THE PINK SANDBOX:

BUILD YOUR CASTLE IN BERMUDA

As introduced in our Mid-Atlantic Privacy Compass, the Office of the Privacy Commissioner is committed to promoting a responsible approach while facilitating new and innovative technologies.


Responsibility does not solely fall on organisations. Oversight bodies and stakeholder groups have a responsibility to participate constructively in the process.

Regulators around the world have developed "sandboxes," or structures where innovative organisations can test and experiment in a controlled environment and in close coordination with oversight expertise. 

Of course, we know something about sand here in Bermuda, which is famous for its pink-tinted beaches. Our community is by nature a collaborative space where interactions between participants are convenient - an ideal testing ground for new ideas.

This page will describe our Privacy Innovation and Knowledge-sharing (or, "Pink") Sandbox and how organisations may express interest. 

WHAT IS THE PINK SANDBOX?

The Personal Information Protection Act (PIPA) provides the Privacy Commissioner with the power to "comment on the implications for protection of personal information in relation to an organisation's existing or proposed programmes" (Section 29(1)(f)) and to "give guidance and recommendations of general application to an organisation on matters relating to its rights or obligations" (Section 29(1)(i)).

The Privacy Innovation and Knowledge-sharing ("Pink") Sandbox will serve as a formal mechanism to allow our office to engage with organisations early, without discouraging innovative programmes or ideas that do not have long histories of risk profiles.

The Pink Sandbox will encourage a Privacy by Design approach that anticipates issues early, allowing partners to avoid missteps and build privacy into their products or services as a default setting.

WHAT ARE THE BENEFITS OF PARTICIPATING?

Working through the Pink Sandbox provides entrepreneurs with access to PrivCom expertise to enable them to feel more confident in their product or service, as well as their organisational approach to privacy issues. 

Since involvement in the Pink Sandbox will be publicly announced, the organisation will gain visibility as a responsible member of the community that is undertaking its due diligence.

Organisations will also have the ability to contribute to the development of our office's regulatory approach to novel issues.

WHAT DOES PARTICIPATION ENTAIL?

Every organisation and idea is unique, so Pink Sandbox engagements will vary in each instance. As an early step, the organisation and PrivCom will agree on the scope of the engagement, including details such as frequency of communications and meetings.

Generally, the engagement could consist of issue-spotting sessions during design and development phases or product walkthroughs; review of privacy policy and documentation, such as Privacy Impact Assessments (PIA), Privacy Notices, or other Accountability documentation; and/or training and awareness sessions and workshops with design and development teams.

On a case-by-case basis, our Office will issue qualified statements of regulatory comfort to indicate product or service, or organisational, compliance with privacy standards and best practices. Such statements would be qualified to indicate that, on the basis of the Pink Sandbox engagement and information provided, there was no indication of a PIPA violation. This statement would be a point-in-time statement that could be adapted, changed, or revoked (even retroactively) based on future developments or additional information.

HOW DOES AN ORGANISATION EXPRESS INTEREST?

First, an organisation should review the "Pink Sandbox Terms and Conditions." Signed agreement will be necessary to engage with PrivCom after an expression of interest is accepted.

If an organisation agrees to the Terms and Conditions, send an email to PinkSandbox@privacy.bm with the Subject Line "Pink Sandbox Expression of Interest." 


In the body of this email, include details under the following headings:

  • Organisation name

  • Brief description of organisation, including sector, size category, legal status (i.e. privately-held, charity, etc.), and other relevant details

  • Organisation web site

  • Location of team involved in engagement

  • Contact details, including an individual's name, title and role, email address, and phone number

  • Summary of product or service involved in engagement

  • Anticipated types of personal information to be used by product or service

  • Anticipated timescale of engagement

  • Organisational goals for engagement

Please note that these details will form a material aspect of your Pink Sandbox engagement letter.

For information about how we use personal information, see our Privacy Notice.