Bermuda's Personal Information Protection Act 2016 (PIPA) will, when fully operative, represent a significant change in informational privacy law in Bermuda. While it envisages a comparatively "light regulatory environment" for informational privacy, the act will require a number of practical changes for many organisations.
At the time of writing, only those sections relating to the establishment and operation of the office of the Privacy Commissioner are in force. In many respects, Bermudian organizations remain in suspense as they eagerly await guidance on the interpretation and application PIPA.
Following the appointment of Bermuda's first Privacy Commissioner in January 2020, the expectation was that PIPA would be on track for roll-out by the end of 2020. COVID-19, not surprisingly, is believed to have contributed to the delay in the implementation of PIPA. There is a general expectation that there will be movement within Q1 of 2021, including other provisions of PIPA coming into force. It is envisioned that PIPA will come into force in stages. This is a welcome strategy for businesses as the impact will be less immediate and disruptive to operations.
What provisions of PIPA will next be brought into force is not known, although it can be expected to be those provisions relating to the adoption of measures and policies, including security, responding to access and other requests of individuals and the appointment of a privacy officer. Privacy notices can be expected to follow in a second phase once organizations have had an opportunity to identify what information they use, how they use it and for what purposes.
In anticipation of the coming into full force of PIPA, some business have begun to examine what personal information they use. Some have adopted their first privacy policies and notices while others, in particular global players, have embarked on amendments to their existing privacy policies and notices to comply with PIPA. Others have chosen to wait until guidance is in place, so as to avoid the fine-tuning of policies, re-circulation of revised notices and changing practices and training that may be required. Whichever approach an organization has taken, the Privacy Commissioner has signalled there will be considerable advance notice before the enforcement of any provisions of PIPA, including information sessions and the issuance of a guidance. And so, for now, Bermuda waits for that sign to be given.
Kennedys' privacy offering
We are poised to help clients devise, implement and/or fine-tune, depending on their needs, their policies procedures in the course of remaining months leading up to the date on which the substantive provisions of PIPA will become operative.
We are particularly adept at advising entities registered under the Insurance Act 1978 on PIPA compliance.
Our lawyers have expertise in helping at all stages of the life cycle of an organisation's use of personal information, covering:
Our advice is pragmatic, straight-forward and commercially-focused, always with the long-term objectives and health of your business in mind.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances. Kennedys operates in Bermuda in association with Kennedys Chudleigh Ltd.