PrivCom Frequently Asked Questions
Who is the Office of the Privacy Commissioner (PrivCom)?
The Office of the Privacy Commissioner for Bermuda was established as an independent public office in accordance with the Personal Information Protection Act 2016 (PIPA). The mandate of the Privacy Commissioner is to regulate the use of personal information by organisations in a manner which recognises both the need to protect the rights of individuals in relation to their personal information and the need for organisations to use personal information for legitimate purposes, among other duties.
What is the difference between PrivCom and ICO?
The Privacy Commissioner for Bermuda (PrivCom) regulates the use of personal information by organisations in a manner which recognises both the need to protect the rights of individuals in relation to their personal information and the need for organisations to use personal information for legitimate purposes, among other duties. The Information Commissioner (ICO) is an independent public office that promotes and oversees the use of the Public Access to Information (PATI) Act 2010 in Bermuda. The PATI Act gives Bermudians and residents the right to make a ‘PATI request’—a written request for access to a record held by a public authority in Bermuda. The purposes of the PATI Act include increasing transparency and promoting accountability for public authorities.
When will PIPA come into effect?
PIPA will be brought into full effect on 1 January 2025.
How will PIPA affect my business?
PIPA requires organisations in Bermuda that use personal information to implement certain requirements, including auditing what personal information they use, having a privacy programme in place, protecting the personal information and the privacy rights of individuals, using personal information only for legitimate purposes, and informing individuals through privacy notices about the ways in which the organisation uses their personal information.
How do I respond to people when they send me information I don’t want?
Once PIPA is in place, if an organisation sends you information that you don’t want, including marketing, advertising, promotional, and other material that you did not agree to receive, you have a right to object to this unauthorised use of your personal information and to ask the organisation to stop sending the information to you. If you previously gave consent but have changed your mind, you have a right to withdraw your consent and to ask the organisation to stop sending you the information.
Is PrivCom a Government office? Quango?
PrivCom is an independent office established in accordance with the Personal Information Protection Act 2016 (PIPA). The office is non-ministerial. It is not a quango.
What does PrivCom investigate?
PrivCom investigates privacy complaints by individuals regarding organisations’ use of individuals’ personal information, including sensitive personal information. PrivCom also investigates information breaches that may occur in organisations.
What kind of information do people request from PrivCom?
Individuals in Bermuda request advice and/or guidance regarding their personal information rights. They may also request help with their privacy complaints. Organisations may request guidance on privacy programmes, a regulatory consultation, or participation in the Pink Sandbox.
What is the Global Privacy Assembly (GPA) and why are they coming to Bermuda?
The Global Privacy Assembly (GPA) – a global forum that brings together more than 130 data protection and privacy watchdogs worldwide – seeks to provide leadership in data protection and privacy. The Assembly first met in 1979 as the International Conference of Data Protection and Privacy Commissioners. In September 2020, PrivCom joined the GPA as an accredited member under the helm of the Privacy Commissioner, Alexander White, with full voting rights on joint resolutions and an equal voice to participate in working groups. Today, Commissioner White serves as a member of the GPA Executive Committee (ExCo) and Chair of the Reference Panel. In October 2023, the 45th GPA annual meeting will be held in Bermuda. The theme of the event is ‘Ripples Waves and Currents’, which is indicative of the inter-connected nature of privacy laws and data protection around the globe.
Why is it important for PrivCom to be part of the GPA and other international organisations?
Through the GPA, PrivCom engages with its international counterparts to enhance Bermuda’s reputation as a regulatory leader and to ensure that its guidance and actions are consistent with standards and best practices around the globe. This benefits individuals, as well as businesses, organisations, and other entities in Bermuda. While individuals benefit because their privacy rights are interpreted according to the high standards of global consensus, organisations benefit through PrivCom’s guidance reflecting consensus best practices. At the same time, PrivCom’s regulatory actions become interoperable standards that suit multiple jurisdictions, promoting consistency and reducing compliance costs.
Can organisations share information regarding conference registration lists, such as name, title and company (public information), with delegates?
PIPA has an exclusion for “business contact information,” stating that the Act does not apply to “the use of business contact information for the purpose of contacting an individual in his capacity as an employee or official of an organisation” (section 4(1)(c)). “‘[B]usiness contact information’ means an individual’s name, position name or title, business telephone number, business address, business e-mail, business fax number and other similar business information” (section 2). So, if the information meets this definition, and you use it to contact an individual in their capacity as an employee or official of an organisation, PIPA would not apply to that use.