PERSONAL INFORMATION PROTECTION ACT 2016 (PIPA)

Bermuda's Personal Information Protection Act (PIPA) received Royal Assent on 27 July 2016. Sections relating to the appointment of the Privacy Commissioner were enacted on 2 December 2016, including the creation of the Office as well as those duties and powers relevant to its operation in the period leading up to the implementation of the whole Act. The Commissioner works to facilitate the advancement of consequential amendments to other Acts in order to harmonise them with PIPA.

TEXT OF THE ACT

Click on the image above to access a PDF file of the act, or click here.

BERMUDA GOVERNMENT

For more information on the history of PIPA and government perspective, see: www.gov.bm/privacy

OFFICE GUIDANCE

PIPA provides the Privacy Commissioner with general powers to educate the public, engage in research, and give guidance and recommendations. Follow up-to-the-moment guidance on our Blog's Guidance & Reports page.

A statue of blindfolded Justice with the Bermuda flag

General Topics

"What is a privacy programme?" (18 Nov 2020)

"The Principles of Privacy by Design" (15 July 2020)

"Mid-Atlantic Privacy Compass" (May 2020)

"Bermuda Report on Information Accountability" (31 March 2020)

Covid & Contact Tracing

"Guidance on Collection and Usage of Data for Contact Tracing" (19 June 2020)

"Privacy Issues in Public Health Emergencies" (18 March 2020)

Cybersecurity

Cybersecurity Awareness Month 2020: 30 Daily Tips (Oct 2020)

"Work from home tips from Bermuda's Cybersecurity Governance Board" (30 March 2020)

Data Transfers

"Guidance on vendors, third parties, and overseas data transfers" (1 March 2021)

"PrivCom recognises APEC CBPR System as a certification mechanism for overseas data transfers" (2 March 2021)

Privacy Means Business

"How Investing in a Privacy Programme Pays Off" (14 Aug 2020)

"How to develop a business case, adopt buy-in at all levels, and introduce a privacy & cyber program" [Video of panel](25 Jan 2021)

Privacy Options

"Messenger Apps" (12 Jan 2021)

Frequently Asked Questions (FAQs)

Note: populating these FAQs and their answers is still in progress. If you have a question that is not addressed here, reach out to our office via our Contact Us page.

Privacy and PIPA Basics

"Privacy and PIPA" [47-min video]

This free video training taught by Commissioner White may be watched at any time. This video includes:

A high-level discussion of the definition of privacy, its historical development and its importance [Time-stamp: 0:00-15:07],
An explanation of PIPA's rights and obligations [Time-stamp: 15:07- 30:52],
A general description of the components of a privacy programme [Time-stamp 30:53-37:00], and
Cybersecurity tips from Deloitte Bermuda's Brett Henshilwood [Time-stamp: 37:00-46:37].

Note: This video was a presentation to nonprofit and charitable organisations.

When does PIPA come into effect?

PIPA Section 52(2) grants the authority to the Minister to “appoint different days for different provisions of the Act.” Some provisions are already in effect, such as the provisions that deal with the creation and powers of the position of Privacy Commissioner. Other provisions relating to specific rights and responsibilities have not yet entered into effect.

Our office is working closely with Government personnel on a timeline and procedure for bringing the law into effect, but at the moment we are unable to cite specific dates of operation. Our goal is to provide significant advance notice before provisions come into effect, and to provide information sessions and guidance on specific practices prior to the requirement to implement them.

For Individuals

How do I make a complaint about an organisation's privacy practices?

You may contact our office according to the information on the Contact Us page. However, please note that until PIPA comes into effect, we may be limited in the actions we can take. We will pursue informal discussions, as appropriate.

Do you have resources for children?

Our blog has several articles oriented to younger audiences, such as:

Commissioner White has spoken to classrooms, and we would be happy to schedule a virtual discussion with your school.

We also recommend the resources on Government's CyberTips page.

For Organisations

What is a privacy programme?

For an introduction to the basic elements of a privacy programme, see our blog post from November 2020. This post includes links to other resources and checklists, too.

Won't a privacy programme be too expensive?

Our office will provide templates and guidance to help all organisations, even small businesses and nonprofits, support privacy rights.

That said, privacy programmes can actually help a business become more profitable! For more, see our blog post: "In Bermuda, Privacy Means Business: How Investing in a Privacy Programme Pays Off".

How do we develop a business case for privacy?

Commissioner White participated in a panel discussion on this topic that you can watch.

What is a privacy officer?

PIPA requires organisations to designate a privacy officer who is responsible for compliance with the act and communications with our office and the public. For more in this topic, see our guidance note: "What is a privacy officer?" This note goes into further detail on the requirement to appoint a privacy officer and the role itself.

For Professionals

How do I become a Privacy Officer?

There is no one path to becoming a Privacy Officer, which involves skills in understanding technology, laws and regulations, compliance, cybersecurity, and many other aspects of business operations.

A key skill is the ability to communicate across those different business areas, and help them understand each other. Privacy Officers should always ask their colleagues how they do their jobs, with a mind set to understand the business better.

There are a variety of classes and professional certifications available to supplement your Privacy Officer skills. The most well-known professional body is the International Association of Privacy Professionals (IAPP), which offers professional certifications.

A local business, the TLC Group, offers privacy officer training that has been recognised by our office as providing training that is appropriate to the knowledge, skills, and abilities needed for an individual to perform the duties of a Privacy Officer under the Personal Information Protection Act 2016 (PIPA).

Our office is developing more details on Privacy Officers, so please check back for future guidance.

Are there local community or professional groups for Privacy Officers?

Examples of community groups in Bermuda include:

Association of Bermuda Compliance Officers
Bermuda Bar Sub-Committtee for the Advancement of Privacy Law and Appropriate Regulation of the Legal Industry
International Association of Privacy Professionals (IAPP), Bermuda KnowledgeNet Chapter
The Institute of Internal Auditors (IIA), Bermuda Chapter
ISACA, Bermuda Chapter

Are you hiring? How do I learn more about working with PrivCom?

We have launched a Careers page that contains details on working with our office and current opportunities.