Since PIPA was enacted in 2016, the Government of Bermuda and the Privacy Commissioner have been developing the Office of the Privacy Commissioner, organising administrative resources, and educating the public and businesses who collect and use personal information of their respective rights and obligations under PIPA. That is a good thing, because there is a lot for businesses to address.

In many ways, PIPA is one of Bermuda’s few consumer rights laws and it is one that imposes onerous operational and administrative obligations that will be overseen by the experienced regulatory office of the Privacy Commissioner, Alexander White.

Given the recent indications that PIPA may be brought into full force this year, even if only on a sector by sector basis and perhaps with a compliance grace period, the questions for all businesses that collect and use personal information include:

  • Are you administratively ready to fully comply with PIPA?
  • How will you secure the consent necessary to collect and use personal information?
  • How will you manage communications with individuals who want to see a copy of all personal information that you have about them?
  • How will you manage their requests for corrections to, or deletions of, their personal information?
  • To what extent must you revise your outsourcing, IT service contracts, and data processing service agreements?
  • Are you organised to comply with an individual’s direction for you to stop using their personal information?

As a result of the many rights that PIPA bestows on individuals, organisations must ensure that all of their business processes, customer relations programmes, data management systems and administrative processes are compliant with the practices, protections, and use restrictions that PIPA will soon impose on them.

Just as other organisations who are subject to similar privacy laws around the world have done, Bermuda organisations will have to review all of their current business processes and assess to what extent must they now be revised to ensure PIPA-compliant practices.

It is the common failure of businesses across all privacy jurisdictions when privacy laws are first introduced to appreciate the profound nature of how PIPA will impact many of their internal business operations. For example, in addition to the questions posed above, are your business’ IT systems adequately secure from unauthorized access or cyber incident interference?

That is an important question because PIPA requires all businesses who use personal information (whether related to their personnel or otherwise in the course of their business) to ensure that they have “appropriate safeguards” (technological and otherwise) against: loss; unauthorized access, destruction, use, modification or disclosure; and, any other misuse of personal information. In order to determine what an “appropriate safeguard” is, PIPA prescribes that the quality and degree of safeguards that businesses must have in place to meet that standard must be proportional to the following factors and considerations: what is the likelihood and severity of the harm that could be threatened by the loss, access or misuse of the personal information; the sensitivity of the personal information been collected, stored and used by the business; the context in which it is held.

As for the sensitivity of the personal information, PIPA creates a unique category of especially sensitive information called “sensitive personal information” that includes personal information related to (among other attributes) race, ethnic origin, sexual orientation, and physical or mental health or disability. However, the sensitivity of many other categories of information must be taken into account for that “adequacy” determination, such as if the information is about financial matters, health insurance claims, the use of Employee Assistance programs, family relationships, and involvement in litigation or criminal matters (among other topics) can also constitute highly sensitive information that has the potential to cause harm if wrongfully used or disclosed.

As for the context in which the personal information is used, that criteria has many possible interpretations. However, it can be generally assumed, at this stage of pre-implementation, that a business that collects and uses (even commercially exploits) personal information as a part of their commercial operations (i.e., for profit), will likely have a higher standard of security care under PIPA than does a not-for-profit organization that collects and uses personal information for the sole benefit of the individuals who have provided that personal information to that organization.

As well, based on PIPA’s proportionality principle, it may be said that the more extensive the nature and scope of personal information collection and use is by a business, and the more sensitive the personal information is, and the greater the vulnerability of individuals will be if that personal information is misused, the more thorough the business’ adopted compliance “measures and policies” must be for them to be “suitable”, as expressly required by PIPA.

Mr. White describes PIPA’s proportional requirement of “suitability” in these terms: “What exactly may be ‘suitable’ for an organisation’s privacy programme under Section 5 (1) will naturally vary by the organisation, the uses of personal information and the specific context. Our office’s guidance, “What is a privacy programme?”, provides some examples of the types of measures and policies that may be suitable for an organisation to adopt, but the exact nature will differ from programme to programme.”

Whether as requirements for “appropriate safeguards” to protect personal information, or when ensuring that a business’ compliance measures are “suitable”, businesses who outsource any part of their operation that uses personal information to either a commercial service provider or an affiliate, all of the business’ PIPA duties and obligations under PIPA remain with that business and cannot be delegated. Therefore, businesses must ensure that they flow down all of those duties and requirements to their service providers in all outsourcing agreements. Even recently executed outsourcing agreements will have to be reviewed and re-assessed to ensure they are brought up to date with PIPA’s many compliance requirements.

The full breadth of the restrictions, duties and obligations that PIPA will soon impose on businesses to protect individual privacy rights will be daunting to many businesses. It is in that context that organisations must now administratively address how they will comply with PIPA.

First Published In The Bermuda Chamber of Commerce Newsletter (Chamber Insider), February 2023

Locations

Bermuda

Services

Corporate

Sectors

Privacy & Data Protection

Type

Insight

Share
Twitter LinkedIn Email Save as PDF
More Publications
21 Feb 2024

Bermuda Privacy Law Compliance: Pitfalls to Avoid

Although members of the Chamber are aware that Bermuda’s Personal Information Protection Act, 2016...

19 Feb 2024

Bermuda: An Introduction to Dispute Resolution in 2024

International business is the primary area of economic activity in Bermuda, as a result of not just ...

15 Feb 2024

Preserving wealth in a Bermuda dynastic trust

The Vanderbilt family gained prominence through shipping and railroad empires and eventually various...

8 Feb 2024

Bermuda’s promising telecommunications future

Last year was a stellar one for Bermuda’s positioning in the global array of telecommunications se...

25 Jan 2024

Fund Finance Laws and Regulations 2024 – Bermuda

The Bermuda fund industry sees investment predominantly from North America and Europe, and therefore...

24 Jan 2024

Chambers Insurance & Reinsurance Guide 2024: Bermuda

This guide provides the latest information on sources of insurance and reinsurance law, overseas-bas...

23 Jan 2024

New Limitations on the Length of Stay for Visitors to Bermuda

In November 2022, The Minister of Economy and Labour, the Hon. Jason Hayward, JP, MP, announced that...

18 Jan 2024

Technology Experience a Must for Board Composition

Corporate governance is an enterprise-wide endeavour that addresses all aspects of an organisation. ...

11 Jan 2024

ILS Steps Up When Needed Most

After a robust 2023 for ILS, five experts in this space debated the changing role ILS is playing in ...

10 Jan 2024

The Global – your offshore corporate law questions answered

The Global is Appleby’s quarterly collection of expert insights and analysis on the latest develop...