Whether delivered as cloud services, back-office outsourcing, software (or data) “as a service” transactions, or simply as affiliated company shared-service arrangements, the IT service contracts that are used for those transactions will soon become the subject of onerous legal compliance and regulatory scrutiny.

When Bermuda’s privacy laws — the Personal Information Protection Act 2016 — are brought into full force, the provisions of PIPA concerning the domestic and overseas use of personal information will trigger an array of regulatory restrictions and requirements.

They will include security safeguard requirements, proportional standards of protection and numerous requirements concerning the provision of personal information for use by third-party service providers, domestic and overseas.

Therefore, as a matter of governance and risk management, Bermuda organisations will be forced to re-evaluate and assess all their existing and prospective IT and outsourcing service contracts from that new and onerous regulatory perspective.

PIPA is clear in its assertion that although Bermuda organisations can delegate the processing of data that contains personal information to third-party service providers, they cannot delegate to others their unmitigated and direct responsibility to fully comply with the Act’s personal information use, security and protection duties and obligations.

For example, even though the Act permits the privacy commissioner to formally recognise that the country of an overseas service provider (eg, cloud or other IT services) has privacy laws that are comparable to PIPA , such a declaration will not release a Bermuda organisation from continuing to own all the responsibility, liability and related obligations to fully comply with its Pipa obligations.

Obviously the situation that IT executives, in-house counsel and compliance managers want to avoid is having their organisation caught in the middle between its upstream PIPA regulatory requirements and any downstream IT service arrangements that will not satisfy those PIPA obligations.

In the event that an IT service provider does not perform such contractually required PIPA obligations, only the Bermuda organisation will be held financially liable to compensate injured individuals, will be answerable to the Privacy Commission, and will be exposed to reputational harm — which could be especially damaging if a breach concerns “sensitive personal information”, as defined in the Act.

Therefore, the most efficient risk-management, commercial and legal way for a Bermuda organisation to manage those regulatory obligations and potential liability is by ensuring that its PIPA obligations are stipulated as performance obligations in the relevant service contract.

By ensuring that all of its material PIPA compliance obligations are flowed down to its IT service providers in a well-drafted and robust IT service contract, IT service providers thereby become partners in assisting their Bermuda customer to comply with its legal and regulatory obligations.

Only well-drafted contractual privacy provisions that are part of the outsourced service specifications, including clear PIPA compliance covenants, representations, warranties and indemnities, can commercially and legally transfer any of the risk and liability that the Bermuda organisation may suffer for the mistakes and failures of its IT service providers — whether as an arm’s-length or an affiliated IT service provider.

A circumstance that causes a Bermuda organisation to suffer unmitigated liability, regulatory intervention and reputational loss because it failed to contractually protect itself from the failures of its IT service providers may also constitute a failure of regulatory compliance management, a failure to exercise normative risk management practices and a failure of prudent corporate governance.

Now is the time to review your IT outsourcing services arrangements in light of the pending PIPA.

Share
Twitter LinkedIn Email Save as PDF
More Publications
23 Mar 2023

Digital Assets in Bermuda – Unpacking the Proportionality Principle

A digital asset business wishing to obtain a licence under the Digital Asset Business Act 2018 will ...

Contributors: Karim Creary
10 Mar 2023

Bermuda Companies with Outsourced Services Should Review Contracts

It could be the influence of the Bermuda Triangle, but the convergence of several different circumst...

27 Feb 2023

Bermuda Businesses: Are You Ready to Comply with Our New Privacy Rules?

There have been recent indications from the Bermuda Government that Bermuda’s Personal Information...

24 Feb 2023

Home Transfers Within a Family Still Incur Taxes in Bermuda

Any home sale or transfer either by a live person or by inheritance typically attracts stamp duty.

20 Feb 2023

Bermuda: An Introduction to Dispute Resolution

This edition discusses Current Economic Conditions. 

Contributors: Khiyara Krige, James Batten
8 Feb 2023

Bermuda's Personal Information Protection Act - Are You Ready?

There have been recent indications from the Bermuda Government that Bermuda’s Personal Information...

1 Feb 2023

Starting a captive in Bermuda? What you need to know.

Bermuda has seen a steady increase in new captives being formed as well as new structures, risks and...

1 Feb 2023

Fund Finance Laws and Regulations 2023 – Bermuda

Bermuda is a major centre in the international offshore investment fund industry, with more than USD...

Contributors: Arielle DeSilva
25 Jan 2023

Chambers Insurance & Reinsurance Guide 2023: Bermuda

This guide provides the latest information on sources of insurance and reinsurance law, overseas-bas...

23 Jan 2023

Sponsored Dependants; How and Where Can They Work?

If a person arrives on the island under a work permit with their spouse or partner who is a sponsore...