
After Pati comes Pipa. Are we ready?

Comply ... or else: it is important to note that failure to adhere to Pipa may result in offences and penalties for organisations and individuals. In addition, compensation may be given for financial loss

A Bill entitled Personal Information Protection Act 2016 was recently passed by the House of Assembly and the Senate, and awaits Royal Assent for formal enactment.

Pipa specifically seeks to regulate the use of personal information by organisations in a manner that recognises both the need to protect the rights of individuals in relation to their personal information and the need for organisations to use personal information for legitimate purposes. Pipa defines an organisation as “any individual, entity or public authority that uses personal information”.

The Government of Bermuda has expressed that Pipa will not be implemented for two years to allow for a fundamental, cultural and legal shift with respect to the treatment of personal information in Bermuda.

This decision to delay the implementation of Pipa for two years is unsurprising, particularly in light of the new-found obligations that Pipa shall ultimately impose upon every organisation in Bermuda. For example, Pipa mandates that every organisation shall adopt suitable measures and policies to give effect to its obligations and to the rights of individuals as set out in Pipa, and such measures and policies shall be designed to take into account the nature, scope, context and purposes of the use of personal information and the risk to individuals by the use of personal information.

Examples of information protected by Pipa include any information about an identified or identifiable individual (“Personal Information”) and any Personal Information relating to an individual’s place of origin, race, colour, national or ethnic origin, sex, sexual orientation, sexual life, marital status, physical or mental disability, physical or mental health, family status, religious beliefs, political opinions, trade union membership, biometric information or genetic information (“Sensitive Personal Information”).

Upon the enactment of Pipa, a privacy commissioner shall be appointed by the Governor and will issue guidance and advice to assist organisations in their readiness for Pipa’s implementation. Examples of measures that organisations will have to adopt include the appointment of a privacy officer, the issuance of a privacy notice and the implementation of appropriate security safeguards to protect personal information.

It is important to note that failure to comply with Pipa may result in offences and penalties for organisations and individuals, in addition to an entitlement to compensation for any individual who suffers financial loss or emotional distress arising from their personal data being mishandled.

The former provides that a person who commits a statutory offence is liable on summary conviction, in the case of an individual, to a fine not exceeding $25,000 or to imprisonment not exceeding two years or to both; and on conviction on indictment, in the case of a person other than an individual, to a fine not exceeding $250,000.

The latter provides that an amount of compensation for any individual who suffers financial loss or emotional distress shall be determined by the court. In light of the inevitable change in the status quo that the enactment of Pipa will involve, organisations and businesses should prepare themselves prudently to ensure that they are operating in compliance with the Act.

Before its enactment, organisations can, and should, start taking various immediate steps to become compliant with Pipa. For example, organisations will require a commitment from management to ensure that a wholesale change in their treatment of personal information reflects their new-found obligations.

Organisations should also begin considering which individual within an organisation may be best placed to serve as the requisite privacy officer. Additionally, organisations should start to consider educating and training their employees with respect to the implications of Pipa. Organisations can also begin to adopt policies and procedures relating to information governance to become compliant with Pipa before its enactment.

Undoubtedly, organisations will require legal advice or legal assistance in preparation for the implementation of Pipa.

The Act is a monumental development for information rights in Bermuda and should be welcomed both domestically and internationally. However, the legal implications of this human rights development justify organisations taking steps to prevent any failure to comply with Pipa, particularly in light of the substantial offences and penalties available under the Act for individuals and organisations.

With the recent introduction of both the Public Access to Information Act 2010 and Pipa, Bermuda has now revolutionised its information rights legal framework. Public authorities and the public alike are still familiarising themselves with the implications of Pati almost six years after it received Royal Assent and more than a year after Pati became operative.

Consequently, risk-averse organisations should “seize the moment” to heighten their awareness about Pipa, particularly with consideration of the new offences and penalties for organisations and individuals that fail to comply with their statutory obligations.

• Lawyer Kai Musson is an associate with the Insolvency and Dispute Resolution Group at Taylors in association with Walkers, a former Human Rights commissioner and a recent panellist at Bermuda’s International “Right to Know” Day 2016 facilitated by the Information Commissioner’s Office. This column should not be used as a substitute for professional legal advice. Before proceeding with any matter discussed here, persons are advised to consult with a lawyer. Mr Musson can be reached at kai.musson@walkersglobal.com or 242-1532.