It is all about the data

Published: 9 May 2024
Type: Insight

All successful enterprises have a voracious appetite for data. The advanced abilities of IT systems — including artificial intelligence, big data solutions and cloud computing — are all fuelling the race to secure competitive advantages through data analytics.

Whether improving hospital patient outcomes, transforming government services, improving retail customer experiences, or better assessing insurance risk and pricing models, there is one common factor — they all require tremendous amounts of data, much of it comprised of personal information.

Although data used to be like air — free and unencumbered for all to access and consume — those days are long gone. Feeding the analytics beast, whether with raw or configured data, requires significant legal consideration.

For decades before the advent of privacy law, the creation, collection, ownership and the rights to use another person’s business information, including personal information, was legally protected in many different ways.

Business data may be proprietary to the person who provided or created it, or it may constitute commercial or personal information that is protected by the common law principles of confidentiality that originally took shape in Britain in the late 1960s.

Other information might be rigorously protected because of its connection to intellectual property, such as trade secrets, data analytic methodologies that are not otherwise patentable, knowhow, and even residual knowledge in the minds of employees.

The use of data might also be restricted because it was disclosed in the context of a fiduciary relationship, such as with trustees, corporate directors, partners or agents.

Certain other information may be expressly protected from restricted or unauthorised use by statute in various jurisdictions, such as hospital patient records or information that is used by industry regulators or tax authorities.

In addition to those data use restrictions, Bermuda’s new privacy law, the Personal Information Protection Act 2016, will add a new and powerful dimension to the legal considerations that are needed when accessing or using personal information in either a commercial or public sector context when it comes into force on January 1, 2025.

Traditionally, those rights have been managed by contractual terms and conditions that are implemented at the very source of data creation or disclosure, including agreements, consents, waivers and permissive use licences.

Today, the upstream users of data generally seek the representations, warranties and indemnities from the original collectors or creators of the data to ensure that their subsequent use of that data will not breach the rights of any third parties.

However, for data that is subject to Pipa, contractual solutions alone will not cure all aspects of data collection and use because the privacy rights of an individual concerning their personal information under Pipa will apply regardless of any agreement to the contrary, and any attempted waiver or release of an individual’s rights, benefits or protections under Pipa will be void.

Obviously, any existing contractual strategies to manage the legal risks of data collection and use may have to be reconsidered in the light of Pipa. Data collection agreements, licence use rights, representations, warranties, consents and waivers may now require a few revisions before that data is subsequently fed along any chain of third-party use.

Where personal information is initially provided for one reason and in a specific originating context, but will ultimately be required for other upstream purposes, all users of that personal information — some of whom may be many steps removed from the granting individuals — will need to tread carefully.

They must ensure that such upstream uses of that personal information will comply with all related law, including Pipa and all downstream contractual rights and consents, as well as ensuring that such use will not offend any other rights that individuals may have to protect their information privacy, property or confidentiality.

The initial collectors of data, especially where it includes personal information, would be wise to ensure that they have secured the rights that will legally permit all of the intended upstream uses of that data so that it complies with all data protection laws, including Pipa.

First Published in The Royal Gazette, Legally Speaking column, May 2024

Share
More publications
050-Insolvency-Restructuring-Grid-Image
13 Jul 2026

Bermuda: Restructuring & Insolvency

This country-specific Q&A provides an overview of Restructuring & Insolvency laws and regulations applicable in Bermuda.

Appleby-Website-Regulatory-Practice
10 Jul 2026

It’s healthy to sometimes disagree with regulators

At some point, almost every regulated business will disagree with its regulator.

Appleby-Website-Privacy-and-Data-Protection
8 Jul 2026

Bermuda Privacy Commissioner Signals Shift to Stronger PIPA Enforcement

The Office of the Privacy Commissioner (PrivCom) has issued its first annual report since Bermuda's Personal Information Protection Act 2016 (PIPA) came fully into force, with the reports content signaling a transition from education and implementation to a stronger focus on enforcement.

Bermuda-1024x576-1
1 Jul 2026

A Forest for the Future

A first since the blight, the airport cedar forest is growing tall and standing strong.

Appleby-Website-Regulatory-Practice
1 Jul 2026

Complied out of business

Firms are complying themselves out of business because compliance no longer matches the evolving sophistication of the Bermuda Monetary Authority (BMA).

Appleby-Website-Insurance-and-Reinsurance
1 Jul 2026

The long game: how Bermuda became the world’s life reinsurance capital

Ask a life insurer in New York, London or Tokyo where the liabilities behind their book ultimately sit and there is an increasingly good chance the answer is a 21-square-mile island in the North Atlantic.

Appleby-Website-Insurance-and-Reinsurance
1 Jul 2026

Record H1’26 Cat Bond Issuance Driven by Rising Sponsor Comfort and Diversified Risk

With H1 2026 officially breaking the record for the most catastrophe bond deals to come to market and settle in the first six months of the year, a key trend driving this momentum is how comfortable sponsors have become with the mechanics of the overall cat bond space. This familiarity has ultimately encouraged a wave of new sponsors to enter the market, according to Brad Adderley, Managing Partner at law firm Appleby.

Appleby-Website-Employment-and-Immigration
12 Jun 2026

The Cost of Getting Employee Departures Wrong: Five Common Pitfalls for Bermuda Employers

Employee departures are an inevitable part of running a business, but the way they are managed can have significant legal, financial and operational consequences. In Bermuda, employers who approach terminations without adequate preparation may expose themselves to unnecessary disputes, regulatory issues, and reputational harm. Whether an employee is being dismissed for performance reasons, made redundant or departing as part of a negotiated exit, by recognizing the following common mistakes and taking a proactive approach, organizations can manage departures more effectively and reduce risk.

Appleby-Website-Privacy-and-Data-Protection
8 Jun 2026

It’s time to bridge Pipa compliance gap

A review of 200 publicly available privacy notices of companies in Bermuda has revealed that just one in nine are fully compliant with the Personal Information Protection Act 2016.

Appleby-Website-Privacy-and-Data-Protection
26 May 2026

Transparency is a legal requirement under Pipa

Major companies across the European Union have faced substantial fines between 2019 and 2024, estimated at a total of €930 million (about $1.08 billion), not only for cyberattacks or data breaches, but also for issues such as noncompliant privacy notices. A common theme in many cases has been a lack of transparency.