Bermuda appoints Privacy Commissioner
The Governor of Bermuda has appointed Bermuda’s first privacy commissioner (Privacy Commissioner) pursuant to powers under the Personal Information Protection Act 2016 (PIPA). The appointment commences on 20 January 2020.
Pursuant to PIPA, the appointment will have been made after consultation with the Premier who will have consulted with the Opposition Leader.
PIPA was passed by the Bermuda House of Assembly and Senate and received royal assent in 2016. It applies to organisations’ use of “personal information” in Bermuda, where the personal information is used wholly or partly by automated means, or where it forms or is intended to form part of a ‘structured filing system’.
The only provisions to become operative in 2016 were those relating to the appointment of a Privacy Commissioner. The commencement date applicable to the substantive provisions of PIPA was left open to allow organisations time to become compliant and for appointment of a Privacy Commissioner.
From 20 January 2020, the Privacy Commissioner will be responsible for monitoring how the act is administered to ensure that its purposes are achieved. The Privacy Commissioner will have powers under PIPA to conduct investigations into compliance and to make orders requiring organisations to (among other things) allow individuals access to their personal information or to erase personal information held by an organisation. An order of the Commissioner will be enforceable as a judgment after filing with the Registrar of the Supreme Court of Bermuda.
The Privacy Commissioner will also have powers to:
- Approve rules for the transfer of information outside the jurisdiction
- Give guidance and make recommendations of general application regarding compliance
- Establish or assist with the establishment of certification mechanisms and rules to demonstrate compliance with PIPA.
Crucially, appointment of the Privacy Commissioner is a step towards the establishment of codes of practice providing best advice for organisations generally regarding compliance with PIPA.
Such codes of practice are to be established by the minister responsible for the act following consultation with the Commissioner. They will be of considerable assistance to organisations in becoming compliant.
With the appointment of the Privacy Commissioner and the prospect of codes of practice on the horizon, we anticipate that the remaining provisions of the PIPA will become operative soon.
Any organisations who have not already done so should embark on a compliance gap analysis, assessing (among other things) what personal information they typically hold, what security safeguards apply, the use of privacy notices and their policies and practices relating to the retention, amendment and deletion of personal information.