On September 2nd, TLC Group hosted a ceremony to celebrate the "first cohort" of home-grown Bermudian privacy professionals. These individuals had completed the "Privacy Officer Foundation" and "Practitioner" courses that were recently recognised by PrivCom as providing training that is appropriate to the knowledge, skills, and abilities needed for an individual to perform the duties of a Privacy Officer. As illustrated in local news coverage (Bernews), the event was held in the large space of Hamilton City Hall, with appropriate limits on attendance and physical distancing.
Commissioner White delivered this speech as the event's keynote. Original script may differ from delivered version.
Thank you for having me here. It is not only exciting to simply be in a room with other people, but also to be in a room full of privacy professionals!
I hate to start by citing chapter and verse, but while I have the stage I want to address a question I get often: when will PIPA’s compliance requirements come into effect?
As those of you who have completed the course already know, PIPA Section 52(2) grants the authority to the Minister to “appoint different days for different provisions of the Act.” Some provisions are already in effect, such as the provisions that deal with the creation and powers of the position of Privacy Commissioner. Other provisions relating to specific rights and responsibilities have not yet entered into effect.
My office is working closely with Government personnel on a timeline and procedure for bringing the law into effect, but at the moment I am unable to cite dates of operation. My goal is to provide significant advance notice before provisions come into effect, and to provide information sessions and guidance on specific practices prior to the requirement to implement them. At the moment, I do not anticipate major changes to PIPA before further sections come into effect.
Thinking about this opportunity to speak to a group of individuals, some starting their privacy journey and some having taken a moment to add Bermuda’s specifics to their knowledge, I want to highlight one of the elements of my Mid-Atlantic Privacy Compass that cuts to the core of what a privacy officer’s role should entail: the idea of stewardship.
As we travel on our various journeys - through space, time, or life itself - we are transitory. In business or otherwise, we have the opportunity to make use of the resources in front of us, but must always act responsibly, conserving common goods for the benefit of the community now and in the future.
These sorts of arguments are often used for natural resources: in various philosophies - even Biblically - humans are considered to be the caretakers of the world, not necessarily its owners. This form of thinking shifts the balance away from a sense of entitlement. We should be stewards in all things.
As with other resources, framing the discussion around personal data as one of stewardship, as opposed to ownership, changes the way we intuitively understand its exploitation or protection.
An “owner” is free to sell or consume a resource, but a “steward” has a duty of care to preserve it. A steward acts on behalf of the individual, in their best interest, ensuring that the data retains its value while also bringing a benefit to the data subject.
An organisation that uses personal data must take the mind-set that the data is not theirs, but only temporarily in their care. Ideas around the legal concept of agency can be very useful in this regard: the organisation should not consider themselves an outside third-party who has triumphed in a negotiation to win data rights from their customer - this mind-set is oppositional, winner-take-all. When using personal data, in fact they are carrying out the instructions of the data subject, and should consider the duties of care and otherwise that such a role implies.
Individuals provide data to organisations so that it may be used in ways they prefer, for a benefit they decide is worthwhile. The organisation must consider themselves a steward - or even an agent - of the individual, acting on their behalf and seeking to preserve the resource.
It is common in business parlance to use the word "owner" as the ultimate expression of responsibility, implying that people will surely treat their own property with the highest care and reasonableness. I would argue that is not the case: I am free to use my own property frivolously if I want, if I deem the goal worthwhile.
On the contrary, the highest duty of care arises when one is a steward, charged with protecting property on behalf of someone who has placed a great deal of trust in them. There is a certain amount of humility to this mind-set, but humility is needed from organisations charged with protecting individuals' rights - in other words, any organisation using personal data.
Certainly, the organisation may still create something of value for themselves as part of the process of providing a service to the individual, but by shifting the mind-set to the context of stewardship, their duties to the individual become more clear.
They are not to exploit the resource, but to engage in careful management of it for the benefit of the individual.
Their duty is not solely to make a profit, but must be balanced against the duties of care or otherwise that they would owe as an agent or caretaker.
This shift in perspective provides an important focus, orienting the organisation towards the individual and counterbalancing other incentives. It would be anathema for a steward to exploit data to the point that it harms their charge. It would be violating their duties.
As you go forward on your privacy journey, I hope you take this philosophy of stewardship with you, and always remember the duties that we owe individuals when we are charged with protecting their data privacy.
Rights and responsibilities relating to data privacy are set out in the Personal Information Protection Act 2016 (PIPA). Bermuda's PIPA received Royal Assent on 27 July 2016. Sections relating to the appointment of the Privacy Commissioner were enacted on 2 December 2016, including the creation of the Office as well as those duties and powers relevant to its operation in the period leading up to the implementation of the whole Act. The Commissioner works to facilitate the advancement of consequential amendments to other Acts in order to harmonise them with PIPA.
The Office of the Privacy Commissioner for Bermuda (PrivCom) is an independent supervisory authority established in accordance with the Personal Information Protection Act 2016 (PIPA).
The mandate of the Privacy Commissioner is to regulate the use of personal information by organisations in a manner which recognizes both the need to protect the rights of individuals in relation to their personal information and the need for organisations to use personal information for legitimate purposes, among other duties.
The Privacy Commissioner's powers and responsibilities include monitoring the processing of personal information by both private- and public-sector organisations, investigating compliance with PIPA, issuing guidance and recommendations, liaising with other enforcement agencies, and advising on policies and legislation that affect privacy. PrivCom also works to raise awareness and educate the public about privacy risks, and to protect people's rights and freedoms when their personal data is used. The general powers of the Privacy Commissioner are outlined in Article 29 of PIPA.
Alexander White (Privacy Commissioner) was appointed by His Excellency the Governor, after consultation with the Premier and Opposition Leader, to take office on 20 January 2020.
Privacy is the right of an individual to be left alone and in control of information about oneself. In addition to the protections in PIPA, the right to privacy or private life is enshrined in the United Nations' Universal Declaration of Human Rights (Article 12) and the European Convention on Human Rights (Article 8).
"Personal information" or data is a defined term in PIPA that means any information about an identified or identifiable individual. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. "Sensitive personal information" is a defined term in PIPA that includes information relating to such aspects as place of origin, race, colour, sex, sexual life, health, disabilities, religious beliefs, and biometric and genetic information. (Note: This is not a complete list.)
"Use" of personal information is a defined term in PIPA that means "carrying out any operation on personal information, including collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying it."