PIPA requires all organisations, in both the public and private sectors, to act reasonably in meeting their responsibilities under the Act, as well as ensure that they use personal information in a lawful and fair manner.
The lawful part is nothing new, and the obligation to act reasonably is pervasive across statutory and contractual obligations.
However, a duty to act fairly is usually associated with public sector conduct and administrative procedure, and is comparatively new legal territory for the private sector.
Pipa is flexibly structured to impose greater duties of care and protection where there is a greater risk of harm to the individual should their personal information be wrongfully used or disclosed. Therefore, organisations have a very wide ambit of discretion and judgment along that continuum of compliance.
The conduct that a duty of fairness may require for private sector organisations under PIPA has been addressed by the Privacy Commissioner, who has published helpful guidance.
The fairness principles that the Privacy Commissioner advanced includes conduct: to handle personal information in ways that individuals would reasonably expect; to not deceive or mislead individuals; that takes into account the interests of those affected by such decisions; and, in a manner that facilitates the exercise of individual privacy rights.
That guidance very closely echoes Britain’s Information Commissioner’s Office, which is that jurisdiction’s independent body mandated to uphold information rights.
Their version of Pipa — the UK General Data Protection Regulation, which is not part of Bermuda’s privacy law — contains a similar duty of fair conduct.
The Bermuda ICO’s guidance asserts that the duty of fairness also extends to treating “… individuals fairly when they seek to exercise their rights over their data. This ties in with your obligation to facilitate the exercise of individuals’ rights”.
However, as helpful as that non-binding guidance is, a duty of fair conduct in the context of Bermuda’s imminent privacy law may also go farther.
At common law, compliance with a duty of fairness also suggests that decisions affecting others should: not be undertaken with malice or in bad faith; be in accordance with a transparent process that is followed in all situations without favouritism, bias or unequal treatment; and, avoid arbitrary decisions towards those affected.
There is no question that PIPA’s imposed duty of fairness will require the private sector to carefully consider the management and administrative measures and policies that PIPA requires all users of personal information in Bermuda to formulate and adopt by January 1, 2025.
First Published in The Royal Gazette, Legally Speaking column, October 2023