Using an Employee’s Personal Information in Light of PIPA
Since 2016, there has been significant development in the law relating to the use of personal information. In Bermuda, the Personal Information Protection Act 2016 (‘PIPA’) received Royal Assent on 27 July 2016 but has not yet come into full force, however following a recent government announcement, that PIPA is to come into full effect on 1 January 2025, employers need to be aware of how this important piece of legislation will affect them.
One important consideration for employers is how they obtain consent for and use the personal information of employees. Employers may need to use personal information, defined under PIPA as “any information about an identified or identifiable individual”, for a number of legitimate reasons, and many have used contracts of employment to obtain that consent.
When an employer wishes to use the personal information of an employee, they may rely on provisions in contracts of employment whereby the employee has consented to that use of personal information. S.4(5) of PIPA states that “This Act applies notwithstanding any agreement to the contrary, and any waiver or release given of the rights, benefits or protections provided under this Act is against public policy and void.” As a result, any terms regarding consent in a contract of employment will only be valid provided that the terms are in line with the provisions of PIPA. Employers may wish to take legal advice to have the existing, and potential, contracts of employment reviewed to ensure that they comply with PIPA.
It may seem to an employer that consent is the most obvious and straightforward method by which to establish a lawful basis to use the personal information of an employee. The international legal landscape, however, provides a different position. Whilst under s.6 of PIPA, an organisation may use an individual’s personal information “where the organisation can reasonably demonstrate that the individual has knowingly consented”, the well-established position in the UK, as stated in the Information Commissioner’s Office (‘ICO’) guidance for organisations, is that where an organisation is in a position of power over the individual, consent will not be the appropriate basis for processing. The ICO guidance states that “consent will not usually be appropriate if there is a clear imbalance of power between [the organisation] and the individual. This is because those who depend on [the services of the organisation], or fear adverse consequences, might feel that they have no choice but to agree – so consent is not freely given. This will be a particular issue for public authorities and employers”. Although the ICO guidance does not state that consent is never appropriate, it is important to note that obtaining consent is the exception rather than the rule for employers to use personal information in an employment context.
Whilst PIPA does not explicitly ban employers from using consent as their lawful basis for using personal information in Bermuda, the position in the UK is a persuasive one. It is undoubtedly difficult for employers to show that any consent obtained was given freely and that employee could refuse to consent if they were to so choose, without ramification.
Bermuda has not yet provided any guidance similar to that provided by the ICO in the UK, however it is undeniable that the issue regarding the imbalance of power between employers and employees is a universal one. In the UK, the advice given by the ICO, and the position which should be adopted by UK organisations, is that employers should not rely on consent but rather should look for another lawful basis for processing data.
PIPA provides those alternative bases at s.6(1), specifically s.6(1)(h) which states that “an organisation may use an individual’s personal information if… the use of the personal information is necessary in the context of the individual’s present, past or potential employment with the organisation”. An employer would not need to obtain consent from the employee to use their personal information provided that the use of that personal information was in line with the legislation. In practice, PIPA is in fact making the lives of the employer easier; removing the need to obtain consent. The onus will be on the employer to show that it was “necessary in the context of” employment to use that personal data and this is likely where any potential dispute may lie.
Given the UK’s position on employers using consent as the lawful basis by which to use employee information, this is likely to be persuasive to a court in Bermuda. Additionally, following the introduction of s.6(1)(h) of PIPA, employers may wish to rely on the legislative provisions in PIPA as the lawful basis for the use of personal information rather than any consent provisions in a contract of employment.
First Published in the Bermuda Chamber of Commerce Newsletter (Chamber Insider), June 2023
