PIPA, which received Royal Assent on July 27, 2016, will come into full effect on January 1, 2025, meaning that the clock has started ticking and employers must begin preparing for its impact.

Personal information is defined under PIPA as “any information about an identified or identifiable individual”.

Sensitive personal information, which is a category of personal information, is defined as “any personal information relating to an individual’s place of origin, race, colour, national or ethnic origin, sex, sexual orientation, sexual life, marital status, physical or mental disability, physical or mental health, family status, religious beliefs, political opinions, trade union membership, biometric information or genetic information”.

In practice, the sort of personal information about employees that an employer is likely to have access to and retain includes financial information, pension information, age, security clearance information, drug test results and health records or medical information.

Such information may be obtained by an employer for many reasons, such as for insurance purposes, work permit submission or workplace diversity and equality monitoring.

Personal information should be collected with consent. Where an employer retains personal information prior to PIPA coming into force, it is deemed to have been collected pursuant to consent being given by that individual.

When an employer wishes to use the personal information of an employee, they may rely on provisions in contracts of employment whereby the employee has consented to such use.

It may seem to an employer that consent is the most obvious and straightforward method by which to establish a lawful basis to use the personal information of an employee. However, to rely on consent under PIPA, an employer must “reasonably demonstrate that the individual has knowingly consented”.

The difficulty here is that where there is a clear imbalance of power between an employer and employee, as there almost always is, it could be hard for an employer to show that there was knowing consent.

Instead, employers can rely on alternative bases for use of personal information laid out in PIPA, including showing that the “use of the personal information is necessary in the context of the individual’s present, past or potential employment with the organisation”.

While that approach actually makes it easier for the employer to use the personal information of the employee if the employer is able to show that such use was “necessary in the context of” employment, it may carry a higher risk for potential disputes. This is on the basis that what is necessary in the context of employment is in fact sensitive depending on each individual circumstance; thus it is open to an employee to argue that it was not necessary in the context of their employment to use their personal information.

In preparing for the arrival of PIPA, employers should ensure that they have clear policies in place which address the requirements of, and establish measures to ensure compliance with, the legislation.

For example, PIPA requires an employer to “ensure that any personal information used is accurate, relevant and not excessive to the purposes for which it is used”.

As such, measures and policies that address the handling and retention of data, such as data management, data handling and privacy policies, will require careful consideration.

Employers will need to ensure that the purpose for which the use of personal information is retained is clear, as well as making sure that only personal information that is relevant to the purpose is retained for a proportionate and considered period of time.

Clear policies should also be established regarding the disposal of personal information.

Employers should begin to think about these considerations now to ensure that by January 1, 2025, when PIPA comes into full force, they are compliant.

First Published in The Royal Gazette, Legally Speaking column, July 2023

Share
X.com LinkedIn Email Save as PDF
More Publications
Appleby-Website-Privacy-and-Data-Protection
28 Nov 2024

Augmented Advocacy Series (Bermuda): Copyright infringement in the age of AI

Artificial intelligence is revolutionising the way that humans solve problems and create.

Appleby-Website-Employment-and-Immigration
19 Nov 2024

When and how to vary a Bermuda contract of employment

A contract of employment is a legal agreement that sets out the terms and conditions of an employee�...

Technology and Innovation
8 Nov 2024

When non-tech companies buy IT

Generally, there are three categories of information technology buyers: non-technology enterprises, ...

050-Insolvency-Restructuring-Grid-Image
15 Oct 2024

Insolvency: Bermuda

In-Depth: Insolvency (formerly The Insolvency Review) offers an incisive review of the most conseque...

Appleby-Website-Insurance-and-Reinsurance
10 Oct 2024

Recovery planning for commercial insurers

New rules released by the Bermuda Monetary Authority aim to equip certain insurers with a structured...

The Global Website header
7 Oct 2024

The Global – your offshore corporate law questions answered: October 2024

The Global is a quarterly collection of corporate expert insights and analysis across Appleby's glob...

Brad Adderley, Bermuda Managing Partner at Appleby, will speak at the 2022 Society of Actuaries (SOA) Life Meeting on 23-26 August in Chicago.
2 Oct 2024

Bermuda: It’s Impressive How Mainstream Cat Bonds Have Become

Although Brad Adderley, Bermuda Managing partner at Appleby, doesn’t expect 2024 to be another rec...

Appleby-Website-Private-Client-and-Trusts-Practice
26 Sep 2024

Private Wealth and Private Client: Bermuda

In-Depth: Private Wealth and Private Client (formerly The Private Wealth & Private Client Review) pr...

Technology and Innovation
26 Sep 2024

Augmented Advocacy Series (Bermuda): The Practice of Law in the Age of AI

As the world enters the age of artificial intelligence, the legal profession is once again faced wit...