Understanding Pipa: defining its scope and starting to prepare
Conyers continues its series diving into different topics relating to Bermuda’s privacy legislation, including: how do we prepare for the Personal Information Protection Act, the role and requirements of privacy officers and what are our rights as individuals? In this second part, Conyers discusses to whom Pipa applies and what organisations can do to prepare for its implementation.
In the first part of this series we discussed why data and privacy legislation has developed and its purpose. We also provided a brief introduction to Bermuda’s privacy legislation, the Personal Information Protection Act 2016. While the substantive provisions of Pipa have not yet come into force, and we do not yet have a date for implementation, many organisations have already begun the process of getting “Pipa-prepared”. Indeed, the Privacy Commissioner and his team have been providing helpful community outreach and guidance to assist with this process. However, it understandably remains a challenge to know where to begin.
Before being able to establish any privacy programme, an organisation needs to first understand whether Pipa applies to it and what personal information it is holding or has control over. Essentially, it needs to conduct an “information inventory”. This is not as scary as it sounds, but does require management to consider a number of factors.
To whom does Pipa apply?
Pipa applies to all organisations, being any individual, entity — eg, companies, associations, non-profits and charities — or public authority:
1. That uses personal information in Bermuda (Pipa does not apply to the use of personal information outside of Bermuda)
2. Where that personal information is used wholly or partly by automated means — electronically in computer files — or where its use, if not by automated means, forms or is intended to form part of a structured filing system
While we delve into these aspects further below, it should be noted that Pipa does include certain practical exclusions. Pipa does not apply, for example, to the use of personal information for:
• Personal or domestic purposes; eg, a guest list for a party
• Artistic, literary or journalistic purposes with a view to publication in the public interest where seen as necessary to protect the right to freedom of expression
• The use of business contact information for the purpose of contacting an individual in their capacity as an employee or official of an organisation; eg, a law firm can list its lawyers and their business contact information on the firm’s website.
Where is the personal information being used?
Pipa is applicable only to personal information that is being used in Bermuda. For local organisations, Pipa therefore likely will be applicable. However, an example where it might not be applicable is if an exempt company has a US office where all the human resource functions are undertaken with no records being kept, used or obtainable in Bermuda. In such a case, the personal information held and used by the US office is not caught by Pipa.
What personal information is being collected and used by the organisation?
Pipa concerns the use of personal and sensitive personal information. We covered the definitions of these terms in the first article of our series. In brief, “personal information” is broadly defined and means “any information about an identified or identifiable individual” (ie, a natural person whether they are explicitly identified by name or where their identity is identifiable from a piece of information, such as their social insurance number). “Sensitive personal information” refers to certain and more sensitive data about an individual; for example, their place of origin, race or sexuality.
An organisation needs to understand what information it is collecting and using to know if it is caught by Pipa. For example, retail companies often ask for telephone numbers and e-mails from their customers. Doctors and dentists collect the personal and sensitive personal information necessary to provide the appropriate care to their patients. Insurance companies will collect personal and sensitive personal information in order to provide life insurance or medical coverage. In addition to considering what personal information it collects from customers, an organisation should also identify what personal information it is collecting from its employees.
How is the personal information being stored?
As set out above, Pipa applies to personal information being used wholly or in part by automated means or, if not by automated means, where it forms or is intended to form part of a structured filing system.
By way of example, if a restaurant takes a person’s name and telephone number for a takeout order but then throws away the order form once the food is collected, such information is arguably not part of a structured filing system, and the organisation is not caught under Pipa — in respect of this personal information, at least. However, if the restaurant stores the customer’s information in a Filofax notebook for future reference, or has an online ordering system where the customer’s details are stored electronically, then the personal information would be subject to Pipa.
What is the purpose of collecting the personal information?
Pursuant to Pipa, once implemented, the information being collected should be used only for the specific purpose for which it is collected and for which the individual would reasonably expect it to be used. An organisation should therefore consider its purposes for collecting information and whether these fall within the permitted categories in Pipa or whether it needs to obtain further consent. For example, a dentist’s office will collect personal information on a patient to be able to provide the required dental care. However, if it uses the personal information to send a birthday e-mail to the patient, that is arguably using the personal information for the purpose of business promotion or marketing, and the patient’s consent should be obtained before using it in this way. Organisations need to have a clear understanding as to why they are collecting the personal information so they can ensure it is used only for that purpose. In addition, it is important that the organisation is transparent about the use of such personal information and makes the purpose clear in its privacy notice.
Where is the information stored?
This may be a difficult question for an organisation to address and it may require the assistance of its technology team. It is important to know where the personal information is stored, as the individual has certain rights under Pipa, which the organisation can address properly only if it knows where all the personal information stored on that individual is kept. An organisation may have physical hard copies kept in a filing cabinet or vault. In addition, it may have an electronic database where the personal information on clients and employees is stored. The personal information may have been submitted by e-mail, so it is also stored in the e-mail filing system. Another aspect to this question is whether such information is stored only in Bermuda or whether the organisation has transferred it somewhere else for storage. Pipa imposes specific obligations on organisations that transfer personal information to overseas third parties.
How old is the personal information in the organisation’s control?
You may remember from our first article that one of the underlying principles of Pipa is that personal information should not be kept any longer than is necessary for its use. For example, if a real estate company has requested personal information on a buyer of a property in order to satisfy anti-money laundering rules, it needs to consider how long it is required to keep such information on file to satisfy the anti-money laundering legislation. Once it is no longer needed, it should consider having a procedure in place to delete such information from its records.
Going through the questions above will hopefully help organisations with their preparations for Pipa. Once an organisation has clarified that Pipa is applicable, it will need to appoint a privacy officer, implement an appropriate privacy programme and ensure its staff are trained. Some organisations may prefer first to appoint a privacy officer, who will then be tasked with carrying out the information inventory.
The next part in this series will address the role and responsibilities of the privacy officer.
• Julie McLean is a director at Conyers, while Andrew Barnes and Sarah Blair are associates. This article is not intended to be a substitute for legal advice or a legal opinion. It deals in broad terms only and is intended merely to provide a brief overview and give general information. If you would like to obtain legal advice on Pipa, please contact the Conyers team.