Guidance on vendors, third parties, and overseas data transfers
In this guidance note, we offer a primer on data transfers to third parties and overseas.
As described in the Personal Information Protection Act (PIPA) section 5 (and further outlined in our previous guidance, "What is a privacy programme?"), every organisation that uses personal information in Bermuda must implement measures and policies to give effect to its obligations.
PIPA section 5(3) addresses the use of vendors or third parties:
Where an organisation engages (by contract or otherwise) the services of a third party in connection with the use of personal information, the organisation remains responsible for ensuring compliance with this Act at all times.
This requirement should be read along with that of section 5(7) to "act in a reasonable manner" and the requirements described in section 13 "Security safeguards."
Organisations that choose to transfer data to a third party may do so in many different ways and for many different purposes, and the personal information involved will vary in type and sensitivity, which must be taken into account. To ensure they are meeting their obligations, organisations may take steps such as:
establishing internal standards that outsourcing partners or third parties must meet,
creating an evaluation process as part of procuring vendors (such as a survey, questionnaire, or formal audit),
conducting due diligence to validate the responses' accuracy,
documenting the agreement and the parties' mutual responsibilities in a legally-enforceable contract, and
monitoring the relationship for compliance with these standards.
The exact nature of these steps will differ from one vendor relationship or third-party data transfer to another. The appropriate actions will depend on the sensitivity of the data and the risk of harm.
PIPA includes additional obligations under section 15 if an organisation is making a data transfer to an "overseas third party," or a third party not domiciled in Bermuda. Section 15, "Transfer of personal information to an overseas third party", contains the following requirements:
(1) When an organisation transfers to an overseas third party personal information for use by that overseas third party on behalf of the organisation, or for the overseas third party’s own business purposes, the organisation remains responsible for compliance with this Act in relation to that personal information.
(2) Before making any such transfer, the organisation shall assess the level of protection provided by the overseas third party for that personal information.
(3) When assessing the level of protection in subsection (2), an organisation shall consider the level of protection afforded by the law applicable to such overseas third party and the Minister, on the recommendation of the Commissioner, may designate any jurisdiction as providing a comparable level of protection for the purposes of this section.
(4) If the organisation reasonably believes that the protection provided by the overseas third party is comparable to the level of protection required by this Act, which may be evidenced by the third party’s adoption of a certification mechanism recognised by the Commissioner, the organisation may rely on such comparable level of protection while the personal information is being used by the overseas third party.
Like much of PIPA, the provisions of section 15 contain a great deal of flexibility to allow organisations to meet their many, varied circumstances.
Section 15(2) specifically requires an organisation to "assess the level of protection provided." This means using measures such as those listed above to understand how the third party will use the information and what safeguards are in place.
Because an overseas data transfer involves sending personal information outside of Bermuda, and outside the reach of PIPA, section 15(3) further adds that an organisation "shall consider the level of protection afforded by the law applicable to such overseas third party". Over time, Bermuda will develop equivalency determinations that assure organisations that a designated jurisdiction provides a comparable level of protection for transferred data. [Note: For those familiar with the European Union's General Data Protection Regulation, this process is called an "Adequacy" decision.]
Section 15(4) clarifies that an organisation may act upon a reasonable belief that the protection in the overseas third party's country is comparable to PIPA. Under this section, our office has the authority to recognise certification mechanisms, and organisations may rely on such a recognition.
As one example, we have recognised the Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules (CBPR) System as a certification mechanism for transfers of personal information to an overseas third party. For more, see our blog post "PrivCom recognises APEC CBPR System as a certification mechanism for overseas data transfers."
Even when relying on an overseas third party's certification, a Bermudian organisation remains responsible to the individual and must provide appropriate notice (including notice of the transfer overseas and of its reliance on a particular certification mechanism), ensure that the conditions in section 6 are met, and fulfil any other responsibilities under PIPA.
Designations of equivalence under section 15(3) or recognitions of a certification mechanism under section 15(4) are not the only bases for an organisation to transfer to an overseas third party. Section 15 continues:
(5) Where subsection (4) is not satisfied, the organisation shall employ contractual mechanisms, corporate codes of conduct including binding corporate rules, or other means to ensure that the overseas third party provides a comparable level of protection.
As with any obligation under PIPA, organisations must assess their specific circumstances to determine what measures would be reasonable and appropriate. For example, a certification may not be appropriate when transferring sensitive personal information or information that may have a high risk of harm if misused. Organisations may need to specify certain controls or promises in their contracts to ensure personal information is used appropriately and properly.
According to section 15(6), transfers may additionally be allowed in circumstances where an organisation needs to conduct the transfer to uphold their legal rights, or if they conduct an assessment of the transfer and consider it to be "small-scale[,] occasional[,] and unlikely to prejudice the rights of an individual." More guidance on these and other topics will be forthcoming from our office.
To reach out to the Office of the Privacy Commissioner, please visit our Contact Us page.
Rights and responsibilities relating to data privacy are set out in the Personal Information Protection Act 2016 (PIPA). Bermuda's PIPA received Royal Assent on 27 July 2016. Sections relating to the appointment of the Privacy Commissioner were enacted on 2 December 2016, including the creation of the Office as well as those duties and powers relevant to its operation in the period leading up to the implementation of the whole Act. The Commissioner works to facilitate the advancement of consequential amendments to other Acts in order to harmonise them with PIPA.
The Office of the Privacy Commissioner for Bermuda (PrivCom) is an independent supervisory authority established in accordance with the Personal Information Protection Act 2016 (PIPA).
The mandate of the Privacy Commissioner is to regulate the use of personal information by organisations in a manner which recognizes both the need to protect the rights of individuals in relation to their personal information and the need for organisations to use personal information for legitimate purposes, among other duties.
The Privacy Commissioner's powers and responsibilities include monitoring the processing of personal information by both private- and public-sector organisations, investigating compliance with PIPA, issuing guidance and recommendations, liaising with other enforcement agencies, and advising on policies and legislation that affect privacy. PrivCom also works to raise awareness and educate the public about privacy risks, and to protect people's rights and freedoms when their personal data is used. The general powers of the Privacy Commissioner are outlined in section 29 of PIPA.
Alexander White (Privacy Commissioner) was appointed by His Excellency the Governor, after consultation with the Premier and the Opposition Leader, to take office on 20 January 2020.
Privacy is the right of an individual to be left alone and in control of information about oneself. In addition to the protections in PIPA, the right to privacy or private life is enshrined in the United Nations' Universal Declaration of Human Rights (Article 12) and the European Convention on Human Rights (Article 8).
"Personal information" or data is a defined term in PIPA that means any information about an identified or identifiable individual. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. "Sensitive personal information" is a defined term in PIPA that includes information relating to such aspects as place of origin, race, colour, sex, sexual life, health, disabilities, religious beliefs, and biometric and genetic information. (Note: This is not a complete list.)
"Use" of personal information is a defined term in PIPA that means "carrying out any operation on personal information, including collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying it."