In short, PIPA applies to “every organisation that uses personal information in Bermuda”. An “organisation” means any individual, entity or public authority that uses personal information, and is widely accepted to include: trustees (in their capacity as such); corporations; partnerships of all kinds; trade and other commercial associations; organisations or societies; proprietorships; and, branch offices of foreign corporations that carry on business in Bermuda.
The word “use” is defined by PIPA to mean, “… carrying out any operation on personal information, including collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying it”. The use of personal information (“PI”) in Bermuda would, as a matter of common law, also include any digital access to, and use from within Bermuda of, PI that is stored or located on a server outside of Bermuda.
Funds, along with their fund administrators and fund managers, that use PI in Bermuda (which includes the required collection, disclosure and otherwise making available of PI concerning their officers, directors and beneficial owners to governmental authorities and various service providers in Bermuda for KYC and related AML / ATF purposes) are therefore subject to PIPA.
One source of a Fund’s requirement to collect and disclose personal information in Bermuda is found in the BMA’s “fit and proper” disclosure requirements for key Fund functionaries (including any controller, officer, secretary or senior executive) of the Fund. Such disclosures must include (among other criteria) any personal information that is related to such person’s: education, training and qualifications; reputation and character; criminal record, including convictions for fraud or other dishonesty; contravention of any provision of insurance, banking, investment or other legislation; censure or disqualification by any professional body; past “misconduct”; and any past failure to conduct the business of the regulated entity with integrity and professional skill. Of course, the BMA directs those disclosure requirements at a Fund registrant directly, regardless of whether or not the actual gathering and disclosure of such personal information is undertaken for, and on behalf of, the Fund registrant by a third party service provider.
Even though PIPA applies to all organisations that use PI in Bermuda, the nature and extent of any organisation’s required compliance with the administrative requirements of PIPA is based on a “proportional risk” model. The factors generally considered when assessing the extent of activity required to comply with PIPA in any particular circumstance are: (1) the likelihood and severity of the harm threatened by the loss, access or misuse of the personal information; (2) the sensitivity of the personal information (including, in particular, whether it is sensitive personal information); and (3) the context in which it is held. An additional factor that may inform the “context” variable is whether the purpose of the PI use falls within the reasonable expectations of the individual.
PIPA’s Application to Funds
Any fund that is legally required to use PI in Bermuda, for the reasons described above, will be within the scope of PIPA. It is the organisation that directly holds those PI collection and disclosure obligations that is responsible under PIPA for such use, regardless of whether or not that organisation has retained third party service providers to carry out and perform those functions for, and on behalf of, the organisation. Section 5(3) clearly stipulates that “Where an organisation engages (by contract or otherwise) the services of a third party (such as a fund administrator) in connection with the use of personal information, the organisation remains responsible for ensuring compliance with this Act at all times.”
PIPA outlines the conditions for using PI in Bermuda, and some of the main requirements which Bermuda funds should consider (among others) are as follows:
- Compliance with PI use allowances, which may include individual consent
- The provision of a privacy notice in most cases
- The appointment of a privacy officer
- Compliance with the allowance requirements for the transfer of PI to overseas organisations
Consent
In some cases, where a fund uses PI in the de minimis ways described for KYC purposes, it may be able to use PI without securing the express consent of the subject individuals.
For example, Sections 6(1)(c) and 6(1)(d) of PIPA outline additional conditions under which PI can be used without such consent, including:
- for the performance of a contract to which an investor is a party;
- for taking steps at the request of an investor with a view to entering into a contract; or,
- where the use is pursuant to the provision of law which authorises or requires such use.
More specifically, an individual’s express consent will not be required by any fund that is legally required to collect and disclose PI to third parties in Bermuda, such as when AML/ATF laws require the collection of KYC-related PI for disclosure to the Registrar of Companies, the Bermuda Monetary Authority, the organisation’s corporate service providers and/or its operational managers, its fund administrator and its law firm, as well as to its auditors and bankers in Bermuda.
Privacy Notice
Pursuant to Section 9 of PIPA, in most circumstances an organisation which falls within the scope of PIPA will be required to provide its clients with a privacy notice which outlines how and for what purposes their PI will be used.
However, pursuant to Section 9(1)(3)(b) of PIPA, funds may not be required to provide a privacy notice to their respective investors or beneficial owners, Board of Directors and corporate officers, as long as the fund can reasonably determine that all of the uses of the subject PI (i.e., for KYC uses or for legally required non-administrative record purposes) will be within the reasonable expectations of those individuals.
Even though the provision of a privacy notice may not be strictly necessary for funds whose use of PI will be within the reasonable expectations of their members, investors and directors, we suggest that fund subscription agreements with investors should contain PI-related provisions that disclose the reasons and purposes for the collection of investor PI, and that also include an express acknowledgement and representation by the investor that those purposes are both required for the fund to perform that agreement and within the reasonable expectations of each contracting investor.
Privacy Officer
Each fund must appoint a Privacy Officer. Although some aspects of such appointments under PIPA are somewhat ambiguous, and subject to judicial clarification, it is our view that organisations will not infringe PIPA where the position of Privacy Officer is held by an internal employee, officer or director of the organisation. That role can also be filled internally by an employee of an affiliated company (i.e., one that is under common ownership or control with the fund). The appointee need not be resident in Bermuda, and the appointment does not generally require a Board resolution. As well, the appointment does not have to be filed or registered with any regulatory authority in Bermuda.
Once appointed, the Privacy Officer is expressly permitted by PIPA to delegate the day-to-day administrative responsibilities associated with their duties of PIPA compliance oversight to a third-party service provider. In many cases, such a delegation of a Privacy Officer’s duties under PIPA to a service provider, even where the responsibilities of the Privacy Officer are de minimis, may require either a new service agreement to address the performance of those duties, or an amendment to an existing service agreement to include those additional service performance obligations.
Disclosure of PI to Service Providers and Foreign Entities
Where organisations such as funds are highly “virtual” in their structure, operation or organisation, they may retain others to collect and disclose PI on their behalf. However, it is still the client organisation that has the direct (and personal) legal responsibility to collect that PI as required by law or lawful purpose in Bermuda, and so that organisation is, at first instance, subject to PIPA.
The fundamental principle of an organisation’s continuing personal and direct responsibility for compliance under PIPA when others use PI for, and on behalf of, the organisation (noted above in section 5(3) of PIPA) is restated, for any circumstance where the fund intends to transfer PI to a service provider (or other third party) located outside of Bermuda, in section 15(1) of PIPA, in the following terms:
“When an organisation transfers to an overseas third party personal information for use by that overseas third party on behalf of the organisation, or for the overseas third party’s own business purposes, the organisation remains responsible for compliance with this Act in relation to that personal information.”
As a practical next step, clients that consider that they may be within the scope of PIPA should discuss with their Appleby contact appropriate language that can be included in their subscription agreement and potentially other documentation going forward. It would also be prudent to contact any Bermuda-based service providers, particularly fund administrators and/or investment managers, to see how they are addressing PIPA in order to assist clients in being compliant.
Fund Administrators and Managers in Bermuda
Whether the subject fund is formed in Bermuda or outside of Bermuda, where the fund is administered or managed in Bermuda, the collection, holding, storing, consulting, disclosure or other use of any fund-related PI by those Bermuda administrators or managers will also be governed by PIPA.
Foreign Fund Administrators and Managers of Bermuda Funds
Foreign administrators and managers of a Bermuda fund are not subject to PIPA if they are not using PI in Bermuda. However, PI cannot be provided or transferred by a Bermuda fund to a foreign administrator or manager unless section 15 of PIPA can be complied with.
The most likely grounds of PI export allowance in section 15 of PIPA fall into two categories: the foreign adequacy (or equivalent protection) circumstance; or the imposed adequacy (or equivalent protection) circumstance. The former will permit PI to be exported by a Bermuda fund to a foreign administrator or manager if the laws of the jurisdiction to which the PI is being exported provide a level of protection for the PI comparable to that provided by PIPA. If that circumstance does not exist, the PI may still be exported to the overseas third party where a comparable level of protection is imposed on the PI recipient by way of contractual mechanisms, corporate codes of conduct (including corporate rules) or other means that ensure the overseas third party provides a level of protection for the transferred PI comparable to that provided by PIPA.
BMA & PIPA Compliance Overlap
Funds, administrators and managers that are licensed and regulated by the Bermuda Monetary Authority (BMA) should note that the BMA requires all registrants to comply with PIPA subject to similar principles of “proportional risk management” assessment and calibration.
In that regard, the BMA’s Operational Cyber Risk Management Code of Conduct (September 2022, Revised, the “Code”) for investment businesses and fund administration providers stipulates in sections 50 and 51 of the Code that all registrants must perform an assessment of their compliance against applicable data protection requirements, and where personal information is processed (used), such use must be in accordance with data protection and privacy laws relevant to each jurisdiction of operation. Although the BMA has stated that it does not intend to “police” PIPA compliance by its registrants, it is clear that compliance failures under PIPA may have direct BMA compliance implications for any offending registrants.