Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Bermuda: PrivCom publishes blog on lawful bases for use of personal data
On April 22, 2024, the Bermuda Office of the Privacy Commissioner (PrivCom) published a blog outlining the conditions under which organizations may use personal information according to the Personal Information Protection Act (PIPA) 2016.
Lawful bases
In particular, the blog highlights that Section 6 of PIPA lists six lawful bases for the use of personal information, namely when:
- an organization has the consent of the individual;
- a reasonable person would not expect that an individual would object, and there is no prejudice to the individual's rights;
- the organization needs that information to fulfill a contract;
- it is a legal requirement to collect and/or use the information;
- the information is publicly available and will be used for the same purpose that it was made public;
- the use of the personal information is necessary to respond to an emergency; and
- the use of the personal information is necessary in the context of an individual's employment relationship with the organization.
Consent
The blog states that organizations must ensure that consent for using personal information is both clear and specific. Further, the blog provides the following tips and good practices regarding consent:
- consent requests should be separate from other terms and conditions;
- separate consent must be obtained for different uses of personal information;
- the language used in consent forms should be clear and concise;
- any overseas third parties who will rely on the consent need to be clearly named;
- organizations should document evidence of consent; and
- consent should be reviewed and updated if the use of personal information changes.
You can read the blog here.