The word “use” is defined by PIPA to mean, “… carrying out any operation on personal information, including collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying it”. The use of personal information (“PI”) in Bermuda would, as a matter of common law, also include any digital access to, use or viewing from within Bermuda of PI that is stored or located on a server that is outside of Bermuda.

Funds, along with their fund administrators and fund managers that use PI in Bermuda (which includes the collection and disclosure of PI to governmental authorities and various service providers in Bermuda for KYC purposes, in part associated with AML/ATF regulatory compliance), are therefore subject to PIPA.

Even though PIPA applies to all organisations that use PI in Bermuda, the nature and the extent of any organisation’s compliance with the administrative requirements of PIPA is based on a “proportional risk”-based model. The factors that are generally considered when assessing the extent of activity that is required to be in compliance with PIPA in any particular circumstance are: (1) the likelihood and severity of the harm threatened by the loss, access or misuse of the personal information; (2) the sensitivity of the personal information (including in particular whether it is sensitive personal information); and (3) the context in which it is held. An additional factor that informs the aforementioned variable of “context” is whether the purpose of the PI use falls within the reasonable expectations of the individual.

PIPA’s Application to Funds

Any fund that uses PI in Bermuda, as described above, will be within the scope of PIPA. PIPA outlines the conditions for using personal information. Some of the main requirements that Bermuda funds should consider are the following (this is not an exhaustive list):

  • Compliance with PI use allowances, which may include individual consent
  • The provision of a privacy notice in most cases
  • The appointment of a privacy officer
  • Compliance with the allowance requirements for the transfer of PI to overseas organisations

Consent

In most cases where a fund uses PI in the de minimis ways described, it may be able to use PI without the express consent of the subject individuals.

For example, Sections 6(1)(c) and 6(1)(d) of PIPA also outline additional conditions under which PI can be used without consent, including:

  • for the performance of a contract to which an investor is a party;
  • for taking steps at the request of an investor with a view to entering into a contract;
  • where the use is pursuant to a provision of law which authorises or requires such use.

More specifically, an individual’s express consent will not be required by any fund that is legally required to collect and disclose PI to third parties in Bermuda, such as when AML/ATF laws require the collection of KYC-related PI by a company for disclosure to the Registrar of Companies, the Bermuda Monetary Authority, the organisation’s corporate service providers and/or its operational managers, its fund administrator, its law firm, and possibly to its auditors and bankers in Bermuda.

Privacy Notice

Pursuant to Section 9 of PIPA, in most circumstances an organisation which falls within the scope of PIPA will be required to provide its clients with a privacy notice which outlines how and for what purposes their PI will be used.

However, pursuant to Section 9(1)(3)(b) of PIPA, funds may not be required to provide a privacy notice to their respective investors, Board of Directors and corporate officers as long as the fund can reasonably determine that all of the uses of the subject PI (i.e., KYC uses and for non-commercial administrative corporate record purposes and in compliance with legal requirements) will be within the reasonable expectations of those individuals.

Even though the provision of a privacy notice may not be strictly necessary for funds whose use of PI will be within the reasonable expectations of their members, investors and Board, we suggest that any fund subscription agreements to be entered into by investors should contain PI-related provisions that disclose the reasons and purposes for the collection of investor PI, and that provide an acknowledgement and representation by the investor that such use purposes associated with the fund are both required for the fund to perform that agreement and are within the reasonable expectations of each contracting investor.

Privacy Officer

Each fund must appoint a Privacy Officer. Although aspects of such appointments under PIPA are somewhat ambiguous, it is our view that organisations will not infringe PIPA where the position of Privacy Officer is held by an internal employee, officer or director of the company. This position can also be internally filled by an employee of an affiliated company (i.e., that is under common ownership and control with the fund). The appointee need not be resident in Bermuda and that appointment does not require a Board resolution. As well, that appointment does not have to be filed or registered with any regulatory authority in Bermuda.

Once appointed, the Privacy Officer may delegate their day-to-day administrative responsibilities associated with their duties of PIPA compliance oversight to a third-party service provider. In many cases, such a delegation of a Privacy Officer’s duties under PIPA to a service provider, even where the responsibilities of the Privacy Officer are de minimis, may require either a new service agreement to address the performance of those duties, or an amendment to an existing service agreement to include those additional service performance obligations.

Disclosure of PI to Service Providers and Foreign Entities

Where organisations such as funds are highly “virtual” in their structure, operation and organisation, they may retain others to collect and disclose PI on their behalf. However, it is still the client organisation that has the direct (and personal) legal responsibility to collect that PI as required by law or lawful purpose in Bermuda, and so it is that organisation that is, in the first instance, subject to PIPA. The personal responsibility for PIPA compliance by funds where PI is collected and used by third-party service providers on their behalf, as described above, is expressly addressed and anticipated in section 5(3) of PIPA, which stipulates that:

Where an organisation engages (by contract or otherwise) the services of a third party in connection with the use of personal information, the organisation remains responsible for ensuring compliance with this Act at all times.

That fundamental principle of an organisation’s continuing personal and direct responsibility for compliance under PIPA, even when others use PI for, and on behalf of, the organisation that has the legal responsibility for PI collection and use, is restated at section 15(1) of PIPA, as follows:

When an organisation transfers to an overseas third party personal information for use by that overseas third party on behalf of the organisation, or for the overseas third party’s own business purposes, the organisation remains responsible for compliance with this Act in relation to that personal information.

As a practical next step, clients that consider that they may be within the scope of PIPA should discuss with their Appleby contact appropriate language that can be included in their subscription and potentially other documentation going forward. It would also be prudent to contact any Bermuda-based service providers, particularly fund administrators and/or investment managers, to see how they are addressing PIPA so as to assist clients in becoming compliant.
