There have been recent indications from the Bermuda Government that Bermuda's Personal Information Protection Act 2016 ("PIPA") may come into full force this year.
Since PIPA was enacted in 2016, the Government of Bermuda and the Privacy Commissioner have been developing the Office of the Privacy Commissioner, organising administrative resources, and educating the public and businesses who collect and use personal information of their respective rights and obligations under PIPA. That is a good thing, because there is a lot for businesses to address.
In many ways, PIPA is one of Bermuda's few consumer rights laws and it is one that imposes onerous operational and administrative obligations that will be overseen by the experienced regulatory office of the Privacy Commissioner, Alexander White.
Given the recent indications that PIPA may be brought into full force this year, even if only on a sector by sector basis and perhaps with a compliance grace period, the questions for all businesses that collect and use personal information include:
- Are you administratively ready to fully comply with PIPA?
- How will you secure the consent necessary to collect and use personal information?
- How will you manage communications with individuals who want to see a copy of all personal information that you have about them?
- How will you manage their requests for corrections to, or deletions of, their personal information?
- To what extent must you revise your outsourcing, IT service contracts, and data processing service agreements?
- Are you organised to comply with an individual's direction for you to stop using their personal information?
As a result of the many rights that PIPA bestows on individuals, organisations must ensure that all of their business processes, customer relations programmes, data management systems and administrative processes are compliant with the practices, protections, and use restrictions that PIPA will soon impose on them.
Just as other organisations who are subject to similar privacy laws around the world have done, Bermuda organisations will have to review all of their current business processes and assess to what extent must they now be revised to ensure PIPA-compliant practices.
It is the common failure of businesses across all privacy jurisdictions when privacy laws are first introduced to appreciate the profound nature of how PIPA will impact many of their internal business operations. For example, in addition to the questions posed above, are your business' IT systems adequately secure from unauthorized access or cyber incident interference?
That is an important question because PIPA requires all businesses who use personal information (whether related to their personnel or otherwise in the course of their business) to ensure that they have “appropriate safeguards” (technological and otherwise) against: loss; unauthorized access, destruction, use, modification or disclosure; and, any other misuse of personal information. In order to determine what an “appropriate safeguard” is, PIPA prescribes that the quality and degree of safeguards that businesses must have in place to meet that standard must be proportional to the following factors and considerations: what is the likelihood and severity of the harm that could be threatened by the loss, access or misuse of the personal information; the sensitivity of the personal information been collected, stored and used by the business; the context in which it is held.
As for the sensitivity of the personal information, PIPA creates a unique category of especially sensitive information called “sensitive personal information” that includes personal information related to (among other attributes) race, ethnic origin, sexual orientation, and physical or mental health or disability. However, the sensitivity of many other categories of information must be taken into account for that “adequacy” determination, such as if the information is about financial matters, health insurance claims, the use of Employee Assistance programs, family relationships, and involvement in litigation or criminal matters (among other topics) can also constitute highly sensitive information that has the potential to cause harm if wrongfully used or disclosed.
As for the context in which the personal information is used, that criteria has many possible interpretations. However, it can be generally assumed, at this stage of pre-implementation, that a business that collects and uses (even commercially exploits) personal information as a part of their commercial operations (i.e., for profit), will likely have a higher standard of security care under PIPA than does a not-for-profit organization that collects and uses personal information for the sole benefit of the individuals who have provided that personal information to that organization.
As well, based on PIPA's proportionality principle, it may be said that the more extensive the nature and scope of personal information collection and use is by a business, and the more sensitive the personal information is, and the greater the vulnerability of individuals will be if that personal information is misused, the more thorough the business' adopted compliance “measures and policies” must be for them to be “suitable”, as expressly required by PIPA.
Mr. White describes PIPA's proportional requirement of “suitability” in these terms: “What exactly may be ‘suitable' for an organisation's privacy programme under Section 5 (1) will naturally vary by the organisation, the uses of personal information and the specific context. Our office's guidance, “What is a privacy programme?”, provides some examples of the types of measures and policies that may be suitable for an organisation to adopt, but the exact nature will differ from programme to programme.”
Whether as requirements for “appropriate safeguards” to protect personal information, or when ensuring that a business' compliance measures are “suitable”, businesses who outsource any part of their operation that uses personal information to either a commercial service provider or an affiliate, all of the business' PIPA duties and obligations under PIPA remain with that business and cannot be delegated. Therefore, businesses must ensure that they flow down all of those duties and requirements to their service providers in all outsourcing agreements. Even recently executed outsourcing agreements will have to be reviewed and re-assessed to ensure they are brought up to date with PIPA's many compliance requirements.
The full breadth of the restrictions, duties and obligations that PIPA will soon impose on businesses to protect individual privacy rights will be daunting to many businesses. It is in that context that organisations must now administratively address how they will comply with PIPA.
Originally Published by The Bermuda Chamber of Commerce Newsletter (Chamber Insider), February 2023
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.