Personal data protection laws to go live in 2025
Legislation designed to protect personal data and information is expected to come into force on January 1, 2025, the Minister of Tourism and the Cabinet Office announced yesterday.
Vance Campbell said that although some companies were ready for the law — passed in July 2016 — he did not want smaller businesses to be left behind.
The Personal Information Protection Amendment Act 2023 is to be debated in the House of Assembly today.
Mr Campbell said yesterday afternoon: “We live in a data-driven world and since the pandemic we have become more and more dependent on operating in an online space.
“Personal information permeates businesses, private and public sector organisations and workplaces, including names, addresses, personal history, contact information, medical and financial data.
“This information may be readily available online or easily accessed in other cases.
“Personal information, in most instances, must be protected because if it falls into the wrong hands it could be harmful to the individual and to the organisation.
“Depending on the situation, individuals could become victims of identity theft, discrimination, physical harm, harassment or the victim of libellous and defamatory communications.
“Organisations may find their reputation affected or may be legally responsible.”
The amendment Bill seeks to harmonise the Personal Information Protection Act 2016 and the Public Access to Information Act 2010, and make changes to Pati regulations.
Mr Campbell explained that Pati provided rights for people to access information held by public authorities, subject to exceptions, whereas Pipa aims to make sure that individuals have control of how their personal information is used.
He added: “The personal information amendment Bill will resolve overlapping provisions currently found in Pati and the Pati Regulations 2014 with the Pipa to ensure, for example, one definition of personal information and one legislative regime to request and correct one’s own personal information.
“The amendments primarily allow personal information requests to public authorities to be managed through Pipa and not Pati, once Pipa comes into force.
“With the anticipated passage in the House of Assembly of the Personal Information Protection Amendment Bill 2023, I can advise that Pipa will formally come into force on January 1, 2025.
“I recognise that Pipa can seem like a daunting prospect for our community and admittedly there is much to consider when it comes to what is required and what the public’s responsibility is as it relates to privacy and the protection of personal information.”
A government spokeswoman said last December that the legislative process regarding Pipa was “substantially completed”.
She added then: “The Government is in the final stages of enacting the legislation, with the aim of having it in place in the spring of 2023.”
Mr Campbell said: “We recognise that there are some companies that are ready for this, particularly larger companies who are already dealing in and have business activities in environments and jurisdictions where this legislation is already in place.
“What we don’t want to do is leave any of the smaller businesses behind so we thought it would be wise to work with the Privacy Commissioner and provide the necessary guidance and training for those who still require it to ensure that come January 1, 2025, everybody is completely on board and ready and operating under what will come into effect on that date.”
The minister, who said in March that fees would be implemented for making Pati applications “to offset onerous costs of administrating requests”, was asked if the charge to access public records was still expected to be introduced.
He replied: “I will actually be making a ministerial statement on Pati tomorrow in the House of Assembly so I would invite you to listen in on that.”
Alexander White became the island’s Privacy Commissioner in January 2020 and explained how his team would continue to work with entities to help them be ready for the privacy legislation.
He said: “We now have an 18-month window for organisations to prepare for Pipa.
“This course of action has my support, and we have worked closely with our government colleagues in developing this implementation window.
“With this fixed, universal date we can provide legal certainty to the community and avoid confusion about deadlines.”
Mr White said the time frame allowed his office to guide organisations with a phased action plan.
He explained that resources available included video training on the basics of Pipa as well as more detailed written information on key topics, such as elements of a privacy programme, what a privacy officer was and what organisations needed to consider when they shared information with third parties on the island and overseas.
The Information Commissioner congratulated the Government and the Privacy Commissioner “on the establishment of the two core foundations for a modern information rights framework”.
Gitanjali Gutierrez’s office carries out functions related to the Public Access to Information Act 2010, which would undergo amendments if the Personal Information Protection Amendment Act 2023 is passed.
She said: “Pipa will provide robust safeguards for the collection, storage, handling and sharing of personal information.
“These principles are complementary to, but different from, the principles driving access to information rights embodied in the Pati Act.
“Together, the right to public access to information under Pati and the privacy rights enshrined in Pipa provide the core foundations for a comprehensive information rights framework.”
Ms Gutierrez added: “The Information Commissioner has been in consultation with the Government about the Pipa/Pati harmonisation since July 2015 and continuing through to the present Pipa/Pati harmonisation Bill that is currently being considered by Parliament.
“The Information Commissioner’s Office has sought to ensure that the harmonisation amendments continue to support robust access to public records and the efficient administration of both Acts.
“The Information Commissioner fully supports the harmonisation legislation.”
Mr White said a Road to Pipa programme was guiding groups from organisations on a six-month plan towards a privacy programme.
He added: “We’ll use the lessons from those cohorts to create feedback for the community as a whole, to benefit from.
“Also, our Pink Sandbox continues to work with organisations who need custom guidance, as part of our office’s Innovation Services programme to encourage organisations, whether already in Bermuda or looking to establish themselves in Bermuda, to be creative and innovative while still meeting their compliance obligations.”
Mr White said an upcoming comprehensive guide to privacy would include tips, checklists and advice.
He added: “Starting on Data Privacy Week in January 2024, we will provide the community with specific goals and actions to take each month as part of a phased action plan that puts the process of privacy compliance in bite-sized proportions.
“Organisations need time to plan, so providing these sorts of concrete action steps will allow the community to progress together.”