressive change campaign. Second, and for the same reasons, it made it more difficult for IES to attract new clients from the pool of 300 schools hunting for a new provider.

IES brought claims against the Government for:

  • Negligence, on the basis that the accreditation process was misconceived and poorly carried out; and
  • Bias / breach of natural justice (s 27 Bill of Rights Act).

Both of these claims (and another) were rejected.

On the negligence claim, the Court found that MoE’s adoption of an accreditation model was a policy matter, in which Courts are traditionally reluctant to intervene:

 The means by which the government is to fund the provision of SMS services to schools so as to ensure proper interoperability and appropriate standards in an era of widespread computer usage is a policy matter… These are questions for officials and politicians not Judges.

It also found that the MoE had no duty of care to IES in formulating and carrying out the accreditation process (it is worth noting that the Court suggested that the “proper footing” for a claim of this nature would have been misfeasance in public office), and considered that key facts were not made out.

On the bias claim, IES pointed to evidence it said showed that the MoE’s accreditation criteria favoured another vendor. The Court disagreed, saying there was no evidence to support an allegation of bias.


The case provides an example of regulatory risk for IT vendors, and confirms that the Government has a broad (though not unlimited) ambit to implement standards, accreditation regimes and other policies without judicial interference. It is logical and sensible for a Government agency such as MoE to implement baseline standards (e.g. interoperability requirements) for state-funded schools, and accredit providers meeting the standard to allow schools to make an informed choice. It is unfortunate that IES, for whatever reason, could not or did not get accredited in time (in 2005).

The case does not explain why IES could not alter its software to meet accreditation. Software development is often an expensive and time-consuming process, and many vendors would face financial or resource constraints to significantly update what may be a “legacy” package to meet new requirements (which they may consider to be flawed or inapplicable).

But if IES had been able to update its software before or during the accreditation process (over a period of some months and years), presumably it could have reduced it alleged losses. Whether this could have been alleviated by a different contracting model or business model is unknown.

Open source in government tenders

Computerworld reports:

A requirement that a component of a government IT tender be open-source has sparked debate on whether such a specification is appropriate.

The relevant part of the RFP (for the State Services Commission) puts the requirement as follows:

We are looking for an Open Source solution. By Open Source we mean:

  • Produce standards-compliant output;
  • Be documented and maintainable into the future by suitable developers;
  • Be vendor-independent, able to be migrated if needed;
  • Contain full source code. The right to review and modify this as needed shall be available to the SSC and its appointed contractors.

The controversy is whether this is a mandate of open source licensing (which it isn’t). The government should not mandate open source licensing or proprietary licensing on commercial-line tenders. More precisely, it should not rule solutions in or out based on whether they are offered (to others) under an open source licence. The best options should be on the table.

The four stated requirements are quite sensible. As the SSC spokesman said, there is nothing particularly unusual about them in government procurement. These requirements (or variations on them) are similarly common in private-sector procurement and development contracts. In the public sector in particular though, vendor independence and standards-compliance help avoid farcical situations like the renegotiation of the Ministry of Health’s bulk licensing deal.

Open standards and interoperability in public sector procurement is gaining traction around the world. Recently, the European Union called for “the introduction of open standards and interoperability in government procurement of IT”. And in the recent UK election, all three of the main parties included open source procurement in their manifestos.

So why the controversy in this case? Most likely it’s the perhaps inapt use of the term “open source” in the RFP (even though the intended meaning is clarified immediately afterwards). The term “open source” is a hot-button word that means many things to many people, but today it generally means having code licensed under a recognised open source licence, many of which are copyleft. Many vendors simply could not (or would never want to) licence their code under such a licence, and it would be uncommercial and somewhat capricious for a Government tender to rule out some (or even the majority of) candidates based on such criteria.

However, it is clear that the SSC did not use the term in that context, and does not intend to impose such a requirement. An appropriate source-available licence is as capable of meeting the requirements as an open source licence (see my post on source available vs open source). The requirement for disclosure of code to contractors and future modification can be simply dealt with on standard commercial IP licensing terms.

A level playing field for open and proprietary solutions is the essential starting point, with evaluation – which in most cases should include open standards and interoperability – proceeding from there.

Tech law update 22 April 2010

IT industry supports ban on software patents

InternetNZ, the New Zealand Computer Society and the New Zealand Open Source Society issued press releases yesterday in support of the ban on software patents:

The Labour Party also issued a press release supporting the decision and Minister Simon Power’s earlier endorsement:

Meanwhile law firm Chapman Tripp issued a press release criticising the decision:

Privacy Commissioner slams Google’s “experiment”

New Zealand’s Privacy Commissioner, Marie Shroff, has criticised Google Buzz as being a “commercial experimentation on New Zealanders and other internet users, involving the release of significant personal information”:

[Google’s actions] violated the fundamental, globally accepted principle that people should be able to control the use of their personal information.

The comments follow Ms Shroff’s signing of a joint letter to Google, stating:

It is unacceptable to roll out a product that unilaterally renders personal information public, with the intention of repairing problems later as they arise. Privacy cannot be sidelined in the rush to introduce new technologies to online audiences around the world.

These comments, including constructive requests that organisaions collects and process “only the minimum amount of personal information necessary” and create “privacy-protective default settings”, are admirable. Ms Shroff does a great job in standing up for New Zealanders’ privacy rights.

The difficulty, as I have written previously, is that people happily trade privacy for functionality. Millions of people willingly pour personal information into different websites every day. To what extent can Google be criticised for finding new, creative uses of information it has been willingly given, in accordance with terms agreed to by users? And to what extent is it necessary or right for governments to intervene?

Open standards in Government procurement

Earlier this year I commented that “the Government must properly mandate open standards and multi-vendor capable solutions for future state-sector IT procurement”.

European Union ministers have now called for “the introduction of open standards and interoperability in government procurement of IT”. This comes as part of an ongoing development of procurement frameworks.

The report states that some groups claim the proposal has been “so watered down due to intense lobbying by the proprietary software makers, to such an extent that the document will have no impact on the market”. Other industry groups have praised the proposals as “well balanced”.

Tech Law news 6 April 2010

Don’t forget the domain names

Securing key domain names likely to be associated with a venture is business-101. Unfortunately for Tourism Australia, they launched their new “Nothing like Australia” campaign without registering, which has now been setup as a spoof site. They are now investigating legal action against the site for alleged misuse of a trade mark.

This raises the question of whether parody is a defense to trade mark infringement (for a local situation, see here). In New Zealand, there is no specific parody defence in the Trade Marks Act 2002, although a trade mark must generally be used “in the course of trade” for infringement to occur. A 2007 case, Solid Energy New Zealand Ltd v Mountier raised the question of whether use of a trade mark was use “in trade”. It found that the parody was not “in trade” for the purposes of the Fair Trading Act 1986, but did not reach a conclusion on the trade mark aspect. It also found that the trade mark owner had an arguable case for “exclusive use” of the trade mark, which (assuming a broad application what is “use”) would seem to prevent a parody defence. Whether or not the Bill of Rights Act 1990 (section 14) would override that is yet to be seen.

Cost of world-wide advertising campaign: AUD$150 million. Cost of not registering obvious domain names: $19.95. Parody site: priceless.

Gene patent ruled invalid

For the first time in the US, a judge has ruled that a human gene patent was invalid. This casts doubt on the validity in general of gene patenting in the US, the key market for biotechnology.

New Zealand’s in-progress Patents Bill (reported back from select committee last week) does not expressly exclude gene patents. It does exclude patents contrary to morality, which cover some biotechnology applications. However it does add a requirement for “usefulness”, which will prevent gene-related patents from being granted when no specific use has been discovered or disclosed (as has happened previously). But the value of a gene patent in a particular market is of questionable value, if it cannot be patented in key worldwide markets. The US case (which is sure to be appealed) is therefore of major importance to the biotechnology industry worldwide.

Online health records coming to New Zealand

2014 has been set as the target date for an online national health records system in New Zealand. Meanwhile, ISO (the International Standards Organisation) recently released new standards on electronic health records. From the press release:

Together, the two documents provide a powerful comprehensive solution to address e-health data integrity, including ethical and legal concerns, privacy protection, regulations concerning access and disclosing of records among other needs specific to the industry.

It will be interesting to see if the New Zealand programme achieves ISO compliance from the outset. The Privacy Act 1993 requires that reasonable safeguards be used to protect personal information, and in the case of service providers, that “everything reasonably within the power of the agency is done to prevent unauthorised use or unauthorised disclosure of the information”. It would be difficult to argue that failure to acheive “reasonable compliance” with an ISO standard (representing best, or at least good, practice) meets that standard.