The Personal Information Protection Act ("PIPA") is legislation intended to strengthen data protection and set out best practices for the use of personal information in Bermuda. Initially introduced in December 2016, PIPA is expected to come into full effect before the end of 2018 and draws on legislation from a number of leading jurisdictions to reflect a set of internationally accepted privacy principles and practices.
Bermuda’s introduction of PIPA is reflective of today’s increasingly data-driven world and rapidly evolving business and technology landscape, which has made the regulation of personal data and information more complex than ever. PIPA is the latest addition to a growing slate of data protection legislation globally and helps satisfy the needs of both individuals and organisations with respect to the use of personal information.
PIPA provides specific rights designed to give individuals greater control over their personal data, which include access to their own personal information as well as the right to rectify, block, delete or destroy this information. Organisations face a greater burden to ensure compliance with PIPA and must adhere to a specified set of obligations surrounding the collection, storage or other use of personal information. These include:
- Ensuring personal information is used in a lawful and fair manner, for specific purposes only, and that individuals have given consent to the use of their personal information;
- Ensuring the information is relevant and not excessive for the purposes of use, and that there are enhanced protections in place around sensitive personal information, which includes details about an individual’s race, health, family status or religious beliefs;
- Ensuring the information is accurate, kept up-to-date where necessary and not kept for longer than is necessary;
- Ensuring the information is held securely and not transferred outside Bermuda without adequate checks and safeguards;
- Putting in place appropriate protocols to mitigate risk, including the appointment of a Privacy Officer and providing individuals with a privacy notice explaining practices and policies on personal information;
- Granting individuals access to their specific personal information, the purposes for which the information has been or is being used, and the parties to whom the information was disclosed.
While there may be further evolution of PIPA ahead of the enforcement date, there is a need for organisations to understand the new statutory obligations and to implement suitable policies and procedures, including systems and security enhancements, to ensure compliance. It is advised that organisations review their internal governance procedures and make any necessary enhancements, working with service providers, legal advisors and any other key stakeholders to have the necessary agreements, systems and processes in place to avoid penalties for non-compliance. Failure to adhere to the noted requirements may result in fines of up to US$250,000 for organisations and US$25,000 or imprisonment up to two years for individuals.
As one of the leading global corporate and fiduciary service providers, Maples Fiduciary recognises the challenges that new regulation can present. Data protection has become an increasingly critical business issue and given the significant changes and impact that PIPA will have on organisations, we remain committed to partnering with our clients to ensure preparedness as the effective date approaches. Our unmatched global experience and expertise addressing the issues and mandates set out in similar legislation puts us at the forefront of these changes in Bermuda. Our personalised and responsive level of service and collaborative approach ensure we can help our clients to effectively navigate the complexities of today’s evolving business landscape.