Since PIPA was enacted in 2016, the Government of Bermuda and the Privacy Commissioner have been developing the governance operations of the Office of the Privacy Commissioner, organising administrative resources, and been active in educating the public and businesses who collect and use personal information of their respective rights and obligations under PIPA. That is a good thing, because there is a lot for businesses to address.

In many ways, PIPA is one of Bermuda’s few consumer rights laws and it is one that imposes onerous operational and administrative obligations that will be overseen by the experienced regulatory office of the Privacy Commissioner, Alexander White.

With a law degree from The University of Georgia, and a litany of post-graduate programs in data protection and privacy regulation under his belt, Mr White has devoted his career to regulatory oversight, including serving as the State of South Carolina’s Deputy Chief Privacy Officer from 2014 to 2020 and as a member of the U.S. Department of Homeland Security’s Data Privacy & Integrity Advisory Committee.

Given the recent indications that PIPA may be brought into full force by June of 2023, even if only on a sectorial basis, the question for all organisations that collect and use personal information is:

  • Are you administratively ready to fully comply with PIPA?
  • How will you secure the consent necessary to collect and use personal information?
  • How will you manage communications with individuals who want to see a copy of all personal information that you have about them?
  • How will you manage their requests for corrections to, or deletions of, their personal information?
  • To what extent must you revise your outsourcing and data processing service agreements?
  • Are you organised to comply with an individual’s direction for you to stop using their personal information?

As a result of the many rights that PIPA bestows on individuals, organisations must ensure that all of their business processes, customer relations programmes, data management systems and administrative processes are compliant with the practices, protections, and use restrictions that PIPA will soon impose on them.

Just as other organisations who are subject to similar privacy laws around the world have done, Bermuda organisations will have to review all of their business processes with a view to possibly revising (if not re-engineering) many of them into PIPA-compliant practices.

It is the common failure of organisations to appreciate the profound nature of how PIPA will impact all of their internal business operations that use personal information that has led to a misunderstanding across many organisations concerning the nature and scope of the PIPA compliance policies they must soon adopt.

In an article I wrote last year, I pointed out that the “Privacy Notice” that is required by PIPA (Section 9) is not, in any way, the same thing as PIPAS’s requirement that organisations must “adopt suitable measures and policies to give effect to its obligations and to the rights of individuals set out in” PIPA (which I will refer to as a “privacy policy”).

However, over the past several months, I have been asked to review the “privacy policies” of numerous organisations who have simply provided me with a copy of a privacy notice (often borrowed from an affiliate company’s website that happens to be identified on the website as a “Privacy Policy”). That confusion has often arisen because organisations in different jurisdictions have labelled their online “Privacy Notices” as their “Privacy Policy”, so many organisations mistakenly send me their labelled online “Privacy Policy” under the misapprehension that the online notice they have sent to me constitutes the much more profound privacy policy that is required under PIPA.

In fairness, PIPA does require both formulations to be created and adopted by all organisations, so some confusion is understandable.

On the one hand, organisations must adopt suitable measures and policies to give effect to their ability to comply with all of the rights that PIPA now bestows on individuals and to address how each organisation will operationally perform its related obligations under PIPA.

On the other hand, the requirement to provide individuals with a defined “privacy notice” might sound to many like “privacy policy overlap”, but it is not. The two are completely distinct.

Mr White has recently noted the distinction between a mere privacy notice and the more onerous requirement to adopt suitable privacy measures and policies in the following terms: “Many organisations mistakenly approach a privacy notice as if their public-facing statement is the extent of the privacy programme. In fact, that notice is simply describing aspects of the programme that it may be relevant for the public to know, like how to contact the privacy officer or with whom data is commonly shared. Including such details in the notice can reduce an administrative burden in having to answer those questions from individuals. But, ultimately, the notice is just a description of the work being done — it is not the work itself.”

With regard to the adoption of the more onerous privacy policy, PIPA very clearly requires organisations to adopt suitable measures and policies to give effect to all of its obligations under PIPA.

PIPA stipulates that such privacy policies must be designed to take into account the nature, scope, context and purposes that personal information will be used for, and what the risks are that individuals will face by such personal information use.

Based on PIPA’s proportionality principle, it may be said that the more extensive the nature and scope of personal information collection and use is, the more sensitive the personal information is, and the greater the vulnerability of individuals will be if personal information is misused, the more thorough the organisation’s adopted measures and policies must be in order for them to be “suitable” under PIPA.

Mr White describes PIPA’s proportional requirement of “suitability” in these terms: “What exactly may be ‘suitable’ for an organisation’s privacy programme under Section 5 (1) will naturally vary by the organisation, the uses of personal information and the specific context. Our office’s guidance, “What is a privacy programme?”, provides some examples of the types of measures and policies that may be suitable for an organisation to adopt, but the exact nature will differ from programme to programme.”

The full breadth of the restrictions, duties and obligations that PIPA will soon impose on organisations to protect individual privacy rights will be daunting to many organisations. It is in that context that organisations must now administratively address how they will comply with PIPA.

In most cases, an organisation’s compliance practices will extend far beyond the content of a privacy notice, and might well be regarded more as the adoption of an internal administrative manual that sets out all the detailed policies, restrictions and administrative practices that the organisation must follow for the collection, protection, storage, use and management of all personal information.

Organisations that believe they have complied with PIPA’s requirement to adopt suitable measures and policies to promote PIPA compliance by simply writing and publishing a mere “Privacy Notice” may run the serious risk that a compliance audit will put them offside of PIPA’s mandatory privacy policy adoption requirements.

The liabilities of that non-compliance circumstance may be exacerbated where an organisation has harmed individuals through any breach of PIPA that could have been mitigated or avoided if suitable compliance measures and policies had been formulated and adopted by the organisation.

Therefore, please do not confuse your organisation’s summary privacy notice (which is frequently published as mere online disclosure of compliance principles to individuals), with the detailed and proportionally manualised policies, administrative practices and operational processes that will be required for your organisation to collect and use personal information in full compliance with PIPA.

First Published In The Royal Gazette, Legally Speaking, February 2023

Locations

Bermuda

Services

Corporate

Sectors

Privacy & Data Protection

Type

Insight

Share
X.com LinkedIn Email Save as PDF
More Publications
Appleby-Website-Privacy-and-Data-Protection
14 Apr 2025

M&A transactions under PIPA (Bermuda)

Mergers and business acquisitions are among the many different types of business transactions that r...

Duncan Card
Karim Creary
Duncan Card, Karim Creary
Appleby-Website-Insurance-and-Reinsurance
1 Apr 2025

Bermuda: With everything growing, all of the ILS world will rise together

It’s been an exceptionally busy and record start to the year for the catastrophe bond sector, and ...

Brad Adderley
Brad Adderley
Appleby-Website-Employment-and-Immigration
27 Mar 2025

Entering and Exiting Bermuda for Visa-Controlled Nationals

As it stands, with direct commercial flights to and from Bermuda only going from the United Kingdom,...

Theodora Hand
Theodora Hand
Appleby-Website-Corporate-Practice
27 Mar 2025

How foreign companies become Bermuda companies

Bermuda, renowned as a global business hub, offers a robust legal and regulatory framework that attr...

Milaun Perott
Milaun Perott
Appleby-Website-Insurance-and-Reinsurance
24 Mar 2025

Bridging the USD51 trillion gap: asset-intensive reinsurance in Bermuda

In this article we examine the rise and regulatory landscape of Asset-Intensive Reinsurance (AIR) in...

Brad Adderley
Max Tetlow
Brad Adderley, Max Tetlow
Appleby-Website-Privacy-and-Data-Protection
20 Mar 2025

PIPA Guidance on Financial Services (Bermuda)

This month, the Privacy Commissioner of Bermuda released his Financial Services Guidance Notes: Fin...

Duncan Card
Duncan Card
IWD Grid Capture
8 Mar 2025

International Women’s Day 2025 roundtable: Rights. Equality. Empowerment.

As we recognise International Women’s Day 2025, we are reminded that gender equality is not just a...

Corporate
28 Feb 2025

Bermuda Monetary Authority’s proposed resilience code

The Bermuda Monetary Authority, which well understands the operational risks associated with financi...

Duncan Card
Duncan Card
Dispute Resolution
25 Feb 2025

Bermuda: An Introduction to Dispute Resolution 2025

The stable, competitive regulatory and legal regime in Bermuda continues to ensure its place as a hu...

John Wasty
Sam Riihiluoma
Claire van Overdijk KC
James Batten
John Wasty, Sam Riihiluoma, Claire van Overdijk KC, James Batten
Appleby-Website-Banking-and-Financial-Services
19 Feb 2025

Recent Updates on BVI, Cayman and Bermuda laws

Entities incorporated or registered in the British Virgin Islands (BVI), Cayman Islands and Bermuda ...

Fiona Chan
Angelina Wong
Fiona Chan, Angelina Wong