John Farrell, a partner at Kennedys Law, and solicitor Punam Metha, look at the data security responsibilities implicit in the Information Manager’s role – and additional obligations coming down the line.
BIM, by its nature, relies on the exchange of electronic documents and data. The new role of BIM Information Manager or Coordinator is envisaged to manage this information exchange process. This article considers the potential scope of responsibility and risk of liability faced by such an Information Manager, including potential obligations arising from upcoming EU regulations.
The BIM objective is to have a fully integrated, collaborative process with models shared between the project team on a BIM hub, which is defined in the British Standard 1192:2007 as a “single-source of information for any given project, used to collect, manage and disseminate all relevant approved project documents”. As such, online platforms will increasingly play a critical role in successful BIM collaboration as they allow data from many different programmes to be shared across different organisations.
The construction industry is becoming alive to the risk of cyber attacks on such an online platform and the importance of a robust security system to protect data integrity and the project as a whole. There isn’t, however, clarity on who would be responsible for a data breach on a BIM project, particularly if many parties (such as the employer, contractors, consultants) are feeding into the BIM hub and if it is difficult to pinpoint exactly how a system has been breached.
Project management
The BIM protocol and the PAS 1192-2 specification provide for a BIM Information Manager. It is expected that this role may form part of a wider set of duties under an existing appointment and is likely to be performed either by the design lead or the project lead, which could be a consultant or contractor at different stages of the project.
In some circumstances, the employer in a construction project may appoint a standalone Information Manager (such as a third party contractor), which may become a more common approach in the future. This could involve specific companies providing information management services on BIM projects, rather than an individual(s) appointed by, or working for, the employer. As such, the scope of services required by an Information Manager will need to be clearly defined in the appointment of the party undertaking the role.
The Construction Industry Council (CIC), supported by the BIM Task Group, has prepared guidance notes on the scope of services required of an Information Manager, and their responsibilities, on broad terms, can be summarised as follows:
- Managing the processes and procedures for information exchange on projects;
- Initiating and implementing the project information plan and asset information plan (to be agreed by the parties involved in the BIM project);
- Assisting in the preparation of project outputs, such as data drops (the BIM definition for submission of information and exchange);
- Implementation of the BIM protocol, including the updating of the model production and delivery plan.
The initial responsibility for the appointment of the Information Manager lies with the employer, who must ensure that there is an Information Manager appointed (whether by the employer or another party) at all times until completion of the project, save to the extent the responsibility is that of another project team member appointed by the employer.
Is the Information Manager responsible for data?
It is the responsibility of the Information Manager to agree and issue Information Requirements (IR) before agreements between the employer and the project team are concluded. The IR define:
- How the model for the project must be developed (including which software versions will be used, and how the model will be coded);
- The common data environment;
- How files and layers will be organised;
- The coordination system that will be used;
- The spatial coordination and data drop requirements;
- Archiving procedures, security requirements and access rights procedures.
The above is not an exhaustive list, and is merely a framework for general information requirements (provided by Appendix 2 of the BIM protocol). It is apparent, however, that the Information Manager will have responsibility related to how the project information will be hosted, stored, operated and accessed – all of which are functions that are susceptible to a data breach.
Read related articles
PAS 1192-5 draft published: Can we collaborate on cyber security?
New cyber security guidance for BIM and built assets published
BIM bytes: Security of data under BS 1192-4:2014
So the Information Manager’s role involves establishing a Common Data Environment (CDE), setting up the software required for the information model, maintaining its integrity and, most critically, security standards. If a data breach occurs, questions relating to any breach of duty on the part of an Information Manager are inevitable.
As far as the other parties will be concerned, they will collaborate, exchange information and feed into the common data environment and it would be for the Information Manager who ensures that the data is managed properly (kept on a secure system and backed up, for example) and adequately protected from cyber threats such as malware of phishing attacks.
From a contractual perspective, it would be advisable for employers to take advice when appointing an Information Manager to ensure that they are protected against any legal action from other project parties or third parties. If an Information Manager is an independent contractor, they may have clauses that limit their liability, and/or transfer it to another company. It is therefore important to ensure that the appropriate collateral warranties are in place.
Personal data
Commercial data is likely to be of primary concern to those involved on a BIM project, and as such, they should be managed through clearly drafted contracts, risk analysis and security measures within a BIM project. However, along with project data, there will inevitably be the collection, processing and use of a degree of personal data, for example information on employees, their job roles, and locations. In the event that personal data is leaked as a result of a cyber breach, a BIM project may find itself answerable to data protection regulation.
The General Data Protection Regulation is on track to be adopted next month, meaning that it could take effect in 2017. If it is implemented as planned, BIM projects in the EU could be subject to audits and fines (of up to 2% of the turnover) if personal data is compromised.
The forthcoming EU Regulation will require companies to appoint an independent data protection officer (DPO), a form of compliance officer proficient at managing IT processes and data security who would act as a liaison with regulators and data owners. A BIM project may not require an independent DPO, but an employer should consider appointing someone in their organisation to carry out such a role if a particular project is likely to contain sufficient personal data.
The duties required of a DPO may form part of the appointment for an Information Manager as there is some overlap between the roles: both are independent, or carried out by external parties, and both require IT and data security proficiency.
However, there may be a conflict of roles in the sense that a DPO is required to notify the regulator in the event there is a data breach, when in fact the data breach may have occurred as a result of an Information Manager’s breach of duty. Whether an Information Manager would want to take on a dual role, and hold themselves accountable, is another question and one that may be answered more clearly in 2017.
Conclusion
Information Managers may be liable for more risks on a BIM project than they are aware. In particular, if they are involved in hosting a common data environment, and controlling or processing personal data, they should seek advice on how best to protect themselves and put in place contractual obligations on any third parties they instruct to process data.
Employers should also protect themselves in respect of any ancillary risks and consider appointing a standalone Information Manager rather than “adding on” additional duties to an existing appointment by a design lead or project lead – this will assist with achieving clarity on contractual rights and responsibilities.
With this in mind, an independent company providing information management services may try to limit their liability. Therefore, employers and insurers writing such risks are advised to evaluate the contractual structures in place, for example checking that all contracts are back to back.
The responsibilities of an Information Manager must also be clearly set out in their appointment to avoid any confusion in the event of a breach.
