Privacy and the private sector

Duncan Card is a partner at Appleby who specialises in IT and outsourcing contracts, privacy law and cybersecurity compliance in Bermuda (Photograph supplied)

Bermuda’s Personal Information Protection Act 2016, which comes into full force on January 1, 2025, includes an important compliance obligation that the public sector is far more familiar with than the private sector.

Pipa requires all organisations, in both the public and private sectors, to act reasonably in meeting their responsibilities under the Act, as well as to ensure that they use personal information in a lawful and fair manner.

The lawful part is nothing new, and the obligation to act reasonably is pervasive across statutory and contractual obligations.

However, a duty to act fairly is usually associated with public sector conduct and administrative procedure, and is comparatively new legal territory for the private sector.

Pipa is flexibly structured to impose greater duties of care and protection where there is a greater risk of harm to the individual should their personal information be wrongfully used or disclosed. Therefore, organisations have a very wide ambit of discretion and judgment along that continuum of compliance.

The conduct that a duty of fairness may require for private sector organisations under Pipa has been addressed by the Privacy Commissioner, who has published helpful guidance.

The fairness principles that the Privacy Commissioner advanced include conduct: that handles personal information in ways that individuals would reasonably expect; that does not deceive or mislead individuals; that takes into account the interests of those affected by such decisions; and that facilitates the exercise of individual privacy rights.

That guidance very closely echoes that of Britain’s Information Commissioner’s Office, which is that jurisdiction’s independent body mandated to uphold information rights.

Their version of Pipa — the UK General Data Protection Regulation, which is not part of Bermuda’s privacy law — contains a similar duty of fair conduct.

The Bermuda ICO’s guidance asserts that the duty of fairness also extends to treating “… individuals fairly when they seek to exercise their rights over their data. This ties in with your obligation to facilitate the exercise of individuals’ rights”.

However, as helpful as that non-binding guidance is, a duty of fair conduct in the context of Bermuda’s imminent privacy law may also go farther.

At common law, compliance with a duty of fairness also suggests that decisions affecting others should: not be undertaken with malice or in bad faith; be in accordance with a transparent process that is followed in all situations without favouritism, bias or unequal treatment; and, avoid arbitrary decisions towards those affected.

There is no question that Pipa’s imposed duty of fairness will require the private sector to carefully consider the management and administrative measures and policies that Pipa requires all users of personal information in Bermuda to formulate and adopt by January 1, 2025.

• Duncan Card is a partner at Appleby who specialises in IT and outsourcing contracts, privacy law and cybersecurity compliance in Bermuda. A copy of this column can be obtained on the Appleby website at www.applebyglobal.com. This column should not be used as a substitute for professional legal advice. Before proceeding with any matters discussed here, persons are advised to consult a lawyer.

Published October 12, 2023 at 7:57 am (Updated October 12, 2023 at 7:36 am)
