IWD2022: Empowerment for Women through Privacy Regulations
To mark International Women's Day 2022's theme of "Break the Bias," this week our office will provide tips and focus on privacy and technology concerns that affect women. Today's post focuses on automated decision-making & profiling.
Meet Susan. She has just applied for a loan online and was denied within minutes of applying. Confused, she contacts the bank and is advised that a decision-making AI is used, not a human being. She wonders if the computer didn’t consider her work experience correctly because of a gap in her resume or a prior position with reduced hours. Susan believes that, had a human being reviewed her application and taken into consideration the changes in her financial journey, she would have been successfully offered the loan.
“Automation” is the term used to describe the wide range of technologies that minimise human intervention in processes. Examples include predetermined decision criteria, subprocess relationships, and self-service checkout machines.
Automated decisions that give women access to opportunities or services can be riddled with conscious or unconscious bias by developers and content contributors. "Decision algorithms" are mathematical equations designed by developers who use mathematical models to make decisions. Automation could be used for deciding on eligibility for bank loans, artificial intelligence could monitor behaviours during job interviews, and college admissions algorithms could make decisions that impact women. Biases by developers or content contributors in any of these technologies can impact those opportunities, and women are at times especially vulnerable to unfair decisions.
There are also privacy risks when organisations engage in profiling. “Profiling” refers to the collection and use of data to evaluate specific aspects or characteristics of an individual. The purpose is to predict the individual’s behaviour and make decisions to affect it. In advertising and marketing, some strategies are designed solely to attract the attention of women and girls. From colour choices to the individuals shown in the advert or product placement, every element is strategically designed to appeal to women who may be looking to shop (or not). This emotional and mental coercion, to unconsciously lure a specific gender to behave in a predicted manner, can be unfair and lead to injustices for women.
Privacy rights, such as protections relating to automated decision-making and profiling, protect women and girls from this type of abuse. Rights against automated decision-making and profiling are not explicitly mentioned in Bermuda’s Personal Information Protection Act (PIPA), but these rights are essentially implied in the wording of the legislation. Organisations must identify the purpose and legal condition under which they use information, such as by requesting an individual’s consent – and in order to get that consent, the organisation would have to explain its profiling or automated decision-making processes. In addition, PIPA often restricts the use of personal information to when it is “necessary” to accomplish a purpose, and often automated decision-making or profiling may not be strictly necessary.
Because PIPA protects individuals’ rights, organisations that use automation or other modern technologies to simplify processes and make decisions that affect individuals must take steps to ensure fairness, transparency, and compliance with PIPA and other relevant data privacy, human rights, or other regulations.
If you are concerned about unfair uses of personal information, PrivCom can be a great support. Through advice and guidance, the Office of the Privacy Commissioner for Bermuda assists individuals with understanding privacy rights and registering complaints. We offer practical guidance for organisations with data protection, privacy, and security best practices, and creative solutions for unique privacy challenges.
To reach out to the Office of the Privacy Commissioner, please visit our Contact Us page.
Rights and responsibilities relating to data privacy are set out in the Personal Information Protection Act 2016 (PIPA). Bermuda's PIPA received Royal Assent on 27 July 2016. Sections relating to the appointment of the Privacy Commissioner were enacted on 2 December 2016, including the creation of the Office as well as those duties and powers relevant to its operation in the period leading up to the implementation of the whole Act. The Commissioner works to facilitate the advancement of consequential amendments to other Acts in order to harmonise them with PIPA.
The Office of the Privacy Commissioner for Bermuda (PrivCom) is an independent supervisory authority established in accordance with the Personal Information Protection Act 2016 (PIPA).
The mandate of the Privacy Commissioner is to regulate the use of personal information by organisations in a manner which recognises both the need to protect the rights of individuals in relation to their personal information and the need for organisations to use personal information for legitimate purposes, among other duties.
The Privacy Commissioner's powers and responsibilities include monitoring the processing of personal information by both private- and public-sector organisations, investigating compliance with PIPA, issuing guidance and recommendations, liaising with other enforcement agencies, and advising on policies and legislation that affect privacy. PrivCom also works to raise awareness and educate the public about privacy risks, and to protect people’s rights and freedoms when their personal data is used. The general powers of the Privacy Commissioner are outlined in Article 29 of PIPA.
Alexander White (Privacy Commissioner) was appointed by His Excellency the Governor, after consultation with the Premier and Opposition Leader, to take office on 20 January 2020.
Privacy is the right of an individual to be left alone and in control of information about oneself. In addition to the protections in PIPA, the right to privacy or private life is enshrined in the United Nations' Universal Declaration of Human Rights (Article 12) and the European Convention on Human Rights (Article 8).
"Personal information" or data is a defined term in PIPA that means any information about an identified or identifiable individual. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. "Sensitive personal information" is a defined term in PIPA that includes information relating to such aspects as place of origin, race, colour, sex, sexual life, health, disabilities, religious beliefs, and biometric and genetic information. (Note: This is not a complete list.)
"Use" of personal information is a defined term in PIPA that means "carrying out any operation on personal information, including collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying it."
About International Women's Day: Marked annually on March 8th, International Women's Day (IWD) is a global day celebrating the social, economic, cultural and political achievements of women. The day also marks a call to action for accelerating gender parity. The campaign theme for International Women's Day 2022 is #BreakTheBias. Whether deliberate or unconscious, bias makes it difficult for women to move ahead. Knowing that bias exists isn't enough. Action is needed to level the playing field.