PIPA: Regulating Use Of Personal Information

August 12, 2015

The Personal Information Privacy Act [PIPA] is presently on track to become law later this year and in addition to regulating the use of personal information, it is anticipated that heightened restrictions and increased protections will apply to the use of sensitive personal information, said Chen Foley, an attorney at Sedgwick Chudleigh.

Mr Foley said, “The Personal Information Privacy Act [or “PIPA”] is presently on track to become law later this year. It will introduce a number of new obligations regulating how “Organizations” [defined to include both businesses and non-profits] utilize information that can be used to identify an individual. Such protected information will be referred to in PIPA as “Personal Information”.

“Personal Information of individuals both inside and outside Bermuda will be subject to protection under PIPA if it is held by an Organization on island. Protection will be afforded to information relating to living individuals as well as those who are deceased, for a period of up to 20 years from the date of death.

“It will not matter whether the information is held in hardcopy or electronically. If an Organization collects, holds, transfers, or otherwise uses Personal Information, it will have to be in compliance with PIPA.

“The Act will be similar to data protection legislation currently in force in Canada and the European Union, and will bring local law in line with international best practice.

“This is crucial for maintaining Bermuda’s competitiveness because the Member States of the EU currently restrict the transfer of information to countries that lack satisfactory privacy laws, including, at present, Bermuda.

“Legislative equivalence with EU standards will facilitate the exchange of commercial information between Bermuda and the continent, which will improve the efficiency with which business can be transacted.

“In addition to regulating the use of Personal Information, it is anticipated that heightened restrictions and increased protections will apply to the use of Sensitive Personal Information. This will include information relating to the protected categories currently listed in the Human Rights Act 1981, for example, race, sex, sexual orientation, family status, religious or other beliefs, disability and criminal history.

“Generally speaking, Organizations will be limited to using Personal Information for the limited purpose for which it is collected. They will be obliged to ensure the information is correct, and that it is not retained for longer than necessary.

“Where Organizations are required to share Personal Information with others, they will have to take steps to ensure continued compliance with PIPA once it is transferred.

“Organizations will also be required to ensure steps are taken to safeguard and protect the Personal Information they hold and use. The precise steps to be taken will vary depending on the nature and sensitivity of the information held.

“But best practice will require, at a minimum, that any portable electronic devices be password protected, and quite possibly encrypted, and that formal policies and procedures be put in place that give effect to an Organization’s obligations under PIPA.

“Organizations will also be required to publish privacy notices. These will advise the public of the purpose for which their information is being collected. The notices will need to set out the Organization’s practices with respect to using Personal Information, and identify any third parties who might be given the information.

“Individuals will be given the right to access Personal Information held about them, and Organizations will be required to provide details of that information subject to a number of limited exceptions. Where information held about an individual is incorrect, the individual will have the right to ask that it be amended.

“Individuals will also be given the right to request that an Organization delete information where it is not relevant for the Organization’s purposes. This could serve as a basis for introducing the “right to be forgotten” into our legal system, and could have consequences for freedom of expression. This is an area that will have to be closely monitored by media and telecommunications firms in particular.

“Where Personal Information has been compromised, Organizations will be under a duty to notify the Privacy Commissioner and individuals affected of the breach “without undue delay”.

“Individuals will have a right to compensation where they suffer loss or damage on account of a privacy breach, or where they suffer distress. The level at which compensation is payable has not yet been decided.

“Although not covered by the draft law, Organizations should put in place a privacy breach response plan. Such a plan should adopt a holistic approach to the risks associated with loss or misappropriation of Personal Information.

“It should cover not only technical matters, such as identifying the cause of the privacy breach and ensuring it is eliminated, but also ensure the Organization is cognizant of the legal obligations triggered by a breach.

“This should have the benefit of limiting the potential for loss, while also providing the Organization with a possible defence to any resulting claim that might be made against it.

“Further details about PIPA can be found at www.privacy.bm. The Government’s consultation period is set to end on Monday, the 17th of August 2015. Anyone who is interested in expressing a view on the model law should do so before then.”
