Update on the Bermuda Personal Information Protection Act 2016
The substantive provisions of the Bermuda Personal Information Protection Act 2016 (PIPA) are expected to come into operation later this year. The PIPA was passed by the Bermuda House of Assembly and Senate and received royal assent in 2016, but the date on which its substantive provisions come into operation was postponed to allow organisations time to prepare themselves for compliance. It applies to organisations’ use of “personal information” in Bermuda where the personal information is used wholly or partly by automated means or where it forms or is intended to form part of a “structured filing system”.
The PIPA and European data protection
It is hoped that the new laws will enable Bermuda to secure an adequacy determination from the European Commission. An adequacy determination would facilitate the cross-border transfer or personal data between Bermuda and the European Economic Area pursuant to provisions of the European Union General Data Protection Regulation (Regulation (EU) 2016/679 (EU GDPR)).
As with the EU GDPR, the lawful use of personal information under the PIPA is built around the knowing consent of the individual to whom the information relates. Organisations are to send privacy notices to individuals identifying the purposes for which personal information will be used; explaining their rights; and providing the means for giving consent. Use of personal information is to be consistent with the notices. The PIPA allows carve-outs for certain uses, where actual consent is not needed, including:
- Where the use is necessary for the performance of contracts or for entry into contracts at the request of the individual.
- Where the use is necessary in the context of the individual’s present, past or potential employment by the organisation.
- The use is pursuant to a provision of law that authorizes or requires the use.
Additionally, where a reasonable person would expect that the individual would not object to the use and the use does not prejudice the individual’s rights, consent is not required. Furthermore, consent is deemed to have been given where it can be implied from conduct. However, these exemptions do not apply to “sensitive personal information”.
Owing to the broad definition of “sensitive personal information” (which includes, for instance, information disclosing the family or marital status of an individual), it is anticipated that in practice actual consent will be needed in a wide range of cases.
The minister with responsibility for the protection of personal information will be required to establish codes of practice which will no doubt provide well-needed advice to organisations on compliance with the act. The codes of practice are to be established following consultation with the Privacy Commissioner, an office created by the PIPA. The position has not yet been filled. Applications were invited in early July 2018.
The act creates offences for certain cases of non-compliance. They are punishable by fines of up to BD$25,000 or two years imprisonment where committed by individuals or, where committed by legal persons, by fines of up to BD$250,000.
The PIPA will have wide-ranging ramifications for organisations using personal information in Bermuda. Organisations need to prepare for the coming into force of the substantive provisions of the PIPA by, among other things:
- Verifying that they have internal procedures and data security that will permit them to comply with the safeguarding provisions of the PIPA and to comply with individuals’ rights to, for example, the erasure and correction of information, where applicable.
- Analysing how they use personal information and determining which uses benefit from exemptions and which will require actual consent.
- Preparing privacy notices and ensuring that relevant means of giving consent where necessary will be provided.
- Verifying that all vendors and suppliers to whom information is transferred will use such information in a manner compliant with the PIPA.
Related item: GDPR - a 10 step launch checklist