Compliance with Pipa for trustees
The Personal Information Protection Act 2016, the island’s data protection legislation, applies to all organisations that use personal information in Bermuda.
These three terms — organisations, use and personal information — are defined in the Act.
In the context of trust structures, “organisations” may include individual trustees, private trust companies, regulated local trust companies, underlying holding companies and protectors.
Navigating how each organisation must comply with Pipa in connection with any trust can be daunting.
For example, are individual trustees of the same trust, or a trustee and a protector of the same trust, more than one “organisation” for the purposes of Pipa, given that trusts do not have legal personality and “organisation” is not defined to include either a trust or a collection of individuals (or individuals and entities) with a common purpose?
This matters because obligations under Pipa fall on organisations — each of which must, for example, have a privacy officer, though a common privacy officer may be used where more than one organisation is under common ownership or control, which may be helpful here.
An important point to note about Pipa is that it is not possible to “contract out” of it, ie, for trustees to ask individuals about whom personal information may be held to waive their Pipa rights. Trustees may wish to consider whether any trust terms limiting disclosure to beneficiaries are inconsistent with Pipa.
Compliance with Pipa for trustees will typically involve, among other things:
- appointing a privacy officer/considering whether someone from a service provider can be nominated for this role
- formulating Pipa policies and procedures and considering the collection and use of personal information — generally, privacy notices should be sent out, and consent may be needed to use personal information. Care should be taken when seeking consent — for example, the guidance from the Privacy Commissioner states that “it is good practice to avoid making consent to processing a precondition of service”. If a person refuses consent to processing in circumstances where the trust could not operate without processing personal information, special consideration will be needed as to the best way to proceed. One may also wish to consider whether the “personal and domestic exemption” can ever apply in the family trusts context
- considering the integrity and retention of personal information, ie, making sure information held is accurate and not kept for longer than can be justified, which may be a tricky call
- considering requests for disclosure, rectification, blocking, erasure and destruction of information pursuant to Pipa. The interaction of disclosure rights under Pipa with the quite limited disclosure rights under general trust law principles (as enshrined in the Privy Council decision in Schmidt v Rosewood) is interesting. Navigating the exceptions to the right of access under Pipa may require advice, for example, where legal privilege might apply (though it may not be possible to plead this against beneficiaries) and where the disclosure of the personal information requested under Pipa would reveal personal information about another individual
- ensuring robust data security measures are in place
- considering contracts with service providers in terms of their responsibilities in relation to personal information, especially if they are an “overseas third party” subject to special provisions under Pipa. Going forward, all contracts entered into by trustees should be drafted with Pipa in mind; if it is possible to seek advice without transferring information that relates to identifiable individuals, that may be preferable
- taking special care of sensitive personal information, such as information on family life or health
- taking appropriate action in the event of security breaches — this may involve reporting to the Privacy Commissioner and affected individuals — and disclosure of breaches to insurers may also be needed. Indeed, trustees should ensure that any liability insurance, eg, directors’ and officers’ insurance for directors of a private trust company, covers breaches of Pipa
Breach of Pipa is a serious matter, as it can be a criminal offence, so trustees must work hard to get to grips with these issues as they apply to individual trust structures.
First Published in The Royal Gazette, Legally Speaking column, April 2025
