Bermuda has introduced the Personal Information Protection Act, 2016 (“PIPA”) to regulate the use of personal information by organisations in a manner that recognises both the need to protect the rights of individuals in relation to their personal information and the need for organisations to use personal information for legitimate purposes. The Act will come into full force in the latter part of 2018. It will affect every individual and every organisation in Bermuda, including Government and non-profits. Organisations are advised to review their internal governance procedures to ensure compliance with their new statutory obligations.
What is PIPA?
PIPA sets out how organisations, businesses and the Bermuda Government may use personal information. The Act has drawn on legislation from a number of jurisdictions including Canada, the United States and Europe. It reflects a set of internationally accepted privacy principles and good business practices for the use of personal information in the digital age. PIPA is intended to complement the Public Access to Information Act, 2010, which provides for public access to information held by Bermuda public authorities, while simultaneously protecting personal information.
Who does PIPA affect?
PIPA applies to any individual, entity or public authority that uses personal information in Bermuda. It encompasses both digital and non-digital information. “Personal information” is defined as any information about an identified or identifiable individual. “Use” is defined very broadly and includes collecting, storing, disclosing, transferring and destroying information.
What Obligations does the Act Impose?
PIPA imposes specific obligations on organisations that control the processing of personal information, including:
- Every organisation must adopt suitable measures and policies to give effect to its obligations and to the rights of individuals set out in PIPA. Organisations must provide individuals with a clear and easily accessible statement about their practices and policies with respect to personal information.
- The measures and policies must be designed to take into account the nature, scope, context and purposes of the use of personal information and the risk to individuals of the use of the personal information.
- Where an organisation engages the services of a third party in connection with the use of personal information, the organisation remains responsible for ensuring compliance with PIPA at all times.
- Every organisation must designate a “privacy officer” for the purposes of compliance with PIPA. The privacy officer will have primary responsibility for communicating with the Privacy Commissioner.
Conditions for using Personal Information
PIPA outlines eight conditions for the use of personal information. An individual’s personal information may only be used if one or more of the following conditions are met:
1. The personal information is used with the consent of the individual, where the organisation can reasonably demonstrate that the individual has knowingly consented.
2. A reasonable person, giving due weight to the sensitivity of the personal information, would consider that the individual would not reasonably be expected to refuse the use of their personal information, and that the use does not prejudice the rights of the individual.
3. The use of the personal information is necessary for the performance of a contract to which the individual is a party, or for entering into such a contract.
4. The use of the personal information is pursuant to a provision of law that authorises or requires such use.
5. The personal information is publicly available and will be used for a purpose that is consistent with the purpose of its public availability.
6. The use of the personal information is necessary to respond to an emergency that threatens the life, health or security of an individual or the public.
7. The use of the personal information is necessary to perform a task carried out in the public interest or in the exercise of official authority.
8. The use of the personal information is necessary in the context of an individual’s present, past or potential employment relationship with the organisation.
When reviewing policies and practices for the purposes of compliance with PIPA, it is helpful to keep in mind the following general principles on which the legislation is based:
- An organisation should use personal information in a lawful and fair manner.
- The use must be for specific purposes only and the information should not be used in a manner incompatible with those purposes.
- The personal information should be relevant and not excessive for the purposes of use.
- The personal information should be accurate, kept up-to-date where necessary, and not kept for longer than is necessary.
- The personal information should be held securely.
- Personal information should not be transferred outside Bermuda without adequate checks and safeguards.
“Sensitive Personal Information”
Sensitive personal information, which includes information about an individual’s race, health, family status or religious beliefs, is a separate class of personal information and is subject to enhanced protection. Employee data almost always includes this information; organisations should pay particular attention to the appropriate collection, handling and secure storage of this data.
Are there any Exemptions?
In order to ensure that personal information can be used in appropriate circumstances, the Act does not apply to certain uses. For example, PIPA does not apply to the use of personal information for personal or domestic purposes, or for artistic, literary or journalistic purposes with a view to publication in the public interest (to protect the right of freedom of expression). It does not apply to the use of business contact information for the purpose of contacting an individual in their capacity as an employee or official of an organisation. PIPA also recognises a number of specific exemptions, such as national security.
What rights do individuals have under PIPA?
The legislation grants individuals specific rights in relation to their personal information including, subject to specified limitations, the right:
- of access to their own personal information;
- of access to their own medical records; and
- to rectify, block, delete or destroy their own personal information.
PIPA establishes the office of a Privacy Commissioner, appointed by the Governor in consultation with the Premier. This appointment has not been made at the time of this Alert. The Privacy Commissioner is responsible for monitoring the administration of PIPA to ensure that its purposes are achieved, for conducting investigations, issuing warnings and educating the public about PIPA.
Offences and Penalties
PIPA establishes a number of offences and penalties for failure to comply with the requirements of the Act, including failure to notify the Privacy Commissioner and the affected individual in the event of a breach. Offences may incur fines of $250,000 for organisations, and $25,000 or imprisonment up to two years for individuals.
How can we help?
Protecting personal data is now business critical, with reputations and criminal liability at stake. Conyers can assist with understanding your obligations under the law and taking the necessary steps to ensure compliance.