THE PINK SANDBOX:
BUILD YOUR CASTLE IN BERMUDA
As introduced in our Mid-Atlantic Privacy Compass, the Office of the Privacy Commissioner is committed to promoting a responsible approach while facilitating new and innovative technologies.
Responsibility does not solely fall on organisations. Oversight bodies and stakeholder groups have a responsibility to participate constructively in the process.
Regulators around the world have developed "sandboxes," or structures where innovative organisations can test and experiment in a controlled environment and in close coordination with oversight expertise.
Of course, we know something about sand here in Bermuda, which is famous for its pink-tinted beaches. Our community is by nature a collaborative space where interactions between participants are convenient - an ideal testing ground for new ideas.
This page will describe our Privacy Innovation and Knowledge-sharing (or, "Pink") Sandbox and how organisations may express interest.
WHAT IS THE PINK SANDBOX?
The Personal Information Protection Act (PIPA) provides the Privacy Commissioner with the power to "comment on the implications for protection of personal information in relation to an organisation's existing or proposed programmes" (Section 29(1)(f)) and to "give guidance and recommendations of general application to an organisation on matters relating to its rights or obligations" (Section 29(1)(i)).
The Privacy Innovation and Knowledge-sharing ("Pink") Sandbox will serve as a formal mechanism to allow our office to engage with organisations early, without discouraging innovative programmes or ideas that do not have long histories of risk profiles.
The Pink Sandbox will encourage a Privacy by Design approach that anticipates issues early, allowing partners to avoid missteps and build privacy into their products or services as a default setting.
WHAT ARE THE BENFITS OF PARTICIPATING?
Working through the Pink Sandbox provides entrepreneurs with access to PrivCom expertise to enable them to feel more confident in their product or service, as well as their organisational approach to privacy issues.
Since involvement in the Pink Sandbox will be publicly announced, the organisation will gain visibility as a responsible member of the community who is undertaking their due diligence.
Organisations will also have the ability to contribute to the development of our office's regulatory approach to novel issues.
WHAT DOES PARTICIPATION ENTAIL?
Every organisation and idea is unique, so Pink Sandbox engagements will vary in each instance. As an early step, the organisation and PrivCom will agree on the scope of the engagement, including details such as frequency of communications and meetings.
On a case-by-case basis, our Office will issue qualified statements of regulatory comfort to indicate product or service, or organisational, compliance with privacy standards and best practices. Such statements would be qualified to indicate that, on the basis of the Pink Sandbox engagement and information provided, there was no indication of a PIPA violation. This statement would be a point-in-time statement that could be adapted, changed, or revoked (even retroactively) based on future developments or additional information.
HOW DOES AN ORGANISATION EXPRESS INTEREST?
First, an organisation should review the "Pink Sandbox Terms and Conditions." Signed agreement will be necessary to engage with PrivCom after an expression of interest is accepted.
If an organisation agrees to the Terms and Conditions, send an email to PinkSandbox@privacy.bm with the Subject Line "Pink Sandbox Expression of Interest."
In the body of this email, include details under the following headings:
Brief description of organisation, including sector, size category, legal status (i.e. privately-held, charity, etc.), and other relevant details
Organisation web site
Location of team involved in engagement
Contact details, including an individual's name, title and role, email address, and phone number
Summary of product or service involved in engagement
Anticipated types of personal information to be used by product or service
Anticipated timescale of engagement
Organisational goals for engagement
Please note that these details will form a material aspect of your Pink Sandbox engagement letter.