DATA PROTECTION OVERVIEW
Bermuda’s Personal Information Protection Act 2016 (PIPA) received Royal Assent in July 2016 and applies to all organisations in Bermuda using personal information. With significant ties to both sides of the Atlantic, the PIPA was drafted as a bespoke privacy framework, designed to meet Bermuda’s unique requirements. Its provisions are drawn from privacy legislation in multiple jurisdictions.
PIPA’s initial operative provisions came into force in December 2016 to enable the establishment and appointment of a Privacy Commissioner. A Privacy Commissioner has been appointed and took office on 20 January 2020. There will now be a transitional period to allow for the preparation and adoption of necessary secondary legislation and the issuance of draft guidance, to enable organisations based in Bermuda to achieve compliance. As at the date of publication of this Guide, the Privacy Commissioner has not yet issued any guidance and PIPA remains only partially in force.
NOTE: The responses below relate to the version of the PIPA passed by the Bermuda Government on 27 July 2016.
The PIPA is bespoke legislation drafted around a set of EU-style “data protection principles” with the express intention of securing EU “adequacy” status to enable personal information to move freely between the EU and Bermuda. Following the appointment of the Privacy Commissioner, it is anticipated that an application to the EU will be made by the Privacy Commissioner for “adequacy” status.
The PIPA does not adopt the “data controller”, “data subject” or “data processor” nomenclature of EU data protection laws, referring instead to “organisations”, “individuals” and “third parties”. PIPA does retain the principle that the “organisation” – defined as any individual, entity or public authority that uses personal information – is responsible for ensuring compliance with the law at all times. Pure processors of personal information are not directly regulated under the PIPA.
Pending the full implementation of the PIPA, it is likely that the Bermuda courts would follow English common law principles regarding breach of confidence and the misuse of confidential or private information.
“Personal Information” is defined widely to mean “any information about an identified or identifiable individual”.
The PIPA requires that personal information be collected and used in a fair, lawful and transparent manner, and that it be accurate and kept up to date. Any personal information collected must be proportionate to the purposes for which it is collected and should not be retained for longer than is necessary.
Collecting personal information
Subject to certain limited exceptions, such as where the use is necessary to comply with a court order, organisations can only collect or otherwise use personal information where one or more of the following conditions are met:
- the personal information is used with the consent of the individual where the organisation can reasonably demonstrate that the individual has knowingly consented;
- except in relation to sensitive personal information (see below), a reasonable person giving due weight to the sensitivity of the personal information would consider that the individual would not reasonably be expected to request that the use should not begin or should cease and that the use does not prejudice the individual’s rights;
- the use of the personal information is necessary for the performance of a contract to which the individual is a party or for taking steps at the individual’s request with a view to entering into a contract;
- the use of the personal information is authorised or required by law;
- the personal information is publicly available and will be used for a purpose consistent with its public availability;
- the use of the personal information is necessary to respond to an emergency that threatens the life, health or security of an individual or the public;
- the use of the personal information is necessary to perform a task carried out in the public interest, or in the exercise of official authority vested in the organisation, or in a third party, to whom the personal information is disclosed; or
- the use of the personal information is necessary in the context of an individual’s present, past or potential employment relationship with the organisation.
Using personal information means carrying out any operation on personal information, including collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying it.
Generally, personal information can only be used by an organisation (defined as an individual, entity or public authority) for the purposes notified to the individual supplying the personal information before or at the time of the collection of the personal information.
An organisation must also provide individuals with a clear and easily accessible privacy notice detailing its personal information practices and policies, including the:
- fact that personal information is being used;
- purposes for which the personal information is or might be used;
- identity and types of individuals or organisations to whom the personal information might be disclosed;
- identity and location of the organisation, including how to contact it about its handling of personal information;
- name of the privacy officer;
- choices and the means the organisation provides to an individual for limiting the use of, and for accessing, rectifying, blocking, erasing and destroying, their personal information.
Organisations shall take all reasonably practicable steps to ensure that the privacy notice is provided either before or at the time of collection, or, where that is not possible, as soon thereafter as is reasonably practicable.
A privacy notice should be provided by the organisation using the personal information at each point of data capture, whether that is online, via a mobile handset, via a paper form, by telephone or otherwise.
An organisation is not obliged to provide a privacy notice if all the personal information held by it is publicly available, or if it reasonably determines that all uses made, or to be made, of the personal information are within the reasonable expectations of the individual to whom it relates.
What constitutes valid consent?
Organisations that wish to rely on an individual’s consent to use their personal information are required to provide clear, prominent, easily understandable and accessible mechanisms for the individual to give consent. However, they are not obliged to provide such mechanisms where it can be reasonably implied from the individual’s conduct that they consent to their personal information being used for the purposes notified to them. Relying on implied consent is not permissible in relation to the use of sensitive personal information (see below).
When an individual consents to personal information disclosure by an intermediary for a specified purpose, that individual will be deemed to have consented to the use of that personal information for the specified purpose.
An individual will be deemed to have consented to the use of their personal information for the purpose of coverage or enrolment under an insurance, trust, benefit or similar plan if the individual has an interest in or derives a benefit from that plan.
Personal information in an organisation’s control as at the date the substantive provisions of the PIPA come into force will be deemed to have been collected with the individual’s consent and therefore may be used for the purposes for which it was collected.
The PIPA also contains specific provisions regarding the use of personal information collected from a child under the age of 14 in connection with digital services that are specifically targeted at children. In those circumstances the organisation must obtain consent from a parent or guardian before that information is used.
Sensitive personal information
Sensitive personal information is treated differently from other personal information and includes information relating to an individual’s race, national or ethnic origin, colour, sex, sexual orientation, sexual life, marital status, political opinions, religious beliefs, trade union membership, physical or mental health, medical data, family status, and biometric or genetic information. Biometric information is defined as information relating to the physical, physiological or behavioural characteristics of an individual which allows his unique identification, such as facial images or fingerprint information.
Sensitive personal information benefits from enhanced protection, so additional conditions must be satisfied before the information is processed. This might involve: obtaining separate consent; only using the information if it is necessary for performance of an employment contract; protecting an individual’s vital interests; or as part of legal proceedings.
Retention of Personal Information
Organisations must ensure that the personal information they hold is accurate, kept up to date and is not retained longer than is necessary to fulfil the original collection purpose. The PIPA does not specify prescribed data retention periods and so an analysis will need to be undertaken to determine how long personal information is legally required to be kept under other applicable legislation, as well as how long it should be retained in accordance with the “necessity of purpose” test.
Similarly, it will be important to evaluate how personal information can be securely purged, in accordance with the PIPA, once the purposes for holding it have been fulfilled by the organisation.
Accessing Personal Information
Individuals are entitled to have access to and correct their personal information, and to request that their personal information is not used for advertising, direct marketing or public relations. Organisations must ensure that adequate technical and security safeguards prevent unauthorised access to, or destruction or loss of, the personal information they hold.
Individuals have the right to request access to:
(a) personal information about the individual in the organisation’s custody or control;
(b) the purposes for which the personal information has been and is being used by the organisation; and
(c) the names or types of persons to whom, and circumstances in which, the personal information has been and is being disclosed.
The individual may ask for a copy of or to examine their personal information. Subject to the Privacy Commissioner issuing specific guidance on access rights, Appleby takes the view that the individual is not automatically entitled to a copy of the document containing their personal information. The organisation may choose to provide a copy but is not obliged to; the individual’s right is limited to access to their personal information only, which can be extracted from the document if appropriate.
The access request must be sent to the organisation in writing and the organisation must respond within 45 days, which may be extended by up to 30 days in certain circumstances, including where a large amount of personal information has been requested. The organisation is entitled to charge a reasonable fee for handling the request, which may be payable before providing access.
No consent is required for the processing of personal information in connection with:
- safeguarding national security;
- the protection of members of the public against financial loss due to dishonesty, malpractice or other seriously improper conduct by, or the unfitness, impropriety or professional incompetence of, individuals concerned in the provision of banking, insurance, investment, trust or other financial services or in the management and ownership of an organisation;
- the protection of charities against misconduct or mismanagement in their administration and from loss or misapplication of their property;
- securing the health, safety and welfare of individuals at work;
- the protection of the public against risks to their health or safety arising out of or in connection with the actions of individuals at work;
- crime prevention or detection and compliance with international obligations regarding the detection, investigation and prevention of crime;
- the apprehension or prosecution of offenders;
- tax or duty assessment or collection;
- the prevention, investigation, detection and prosecution of breaches of ethics for regulated professionals; or
- the economic or financial interests of Bermuda.
Are there any other exemptions?
Yes: internet service providers and other organisations acting as a conduit for personal information transmitted by a third party are not liable under the PIPA for any breach committed while acting as a pure communication provider.
Personal information can also be disclosed as part of a business transaction. A business transaction consists of the purchase, sale, lease, merger or amalgamation, or any other type of acquisition or disposal of, or the taking of a security interest in respect of, an organisation or a portion of an organisation, or any business or activity or business asset of an organisation, and includes a prospective transaction of such a nature.
International transfers of personal information
Before personal information transfers are made to an overseas third party, the organisation must assess the level of protection provided by the overseas third party and, if it is not satisfied that the overseas third party can provide a comparable level of protection, the organisation is required to employ contractual mechanisms, corporate codes of conduct or other means to protect the personal information. The Bermuda Government, on the recommendation of the Privacy Commissioner, may designate any jurisdiction as providing a comparable level of protection to the PIPA, but no such designations have yet been made.
Where an organisation engages (by contract or otherwise) the services of a third party in connection with the use of personal information (whether domestic or overseas), the organisation remains responsible for ensuring compliance with the PIPA at all times.
How is direct marketing regulated?
The collection and use of personal information for direct marketing is subject to the general principles of the PIPA, but individuals have a specific right to request an organisation to not use or cease using their personal information for advertising, marketing or public relations purposes.
What rules apply to the monitoring of employees in the workplace?
There are no specific restrictions on employee monitoring under the PIPA. However, it is recommended that employers carry out a privacy impact assessment and evaluate less intrusive approaches to achieving the monitoring objectives. Employers should confirm to employees that they are being monitored and explain the purposes of the monitoring and the kinds of personal information being collected. Although much employee information will constitute sensitive personal information, it is unlikely that employee monitoring information (such as times of entry to the office and records of the employee’s computer usage) will be, so it should not be necessary to obtain the employee’s separate consent.
Can telephone calls be recorded?
Yes, but as personal information may be collected during the call, the general provisions of the PIPA will apply. The organisation should identify the lawful basis on which personal information can be used and it would be best practice to conduct a privacy impact assessment.
The caller needs to be notified at the start that the conversation may be recorded and the purpose of recording, for example training and monitoring. Further, even if the organisation is satisfied that it is not strictly required to provide the caller with a privacy notice, it would still be good practice to give the caller the opportunity to review the organisation’s privacy notice. This can be achieved by informing the caller where the privacy notice can be found, for example on the organisation’s website.
What rules apply to the recording of CCTV footage?
To the extent that individuals can be identified from CCTV footage, the information captured is likely to constitute personal information, and its use will be regulated by the PIPA.
To ensure that any personal information collected via CCTV is not excessive or goes beyond the collection purpose, consideration should be given to the location and angles of cameras. CCTV footage should be kept secure and for no longer than is required to fulfil the collection purpose. Prior to providing access to any footage, as part of a subject access request, careful consideration should be given as the footage may include third parties who may be personally identifiable from the images.
Individuals should be informed that their personal information could be captured by CCTV, for example, by way of a clear and prominent sign displayed in the area covered by the cameras.
The Office of the Privacy Commissioner is established as an independent public office, and the Commissioner is appointed for a five-year period. In the exercise of their functions, the Commissioner will not be subject to the direction or control of any other person or authority.
The Privacy Commissioner can issue guidance on compliance requirements, investigate complaints of breaches of the PIPA, and initiate investigations of its own volition. The Commissioner will also be responsible for liaising with domestic and foreign law enforcement agencies and regulators in connection with the PIPA.
Under the PIPA the approach to enforcement is generally administrative and consultative but criminal sanctions are also available. The Commissioner can also publish a finding or decision in full, thereby “naming and shaming” offending organisations.
No registration or notification with the Privacy Commissioner or any other authorities is required under the PIPA.
Does a separate privacy officer need to be appointed by the organisation?
All organisations are required to designate a privacy officer for compliance with the PIPA. The privacy officer will have primary responsibility for communicating with the Privacy Commissioner.
What are the penalties for non-compliance with the PIPA?
A person commits an offence if, amongst other things, they:
- fail to comply with an order made or a notice served by the Commissioner;
- use sensitive personal information without consent or another lawful basis for its use;
- dispose of, alter, falsify, conceal or destroy evidence during an investigation or enquiry by the Commissioner; or
- fail to notify a breach of security to the Commissioner.
An individual who commits an offence is liable on summary conviction to a fine, not exceeding BMD$25,000, or to imprisonment, not exceeding two years, or to both; and in the case of a person other than an individual, they are liable on conviction on indictment to a fine not exceeding BMD$250,000.
Where an offence is committed by a body corporate, and is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of, any director, manager, secretary or similar officer of the body corporate, that officer, as well as the body corporate, commits the offence and is liable to prosecution.
No separate cybersecurity legislation has been enacted in Bermuda. The PIPA requires that “appropriate” safeguards be put in place to protect personal information against unauthorised access, destruction, use, modification or disclosure.
Who needs to be notified in the event of a data breach?
Security breaches leading to the loss or unlawful destruction of, or unauthorised disclosure of or access to, personal information that is likely to adversely affect an individual must be reported to the Privacy Commissioner, and the affected individual must be notified, without undue delay.
When notifying the Privacy Commissioner, the organisation must describe the:
(a) nature of the breach;
(b) likely consequences of the breach for applicable individuals; and
(c) measures taken, or to be taken, by the organisation to address the breach.
Failure to notify of a breach is an offence for which the penalties set out above are applicable.