Updated: Dec 1, 2021
In this guidance note, we describe the risks and potential harms to individuals that organisations and privacy officers should consider.
The Personal Information Protection Act (PIPA) speaks about risks and harms in a few different sections. But what do we mean when we talk about "harm" from the use or misuse of personal information?
Organisations should consider the risk of harm to an individual when they are assessing what security safeguards are needed, when they suffer a breach of security, and when they are evaluating whether an offence has been committed.
PIPA section 13, "Security safeguards," contains the following requirements:
(1) An organisation shall protect personal information that it holds with appropriate safeguards against risk, including— (a) loss; (b) unauthorised access, destruction, use, modification or disclosure; or (c) any other misuse. [Emphasis added]
(2) Such safeguards shall be proportional to— (a) the likelihood and severity of the harm threatened by the loss, access or misuse of the personal information; (b) the sensitivity of the personal information (including in particular whether it is sensitive personal information); and (c) the context in which it is held, and shall be subject to periodic review and reassessment. [Emphasis added]
PIPA section 44(3)(g) authorises the Commissioner to order an organisation that has suffered a breach of security "to provide specific information to persons in the event of a breach [of security] which is likely to cause significant harm to individuals." [Emphasis added]
PIPA sections 47(1)(a) and (b) state that a person commits an offence - or, in other words, is breaking the law - if they use, authorise use of, or gain access to personal information "in a manner that is inconsistent with this Act and is likely to cause harm to an individual or individuals." [Emphasis added]
There are many varying formulas that organisations may use to understand or assess business risk or other risks. Various frameworks will operationalise how one should consider harms to individuals - and may use many different terminologies, such as "context," "exposure," "harm," "hazard," "likelihood," "loss," "probability," "risk," "sensitivity," "severity," or another word.
Ultimately, PIPA's provisions contain the flexibility to allow organisations to approach these issues in a variety of ways, so long as the organisation acts in a reasonable manner.
Privacy harms can be abstract and hard to imagine. Further, PIPA is a new law, and the idea of personal information harm is new to Bermuda. This guidance note outlines some of the potential harms if personal information were to be lost, used in an unauthorised way, or otherwise misused.
This list cannot be comprehensive, as technology is constantly evolving and creating new uses for personal information. Organisations are responsible for considering the potential harm, the harm's likelihood and severity, the sensitivity of information, and the particular context in which they use personal information.
If you have questions that are not addressed here, please reach out to our office via our Contact Us page.
Privacy Harms that Organisations Should Consider
An organisation should consider whether personal information that is lost, used in an unauthorised way, or otherwise misused could result in:
Physical harm
Questions to ask: Could the use or misuse of this personal information lead to stalking, harassment, or physical assault? Could the publication of personal information lead to intimidation or threats? Could the use or misuse of personal information promote or enable physical harm?
Examples of personal information: physical or GPS location; address; photograph or description
Financial harm
Questions to ask: Could the use or misuse of this personal information lead to identity theft? Could an individual lose productivity or time resolving any financial issues?
Examples of personal information: Financial account numbers; credit card numbers
Reputational harm
Questions to ask: Could the use or misuse of this personal information harm an individual's image or regard in the community? Could they lose business, employment, or be rejected socially? Could someone be confused about whether this individual is the one making a statement?
Examples of personal information: Romantic or sexual details; medical details; a person's name, image, or likeness
Emotional harm
Questions to ask: Could the use or misuse of this personal information cause emotional distress, such as anger, annoyance, anxiety, embarrassment, fear, frustration, humiliation, or a feeling of violation?
Examples of personal information: Intimate images; physical location; information used in identity theft; health or medical details
Relationship harm
Questions to ask: Could the use or misuse of this personal information harm an individual's relationships or damage their trust?
Examples of personal information: Private communications; information shared in confidence; questions for expert advice; information covered by fiduciary duties
Chilling effect harm
Questions to ask: Could the use or misuse of this personal information inhibit an individual from exercising a right?
Examples of personal information: Political or religious opinions; beliefs; information about associations, including minority groups; medical details
Discrimination harm
Questions to ask: Could the use or misuse of this personal information disadvantage an individual? Could an individual be subject to unequal treatment or harassment? Could a discriminatory pattern be further entrenched for an individual? Does the use or misuse of this personal information result in disproportionate effects on different groups of individuals? Does this personal information in any way affect rights?
Examples of personal information: Details relating to gender, sexual orientation, race or place of origin, or other minority status; directory information such as address if publicised
Thwarted expectations harm
Questions to ask: Could the use or misuse of this personal information be against the individual's reasonable expectations? Would we be breaking promises by using information this way? Violating a contract?
Examples of personal information: Behavioural information; usage information; personal information used in a way the individual did not expect or understand
Loss of control harm
Questions to ask: Could the use or misuse of this personal information cause an individual to lose control of their personal information or choices? Are we retaining the personal information in a way that holds potential for harm? Is there a potential "downstream" use that the individual cannot control? Does the individual want the personal information to be shared the way we are planning? Could this personal information create or increase an individual's vulnerability?
Examples of personal information: Biometric information; information created by the individual
Data quality harm
Questions to ask: Could the use or misuse of this personal information cause harm if it is not accurate, complete, or up-to-date? (Even the harm of having to take time to correct the personal information?)
Examples of personal information: Consumer profiles or reports; address; income or financial details
Lack of informed choice harm
Questions to ask: Could the use or misuse of this personal information in this way prevent an individual from refuting or responding to it, or from asserting their rights?
Examples of personal information: Background checks; credit checks
Disturbance harm
Questions to ask: Could the use or misuse of this personal information disrupt, disturb, or be a nuisance?
Examples of personal information: Phone numbers; email addresses; other contact information
Loss of autonomy harm
Questions to ask: Could the use or misuse of this personal information in this way restrict someone's choices, coerce, trick, or manipulate them? Does using this personal information harmfully distort the individual's decision-making?
Examples of personal information: This harm could apply to many kinds of information, and depends more on how options or choices are presented and the manner in which consent is obtained.
This list is derived in part from the "Typology of Harms" by professors Danielle Keats Citron and Daniel J. Solove.
Another useful way to consider harms is to group them into categories. In a 2017 report on automated decision-making, the Future of Privacy Forum (FPF) identified ways that the use of personal information could lead to differing treatment of individuals or harmful impacts on members of certain communities.
If personal information is misused, the result could be a:
Loss of Opportunity, such as jobs or employment, insurance and benefits, housing access, or educational access;
Economic Loss, such as credit issues, receiving different prices, or receiving only certain advertisements;
Social Detriments, such as being grouped or filtered into bubbles, being stereotyped or treated incorrectly, or subjected to bias; or
Loss of Liberty, such as being placed under surveillance or watch, or being restrained or incarcerated.
FPF's table of harms is below, and the full report is available on the FPF's site.
Organisations can use the frameworks discussed here or develop their own to consider whether individuals will be affected by varying harms.
Our office will continue to develop guidance with examples of practices, and we will work with community groups to develop standards. However, it will be impossible to cover every possible circumstance in advance. For this reason, organisations would be well served to document their due diligence and the factors entering into their reasonable judgements, so that they can demonstrate their accountability.
Organisations must consider the harm to an individual, involving the specific purposes and uses of personal information in their specific context, in order to protect information according to the likelihood or severity of harm.
To reach out to the Office of the Privacy Commissioner, please visit our Contact Us page.
Last Revised: 7 Sept 2021