The Personal Information Protection Act (PIPA) in Bermuda has been in effect for some time now, but not all of its provisions have come into force. While the establishment of the Office of the Privacy Commissioner was one of the initial provisions that came into effect, the majority of the operative provisions are still pending. In this article, we will delve into PIPA with the help of Julian Wheddon, Associate Legal Services of Ocorian Law in Bermuda, to understand the act's definition, its impact on organisations, and the statutory obligations that come with it.
What is the Bermuda Personal Information Protection Act (PIPA)?
The Personal Information Protection Act 2016 ("PIPA" or the "Act") was introduced to regulate and protect the use of personal information by individuals, companies, public authorities and other organisations in and from within Bermuda. PIPA outlines the requirements for individuals and organisations that use personal information, as well as the rights that individuals have regarding the use of their personal information.
Is PIPA in effect in Bermuda?
The Privacy Commissioner recently moderated a panel discussion entitled, 'Privacy in Bermuda and Beyond: Are we Ready for PIPA?', and despite indications that the operative provisions of PIPA would be implemented in spring 2023, it is still unclear when exactly all the provisions of PIPA will fully come into force. It is expected that the timeline for the enactment of the outstanding provisions of PIPA will be guided and determined by the promulgation of prescribed Regulations by the Commissioner in accordance with the Act, however, we encourage clients to be proactive in reviewing whether they will be compliant when the time comes.
How is the Bermuda Personal Information Protection Act (PIPA) defined?
Personal information or data is defined as including any information about an identified or identifiable individual. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. "Sensitive personal information" includes information relating to aspects such as place of origin, race, colour, sex, sexual life, health, disabilities, religious beliefs, and biometric and genetic information.
Use of Personal Information
Use of personal information means "carrying out any operation on personal information, including collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying it."
What are the conditions for the use of Personal Information?
Under PIPA, the collection and use of personal information is subject to internationally recognised principles of data privacy. Personal information may only be used if at least one of the following conditions is met:
- the organisation must be able to reasonably demonstrate that the individual has knowingly consented;
- except in relation to sensitive personal information, a reasonable person giving due weight to the sensitivity of the personal information would consider that the individual would not reasonably request that the use of his personal information should not begin or that they would want it to cease and use does not prejudice the rights of the individual;
- it is necessary for the performance of a contract to which the individual is a party or for the taking of steps at the request of the individual with a view to entering into a contract;
- use of personal information is pursuant to a provision of law that authorises or requires such use;
- the personal information is publicly available and will be used for a purpose consistent with its public availability;
- use of personal information is necessary to respond to an emergency that threatens the life, health or security of an individual or the public;
- it is necessary to perform a task carried out in the public interest or in the exercise of official authority vested in the organisation or in a third party to whom the personal information is disclosed; or
- it is necessary in the context of an individual's present, past or potential employment relationship with the organisation.
What are the statutory obligations on organisations under PIPA?
PIPA imposes the following statutory obligations on organisations that use personal information:
- the organisation must designate a representative as a privacy officer for compliance purposes;
- the organisation must provide individuals with a clear and easily accessible privacy notice detailing its practices and policies with respect to personal information either before or at the time of collection of the information (unless all use of the information is within the reasonable expectations of the individual to whom the personal information relates);
- with certain exceptions, the personal information can only be used for the limited purposes set out in the privacy notice;
- the information collected must be adequate, relevant and not excessive in relation to the purpose it is used;
- the information must be accurate and kept up to date to the extent necessary for the purpose of use and cannot be kept longer than necessary for that use;
- the personal information an organisation holds must be protected with adequate safeguards against loss, unauthorised access and other misuse. Safeguards must be proportional to the likelihood and severity of the harm threatened by the loss, the sensitivity of the personal information and the context in which it is held;
- in case of breach, the organisation must notify the Privacy Commissioner without delay and all individuals that may be affected; and
- where an organisation engages the services of a third party in connection with the use of personal information, the organisation remains responsible for ensuring compliance.
What are the required safeguards for international data transfers?
Organisations remain responsible for the protection of personal information where it is transferred to an overseas third party and before making any such transfer, the organisation shall assess the level of protection provided by the overseas third party for that personal information. Where the Privacy Commissioner does not designate a particular jurisdiction as providing a comparable level of protection, the organisation must employ contractual mechanisms, corporate codes of conduct or other means to ensure the overseas third party provides a comparable level of protection.
How can organisations in Bermuda prepare for PIPA?
Organisations will need to adopt reasonable measures and policies to give effect to their obligations and the rights of individuals taking into account the nature, scope, context and purposes of the use of personal information as well as the potential risk to individuals due to the use of their personal information.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.