Privacy laws could be rolled out on staggered basis by sectors
A law designed to protect personal information could be further rolled out on a staggered basis by sector, according to the Privacy Commissioner.
Alexander White explained that international businesses might be ready for data compliance while other organisations could benefit from additional support.
The Personal Information Protection Act received assent in July 2016, but the full force of the law has yet to take effect.
A government spokeswoman told The Royal Gazette that the aim is for the legislation to be in place in the spring.
Mr White said Pipa granted authority to the relevant minister to appoint different days for separate provisions of the act.
He added: “Our office is working closely with Government on a harmonisation amendment Act to ensure Pipa can be brought into effect smoothly.
“One of the provisions of this amendment would allow the minister to bring different sections into effect for different organisations, which will allow for tailored guidance and support as the process moves forward.
“For example, international businesses might be well prepared for data privacy compliance, and they may also be under an obligation to ensure that any personal information they receive from a foreign jurisdiction is legally protected.
“These organisations will benefit from guidance that aligns with global standards, such as those in the UK, EU, US and Canada.
“Having Pipa in effect locally may even be a key element of their legal or due diligence framework.”
Mr White said: “Other organisations may benefit from having additional support and resources, such as the checklists and templates that our office is producing.
“Pipa could be brought into effect later for those sectors.
“We encourage organisations – especially small and medium organisations – not to wait to reach out, but to adopt a proactive approach to prepare.
“Now is the time to take advantage of opportunities to engage with our office, cost-free and risk-free.”
Alexander White, the Privacy Commissioner, acknowledged earlier that privacy regulations could be difficult to explain in simple terms.
He said after he took up the role in January 2020: “I think the best way to say it is that privacy is putting an individual in control of information about themselves.”
The Pipa was designed to uphold personal information rights in electronic and hard-copy form held by all businesses, organisations, charities and government departments.
An entry on the government website said: “While organisations require the use of personal information to provide services, it is important that individuals have control over their information and how it is used and shared.
“Privacy legislation is also critical in the digital age.
“It plays a major role in the development of a country’s cybersecurity framework and is a key driver for a successful digital economy.”
The Privacy Commissioner website showed some of the requirements listed under the Act’s Responsibility and Compliance section, which have yet to come into operation.
It added that the provisions contained “a great deal of flexibility” but said organisations should implement policies that covered areas such as “conducting an inventory and classifying (or ‘mapping’) what personal information is used”; documenting how personal information is to be used; providing appropriate training to people with access to data; analysing privacy risks; and developing an action plan to respond to potential breaches of security.
The Privacy Commissioner said the best way to effectively bring the legislation into force was by providing sufficient advance notice to the public and in phases.
He added: “For example, our leaders could determine a date by which organisations must comply and enforcement can begin, and then create a separate date for when individuals can begin exercising their rights directly to the organisation.
“This is an important element – I often say that Pipa did not create one regulator, but created 60,000.
“Each individual will have the ability to go to an organisation and exercise their rights, and in many cases our office will not be directly involved.
“For this reason, advance notice is especially useful to ensure organisations are well prepared once they start receiving those requests.
“In my experience, implementing these business processes takes time, so businesses should start to plan and budget for the work in advance.
“The ability to bring the act into effect for different classes of organisations will allow us to develop a smooth runway for the community.
“A carefully planned approach will encourage sustainable changes to all of our ways of doing business and will strengthen Bermuda’s position as a global jurisdiction for business and technology.
“Our office is working closely with government decision-makers to provide recommendations on these matters.”
The Pipa was passed by legislators in July 2016.
Some sections – largely relating to the role and office of the Privacy Commissioner, the power to make consequential amendments to other laws, and commencement dates – came into operation on December 2 that year.
A government spokeswoman said last week: “The Cabinet Office can advise that the legislative process regarding Pipa is substantially completed.
“Currently Government is in the final stages of enacting the legislation, with the aim of having it in place in the spring of 2023.”
Mr White said his office was funded in this fiscal year for 14 full-time employees – up from four in 2021-22.
He added that the increase put the organisation “at a similar size to our colleagues in other small jurisdictions”.
The current headcount is seven, with recruitment for several positions “in progress” and job adverts planned for January to fill three posts in compliance, legal and information systems auditor roles.
Mr White said: “We are pleased to say that, thanks to the talented pool of Bermudians interested in this field, our recruitment to date has been entirely local.
“As a guest worker myself, I consider it my mission to build the local expertise and to hand the baton to a Bermudian when my time is finished.”
He added that the total salary spend for the office in 2022-23 was estimated to be $746,436.99.
Mr White pointed out that personal information has become a part of almost every business activity.
He said: “Setting standards for protection and use of that information is a key pillar to regulation of both existing and new technology and information systems.
“Our staff are proactively laying the groundwork for our office’s role once Pipa comes into effect.
“The more that we can raise awareness in the community and establish expectations for standards of compliance with Pipa in advance, the smoother the regulatory process will be once in effect.”
Mr White added that a week in the office typically included work on recruitment as well as developing operational policies and procedures, drafting guidance notes and responding to questions from individuals and organisations.
Other tasks were to plan and execute public events as well as “engaging with stakeholders to develop codes of conduct and specific guidance based on industry or other factors”.
Alexander White, the Privacy Commissioner, said that in addition to regular work, his office was planning for the Global Privacy Assembly 2023, which “will bring hundreds of our privacy commissioner counterparts and technology executives from all corners of the world”.
He added: “We will be pleased to share more details with the community as we get closer, as it will be a wonderful opportunity to share our home with people who might never have been able to visit otherwise.”
Mr White also highlighted Data Privacy Week, which will run from January 23 to 27.
He said: “Our engagement team is hard at work planning island-wide events, such as age-appropriate ‘privacy hour’ activities for schools, a privacy chat and tea party event for seniors, charity and community engagement discussions, an artificial intelligence workshop with business leaders and more.”
Mr White said that there was also work to liaise with “international colleagues and foreign or commercial ministries on matters of data protection standards to promote Bermuda as an equivalent jurisdiction, which is often needed to facilitate international trade”.
He added: “From a regulatory perspective, our philosophy is to engage in constructive conversations in advance – if we can advise or correct noncompliance now, then there is one less matter to contend with as a formal enforcement action.”