Bermuda - Data Protection Overview
1. Governing Texts
Data protection in Bermuda currently comprises a complex set of sectoral laws, regulator guidance and common law precedents established by the Bermuda courts. The Personal Information Protection Act 2016 ('PIPA'), however, is now partially in force within the jurisdiction and is intended to become the overarching legislation regulating the right to personal informational privacy in Bermuda.
Despite Bermuda's status as a British Overseas Territory, the EU Regulations are not part of Bermuda's current legal system and EU Directives are, accordingly, not automatically implemented into Bermuda law. Notwithstanding this, the introduction of the PIPA has caused the Government of Bermuda ('the Government') to consider the commerce opportunities that would arise from an adequacy decision from the European Commission, once the PIPA is fully in effect. Specifically, an adequacy decision would allow for the free flow of personal information between Bermuda and any EU Member State, together with the increasing number of non-EU states who have obtained such adequacy decisions. This would increase economic opportunities for international businesses operating from Bermuda by helping to satisfy international privacy compliance requirements and placing them on a level playing field with organisations based in competitor jurisdictions that are already deemed adequate by the European Commission.
Once the PIPA is fully in force, it is expected that the data protection framework will be supplemented by an official body of determinations and guidance issued by the Office of the Privacy Commissioner ('PrivCom') and decisions rendered by the Bermuda courts interpreting the legislation. In the meantime, a new body of jurisprudence has been issued by the Office of the Information Commissioner for Bermuda ('ICO') which considers the protections afforded to personal information in the context of regulating the public's access to records held by Bermuda public authorities.
BERMUDA UPDATE: 1 September 2021
On 13 December 2019, the appointment of the island’s first Privacy Commissioner, Mr. Alexander McD White, was announced by the Governor of Bermuda and the post became effective on 20 January 2020. Subsequent to that appointment, the public health crisis arising from the COVID-19 pandemic shifted local regulatory focus to the enactment of legislative measures to preserve residents' health.
Notwithstanding the uncertainty surrounding the future trajectory of Coronavirus, the appointment of the Privacy Commissioner was a significant catalyst for industry privacy awareness on island. This was due, at least in part, to the high level of activity that the Privacy Commissioner engaged in, both within the jurisdiction and overseas, to promote awareness of PrivCom and the approach to be taken by the supervisory authority to business preparations for the new statutory privacy framework.
On 17 June 2021, the Office of the Human Rights Commission for Bermuda ('HRC') tabled its Annual Report ('the HRC Report') for the year ending 31 December 2020. In the HRC Report, the HRC formally welcomed the Privacy Commissioner, and confirmed that PIPA was anticipated to be fully enacted in short succession and that PrivCom was 'integral to Bermuda's continued advancement of rights in the current world climate as an international jurisdiction.' Interestingly, the HRC reported that close to 15% of intakes that its offices received in 2020 concerned the Coronavirus and, despite the lower rate of intakes during the first few months of the pandemic, the HRC saw almost a 9% increase in overall intakes in 2020 from the previous year. It is unclear at this time to what extent the subject matter of those intakes had a nexus to any privacy informational rights, as set out in PIPA, or fell within the scope of existing data protection sectoral law in Bermuda.
In light of this on-going response, the substantive content of this guidance note has not been fully updated. It will be fully updated once the Public Health (COVID-19) Emergency Order 2021 (and corresponding regulations) have ceased to have effect under the laws of Bermuda or additional provisions of PIPA come into force within the jurisdiction.
Existing sectoral laws in Bermuda are significantly older than PIPA. While it is generally anticipated that the existing data protection law will remain in force once PIPA is fully operative, it is worth noting that PIPA expressly provides that consequential amendments to other statutes can be made by the Minister responsible for ICT policy and innovation ('the ICT Policy Minister') where it appears to be necessary or expedient for the purposes of the legislation.
All legislation, including PIPA, is and will continue to be subject to the Bermuda Constitution Order 1968 ('Constitution'), which overrides domestic legislation, common law principles and the Human Rights Act 1981 ('HRA').
PIPA expressly states that if its provisions are inconsistent or in conflict with a provision of another enactment, PIPA will prevail unless it is inconsistent with or in conflict with a provision in the HRA, in which case, the HRA will prevail. PIPA further states that the legislation applies notwithstanding any agreement to the contrary and any waiver or release of the rights, benefits, or protections provided under PIPA will be against public policy and void.
Sector-specific areas of data regulation in Bermuda include the following:
- the Digital Asset Business Act 2018 ('DABA');
- the Digital Asset Business (Cybersecurity) Rules 2018 ('the Cybersecurity Rules').
Public Authority Sector:
- the Public Access to Information Act 2010 ('PATI'); and
- the Public Access to Information Regulations 2014.
- the Telecommunications Act 1986 ('TA');
- the Electronic Communications Act 2011 ('ECA'); and
- the Electronic Transactions Act 1999 ('ETA'), and its corresponding Standard for Electronic Transactions.
Chapter 1 of the Constitution expressly establishes that every person in Bermuda is entitled to protection for the privacy of their home and other property, subject to respect for the rights and freedoms of others and for the public interest. In advance of the appointment of the Privacy Commissioner, a significant constitutional step was taken by the Governor through the exercise of her powers under the Constitution to protect and support the mandate of the Privacy Commissioner and to ensure the independence of PrivCom.
Acting in accordance with the recommendation of the Bermuda Public Service Commission, the Governor issued the Bermuda Public Service (Delegation of Powers) Amendment Regulations 2018 ('the Regulations') on 11 January 2018. Through these Regulations, the Governor has delegated her constitutional powers to both the Information Commissioner (responsible for the enforcement of PATI) and the Privacy Commissioner to exercise control over the appointment, removal, and disciplinary control of the public officers assisting in the discharge of the functions of their independent offices. This watershed measure significantly reduced the risk of governmental influence over these offices and is thoroughly welcomed as part of good governance for the administration of these offices and in preparation for an adequacy application.
There are a number of regulatory authorities and postholders in Bermuda that have the power to issue, or have issued, guidance pertaining to data protection.
PrivCom has issued the following guidance:
- Guidance on Privacy Issues in Public Health Emergencies; and
- Guidance on Collection and Usage of Data for Contact Tracing.
The ICO has not issued any guidance.
The Bermuda Monetary Authority ('BMA') has issued the following guidance:
- Operational Cyber Risk Management Code of Conduct ('Cyber Code of Conduct') for the Insurance Sector, issued in October 2020.
This Cyber Code of Conduct applies to all Bermuda registered insurers, insurance managers, and intermediaries (agents, brokers and insurance marketplace providers). These categories of organisations are collectively referred to throughout the Cyber Code of Conduct as 'registrants'.
The Cyber Code of Conduct confirms that the BMA will assess the registrant's compliance with the guidance in a proportionate manner relative to its nature, scale, and complexity. These elements will be considered collectively, rather than individually (e.g., a registrant could be relatively small in scale but manage an extremely complex business; therefore, it would still be required to maintain a sophisticated risk management framework).
The Cyber Code of Conduct came into effect on 1 January 2021 and registrants are required to be in compliance by 31 December 2021.
Pursuant to section 32 of PIPA (not in force), the ICT Policy Minister will be required to issue codes of practice, after consultation with the Privacy Commissioner, with best practice advice for organisations generally, or for specific types of organisations, to comply with PIPA. The Privacy Commissioner may also be consulted by the Minister in connection with the Minister's passing of general regulations for carrying out or giving effect to the purposes of PIPA.
The ICT Policy Minister has not issued any guidance.
1.3. Case law
2. Scope of Application
PIPA will apply to every organisation that uses personal information in Bermuda where that personal information is used wholly or partly by automated means, and to the use, other than by automated means, of personal information which forms, or is intended to form, part of a structured filing system.
Please see 2.1 above.
PIPA does not apply to:
- the use of personal information for personal or domestic purposes;
- the use of personal information for artistic, literary, or journalistic purposes with a view to publication in the public interest in so far as is necessary to protect the right to freedom of expression;
- the use of business contact information (an individual's name, position name, or title, business telephone number, business address, business e-mail, business fax number, and other similar business information) for the purpose of contacting an individual in their capacity as an employee or official of an organisation;
- personal information about an individual who has been dead for at least 20 years;
- personal information about an individual that has been in existence for at least 150 years;
- personal information transferred to an archival institution where access to the personal information was unrestricted or governed by an agreement between the archival institution and the donor of the personal information before the coming into operation of PIPA;
- personal information contained in a court file and used by a judge of any court in Bermuda, used as part of judicial administration or relating to support services provided to the judges of any court in Bermuda, but only where such personal information is necessary for judicial purposes;
- personal information contained in a personal note, communication, or draft decision created by or for an individual who is acting in a judicial, quasi-judicial, or adjudicative capacity; and
- personal information used by a member of the House of Assembly or the Senate where such use relates to the exercise of his political function and the personal information is covered by parliamentary privilege.
The legislation will also not apply to affect any legal privilege, limit the information available by law to a party to any legal proceedings, or limit or affect the use of information that is the subject of trust conditions or undertakings to which a lawyer is subject.
PIPA further establishes a series of exemptions for organisations. The main exemptions provide that, except for the minimum requirements, organisations do not need to comply with many of the substantive provisions of PIPA.
The main exemptions in PIPA can be broadly described as follows:
- the national security exemption, which requires an exemption certificate signed by the ICT Policy Minister;
- the communication provider exemption, which eliminates the liabilities of directors, officers, or authorised agents of communications providers for any breach committed while acting as a communication provider under PIPA;
- the regulatory activity and honours exemption, which applies only if:
- such use is required for the purposes of discharging a relevant function (as defined in the section); the relevant function is designed for a purpose recognised by the section; and
- only to the extent to which the application of the substantive provisions of PIPA would be likely to prejudice the proper discharge of those functions; and
- the general exemption, which applies to specific instances of law enforcement, the economic, or financial interests of Bermuda and the regulation of professionals, to the extent that the application of some of the substantive provisions of PIPA would be likely to prejudice any of these matters.
The ancillary exemption in PIPA is as follows:
- the disclosure for the purposes of business transaction exemption, which applies during the period leading up to and including the completion of a business transaction, and also once a business transaction has been completed, but only if:
- the business transaction falls within the specific definition provided by PIPA; and
- the personal information is necessary for a purpose identified by PIPA.
3.1. Main regulator for data protection
On 20 January 2020, the appointment of Bermuda's first Privacy Commissioner, Mr. Alexander McD White, became effective. Notwithstanding this notable advancement towards enhanced privacy regulatory enforcement in Bermuda, the substantive provisions of PIPA remain inoperative and data protection is largely regulated by the Courts and on a sectoral basis.
3.2. Main powers, duties and responsibilities
The main powers, duties, and responsibilities of the Privacy Commissioner are threefold and can be summarised as follows:
Investigation and resolution of complaints
- conduct investigations or inquiries concerning compliance with PIPA; and
- attempt to resolve complaints by negotiation, conciliation, mediation, or otherwise.
Education and industry guidance
- comment on the implications for protection of personal information in relation to an organisation's existing or proposed programs;
- approve binding corporate rules ('BCR') for transfers of personal information to an overseas third party. BCRs are defined under PIPA as personal information protection policies approved by the Privacy Commissioner which are adhered to by an organisation for transfers or sets of transfers of personal information;
- give guidance and recommendations of general application to an organisation on matters relating to its rights or obligations under PIPA; and
- establish or assist with the establishment of certification mechanisms and associated rules for the purpose of demonstrating compliance with PIPA (and may, without prejudice to their tasks and powers, delegate the operation of a certification mechanism to an independent certification body with the appropriate level of expertise in relation to the protection of personal information).
Orders and enforcement activity
- issue formal warnings, admonish an organisation, and bring to its attention any failure by the organisation to comply with PIPA;
- agree on a course of action with an organisation;
- issue orders in connection with inquiries and permit an organisation to transfer personal information to an overseas third party (for use either on behalf of the organisation or for that overseas third party's own business practices) where the organisation has reasonably demonstrated that it is unable to comply with PIPA's statutory procedure for organisations to assess the level of protection provided by an overseas third party for personal information (provided the transfer does not undermine the rights of the individual); and
- authorise an organisation to disregard one or more requests for access to personal information, medical records or rectification, blocking, erasure, or destruction of personal information if the requests would unreasonably interfere with the operations of the organisation or amount to an abuse of the right to make those requests because of their repetitious or systematic nature or are otherwise frivolous or vexatious.
On completing an inquiry, the Privacy Commissioner must dispose of the matters by making an order or issuing a formal warning or public admonishment.
If the inquiry relates to an organisation's decision to give or refuse to give access to all or part of an individual's personal information the Privacy Commissioner may, by order:
- direct the organisation to give the individual access to all or part of their personal information that is under the control of the organisation;
- confirm the decision of the organisation;
- require the organisation to reconsider its decision concerning access; or
- direct the organisation to refuse the individual access to all or part of their personal information.
If the inquiry relates to any other matter, the Privacy Commissioner may, by order, do one or more of the following:
- confirm that a PIPA obligation imposed on an organisation has been performed;
- require that a PIPA obligation imposed on an organisation be performed (including requiring an organisation to take specific steps to remedy a breach of the legislation);
- confirm that a right set out in PIPA has been observed;
- require that a right set out in PIPA be observed;
- confirm an organisation's decision not to correct, erase, delete, or destroy personal information;
- specify that personal information is to be corrected, erased, deleted, or destroyed by an organisation and:
- how such personal information is to be corrected, erased, deleted, or destroyed; and
- may, if reasonably practicable, require the organisation to notify third parties to whom the personal information has been disclosed of the correction, erasure, deletion, or destruction;
- require an organisation to stop using personal information in contravention of PIPA;
- confirm a decision of an organisation to use personal information;
- require an organisation to destroy personal information used contrary to PIPA; and
- require an organisation to provide specific information to persons in the event of a breach of security.
The Privacy Commissioner may, alternatively, make an order as they consider appropriate or may issue a formal warning or public admonishment if the abovementioned orders would not be applicable. A copy of an abovementioned order may be filed with the Registrar of the Supreme Court of Bermuda and, after filing, the order is enforceable as a judgment or order of that court.
4. Key Definitions
Data controller/data processor: There is no definition for 'data controller' or 'data processor' in PIPA. However, an 'organisation' is any individual, entity, or public authority that uses personal information.
Sensitive data: 'Sensitive personal information' is any personal information relating to an individual's place of origin, race, colour, national or ethnic origin, sex, sexual orientation, sexual life, marital status, physical or mental disability, physical or mental health, family status, religious beliefs, political opinions, trade union membership, biometric information or genetic information (not yet in force).
Biometric data: Any information relating to the physical, physiological, or behavioural characteristics of an individual which allows his unique identification, such as facial images or fingerprint information.
5. Legal Bases
Conditions for use of Personal Information
Section 6 (not in force) of PIPA establishes that (with limited exceptions) an organisation may use an individual's personal information only if one or more of the following conditions are met:
- the personal information is used with the consent of the individual where the organisation can reasonably demonstrate that the individual has knowingly consented;
- except in relation to sensitive personal information, a reasonable person giving due weight to the sensitivity of the personal information would consider that the individual would not reasonably be expected to request that the use of his personal information should not begin or cease and that the use does not prejudice the rights of the individual;
- the use of the personal information is necessary for the performance of a contract to which the individual is a party or for the taking of steps at the request of the individual with a view to entering into a contract;
- the use of the personal information is pursuant to a provision of law that authorises or requires such use;
- the personal information is publicly available information and will be used for a purpose that is consistent with the purpose of its public availability;
- the use of the personal information is necessary to respond to an emergency that threatens the life, health, or security of an individual or the public;
- the use of the personal information is necessary to perform a task carried out in the public interest or in the exercise of official authority vested in the organisation or in a third party to whom the personal information is disclosed; or
- the use of the personal information is necessary in the context of an individual's present, past or potential employment relationship with the organisation.
For the purpose of relying on consent as a condition for the use of personal information, PIPA will provide that:
- an organisation must provide clear, prominent, easily understandable, accessible mechanisms for an individual to give consent in relation to the use of his personal information;
- an organisation is not obliged to provide such mechanisms where it can be reasonably implied from the conduct of an individual that he consents to the use of his personal information for all intended purposes that have been notified to him, but this does not apply to sensitive personal information;
- when an individual consents to the disclosure of his personal information by an intermediary for a specified purpose, that individual will be deemed to have consented to the use of that personal information by the receiving organisation for the specified purpose; and
- an individual will be deemed to have consented to the use of his personal information for the purpose of coverage or enrolment under insurance, trust, benefit, or similar plan if the individual has an interest in or derives a benefit from that plan.
Please see section on legal bases above.
If an organisation is unable to meet any of the conditions of use in PIPA (as set out above) then it may use personal information only if:
- the personal information was collected from, or is disclosed to, a public authority which is authorised or required by a statutory provision to provide the personal information to, or collect it from, the organisation;
- the use of the personal information is for the purpose of complying with an order made by a court, individual, or body having jurisdiction over the organisation; or
- the use of the personal information is reasonable to protect or defend the organisation in any legal proceeding.
Please see section on legal bases above.
If an organisation is unable to meet any of the conditions of use in PIPA (as set out above) then it may use personal information only if:
- the use of the personal information is for the purpose of contacting the next of kin or a friend of an injured, ill or deceased individual;
- the use of the personal information is necessary in order to collect a debt owed to the organisation or for the organisation to repay to the individual money owed by the organisation; or
- the use of the personal information is in connection with disclosure to the surviving spouse or a relative of a deceased individual if, in the reasonable opinion of the organisation, the disclosure is appropriate.
The PIPA Draft Model and its corresponding explanatory notes ('the Explanatory Notes') were released in 2015.
The Explanatory Notes defined privacy as 'the expectation that confidential personal information disclosed in private will not be disclosed to third parties when that disclosure would cause either embarrassment or emotional distress to a person of reasonable sensitivities.' They further confirmed that the PIPA Draft Model was based on the following eight international privacy principles:
- personal information shall be used fairly and lawfully;
- personal information shall be used for limited specified purposes;
- personal information shall be adequate, relevant, and not excessive in relation to the purpose or purposes for which they are used;
- personal information shall be accurate and, where necessary, kept up to date;
- personal information used for any purpose shall not be kept for longer than is necessary for that use;
- personal information shall be used in accordance with the rights of individuals;
- personal information shall be kept securely; and
- personal information shall only be transferred to third parties (including international transfers) where there is a comparable level of protection.
According to the Explanatory Notes, the PIPA Draft Model was intended to provide a light regulatory environment, but had been prepared so that an application for EU adequacy might be made. In this context, the Explanatory Notes confirmed that the purpose of PIPA was 'to govern the use of personal information by organisations in a manner that recognises both the need to protect the human rights of individuals in relation to their personal information and the need of organisations to use personal information for purposes that are legitimate.'
7. Controller and Processor Obligations
Organisations are not required to register with PrivCom.
PIPA does not adopt the terms 'controller' or 'processor' (or 'joint controller') into its terminology for the purposes of defining the extent of organisations' responsibilities and rights. PIPA does, however, make a distinction between a third party and an overseas third party, and establishes a statutory procedure (not in force) for organisations to assess the level of protection provided by an overseas third party for personal information in advance of any transfer of personal information to that overseas third party.
PIPA establishes that where an organisation engages (by contract or otherwise) the services of a third party in connection with the use of personal information, the organisation remains responsible for ensuring compliance with the legislation at all times. A 'third party' is not defined in PIPA.
When an organisation that uses personal information in Bermuda transfers personal information to an overseas third party for use by that overseas third party on behalf of the organisation, or for the overseas third party's own business purposes, the organisation remains responsible for compliance with PIPA in relation to that personal information.
Before making any such transfer, the general requirement (not currently in force) established by PIPA is that an organisation must complete the following statutory procedure to assess the level of protection provided by the overseas third party for that personal information:
- consider the level of protection afforded by the law applicable to such overseas third party;
- if the organisation reasonably believes that the protection provided by the overseas third party is comparable to the level of protection required by PIPA, the organisation may rely on such comparable level of protection while the personal information is being used by the overseas third party; and
- where the level of protection threshold is not satisfied, the organisation must employ contractual mechanisms, corporate codes of conduct including BCRs, or other means to ensure that the overseas third party provides a comparable level of protection.
For the purposes of deciding whether the protection provided by the overseas third party is comparable to the level of protection required by PIPA, an organisation that uses personal information in Bermuda can take into account:
- the designation of any jurisdiction as providing a comparable level of protection by the Minister; and
- the third party's adoption of a certification mechanism recognised by the Privacy Commissioner.
Notwithstanding the general position outlined above, an organisation may transfer personal information to an overseas third party for use by that overseas third party, on behalf of the organisation or for the overseas third party's own business purposes, if:
- the transfer of the personal information is necessary for the establishment, exercise, or defence of legal rights; or
- the organisation assesses all the circumstances surrounding the transfer of personal information to the overseas third party and reasonably considers that the transfer of personal information is:
- occasional; and
- unlikely to prejudice the rights of an individual.
In March 2021, the Privacy Commissioner exercised his authority under Section 29(1)(i) of PIPA to recognise the Asia Pacific Economic Cooperation ('APEC') Cross Border Privacy Rules ('CBPR') System as a certification mechanism for transfers of personal information to an overseas third party. While a relatively new standard, the CBPR System has been recognised as an overseas data transfer mechanism by multiple Asia-Pacific countries and is an explicitly named option in the recent Agreement between the United States of America, the United Mexican States, and Canada ('USMCA').
PrivCom recommended that if an overseas third party claims to be CBPR-certified, Bermudian organisations should verify their claim by consulting the public Compliance Directory and should further ensure that the CBPR certification is a material part of their agreement with the overseas third party.
There is no explicit requirement in PIPA for organisations to maintain records pertaining to their use of personal information. Notwithstanding this, once PIPA is fully in force it may prove challenging for organisations to meet their wider obligations under PIPA and to demonstrate that their practices are compliant with PIPA in the absence of the same.
Sectoral law in Bermuda does establish general statutory requirements for the maintenance of records by organisations.
There is no explicit requirement in PIPA for organisations to carry out a Data Protection Impact Assessment ('DPIA').
Notwithstanding this, once PIPA is fully in force, organisations which use personal information will be subject to the statutory requirements of fairness, purpose limitation, proportionality, maintaining the integrity of personal information, and employing security safeguards.
An overarching requirement will be that an organisation must adopt suitable measures and policies to give effect to its obligations and to the rights of individuals in PIPA, and must further act in a reasonable manner.
In the absence of carrying out a DPIA or establishing internal triggers for the circumstances in which a DPIA should be undertaken, an organisation may find it challenging to meet these wider obligations and to demonstrate that its practices with respect to the use of personal information are compliant with PIPA.
PIPA requires organisations to designate a representative privacy officer for the purposes of compliance with the legislation. The privacy officer will be tasked with the primary responsibility for communicating with the Privacy Commissioner. The legislation confirms that a group of organisations under common ownership or control may appoint a single privacy officer, provided that a privacy officer is accessible from each organisation. A designated privacy officer may also delegate their duties to one or more individuals.
PIPA mandates that where there has been a breach of security leading to the loss or unlawful destruction or unauthorised disclosure of or access to personal information, which is likely to adversely affect an individual, the organisation responsible for that personal information must, without undue delay:
- notify any individual affected by the breach; and
- notify the Privacy Commissioner of the breach. The notification to the Privacy Commissioner must describe:
- the nature of the breach;
- its likely consequences for that individual; and
- the measures taken and to be taken by the organisation to address the breach, so that the Privacy Commissioner can determine whether to order the organisation to take further steps and for the Privacy Commissioner to maintain a record of the breach and the measures taken.
There are no specific provisions in PIPA requiring organisations to delete personal information within specific timeframes. However, PIPA does provide that an organisation must ensure that personal information for any use is not kept for longer than is necessary for that use. This is considered part of an organisation's responsibility to maintain the integrity of personal information.
Once fully in force, PIPA will regulate the use of personal information about children in the context of information society services. In this context, the following statutory definitions are applicable:
- information society service: means a service which is delivered by means of digital or electronic communications; and
- child: means an individual under the age of 14.
PIPA will require that an organisation which uses personal information about a child in the provision of an information society service where:
- the service is targeted at children; or
- the organisation has actual knowledge that it is using personal information about children,
and where consent is relied upon, must obtain consent from a parent or guardian before the personal information is collected or otherwise used.
In using personal information about a child in the provision of an information society service, an organisation must be reasonably satisfied that any consent obtained is verifiable (so that it can be obtained only from the child's parent or guardian) and must further establish procedures to verify whether an individual is a child when it is reasonably likely that the organisation will use personal information about a child.
When an organisation is providing an information society service to a child, the organisation will further be prohibited from seeking to obtain personal information from the child about other individuals, including in particular, personal information relating to the professional activity of parents or guardians, financial information or sociological information. This prohibition is subject to the exception that an organisation may seek to obtain personal information about the identity and address of the child's parent or guardian for the sole purpose of obtaining consent in accordance with PIPA's requirements.
When complying with its PIPA obligations, an organisation delivering an information society service to a child must provide a privacy notice that is easily understandable and appropriate to the age of the child.
In legal proceedings brought against an organisation for failure to comply with these requirements, it will be a defence for the organisation to prove that it had taken such care as in all circumstances was reasonably necessary to comply with these requirements.
Once fully in force, PIPA will prohibit an organisation from using sensitive personal information without lawful authority to discriminate against any person contrary to any provision of Part II of the HRA. Sensitive personal information will be considered to be used with lawful authority if, and only to the extent that, it is used:
- with the consent of any individual to whom the information relates;
- in accordance with an order made by either the court or the Privacy Commissioner;
- for the purpose of any criminal or civil proceedings; or
- in the context of recruitment or employment where the nature of the role justifies such use.
There is currently no requirement in PIPA for an organisation to enter into a contractual arrangement with a third party to lawfully effect a transfer of personal information. However, section 5 (not in force) of PIPA expressly confirms that where an organisation engages (by contract or otherwise) the services of a third party in connection with the use of personal information, the organisation remains responsible at all times for ensuring compliance with the legislation.
Section 15 (not in force) further establishes a statutory verification process that organisations regulated by PIPA must undertake prior to any transfer of personal information to an overseas third party. If a regulated organisation reasonably believes that the protection provided by the overseas third party is not comparable to the level of protection required by PIPA, that organisation must employ contractual mechanisms, corporate codes of conduct (including binding corporate rules), or other means to ensure that the overseas third party provides a comparable level of protection.
Where a regulated organisation relies on a certification mechanism, even one that has been recognised by the Privacy Commissioner, to justify its determination that the protection in an overseas third party's country is comparable to PIPA, the guidance of the Privacy Commissioner indicates that the organisation should ensure that the certification is a material part of its agreement with the overseas third party.
8. Data Subject Rights
Once fully in force, PIPA will require organisations to take all reasonably practicable steps to ensure that a privacy notice is provided to data subjects either before or at the time of collection of personal information, or, where that is not possible, as soon thereafter as is reasonably practicable.
Subject to discrete exceptions, Section 9 (not in force) of PIPA mandates that organisations must issue privacy notices to individuals regarding their practices and policies with respect to personal information. Organisations must take all reasonably practicable steps to ensure that the privacy notice is provided either before or at the time of collection of personal information, or, where that is not possible, as soon thereafter as is reasonably practicable. The following mandatory content must be included in the privacy notice of an organisation:
- the fact that personal information is being used;
- the purposes for which personal information is or might be used;
- the identity and types of individuals or organisations to whom personal information might be disclosed;
- the identity and location of the organisation, including information on how to contact it about its handling of personal information;
- the name of the privacy officer; and
- the choices and means that the organisation provides to an individual for limiting the use of, and for accessing, rectifying, blocking, erasing, and destroying their personal information.
Subject to specific exemptions, at the request of an individual for access to their personal information, and having regard to that which is reasonable, an organisation must provide the individual with access to:
- personal information about the individual in the custody or under the control of the organisation;
- the purposes for which the personal information has been and is being used by the organisation; and
- the names of the persons or types of persons to whom, and circumstances in which, the personal information has been and is being disclosed.
An individual may make a written request to an organisation to correct an error or omission in any of their personal information which is under the control of the organisation. If there is an error or omission in personal information in respect of which a request for a correction is received by an organisation, the organisation must correct the personal information as soon as reasonably practicable. Where the organisation has also disclosed the incorrect information to other organisations, the organisation must send a notification containing the corrected information to each such organisation, if it is reasonable to do so.
An individual may request an organisation to erase or destroy personal information about themselves where that personal information is no longer relevant for the purposes of its use. On receiving such a request, an organisation must erase or destroy the personal information that the individual has identified in their request or provide the individual with its written reasons as to why the use of such personal information is justified.
An individual may request an organisation to cease, or not to begin, using their personal information for the purposes of advertising, marketing, or public relations. On receiving such a request, an organisation must cease, or not begin, using the personal information for such purposes. An individual may also request an organisation to cease, or not to begin, using their personal information where the use of that personal information is causing or is likely to cause substantial damage or substantial distress to the individual or to another individual. On receiving such a request, an organisation must either cease, or not begin, using the personal information that the individual has identified in their request, or provide the individual with written reasons as to why the use of such personal information is justified.
Although PIPA does provide for the right to access personal information, the legislation does not expressly provide for a right to data portability. However, it is possible that this activity could fall within the scope of the right of access; this remains a matter for the interpretation of the Privacy Commissioner.
PIPA currently does not expressly provide for a right not to be subject to automated decision-making. However, it is possible that this activity could fall within the scope of other rights; this remains a matter for the interpretation of the Privacy Commissioner.
Subject to Section 47(5), a person commits an offence if he (Section 47(1) of PIPA):
- wilfully or negligently uses or authorises the use of personal information in a manner that is inconsistent with Part 2 of PIPA and is likely to cause harm to an individual or individuals;
- wilfully attempts to gain or gains access to personal information in a manner that is inconsistent with PIPA and is likely to cause harm to an individual or individuals;
- disposes of or alters, falsifies, conceals, or destroys personal information, or directs another person to do so, in order to evade a request for access to the personal information;
- obstructs the Commissioner or an authorised delegate of the Commissioner in the performance of the Commissioner's duties, powers, or functions under PIPA; or
- knowingly or recklessly fails to comply with Section 34(1) (restrictions on disclosure by Commissioner or staff).
Subject to Section 47(4) and (5), a person commits an offence if he (Section 47(2) of PIPA):
- fails to comply with an order made by the Commissioner under PIPA;
- fails to comply with a notice served by the Commissioner under PIPA;
- contravenes section 7 (sensitive personal information);
- disposes of, alters, falsifies, conceals, or destroys evidence during an investigation or inquiry by the Commissioner; or
- fails to notify a breach of security to the Commissioner in accordance with section 14 of PIPA.
A person who commits an offence under Section 47(1) or (2) is liable (Section 47(3) of PIPA):
- on summary conviction, in the case of an individual, to a fine not exceeding $25,000 or to imprisonment not exceeding two years or to both; and
- on conviction on indictment, in the case of a person other than an individual, to a fine not exceeding $250,000.
In proceedings brought against an organisation or an individual, it is a defence for the organisation or individual charged with an offence under Section 47(2) to prove to the satisfaction of the court that the organisation or individual, as the case may be, acted reasonably in the circumstances that gave rise to the offence (Section 47(4) of PIPA).
In determining whether a person has committed an offence under PIPA, a court shall consider whether a person has followed any relevant code of practice which was at the time issued by the Minister (Section 47(5) of PIPA).
Where an offence under PIPA has been committed by a body corporate and is proved to have been committed with the consent or connivance of, or to be attributable to any neglect on the part of (Section 47(6) of PIPA):
- any director, manager, secretary, or similar officer of the body corporate; or
- any person who was purporting to act in any such capacity, he, as well as the body corporate, commits that offence and is liable to be proceeded against and punished accordingly.
Where the affairs of a body corporate are managed by its members, Section 47(6) applies, in relation to the acts and defaults of a member in connection with his functions of management, as if he were a director of the body corporate.
A copy of an order made by the Privacy Commissioner may be filed with the Registrar of the Supreme Court of Bermuda ('Supreme Court') and, after filing, the order is enforceable as a judgment or order of that Court.
An individual who suffers financial loss or emotional distress due to an organisation's failure to comply with any of the requirements of PIPA will be entitled to compensation from the organisation. The amount of compensation that an individual is entitled to under PIPA for each contravention will be determined by the Court.
In legal proceedings brought against an organisation for failure to comply with PIPA, it will be a defence for the organisation to prove that it had taken such care as in all circumstances was reasonably necessary to comply with the requirement.
In the absence of the substantive provisions of PIPA being in force, no formal enforcement decisions have been issued by the Privacy Commissioner to date.
However, decisions of the ICO under the PATI framework pertaining to personal information are listed below:
- Decision Notice 02/2017: Public Service Commission (Request to amend record of personal information: failure to decide within statutory timeframes);
- Decision Notice 01/2018: Bermuda Tourism Authority (Employee compensation);
- Decision Notice 06/2018: Government Department (Personnel records);
- Decision Notice 02/2019: Office of the Governor (DPP recruitment and appointment records);
- Decision Notice 10/2019: Department of Corrections (Records related to released sex offenders);
- Decision Notice 24/2019: Bermuda Hospitals Board (Executive Team compensation);
- Decision Notice 30/2019: Ministry of Health Headquarters (Medical cannabis import application records);
- Decision Notice 32/2019: Ministry of Health Headquarters (Physician referral letters);
- Decision Notice 02/2020: Department of Health (Records of incidents in day care centres and child care provider); and
- Decision Notice 03/2020: Ministry of Education Headquarters (Records of personal information).