On 15 June 2023, the Minister of Tourism and the Cabinet Office, Vance Campbell, announced the tabling of the Bill, which is scheduled to be debated in the House of Assembly today, 16 June 2023. Once passed, the remaining provisions of the Personal Information Protection Act 2016 ("PIPA") will be operative with a suggested effective date of 1 January 2025. The Bill seeks to harmonize PIPA and the Public Access to Information Act 2021, as well as make changes to the Public Access to Information Regulations 2014.
Bermuda has recognized the growing importance of data protection and privacy in the modern digital landscape. PIPA was initially enacted in 2016 to establish a framework for the responsible collection, use and disclosure of personal information by organizations in Bermuda. When PIPA received royal assent in 2016 only the provisions of PIPA that permitted the appointment of the Privacy Commissioner (the "Commissioner") and the establishment of his office became operative. The Bill will now bring into effect the substantive provisions of PIPA that place certain obligations on organisations using personal information in Bermuda. The 1 January 2025 operative date, will allow businesses sufficient time to prepare for compliance. This news now provides a definitive 18-month window for businesses to execute their action plans.
The Bill will also make minor amendments to PIPA, including:
- Privacy Notices
Contact details in addition to the name of the relevant privacy officer must now be included in privacy notices.
- Terminology
The term "rectifying" or "rectification" in relation to an individual's rights under PIPA has been changed to "correcting" and "correction" respectively.
- Health Professionals' Expertise
When requesting access to medical records, the relevant health professional no longer requires to have expertise "in the subject matter of the record" being requested.
- Reports by the Commissioner
Reports will now be issued within 6 months after the end of each calendar year, which has been extended from the initial 3-month provision.
Additional provisions were also added in relation to the vacancy of the Office of the Commissioner, as well as the Commissioner's power to charge fees for any services provided under PIPA.
The forthcoming implementation of PIPA in Bermuda reinforces the jurisdiction's commitment to data protection and privacy rights. Organizations must proactively adapt their data protection practices to ensure compliance with the legislation. Seeking legal advice and engaging in comprehensive compliance efforts will be crucial to mitigating risks and demonstrating commitment to data privacy.