Bermuda has appointed its first Privacy Commissioner, a role established under the Personal Information Protection Act 2016 (PIPA). The new commissioner will be tasked with fully implementing PIPA. Certain sections of PIPA came into force in 2016, and this appointment is an important step towards bringing the remaining operative provisions into force. Organisations that have not yet reviewed their obligations under PIPA would be well advised to do so now.
Alexander White, a US lawyer, has been appointed Privacy Commissioner with effect from 20 January 2020. He will be responsible for setting up the Privacy Commissioner’s Office, hiring and training staff, undertaking investigations, providing reports and developing public awareness of the rights of individuals and the obligations of organisations under PIPA.
PIPA sets out how organisations, businesses and the Bermuda Government may use personal information. It applies to every individual, entity or public authority that uses personal information in Bermuda, including non-profits. The legislation reflects a set of internationally accepted privacy principles and good business practices for the use of personal information in the digital age.
“Personal information” is defined as any information about an identified or identifiable individual. “Use” is defined very broadly and includes collecting, storing, disclosing, transferring and destroying information.
What obligations does PIPA impose?
PIPA imposes specific obligations on organisations that use personal information (the Act's term "use" covering what other regimes call processing), including:
- Every organisation must adopt suitable measures and policies to give effect to its obligations and to the rights of individuals as set out in PIPA. Organisations must provide individuals with a clear and easily accessible statement about their practices and policies with respect to personal information.
- The measures and policies must be designed to take into account the nature, scope, context and purposes of the use of personal information and the risk to individuals of the use of the personal information.
- Where an organisation engages the services of a third party in connection with the use of personal information, the organisation remains responsible for ensuring compliance with PIPA at all times (with additional requirements where an overseas third party is engaged).
- Every organisation must designate a “privacy officer” for the purposes of compliance with PIPA. The privacy officer will have primary responsibility for communicating with the Privacy Commissioner.