03 July 2018
The Personal Information Protection Act (PIPA) was passed in 2016 with a two-year implementation period to provide companies with sufficient time to comply. It is anticipated that the PIPA will be in full force later in 2018. The PIPA was introduced to regulate and protect the use of personal information and embodies eight core privacy principles which are internationally recognised and accepted. Under the PIPA, companies can use personal information only in a lawful and fair manner and only if at least one of the following conditions is met:
(a) the personal information is used with the consent of the individual where the organisation can reasonably demonstrate that the individual has knowingly consented;
(b) except in relation to sensitive personal information, a reasonable person giving due weight to the sensitivity of the personal information would consider—
(i) that the individual would not reasonably be expected to request that the use of his personal information should not begin or cease; and
(ii) that the use does not prejudice the rights of the individual;
(c) the use of the personal information is necessary—
(i) for the performance of a contract to which the individual is a party; or
(ii) for the taking of steps at the request of the individual with a view to entering into a contract;
(d) the use of the personal information is pursuant to a provision of law that authorises or requires such use;
(e) the personal information is publicly available information and will be used for a purpose that is consistent with the purpose of its public availability;
(f) the use of the personal information is necessary to respond to an emergency that threatens the life, health or security of an individual or the public;
(g) the use of the personal information is necessary to perform a task carried out in the public interest or in the exercise of official authority vested in the organisation or in a third party to whom the personal information is disclosed; or
(h) the use of the personal information is necessary in the context of an individual's present, past or potential employment relationship with the organisation.
Further, under the PIPA, individuals are provided with certain rights, including the right to:
Individuals can also request a privacy notice, whereby the company must clearly set out its policies and practices regarding the protection of personal information.
In order for companies to comply with the PIPA, they must not only implement additional policies and procedures and conduct appropriate employee training, but also make several operational changes. As a start, companies should complete an internal risk assessment to determine the impact of the PIPA on their current operations. Further, companies must designate a privacy officer, who will be responsible for managing the company's compliance with the PIPA and coordinating all communication with the privacy commissioner. Companies are also responsible for ensuring that personal information is protected when transferred to third parties, including overseas third parties.
Companies should review their current operations to establish the lawful basis for their processing and use of personal data, and should put in place a process for obtaining consent. Consideration should also be given to the use and management of sensitive data and children's data. Further, companies should formalise a data breach notification procedure in anticipation of potential breaches to ensure PIPA compliance.
Guidance notes will be issued shortly to help companies to achieve PIPA compliance. Companies should seek legal advice and guidance to ensure that their operations comply with the PIPA.
The General Data Protection Regulation (GDPR) was passed in May 2016 and came into effect on 25 May 2018. The GDPR has been referred to as the most comprehensive and complex data privacy regulation in the world. As with the PIPA, the GDPR was enacted to govern the use of personal information and data relating to any individual in the European Union as well as EU citizens living overseas. It was designed to protect the rights of EU citizens as individuals. The GDPR applies to companies located within the European Union and all companies using or holding EU individuals' personal data outside of the European Union.
Bermuda companies should seek legal advice to determine whether the GDPR applies to their operations and, if so, how. Bermuda companies will need to assess whether they offer or sell goods or services to EU citizens in order to bring their operations in line with the GDPR. Notably, the GDPR provides some exceptions for companies that have fewer than 250 employees.
For further information on this topic please contact Cheri Minors at Carey Olsen Bermuda by telephone (+1 441 542 4500) or email (firstname.lastname@example.org). The Carey Olsen Bermuda website can be accessed at www.careyolsen.com.