A Bill entitled Personal Information Protection Act 2016 ("PIPA") was recently passed by the House of Assembly and the Senate and awaits Royal Assent for formal enactment. The PIPA specifically seeks to regulate the use of personal information by organisations in a manner which recognises both the need to protect the rights of individuals in relation to their personal information and the need for organisations to use personal information for legitimate purposes. The PIPA defines an organisation as 'any individual, entity or public authority that uses public information'.
The Government of Bermuda has indicated that PIPA will not be implemented for two years, in order to allow for a fundamental cultural and legal shift in the treatment of personal information in Bermuda. This delay is unsurprising, particularly in light of the new obligations that PIPA will ultimately impose upon every organisation in Bermuda. For example, PIPA mandates that every organisation shall adopt suitable measures and policies to give effect to its obligations and to the rights of individuals set out in PIPA. Such measures and policies shall be designed to take into account the nature, scope, context and purposes of the use of personal information and the risk to individuals from that use. Information protected by PIPA includes any information about an identified or identifiable individual ("Personal Information") and any Personal Information relating to an individual's place of origin, race, colour, national or ethnic origin, sex, sexual orientation, sexual life, marital status, physical or mental disability, physical or mental health, family status, religious beliefs, political opinions, trade union membership, biometric information or genetic information ("Sensitive Personal Information").
Upon the enactment of PIPA, a privacy commissioner shall be appointed by the Governor and will issue guidance and advice to assist organisations in preparing for PIPA's implementation. Measures that organisations will have to adopt include the appointment of a privacy officer, the issuance of a privacy notice and the implementation of appropriate security safeguards to protect personal information. It is important to note that failure to comply with PIPA may result in offences and penalties for organisations and individuals, in addition to an entitlement to compensation for any individual who suffers financial loss or emotional distress arising from the mishandling of their personal data. As to the former, a person who commits a statutory offence is liable on summary conviction, in the case of an individual, to a fine not exceeding $25,000 or to imprisonment not exceeding two years or to both, and on conviction on indictment, in the case of a person other than an individual, to a fine not exceeding $250,000. As to the latter, the amount of compensation for an individual who suffers financial loss or emotional distress is to be determined by the court. In light of the inevitable change to the status quo that the enactment of PIPA will bring, organisations and businesses should prudently prepare to ensure that they are operating in compliance with PIPA.
Prior to its enactment, organisations can (and should) start taking immediate steps to become compliant with PIPA. For example, organisations will require a commitment from management to ensure that a wholesale change in their treatment of personal information reflects their new obligations. Organisations should also begin considering which individual within the organisation is best placed to serve as the requisite privacy officer. Additionally, organisations should start educating and training their employees on the implications of PIPA. Organisations can also begin to adopt policies and procedures relating to information governance in order to become compliant with PIPA prior to its enactment. Undoubtedly, organisations will require legal advice or assistance in preparing for the implementation of PIPA.
PIPA is a monumental development for information rights in Bermuda and should be welcomed both domestically and internationally. However, the legal implications of this human rights development justify organisations seeking to prevent any failure to comply with PIPA particularly in light of the substantial offences and penalties available under PIPA for individuals and organisations.
With the recent introduction of both the Public Access to Information Act 2010 ("PATI") and PIPA, Bermuda has now revolutionised its information rights legal framework. Public authorities and the public alike are still familiarising themselves with the implications of PATI almost six years after PATI received Royal Assent and over a year after PATI became operative. Consequently, risk-averse organisations should 'seize the moment' to heighten their awareness of PIPA, particularly in view of the new offences and penalties for organisations and individuals that fail to comply with their statutory obligations.
This article first appeared in The Royal Gazette on 11th October 2016.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.