Privacy Commissioner preparing people for Pipa
Six years after legislation for the Personal Information Privacy Act was passed, Privacy Commissioner Alexander White still cannot say when it will be enacted.
It is the Government’s prerogative, not his, to set the timeline.
“Pipa provides a provision that says the minister can provide different days for different parts of the act to come into force,” Mr White said. “I don't think anyone expected there to be a global pandemic that took everyone's attention, and has taken quite a lot of community resources to respond to.”
But in the meantime, Mr White’s office has been running workshops to educate people and organisations on their privacy rights under Pipa.
The workshops usually fill up quickly.
More and more, people are contacting him to ask how they can make a formal complaint against an organisation for their privacy practices. But what they can do is limited before Pipa is enacted.
“You will have to use privacy self-defence and make sure you are reading carefully before you commit to different uses of personal information,” Mr White said. “You will see questions of intrusion upon seclusion that could be litigated as a tort matter. But from our office’s perspective we can make advisory recommendations for organisations and we can speak to them. In many cases it is not a malicious action, but simply ignorance, not understanding what is happening.”
He said that when an individual saw an organisation using information the wrong way, they could point it out to the organisation, or suggest they talk to the Privacy Commissioner.
“Or they could get it onto the record to say I don't want you to use my information this way,” Mr White said. “Once the formal powers are in place you can make that firm declaration that we can have a different conversation about.”
One of the things Pipa will regulate is the right to be forgotten.
“In Pipa, under certain circumstances, you can have your data erased, but it is not an absolute right,” Mr White said. “There are lines where organisations can say: ‘No, I do have a legitimate need to hold this information’.”
A legitimate need might be keeping financial information for audit purposes or anti-money laundering regulations.
“Pipa says my mission as Privacy Commissioner is not only to protect the rights of individuals, but also the ability of organisations to use personal information for legitimate purposes,” Mr White said.
A survey conducted by KPMG last year found that 100 per cent of respondents thought privacy laws would be good for Bermuda. But a high percentage of people also indicated they were not sure what they had to do to be Pipa compliant.
“We need to continue with this training and awareness and helping organisations understand what they have to do,” Mr White said.
“Some will be able to devote a team to these types of things and some will be able to do it themselves. We have to make sure the idea of privacy compliance is not going to be prohibitive to an organisation’s functioning.”
Mr White said that even an individual could create a privacy issue for someone.
“The size of an organisation, in and of itself, cannot dictate how much effort they put into their privacy programme. It has to do with the risk of harm.”
Mr White has found that companies that are already complying with international privacy regulations are better prepared for Pipa enactment.
“United Kingdom and European Union laws tend to be a little bit more explicit, when it comes to, say, security controls, on exactly what you have to do, and exactly how you have to conduct that risk assessment,” he said.