DLA Piper Intelligence

Data Protection
Laws of the World

Law

Bermuda

The Bermuda legislature passed a comprehensive legislative framework that specifically addresses issues of data protection in the form of the Personal Information Protection Act 2016 (PIPA). The principal provisions of PIPA are not yet in force but are expected to come into force in late 2018.

Apart from PIPA, Bermuda law recognizes a duty of confidentiality in certain circumstances under the common law.

Last modified 30 Jan 2018
Definitions

Definition of personal data

PIPA provides for a definition of "personal information" as meaning "any information about an identified or identifiable individual".

At common law, information is generally to be regarded as 'confidential' if it has a necessary quality of confidentiality and has been communicated or has become known in such circumstances as give rise to a reasonable expectation of confidence; for example if obtained in connection with certain professional relationships, if obtained by improper means, or if received from another party who is subject to a duty of confidentiality.

Definition of sensitive personal data

PIPA provides for a definition of "sensitive personal information" as meaning "any personal information relating to an individual’s place of origin, race, colour, national or ethnic origin, sex, sexual orientation, sexual life, marital status, physical or mental disability, physical or mental health, family status, religious beliefs, political opinions, trade union membership, biometric information or genetic information". 

Last modified 30 Jan 2018
Authority

PIPA makes provision for the office of a Privacy Commissioner. Certain sections of PIPA dealing with the Privacy Commissioner were brought into force on 2 December 2016 but a Privacy Commissioner has yet to be appointed.

Last modified 30 Jan 2018
Registration

There is no system of registration and none provided for in PIPA.

Last modified 30 Jan 2018
Data Protection Officers

There is currently no requirement to appoint a data protection officer. Once PIPA is fully in force, organisations covered by the legislation will be required to appoint a "privacy officer" for the purposes of compliance with PIPA.

Last modified 30 Jan 2018
Collection & Processing

Once fully in force, PIPA will regulate the collection and processing of personal information and will apply to any individual, entity or public authority collecting, storing and using personal information in Bermuda either electronically or as part of a structured filing system. The use to which sensitive personal information can be put by an organisation is much more restrictive.

The common law, which will continue to apply in parallel with PIPA, will in certain cases consider it a breach of confidence to misuse or threaten to misuse confidential information. The concept of 'misuse' is a broad one, but will often include any unauthorised disclosure, examination, copying or taking of confidential information. The precise scope of the term, however, will depend largely on the specific circumstances, including the relevant relationship and the nature of the information.

Last modified 30 Jan 2018
Transfer

Once fully in force, PIPA will regulate the transfer of personal information to an overseas third party. The legislation provides that the Privacy Commissioner can designate jurisdictions as providing comparable protection to Bermuda law. In other cases, the organisation subject to PIPA will be required to employ contractual mechanisms, corporate codes of conduct or other means to ensure that the overseas third party provides comparable protection for the personal information.

Last modified 30 Jan 2018
Security

Once fully in force, PIPA will make provision for the implementation of proportional security safeguards against risk including loss, unauthorised access, destruction, use, modification or disclosure. In addition, a person who misuses or divulges confidential information (deliberately or otherwise) may be liable at common law. 

Last modified 30 Jan 2018
Breach Notification

Once fully in force, PIPA will require that a breach of security leading to the loss or unlawful destruction or unauthorised disclosure of, or access to, personal information which is likely to adversely affect an individual be notified to (a) the individual concerned; and (b) the Privacy Commissioner.

Last modified 30 Jan 2018
Enforcement

Once fully in force, PIPA will make provision for investigations and inquiries by the Privacy Commissioner and for a range of remedial orders that may be imposed by the Commissioner. It also provides for a claim for compensation for financial loss or emotional distress for failure to comply with the legislation (subject to a reasonable care defence). In addition, PIPA makes provision for criminal offences and penalties (including imprisonment) for misuse of personal information. Separately, a breach of the common law duty of confidentiality may give rise to a claim for, among other things, damages and/or an injunction. These remedies are to be sought through, and enforced by, the Bermuda courts.

Last modified 30 Jan 2018
Electronic Marketing

The Electronic Transactions Act 1999 provided that the Minister responsible for electronic commerce had the power to issue a standard to apply to intermediaries or e-commerce service providers. Such a standard was issued by the Minister on 5 May 2000 and came into force on 3 July 2000 (Standard). An "e-commerce service provider" is defined as "a person who uses electronic means in providing goods, services or information", while an "intermediary" (with respect to an electronic record) means "a person who, on behalf of another person, sends, receives or stores that electronic record or provides other services with respect to that electronic record". The Standard set out certain "Safe Harbour Guidelines" which included certain privacy requirements and the prohibition on the sale or transfer of personal data or business records of customers to another person for the purposes of sending bulk, unsolicited electronic records.

Last modified 30 Jan 2018
Online Privacy

Once fully in force, PIPA will make special provision based on parental consent for certain uses of personal information about a child under the age of 14. Subject to this, there are no specific restrictions addressing online privacy of confidential information beyond those generally applicable to the use of confidential information.

Last modified 30 Jan 2018
Contacts
Michael Hanson
Managing Partner
T +1 441 542 4501
Keith Robinson
Partner
T +1 441 542 4502
Last modified 30 Jan 2018