Nov 2024
When the substantive provisions of Bermuda’s Personal Information Protection Act 2016 (PIPA) become operational on 1 January 2025, it is vital that all in-scope organisations ensure their compliance with PIPA.
This guide outlines key do’s and don’ts for organisations preparing for PIPA, from assessing whether the legislation applies to them, to implementing safeguards and adhering to proper data handling practices. By taking these steps, organisations can ensure a smooth transition to being in compliance.
Do’s
1. Determine whether your organisation is in scope of PIPA legislation
Consider if your organisation is using personal information in Bermuda. “Personal information” is defined as any information about an identified or identifiable individual (i.e. a natural person, whether they are explicitly identified by name or where their identity is identifiable from the information, such as their social insurance number). “Use” (and “using”) in relation to personal information is defined very broadly to mean carrying out any operation on personal information and includes collecting, holding, storing, disclosing, transferring and destroying information.
Use of Personal Information outside of Bermuda is not caught.
Exempted companies that do not have any employees or a physical office in Bermuda should consider whether they are actually the organisation “using” the personal information. Guidance from the Office of the Privacy Commissioner indicates that, if the only personal information being used in Bermuda is what the entity’s Bermuda service provider(s) (such as its corporate service provider or insurance manager) is using to satisfy such service provider’s statutory and contractual obligations, then it is the service provider who is using the Personal Information, and such use would be covered by the service provider’s privacy program.
2. Ensure Personal Information is only used for purpose collected
Understand what Personal Information you use and the purpose for such use. Such use must be based on one of the approved bases for use as set out in PIPA (consent from the individual being one such basis). Personal Information should only be used for the purpose for which it was collected.
It is important to note that any Personal Information used by an organisation prior to PIPA coming into force is deemed to have been used with the consent of the relevant individual(s).
3. Provide a Privacy Notice
Every organisation in scope of PIPA must provide affected individuals with a clear and easily accessible privacy notice about its practices and policies with respect to Personal Information.
4. Ensure Appropriate Safeguards
Ensure that appropriate safeguards are in place to protect the Personal Information. Such safeguards should be proportional to the sensitivity of the information and to the likelihood and severity of harm threatened to the individual if the Personal Information is lost or there is unauthorised access, modification or disclosure.
5. Continuously Review PIPA position
An organisation should review its PIPA position on an annual or periodic basis to ensure its position has not changed (e.g. does the organisation find itself collecting Personal Information not covered in its current privacy policy and notice, or, if currently out of scope of the PIPA legislation, is the organisation now collecting and using Personal Information in Bermuda?).
Don’ts
1. Collect Personal Information for unclear purpose
Use of Personal Information should be for a purpose communicated in an organisation’s privacy notice. If Personal Information is required for a new purpose, then either: (a) the use of the Personal Information must be compatible with the original purpose; (b) consent to use the Personal Information for the new purpose must be obtained; or (c) there must be a clear obligation or function set out in law that requires the use of the Personal Information.
2. Collect more Personal Information than is needed
Any Personal Information collected and used should be adequate, relevant and not excessive in relation to the purposes for which it is used.
3. Retain Personal Information for longer than necessary
Personal Information should only be kept to fulfil the purpose for which the information was collected. Organisations must have a strategy in place to ensure that the Personal Information they hold is not kept for longer than is required for its lawful purpose and is disposed of using appropriate safeguards.
For specific legal advice on how your organisation can prepare for PIPA, please contact a member of the Conyers regulatory team.
This article should not be construed as legal advice. It deals in broad terms only and is intended to provide an overview and give general information.