Introduction
PIPA came into full force on 1 January 2025. All organisations that are in scope need to be familiar with the privacy protection obligations that now apply. We summarise these below before answering the key questions regarding PIPA compliance.
- Responsibility and compliance – organisations must ensure controls are in place that are tailored to the organisation to give effect to its obligations and the rights of individuals to privacy.
- Conditions for use – organisations are only permitted to use personal information where a lawful condition for such use applies.
- Sensitive personal information – sensitive personal information may only be used where lawful, and the conditions for use are stricter, most often requiring the explicit consent of the individual. Sensitive personal information includes any personal information relating to an individual's place of origin, race, colour, national or ethnic origin, sex, sexual orientation, sexual life, marital status, physical or mental disability, physical or mental health, family status, religious beliefs, political opinions, trade union membership, biometric information or genetic information.
- Fairness – organisations should only use personal information where it is fair to do so and not detrimental, unexpected, or misleading to the individual concerned.
- Privacy Notice – all individuals must be provided with a privacy notice prior to, or at the time of, collection of personal information that is compliant with the requirements for such notices under Section 9 of PIPA.
- Purpose limitation – organisations must only use personal information for the purpose(s) for which it was collected or related purposes.
- Proportionality – personal information used must be adequate, relevant and not excessive in relation to the purposes for which it is used.
- Integrity – an organisation should take reasonable steps to ensure the personal information that it uses is up-to-date and accurate.
- Security safeguards – security safeguards must be maintained to protect personal information.
- Transfer of personal information to an overseas third party – transfers to an overseas third party are subject to additional requirements.
- Protection of children – specific rules apply to the use of personal information about a child, defined to mean anyone under the age of 14.
- Rights of individuals – individuals maintain rights over their personal information in relation to access, correction, blocking and consent.
- Privacy Officer – all in scope organisations are required to appoint a privacy officer who is responsible for the management of personal information.
What entities are in scope?
PIPA applies to all organisations in Bermuda that "use" "personal information", where such information is used wholly or partly by automated means or where it forms, or is intended to form, part of a structured filing system.
"Personal information" means any information about an identified or identifiable individual. In practice this means any information from which an individual could be identified, directly or indirectly, by itself or when combined with other information or context.
"Use" in relation to personal information has a very broad application and includes carrying out any operation on personal information including collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying it.
Are all Bermuda based organisations in scope?
No. Many organisations in Bermuda will not be using personal information at all. Captive insurers, reinsurers and holding companies, for example, may not use any personal information themselves and will therefore be out of scope for PIPA compliance. This is a question of fact and will depend on whether the organisation itself uses, for example, underlying policyholder information, director and officer information, KYC information or employee information. For many such entities, all of this information may sit with a corporate service provider, insurance manager or other third party within, or outside of, Bermuda.
Are overseas entities in scope?
No. PIPA applies only to organisations in Bermuda. An overseas organisation is out of scope regardless of whether it is providing goods and services to individuals in Bermuda, monitoring the behaviour of individuals in Bermuda or otherwise collecting the personal information of individuals in Bermuda.
How does an organisation demonstrate responsibility and compliance?
Organisations need to implement policies and procedures that are commensurate with their nature, size and complexity, including:
- implementing an internal Personal Information Protection Policy and an external Privacy Notice;
- a documented data mapping exercise;
- documented use practices for personal information, including the conditions relied upon for use;
- staff training;
- documented rationale for data sharing arrangements;
- contractual clauses requiring PIPA compliance;
- privacy impact assessments;
- breach incident response plans; and
- procedures to respond to PIPA rights requests.
Who can be a privacy officer?
All in scope organisations are required to appoint a privacy officer who is responsible for the management of personal information. The role may be filled by an in-house privacy officer or outsourced to an external provider, and the privacy officer may be located overseas. The individual should have a good understanding of privacy laws and concepts and should have the time available to dedicate to the Bermuda role.
What are the lawful conditions for use?
Organisations may only use personal information where a lawful condition exists. Such conditions are:
- the personal information is used with the consent of the individual and the organisation can reasonably demonstrate that the individual has knowingly consented;
- except in relation to sensitive personal information, a reasonable person giving due weight to the sensitivity of the personal information would consider:
  - that the individual would not reasonably be expected to request that the use of their personal information should not begin or should cease; and
  - that the use does not prejudice the rights of the individual;
- the use of the personal information is necessary for the:
  - performance of a contract to which the individual is a party; or
  - taking of steps at the request of the individual with a view to entering into a contract;
- the use of the personal information is pursuant to a provision of law that authorises or requires such use;
- the personal information is publicly available information and will be used for a purpose that is consistent with the purpose of its public availability;
- the use of the personal information is necessary to respond to an emergency that threatens the life, health or security of an individual or the public;
- the use of the personal information is necessary to perform a task carried out in the public interest or in the exercise of official authority vested in the organisation or in a third party to whom the personal information is disclosed; or
- the use of the personal information is necessary in the context of an individual’s present, past or potential employment relationship with the organisation.
Where such a condition does not apply, organisations may only use personal information in very limited circumstances, as set out in Section 6(3) of PIPA.
What constitutes consent?
To be able to rely on consent as the condition for use, an organisation shall provide clear, prominent, easily understandable, accessible mechanisms for an individual to give consent in relation to the use of their personal information, i.e., express consent.
However, an organisation is not obliged to provide such mechanisms where it can be reasonably implied from the conduct of an individual that the individual consents to the use of their personal information for all intended purposes that have been notified to them, but this does not apply to sensitive personal information. That is, implied consent can be relied upon provided sensitive information is not being used and an adequately drafted privacy notice has been provided.
When an individual consents to the disclosure of their personal information by an intermediary for a specified purpose, that individual will be deemed to have consented to the use of that personal information by the receiving organisation for the specified purpose.
An individual will also be deemed to have consented to the use of their personal information for the purpose of coverage or enrolment under an insurance, trust, benefit or similar plan if the individual has an interest in or derives a benefit from that plan.
Is direct marketing permitted?
Unlike other jurisdictions, PIPA does not require express consent to be in place for direct marketing. Instead, individuals have a right to request an organisation to cease, or not to begin, using their personal information for the purposes of advertising, marketing or public relations. It is therefore an "opt-out" regime.
What security safeguards are required?
Organisations are required to maintain safeguards to protect personal information from loss, unauthorised access, destruction, use, modification or disclosure or any other misuse.
There is no one-size-fits-all standard. Safeguards must be proportionate to the likelihood and severity of the harm that could occur, the sensitivity of the personal information, and the context in which it is held.
What obligations arise in the event of a breach?
Where a breach of security leads to the loss or unlawful destruction of, or unauthorised disclosure of or access to, personal information, and the breach is likely to adversely affect an individual, the organisation responsible for that personal information must, without "undue delay", report the breach to the Privacy Commissioner and then notify any affected individual. "Undue delay" is not defined in PIPA. That flexibility gives an organisation time to contain the breach before turning to its reporting obligations, in contrast to many overseas regimes that impose a fixed reporting timeframe.
What additional obligations apply to overseas transfers?
Prior to making an overseas third-party transfer, an organisation must assess the level of protection provided by the overseas third party for that personal information, including considering the level of protection offered by the law applicable to the overseas third party as well as the safeguards in place at the overseas third party itself.
If an organisation is not satisfied with the level of protection offered, it must ensure that the contract with the third party sets out clear obligations in relation to the personal information, including having adequate protections in place to prevent loss or theft of the personal information, requirements to notify the organisation of adverse events regarding the personal information, and requirements to use the personal information only for the purposes for which it was collected.
What exemptions exist?
PIPA does not apply to:
- the use of personal information for personal or domestic purposes;
- the use of personal information for artistic, literary or journalistic purposes with a view to publication in the public interest in so far as is necessary to protect the right to freedom of expression;
- the use of business contact information for the purpose of contacting an individual in their capacity as an employee or official of an organisation;
- personal information about an individual who has been dead for at least 20 years;
- personal information about an individual that has been in existence for at least 150 years;
- personal information transferred to an archival institution where access to the personal information was unrestricted or governed by an agreement between the archival institution and the donor of the personal information before the coming into operation of PIPA;
- personal information contained in a court file and used by a judge of any court in Bermuda or used as part of judicial administration or relating to support services provided to the judges of any court in Bermuda, but only where such personal information is necessary for judicial purposes;
- personal information contained in a personal note, communication or draft decision created by or for an individual who is acting in a judicial, quasi-judicial or adjudicative capacity; or
- personal information used by a member of the House of Assembly or the Senate where such use relates to the exercise of the individual's political function and the personal information is covered by parliamentary privilege.
Enforcement
PIPA provides the Privacy Commissioner with the power to grant an order following an inquiry into a matter or complaint. Such an order may:
- direct the organisation to give the individual access to all or part of their personal information that is under the control of the organisation if the Commissioner determines that the organisation is not permitted, under PIPA, to refuse access;
- confirm the decision of the organisation or require the organisation to reconsider its decision concerning access if the Commissioner determines that the organisation may, under PIPA, refuse access;
- direct the organisation to refuse the individual access to all or part of their personal information if the Commissioner determines that the organisation is required under PIPA to refuse access;
- confirm that an obligation imposed on an organisation by PIPA has been performed, or require that an obligation imposed on an organisation by PIPA be performed, including requiring an organisation to take specific steps to remedy a breach of PIPA;
- confirm that a right set out in PIPA has been observed or require that a right set out in PIPA be observed;
- confirm a decision not to correct, erase, delete or destroy personal information or specify that personal information is to be corrected, erased, deleted or destroyed and how such personal information is to be corrected, erased, deleted or destroyed and may, if reasonably practicable, require the organisation to notify third parties to whom the personal information has been disclosed of the correction, erasure, deletion or destruction;
- require an organisation to stop using personal information in contravention of PIPA;
- confirm a decision of an organisation to use personal information;
- require an organisation to destroy personal information used contrary to PIPA; or
- require an organisation to provide specific information to persons in the event of a breach which is likely to cause significant harm to individuals.
The Commissioner also has the power to issue warnings and public admonishments to an organisation. The Commissioner does not, however, have the power to impose a fine; criminal offences may instead be pursued through the Courts.
There are a range of offences in relation to the unlawful use of personal information in contravention of PIPA. An individual who commits an offence is liable on summary conviction to a fine not exceeding $25,000 and/or up to two years in prison. For an organisation that commits an offence, it may be liable on indictment to a fine not exceeding $250,000.
Conclusion
Walkers Bermuda is assisting clients on all aspects of compliance with PIPA including:
- providing advice memorandums confirming whether an entity is in scope for PIPA or out of scope;
- reviewing and revising contracts and drafting PIPA clauses;
- drafting policies and privacy notices;
- conducting and documenting data mapping exercises; and
- preparing privacy impact assessments for overseas data transfers.
Please reach out for assistance.