Since PIPA was enacted in 2016, the Government of Bermuda and the Privacy Commissioner have been developing the Office of the Privacy Commissioner, organising administrative resources, and educating the public and businesses who collect and use personal information of their respective rights and obligations under PIPA. That is a good thing, because there is a lot for businesses to address.

In many ways, PIPA is one of Bermuda’s few consumer rights laws and it is one that imposes onerous operational and administrative obligations that will be overseen by the experienced regulatory office of the Privacy Commissioner, Alexander White.

Given the recent indications that PIPA may be brought into full force this year, even if only on a sector by sector basis and perhaps with a compliance grace period, the questions for all businesses that collect and use personal information include:

  • Are you administratively ready to fully comply with PIPA?
  • How will you secure the consent necessary to collect and use personal information?
  • How will you manage communications with individuals who want to see a copy of all personal information that you have about them?
  • How will you manage their requests for corrections to, or deletions of, their personal information?
  • To what extent must you revise your outsourcing, IT service contracts, and data processing service agreements?
  • Are you organised to comply with an individual’s direction for you to stop using their personal information?

As a result of the many rights that PIPA bestows on individuals, organisations must ensure that all of their business processes, customer relations programmes, data management systems and administrative processes are compliant with the practices, protections, and use restrictions that PIPA will soon impose on them.

Just as other organisations who are subject to similar privacy laws around the world have done, Bermuda organisations will have to review all of their current business processes and assess to what extent must they now be revised to ensure PIPA-compliant practices.

It is the common failure of businesses across all privacy jurisdictions when privacy laws are first introduced to appreciate the profound nature of how PIPA will impact many of their internal business operations. For example, in addition to the questions posed above, are your business’ IT systems adequately secure from unauthorized access or cyber incident interference?

That is an important question because PIPA requires all businesses who use personal information (whether related to their personnel or otherwise in the course of their business) to ensure that they have “appropriate safeguards” (technological and otherwise) against: loss; unauthorized access, destruction, use, modification or disclosure; and, any other misuse of personal information. In order to determine what an “appropriate safeguard” is, PIPA prescribes that the quality and degree of safeguards that businesses must have in place to meet that standard must be proportional to the following factors and considerations: what is the likelihood and severity of the harm that could be threatened by the loss, access or misuse of the personal information; the sensitivity of the personal information been collected, stored and used by the business; the context in which it is held.

As for the sensitivity of the personal information, PIPA creates a unique category of especially sensitive information called “sensitive personal information” that includes personal information related to (among other attributes) race, ethnic origin, sexual orientation, and physical or mental health or disability. However, the sensitivity of many other categories of information must be taken into account for that “adequacy” determination, such as if the information is about financial matters, health insurance claims, the use of Employee Assistance programs, family relationships, and involvement in litigation or criminal matters (among other topics) can also constitute highly sensitive information that has the potential to cause harm if wrongfully used or disclosed.

As for the context in which the personal information is used, that criteria has many possible interpretations. However, it can be generally assumed, at this stage of pre-implementation, that a business that collects and uses (even commercially exploits) personal information as a part of their commercial operations (i.e., for profit), will likely have a higher standard of security care under PIPA than does a not-for-profit organization that collects and uses personal information for the sole benefit of the individuals who have provided that personal information to that organization.

As well, based on PIPA’s proportionality principle, it may be said that the more extensive the nature and scope of personal information collection and use is by a business, and the more sensitive the personal information is, and the greater the vulnerability of individuals will be if that personal information is misused, the more thorough the business’ adopted compliance “measures and policies” must be for them to be “suitable”, as expressly required by PIPA.

Mr. White describes PIPA’s proportional requirement of “suitability” in these terms: “What exactly may be ‘suitable’ for an organisation’s privacy programme under Section 5 (1) will naturally vary by the organisation, the uses of personal information and the specific context. Our office’s guidance, “What is a privacy programme?”, provides some examples of the types of measures and policies that may be suitable for an organisation to adopt, but the exact nature will differ from programme to programme.”

Whether as requirements for “appropriate safeguards” to protect personal information, or when ensuring that a business’ compliance measures are “suitable”, businesses who outsource any part of their operation that uses personal information to either a commercial service provider or an affiliate, all of the business’ PIPA duties and obligations under PIPA remain with that business and cannot be delegated. Therefore, businesses must ensure that they flow down all of those duties and requirements to their service providers in all outsourcing agreements. Even recently executed outsourcing agreements will have to be reviewed and re-assessed to ensure they are brought up to date with PIPA’s many compliance requirements.

The full breadth of the restrictions, duties and obligations that PIPA will soon impose on businesses to protect individual privacy rights will be daunting to many businesses. It is in that context that organisations must now administratively address how they will comply with PIPA.

First Published In The Bermuda Chamber of Commerce Newsletter (Chamber Insider), February 2023

Locations

Bermuda

Services

Corporate

Sectors

Privacy & Data Protection

Type

Insight

Share
Twitter LinkedIn Email Save as PDF
More Publications
24 Jun 2024

High-level overview of Bermuda Monetary Authority’s three-tiered capital system

Insurers and reinsurers are faced with uncertainties relating to the timing and scale of future loss...

10 Jun 2024

Bankruptcy & Restructuring – Planning for Failure

The sudden collapse of Lehman Brothers in September 2008 sent shockwaves around the globe. As the la...

4 Jun 2024

Bermuda’s cybersecurity law transformation is well underway

We are almost six month into 2024, and this year has already been transformative for IT and cyber se...

23 May 2024

Regulatory oversight is key for Bermuda’s insurance sector

Bermuda’s thriving insurance and reinsurance sector requires effective regulatory oversight if it ...

9 May 2024

It is all about the data

All successful enterprises have a voracious appetite for data. The advanced abilities of IT systems ...

3 May 2024

Best Practices for Conducting Investigations into Employee Grievances

Grievance procedures are very important, but often overlooked, procedures that all employers should ...

25 Apr 2024

Trusts, and how they came to be

What traces its history through Ancient Rome and the Crusades, can have many de facto owners, none a...

8 Apr 2024

Electronic dissemination of corporate communications by Hong Kong listed issuers from an offshore perspective

In June 2023, The Stock Exchange of Hong Kong Limited published consultation conclusions to its cons...

3 Apr 2024

Bermuda: Lack of New Players Is Supporting Strong Interest in ILS

All signs point to another very strong year for the catastrophe bond and related insurance-linked se...

2 Apr 2024

Choosing the right structure for your business in Bermuda

Anyone seeking to set up a business in Bermuda has a variety of options, depending on the nature of ...