
New law to protect employees’ personal data


The new Personal Information Protection Act, due to be in full force by December 2018, will regulate the future processing of all personal information in Bermuda. While much of the focus to date has been on the compliance obligations for organisations with regard to their customer data holdings, those organisations also need to take steps now to ensure that they understand their obligations as employers. Employers need to have in place policies and procedures to ensure the proper protection of employee personal information under their control and to give themselves flexibility to monitor an employee’s use of e-mail, the internet and other devices where necessary.

Employers in Bermuda need to get it right — reputations and criminal liability will soon be at stake. Appleby partners MICHAEL HANSON and STEVEN REES DAVIES and senior associate PETER COLEGATE consider some of the most pressing issues.

Drafted around a set of internationally recognised privacy principles, the Personal Information Protection Act 2016 (PIPA) provides a framework of rights and duties designed to give individuals greater control over their personal information.

“Personal information is defined widely to include any data which enables an individual to be identified,” said Steven Rees Davies of Appleby.

“Personal information relating to employees must be processed fairly and lawfully and used for a legitimate purpose that has been notified to the employee in advance. Employee data holdings should not be excessive in relation to the purposes for which they are collected and should be securely purged once those purposes have been fulfilled.

“An important aspect of employee data is that it almost invariably includes ‘sensitive personal information’, such as information about an individual’s health and ethnic background.

“Sensitive personal information is subject to enhanced privacy protection under the PIPA and therefore requires careful handling.”

The PIPA gives employees the right to access personal information held about them and to request that any inaccurate data is corrected or deleted. Employers will need to have policies and procedures in place to manage these requests.

The new law also obliges employers to cease processing personal information once the purposes for which that information has been collected have been exhausted. Prescribed data retention periods are not set out in the PIPA but an analysis will need to be undertaken to determine how long employee data should be kept for. Similarly, it will be important to evaluate how personal information can be securely deleted once the purposes for holding it have been fulfilled.

Data protection policies

Under the PIPA the employer is required to set out the purposes for which employee personal information is being collected and details of whom that data may be shared with. Recommended best practice is for this information to be set out in a separate privacy notice which can be provided to the employee at the same time as the employment contract. If the privacy policy changes over time, and in particular if personal information is to be processed for any new purposes, this processing can only be undertaken if fresh consent is obtained from the employee.

“The purpose of an employee data protection policy is to set out the conditions under which the employer will process personal information and ensure that everyone in the business is aware of their individual responsibilities and the employer’s expectations regarding privacy,” said Michael Hanson, partner at Appleby specialising in employment and immigration.

“If an individual suffers damage caused by an employer’s breach of its obligations under the PIPA, he or she could potentially bring claims for breach of contract, unfair dismissal and any distress suffered. The individual could also report the matter to the Privacy Commissioner, the regulator responsible for enforcing the new law.”

The Privacy Commissioner has extensive investigative powers and may serve an enforcement notice directing the employer to take the steps necessary to remedy the contravention. Refusal to comply or failure to comply with a notice is an offence. Employers may be liable on conviction to a fine of $250,000 or imprisonment for a term of two years, or both. “The Commissioner also has the power to ‘name and shame’ data controllers for breaches of the PIPA”, added Mr Hanson.

Employee monitoring

There is no general prohibition against an employer undertaking surveillance of employees in Bermuda. An employer has a right to direct its employees’ work activities and for that reason the employer has a right to reasonably monitor such activities. However, any collection, use and storage of personal information must comply with the PIPA.

“A forward-thinking employer can put itself in a strong position to investigate grievances and potential incidents of poor performance or misconduct, by having a clear and easily accessible employee monitoring or technology use policy.

In particular, the policy should explain that the use of the employer’s IT systems, including e-mail, internet, telephones and mobile devices, may be monitored from time to time and employees should have no expectation of privacy when using those devices. Employers should also include a contractual right to monitor within the employment contract,” Mr Hanson said.

An employer that wishes to conduct covert monitoring of its employees must have a legitimate purpose which would be prejudiced by giving notification to the employees of the purpose of that monitoring. A good example would be the prevention or detection of crime or serious misconduct.

Cybercrime

For many employers payroll processing and other back-office functions are now mostly digitised and are often delegated to external service providers. In an age where highly sensitive information can be exchanged at the touch of a button, data protection issues must be considered before any transfers of employee data are made to third parties. “These transfers also leave employers vulnerable to cyberattacks as criminals can easily identify and exploit weak links in the flow of information between an organisation and its external providers.

“There is no substitute for proper due diligence on the systems, policies and procedures of those providers to ensure that personal information is handled appropriately and securely,” said Peter Colegate, a privacy and data protection specialist at Appleby in the Cayman Islands. “Regular physical audits and independent testing of a service provider’s controls would also be advisable.”

The attraction of flexible working has led to a growth in the popularity of “bring-your-own-device” (BYOD) policies. While some organisations issue smartphones and tablets to their employees, in others employees may be using their personal devices for business purposes without approval.

“Where BYOD is offered, a careful balance needs to be struck between employee satisfaction and protecting personal information,” Mr Colegate said.

“Organisations should put in place a clear BYOD strategy that sets out minimum do’s and don’ts for using a device. There should be a clear segregation of enterprise data which should at all times be under the control of the employer.

“Data should be encrypted and the employer should have the ability to remotely access, monitor and wipe the data and prevent data access from third party apps,” Mr Colegate added.

Protecting personal information is now business critical for employers in Bermuda. Even if monetary losses are not sustained as a result of personal information being mishandled, the reputational damage to an organisation following a breach of the new law could be devastating.
