There have been recent indications from the Bermuda Government that Bermuda’s Personal Information Protection Act 2016 may come into full force in May or June.

Since Pipa was enacted in 2016, the Government of Bermuda and the Privacy Commissioner have been developing the governance operations of the Office of the Privacy Commissioner, organising administrative resources, and been active in educating the public and businesses who collect and use personal information of their respective rights and obligations under Pipa. That is a good thing because there is a lot for businesses to address.

In many ways, Pipa is one of Bermuda’s few consumer rights laws and it is one that imposes onerous operational and administrative obligations that will be overseen by the experienced regulatory office of the Privacy Commissioner, Alexander White.

With a law degree from the University of Georgia and a litany of postgraduate programmes in data protection and privacy regulation under his belt, Mr White has devoted his career to regulatory oversight, including serving as the State of South Carolina’s deputy chief privacy officer from 2014 to 2020 and as a member of the US Department of Homeland Security’s Data Privacy & Integrity Advisory Committee.

Given the recent indications that Pipa may be brought into full force by June 2023, even if only on a sectorial basis, the question for all organisations that collect and use personal information is:

• Are you administratively ready to fully comply with Pipa?

• How will you secure the consent necessary to collect and use personal information?

• How will you manage communications with individuals who want to see a copy of all personal information that you have about them?

• How will you manage their requests for corrections to, or deletions of, their personal information?

• To what extent must you revise your outsourcing and data-processing service agreements?

• Are you organised to comply with an individual’s direction for you to stop using their personal information?

As a result of the many rights that Pipa bestows on individuals, organisations must ensure that all of their business processes, customer relations programmes, data management systems and administrative processes are compliant with the practices, protections, and use restrictions that Pipa will soon impose on them.

Just as other organisations who are subject to similar privacy laws around the world have done, Bermuda organisations will have to review all of their business processes with a view to possibly revising (if not re-engineering) many of them into Pipa-compliant practices.

It is the common failure of organisations to appreciate the profound nature of how Pipa will impact all of their internal business operations that use personal information that has led to a misunderstanding across many organisations concerning the nature and scope of the Pipa compliance policies they must soon adopt.

In an article I wrote last year, I pointed out that the “Privacy Notice” that is required by Pipa (Section 9) is not, in any way, the same thing as Pipa’s requirement that organisations must “adopt suitable measures and policies to give effect to its obligations and to the rights of individuals set out in” Pipa (which I will refer to as a “privacy policy”).

However, over the past several months, I have been asked to review the “privacy policies” of numerous organisations who have simply provided me with a copy of a privacy notice (often borrowed from an affiliate company’s website that happens to be identified on the website as a “Privacy Policy”). That confusion has often arisen because organisations in different jurisdictions have labelled their online “Privacy Notices” as their “Privacy Policy”, so many organisations mistakenly send me their labelled online “Privacy Policy” under the misapprehension that the online notice they have sent to me constitutes the much more profound privacy policy that is required under Pipa.

In fairness, Pipa does require both formulations to be created and adopted by all organisations, so some confusion is understandable.

On the one hand, organisations must adopt suitable measures and policies to give effect to their ability to comply with all of the rights that Pipa now bestows on individuals and to address how each organisation will operationally perform its related obligations under Pipa.

On the other hand, the requirement to provide individuals with a defined “privacy notice” might sound to many like “privacy policy overlap”, but it is not. The two are completely distinct.

Mr White has recently noted the distinction between a mere privacy notice and the more onerous requirement to adopt suitable privacy measures and policies in the following terms: “Many organisations mistakenly approach a privacy notice as if their public-facing statement is the extent of the privacy programme. In fact, that notice is simply describing aspects of the programme that it may be relevant for the public to know, like how to contact the privacy officer or with whom data is commonly shared. Including such details in the notice can reduce an administrative burden in having to answer those questions from individuals. But, ultimately, the notice is just a description of the work being done — it is not the work itself.”

With regard to the adoption of the more onerous privacy policy, Pipa very clearly requires organisations to adopt suitable measures and policies to give effect to all of its obligations under Pipa.

Pipa stipulates that such privacy policies must be designed to take into account the nature, scope, context and purposes that personal information will be used for, and what the risks are that individuals will face by such personal information use.

Based on Pipa’s proportionality principle, it may be said that the more extensive the nature and scope of personal information collection and use is, the more sensitive the personal information is, and the greater the vulnerability of individuals will be if personal information is misused, the more thorough the organisation’s adopted measures and policies must be in order for them to be “suitable” under Pipa.

Mr White describes Pipa’s proportional requirement of “suitability” in these terms: “What exactly may be ‘suitable’ for an organisation’s privacy programme under Section 5 (1) will naturally vary by the organisation, the uses of personal information and the specific context. Our office’s guidance, “What is a privacy programme?”, provides some examples of the types of measures and policies that may be suitable for an organisation to adopt, but the exact nature will differ from programme to programme.”

The full breadth of the restrictions, duties and obligations that Pipa will soon impose on organisations to protect individual privacy rights will be daunting to many organisations. It is in that context that organisations must now administratively address how they will comply with Pipa.

In most cases, an organisation’s compliance practices will extend far beyond the content of a privacy notice, and might well be regarded more as the adoption of an internal administrative manual that sets out all the detailed policies, restrictions and administrative practices that the organisation must follow for the collection, protection, storage, use and management of all personal information.

Organisations that believe they have complied with Pipa’s requirement to adopt suitable measures and policies to promote Pipa compliance by simply writing and publishing a mere “Privacy Notice” may run the serious risk that a compliance audit will put them offside of Pipa’s mandatory privacy policy adoption requirements.

The liabilities of that non-compliance circumstance may be exacerbated where an organisation has harmed individuals through any breach of Pipa that could have been mitigated or avoided if suitable compliance measures and policies had been formulated and adopted by the organisation.

Therefore, please do not confuse your organisation’s summary privacy notice (which is frequently published as mere online disclosure of compliance principles to individuals), with the detailed and proportionally manualised policies, administrative practices and operational processes that will be required for your organisation to collect and use personal information in full compliance with Pipa.

Duncan Card is a partner at Appleby who specialises in IT and outsourcing contracts, privacy law and cybersecurity compliance in Bermuda. A copy of this column can be obtained on the Appleby website at www.applebyglobal.com. This column should not be used as a substitute for professional legal advice. Before proceeding with any matters discussed here, persons are advised to consult with a lawyer.