A “Balanced” Approach to Personal Information Protection: A PIP on Each Shoulder?
About Peter D.A. Martin
Peter has practiced corporate and commercial law for more than 25 years and is acknowledged as one of the leading corporate lawyers in Bermuda. Peter has a broad range of experience, particularly in the areas of secured lending, business acquisitions and shipping.
Peter D.A. Martin’s full profile on mjm.bm.
The Personal Information Protection Act (“PIPA”) was enacted on 15 July 2016. However, it is not anticipated to come into force until 2018. This is to provide organisations with time to prepare for PIPA’s implementation. An independent Privacy Commissioner is due to be appointed shortly to assist with this process and ensure compliance with PIPA once it is in force.
The stated purpose of PIPA is to regulate the use of personal information in a manner that balances the need to protect the rights of individuals in relation to their personal information with the needs of organisations to use personal information for legitimate purposes.
PIPA will regulate the use of personal information by any organisation with effect from the coming into force of the Act. The PIPA regime will comprise PIPA itself, together with Regulations made by the Minister after consultation with the Privacy Commissioner. The Minister will also issue ‘codes of best practice’ after consultation with the Privacy Commissioner, and may issue codes of general application as well as specific codes for specific types of organisation.
At the date of this blog post, the Minister has not appointed a Privacy Commissioner, no Regulations have been made and no codes of best practice have been issued under PIPA.
General Data Protection Laws
The Computer Misuse Act 1996 provides among other things that unauthorised access to computer material is an offence, but otherwise Bermuda does not have any data protection laws of general application.
Relationship with Other Rights Legislation
PIPA is given primacy over legislation other than the Human Rights Act 1981, and in the event of conflict between PIPA and other legislation, it is intended that PIPA shall prevail.
In a number of decisions, the European Court of Human Rights has found that the treatment of personal data can fall within the ambit of Article 8 of the European Convention on Human Rights 1950 (the “Convention”), which provides that “everyone has the right to respect for his private and family life, his home and his correspondence.”
The Bermuda Constitution does not explicitly contain any provisions comparable to Article 8 and the right to a private life. However, the Bermuda Court has acknowledged that: “While the Convention does not form part of the domestic law of Bermuda it has been extended to this jurisdiction and carries persuasive authority.”
No “Contracting Out”
Section 4(5) expressly provides that it is against public policy for the rights, benefits and protections conferred by PIPA to be waived, and that any agreement to the contrary and any waiver or release of such rights, benefits and protections is void.
The potential application of PIPA is very broad. Information is “personal” if it relates to a named or identified individual, or if it relates to an individual who is identifiable from the information.
Use of Personal Information
The concept of “use” is also very broad, and includes collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying personal information.
Requirement for Consent
The general rule is that, subject to certain broad exceptions, personal information may only be used with the individual’s consent. “Sensitive personal information” may only be used with lawful authority, which requires the consent of the individual concerned, except where information is being used in the context of recruitment or employment, or for civil or criminal proceedings, or pursuant to an order of the Privacy Commissioner or the Court. For children under the age of 14, parental or guardian consent is required for organisations providing an information society service (a service delivered by means of digital or electronic communications).
PIPA will not be applied so as to affect any legal privilege, limit the information available by law to a party to a legal proceeding, or limit or affect the use of information that is the subject of trust conditions or undertakings to which a lawyer is subject.
“Grandfathering” of Information held before PIPA
Personal information collected and under an organisation’s control prior to the commencement date for PIPA is ‘deemed to have been collected pursuant to consent’ by the relevant individual and may continue to be used by the organisation for the purposes for which it was collected: Section 4(2) PIPA.
General Principles of Fairness and Reasonableness
An organisation is required to act reasonably in meeting its responsibilities under PIPA: Section 5(7), and is required to use personal information in a fair and reasonable manner: Section 8. The standard of reasonableness will be assessed according to what a reasonable person would think in the applicable circumstances.
PIPA imposes limits on the information which an organisation may legitimately collect for its stated purposes. Organisations may collect information that is ‘relevant’ and ‘adequate’ for their purposes, and ‘not excessive.’
Requirement for Suitable Measures and Policies
Every organisation that uses personal information must put in place “suitable measures and policies” to give effect to the organisation’s obligations under PIPA and to protect the rights conferred on individuals by PIPA. It is a defence for an organisation to prove to the Court that the organisation acted reasonably in the circumstances that gave rise to the offence, and the Court is required to consider whether a person has followed any relevant code of practice which was in issue at the time: See Offences below.
An organisation is required to provide individuals with a privacy notice about the organisation’s privacy practices and policies including the purposes for which the information will or might be used, except where it is reasonable for the organisation to conclude that all uses and proposed uses of the information fall within the reasonable expectations of the individuals concerned.
Access to Personal Information
Section 17 of PIPA provides that an individual may make a request to any organisation for access to personal information relating to him or her in the custody or under the control of that organisation. The individual’s right to access personal information has clear implications for the employer/employee relationship. There are important exemptions from the obligation to give such access, for example, where the information is being used in disciplinary or criminal proceedings.
Obligation to Protect Personal Information
Organisations are required to protect against the risks of loss, unauthorised disclosure or misuse of the personal information. The safeguards must be proportionate to the risk of harm in the particular context, and such safeguards must be reviewed and re-evaluated from time to time. Where an organisation fails to protect personal information, it may be subject to a claim for financial compensation in the event an individual suffers financial loss or emotional distress as a consequence.
Obligation to Notify Breach of Security
In the event of unauthorised disclosure of, or access to, personal information which is likely to adversely affect an individual, organisations are required to notify the Privacy Commissioner and the individual affected ‘without undue delay’.
Transfer of Personal Information to an Overseas Third Party
Organisations remain responsible for compliance with PIPA in respect of any personal information which they transfer overseas whether the third party is related to the organisation or not, e.g. a branch office.
Offences
PIPA creates a number of offences relating to the misuse of personal information. Where it is shown that the offence was committed with the consent or connivance of a director of the organisation, or a member of senior management, that director or manager may also be prosecuted for the offence. An individual may be fined up to $25,000 or imprisoned for up to 2 years, and an organisation may be liable on indictment for a fine of up to $250,000.
Given that data collection and processing practices are so widespread, it will be an enormous if not impossible task for the individual to keep track of which organisations are using his or her data, whether they are using his or her data for the purposes for which they stated it was being gathered, and whether the organisations are complying with their published “measures and policies” and any applicable Codes of Practice. It is much too early to make any predictions about whether PIPA will provide the individual with the legal and practical means to establish a meaningful degree of “informational self-determination.”