To print this article, all you need is to be registered or login on Mondaq.com.
Increasingly, businesses in Bermuda rely on the IT and
data-processing services of both domestic and overseas providers.
The collection and use of personal information is a ubiquitous
aspect of those services.
Whether delivered as cloud services, back-office outsourcing,
software (or data) “as a service” transactions, or
simply as affiliated company shared-service arrangements, the IT
service contracts that are used for those transactions will soon
become the subject of onerous legal compliance and regulatory
When Bermuda’s privacy laws — the Personal
Information Protection Act 2016 — are brought into full
force, the provisions of PIPA concerning the domestic and overseas
use of personal information will trigger an array of regulatory
restrictions and requirements.
They will include security safeguard requirements, proportional
standards of protection and numerous requirements concerning the
provision of personal information for use by third-party service
providers, domestic and overseas.
Therefore, as a matter of governance and risk management,
Bermuda organisations will be forced to re-evaluate and assess all
their existing and prospective IT and outsourcing service contracts
from that new and onerous regulatory perspective.
PIPA is clear in its assertion that although Bermuda
organisations can delegate the processing of data that contains
personal information to third-party service providers, they cannot
delegate to others their unmitigated and direct responsibility to
fully comply with the Act’s personal information use,
security and protection duties and obligations.
For example, even though the Act permits the privacy
commissioner to formally recognise that the country of an overseas
service provider (eg, cloud or other IT services) has privacy laws
that are comparable to PIPA , such a declaration will not release a
Bermuda organisation from continuing to own all the responsibility,
liability and related obligations to fully comply with its Pipa
Obviously the situation that IT executives, in-house counsel and
compliance managers want to avoid is having their organisation
caught in the middle between its upstream PIPA regulatory
requirements and any downstream IT service arrangements that will
not satisfy those PIPA obligations.
In the event that an IT service provider does not perform such
contractually required PIPA obligations, only the Bermuda
organisation will be held financially liable to compensate injured
individuals, will be answerable to the Privacy Commission, and will
be exposed to reputational harm — which could be especially
damaging if a breach concerns “sensitive personal
information”, as defined in the Act.
Therefore, the most efficient risk-management, commercial and
legal way for a Bermuda organisation to manage those regulatory
obligations and potential liability is by ensuring that its PIPA
obligations are stipulated as performance obligations in the
relevant service contract.
By ensuring that all of its material PIPA compliance obligations
are flowed down to its IT service providers in a well-drafted and
robust IT service contract, IT service providers thereby become
partners in assisting their Bermuda customer to comply with its
legal and regulatory obligations.
Only well-drafted contractual privacy provisions that are part
of the outsourced service specifications, including clear PIPA
compliance covenants, representations, warranties and indemnities,
can commercially and legally transfer any of the risk and liability
that the Bermuda organisation may suffer for the mistakes and
failures of its IT service providers — whether as an
arm’s-length or an affiliated IT service provider.
A circumstance that causes a Bermuda organisation to suffer
unmitigated liability, regulatory intervention and reputational
loss because it failed to contractually protect itself from the
failures of its IT service providers may also constitute a failure
of regulatory compliance management, a failure to exercise
normative risk management practices and a failure of prudent
Now is the time to review your IT outsourcing services
arrangements in light of the pending PIPA.
First published in The Royal Gazette, Legally Speaking,
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
POPULAR ARTICLES ON: Privacy from Bermuda