Bermuda has appointed its first Privacy Commissioner, a role established under the Personal Information Protection Act 2016 (PIPA). The new commissioner will be tasked with fully implementing the PIPA legislation. Certain sections of PIPA came into force in 2016, and this appointment is an important step in bringing the remaining operative provisions into force. Organisations that have not yet reviewed their obligations under PIPA would be well advised to do so now.
Alexander White, a US lawyer, has been appointed Privacy Commissioner with effect from 20 January 2020. He will be responsible for setting up the Privacy Commissioner's Office, hiring and training staff, undertaking investigations, providing reports and developing public awareness of the rights of individuals and the obligations of organisations under PIPA.
PIPA sets out how organisations, businesses and the Bermuda Government may use personal information. It applies to every individual, entity or public authority that uses personal information in Bermuda, including non-profits. The legislation reflects a set of internationally accepted privacy principles and good business practices for the use of personal information in the digital age.
"Personal information" is defined as any information about an identified or identifiable individual. "Use" is defined very broadly and includes collecting, storing, disclosing, transferring and destroying information.
What obligations does PIPA impose?
PIPA imposes specific obligations on organisations that control the processing of personal information, including:
- Every organisation must adopt suitable measures and policies to give effect to its obligations and to the rights of individuals as set out in PIPA. Organisations must provide individuals with a clear and easily accessible statement about their practices and policies with respect to personal information.
- The measures and policies must be designed to take into account the nature, scope, context and purposes of the use of personal information and the risk to individuals of the use of the personal information.
- Where an organisation engages the services of a third party in connection with the use of personal information, the organisation remains responsible for ensuring compliance with PIPA at all times (with additional requirements where an overseas third party is engaged).
- Every organisation must designate a "privacy officer" for the purposes of compliance with PIPA. The privacy officer will have primary responsibility for communicating with the Privacy Commissioner.
Conditions for using Personal Information
PIPA outlines eight conditions for the use of personal information. An individual's personal information may only be used if one or more of the following conditions are met:
- The personal information is used with the consent of the individual, where the organisation can reasonably demonstrate that the individual has knowingly consented.
- A reasonable person, giving due weight to the sensitivity of the personal information, would consider that the individual would not reasonably be expected to refuse the use of their personal information, and that the use does not prejudice the rights of the individual.
- The use of the personal information is necessary for the performance of a contract to which the individual is a party, or for entering into such a contract.
- The use of the personal information is pursuant to a provision of law that authorises or requires such use.
- The personal information is publicly available and will be used for a purpose that is consistent with the purpose of its public availability.
- The use of the personal information is necessary to respond to an emergency that threatens the life, health or security of an individual or the public.
- The use of the personal information is necessary to perform a task carried out in the public interest or in the exercise of official authority.
- The use of the personal information is necessary in the context of an individual's present, past or potential employment relationship with the organisation.
When reviewing policies and practices for the purposes of compliance with PIPA, it is helpful to keep in mind the following general principles on which the legislation is based:
- An organisation should use personal information in a lawful and fair manner.
- The use must be for specific purposes only and the information should not be used in a manner incompatible with those purposes.
- The personal information is relevant and not excessive for the purposes of use.
- The personal information is accurate, kept up-to-date where necessary, and not kept for longer than is necessary.
- The personal information is held securely.
- Personal information should not be transferred outside Bermuda without adequate checks and safeguards.
"Sensitive Personal Information"
Sensitive personal information, which includes information about an individual's race, health, family status or religious beliefs, is a separate class of personal information and is subject to enhanced protection. Employee data almost always includes this information; organisations should pay particular attention to the appropriate collection, handling and secure storage of this data.
What rights do individuals have under PIPA?
The legislation grants individuals specific rights in relation to their personal information including, subject to specified limitations, the right:
- of access to their own personal information
- of access to their own medical records
- to rectify, block, delete or destroy their own personal information.
Are there any exemptions?
In order to ensure that personal information can be used in appropriate circumstances, PIPA does not apply to certain uses. For example, PIPA does not apply to the use of personal information for personal or domestic purposes, or for artistic, literary or journalistic purposes with a view to publication in the public interest (to protect the right of freedom of expression). It does not apply to the use of business contact information for the purpose of contacting an individual in their capacity as an employee or official of an organisation. PIPA also recognises a number of specific exemptions, such as national security.
Offences and Penalties
PIPA establishes a number of offences and penalties for failure to comply with its requirements, including failure to notify the Privacy Commissioner and the affected individual in the event of a breach. Offences may incur fines of $250,000 for organisations, and $25,000 or imprisonment up to two years for individuals.
How can we help?
Protecting personal data is now business critical, with reputations and criminal liability at stake. Conyers can assist with understanding your obligations under the law and taking the necessary steps to ensure compliance. Conyers will be hosting a seminar on PIPA in early 2020. Please contact your usual Conyers lawyer or one of those listed below if you would like to attend our seminar or have any questions on PIPA.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.