DLA Piper Intelligence

Data Protection
Laws of the World

Definitions

Definition of use

PIPA applies to the "use" of personal information, and defines "use" as carrying out any operation on personal information, including collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying it.

Definition of personal data

PIPA provides for a definition of "personal information" as meaning "any information about an identified or identifiable individual".

At common law, information is generally to be regarded as 'confidential' if it has a necessary quality of confidentiality and has been communicated or has become known in such circumstances as give rise to a reasonable expectation of confidence; for example if obtained in connection with certain professional relationships, if obtained by improper means, or if received from another party who is subject to a duty of confidentiality.

Definition of sensitive personal data

PIPA provides for a definition of "sensitive personal information" as meaning "any personal information relating to an individual’s place of origin, race, colour, national or ethnic origin, sex, sexual orientation, sexual life, marital status, physical or mental disability, physical or mental health, family status, religious beliefs, political opinions, trade union membership, biometric information or genetic information". 

Last modified 28 Jan 2024
Law
Bermuda

The Bermuda legislature passed a comprehensive legislative framework that specifically addresses issues of data protection in the form of the Personal Information Protection Act 2016 (PIPA). The principal provisions of PIPA will come into force on 1 January 2025.

Apart from PIPA, Bermuda law recognizes a duty of confidentiality in certain circumstances under the common law.

Authority

Alexander White, a US lawyer, has been the appointed Privacy Commissioner since 20 January 2020. He is responsible for setting up the Privacy Commissioner's Office, hiring and training staff, undertaking investigations, providing reports and developing public awareness of the rights of individuals and the obligations of organisations under PIPA.

Registration

There is no system of registration and none provided for in PIPA.

Data Protection Officers

There is currently no requirement to appoint a data protection officer. Once PIPA is fully in force, organisations covered by the legislation will be required to appoint a "privacy officer" for the purposes of compliance with PIPA.

Collection & Processing

Once fully in force, PIPA will regulate the collection and processing of personal information and will apply to any individual, entity or public authority collecting, storing and using personal information in Bermuda either electronically or as part of a structured filing system. The use to which sensitive personal information can be put by an organisation is much more restrictive.

The common law, which will continue to apply in parallel with PIPA, will in certain cases consider it a breach of confidence to misuse or threaten to misuse confidential information. The concept of 'misuse' is a broad one, but will often include any unauthorised disclosure, examination, copying or taking of confidential information. The precise scope of the term, however, will depend largely on the specific circumstances, including the relevant relationship and the nature of the information.

Transfer

Once fully in force, PIPA will regulate the transfer of personal information to an overseas third party. The legislation provides that the Privacy Commissioner can designate jurisdictions as providing comparable protection to Bermuda law. In other cases, the organisation subject to PIPA will be required to employ contractual mechanisms, corporate codes of conduct or other means to ensure that the overseas third party provides comparable protection for the personal information.

Security

Once fully in force, PIPA will make provision for the implementation of proportional security safeguards against risk including loss, unauthorised access, destruction, use, modification or disclosure. In addition, a person who misuses or divulges confidential information (deliberately or otherwise) may be liable at common law. 

Breach Notification

Once fully in force, PIPA will require that a breach of security leading to the loss or unlawful destruction or unauthorised disclosure of, or access to, personal information which is likely to adversely affect an individual be notified to (a) the individual concerned; and (b) the Privacy Commissioner.

The notice to the Commissioner must describe the nature of the breach, its likely consequences for the individual concerned, and the measures the organisation is taking to address the breach.

Enforcement

Once fully in force, PIPA will make provision for investigations and inquiries by the Privacy Commissioner and for a range of remedial orders that may be imposed by the Commissioner. It also provides for a claim for compensation for financial loss or emotional distress for failure to comply with the legislation (subject to a reasonable care defence). PIPA further makes provision for criminal offences and penalties (including imprisonment) for misuse of personal information. Separately, a breach of the common law duty of confidentiality may give rise to a claim for, among other things, damages and/or an injunction. These remedies are to be sought through, and enforced by, the Bermuda courts.

An individual convicted of an offence under PIPA will be liable to a fine of up to BMD 25,000 and/or to imprisonment for up to two years. An organisation convicted of an offence under PIPA will be liable to a fine of up to BMD 250,000. Proceedings can be brought against company directors and other officers in a personal capacity.

Electronic Marketing

The Electronic Transactions Act 1999 provided that the Minister responsible for electronic commerce had the power to issue a standard to apply to intermediaries or e-commerce service providers. Such a standard was issued by the Minister on 5 May 2000 and came into force on 3 July 2000 (Standard). The definition of "e-commerce service provider" is "a person who uses electronic means in providing goods, services or information", while an "intermediary" (with respect to an electronic record) means "a person who, on behalf of another person, sends, receives or stores that electronic record or provides other services with respect to that electronic record". The Standard set out certain "Safe Harbour Guidelines", which included certain privacy requirements and the prohibition on the sale or transfer of personal data or business records of customers to another person for the purposes of sending bulk, unsolicited electronic records.

Online Privacy

Once fully in force, PIPA will make special provision based on parental consent for certain uses of personal information about a child under the age of 14. Subject to this, there are no specific restrictions addressing online privacy of confidential information beyond those generally applicable to the use of confidential information.

Contacts
Michael Hanson
Managing Partner
T +1 441 542 4501
Keith Robinson
Partner
T +1 441 542 4502
Jay Webster
Partner
Carey Olsen
T +1 441 542 4517