On 2 December 2016, the administrative provisions of the Personal Information Protection Act 2016 (PIPA; the Act) came into force establishing the office and powers of the Privacy Commissioner and providing for the method of appointment of the Privacy Commissioner. The substantive provisions of the Act will not come into force until 2018.
One objective of Parliament in passing the Personal Information and Protection Bill was to put in train the process by which Bermuda may seek a data protection adequacy determination from the European Commission. An adequacy determination will be of considerable assistance to Bermuda reinsurers, for example, who need to import personal data from Europe for underwriting and claims-related purposes.
The resolution of the European Parliament in May 2016 regarding ongoing negotiations of the EU-US Privacy Shield, an arrangement intended to replace the now defunct ‘safe harbour’ decision, has emphasised the importance to a successful adequacy application by a non-EU country that the holder of the office responsible for the administration and enforcement of domestic personal information protection legislation should be independent from government. This fact was explicitly acknowledged by the Minister for Economic Development in his ministerial statement on 3 February 2017, announcing the commencement of the administrative provisions of the Act on 2 December 2016. The Minister said ‘the creation, staffing and operations of the Commissioner’s office will be done in a manner to ensure full compliance with those requirements’.
Insurers and insurance managers, agents and brokers, in common with all organisations, will need to adopt suitable measures and policies to give effect to their obligations and to the rights of individuals set out in the Act, when the substantive provisions come into force. It will be difficult to craft measures and policies to ensure compliance until the Privacy Commissioner (once appointed) has published guidance or the Minister for Economic Development has issued a code of conduct, but insurers and insurance managers, agents and brokers should be familiarising themselves with the Act’s substantive provisions now.
Overview of PIPA
The Act applies to every organisation that uses personal information in Bermuda where the personal information:
- is used wholly or partly by automated means, or
- forms, or is intended to form, part of a structured filing system.
‘Personal information’ is information about an identified or identifiable individual.
When the substantive provisions come into force, organisations must not use personal information unless one or more of the conditions of section 6 of the Act are met.
‘Using’ personal information ‘means carrying out any operation on personal information, including collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying it’.
There are some exclusions from the regulation of the use of ‘personal information’, such as the ‘use of business contact information for the purpose of contacting an individual in his capacity as an employee or official of an organisation’. However, whether all personal information used about an individual is ‘business contact information’ is likely to be hard to determine in some cases.
In practice, organisations are likely to seek to premise their lawful use of personal information predominantly on the satisfaction of condition (1)(a) of section 6 of the Act, which requires obtaining the knowing consent of the individual. This is because compliance with the condition can be tested objectively.
Other conditions of use may also be of practical assistance to organisations, for example, where use is necessary for the performance of a contract to which the individual is a party, or is pursuant to a provision of law that authorises it, or is in relation to publicly available information. But assessing compliance with these conditions will involve a greater degree of judgment than testing for consent.
Personal information may also be used (except sensitive personal information) where a reasonable person giving due weight to the sensitivity of the personal information would consider that the individual would not reasonably be expected to request that the use of his personal information should not begin or cease and the use does not prejudice the rights of the individual.
Since it will be difficult for organisations to anticipate in any given case whether this condition is fulfilled, it is likely that it will be used more as a last resort in connection with uses that would otherwise have been unlawful, rather than relied on by organisations as a general rule for ensuring their compliance with the Act.
When the substantive provisions of the Act come into force, organisations will be required to:
- Safeguard personal information.
- Only use it in a lawful and fair manner.
- Provide individuals with privacy notices about the organisation’s practices and policies with respect to personal information; the organisation must take reasonably practicable steps to ensure these notices are provided either before or at the time of collection of the personal information.
- Except with the consent of the individual, or where necessary to provide a service or product that is required by the individual, or in certain other circumstances, use personal information only for the specific purpose stated in the privacy notice.
- Ensure that any personal information used is accurate and kept up to date to the extent necessary for the purposes of use and kept no longer than is necessary for that use.
- Not transfer personal information to an overseas third party unless it reasonably believes the personal information will be subject to a level of protection comparable to that required by the Act.
There are penalties under the Act for certain breaches and for financial loss and emotional distress:
- On summary conviction, in the case of an individual, to a fine of up to $25,000 or up to two years of imprisonment or to both.
- On conviction on indictment, in the case of a person other than an individual, to a fine of up to $250,000.
The Privacy Commissioner, when appointed, will have various powers which may be used to assist insurers and insurance managers, agents, and brokers in confirming what they must do to comply, including powers to:
- Comment on the implications for protection of personal information in relation to an organisation’s existing or proposed programmes.
- Approve binding corporate rules for transfers of personal information to an overseas third party.
- Give guidance and recommendations of general application to an organisation on matters relating to its rights or obligations under the Act.
- Permit an organisation to transfer personal information to an overseas third party where the organisation has reasonably demonstrated that it is unable to assess the level of protection provided by the overseas third party for that personal information provided the transfer does not undermine the rights of the individual.
- Establish certification mechanisms that can demonstrate compliance with the Act.
In addition, as noted at the start of this article, the Minister with responsibility for the Act (currently the Minister for Economic Development) may publish codes of practice.
Consequential amendments to other legislation necessary to implement the Act are expected to be tabled later this year.