Introduction
Ahead of the Personal Information Protection Act 2016 ("PIPA") coming into force on 1 January 2025, the Privacy Commissioner has released draft Financial Services and PIPA Guidance Notes ("PIPA Guidance"). This follows an outreach programme by the Privacy Commissioner with regulators (presumably mainly the Bermuda Monetary Authority ("BMA")) and those in the industry, with a view to establishing strong lines of communication and cooperation, and to identifying and rectifying areas of PIPA that conflicted with, were inconsistent with, or needed amendment to ensure effective implementation alongside existing financial services laws and regulations.
The overall conclusion is that no such conflict has been identified, and PIPA remains to come into force as drafted on 1 January 2025.
We set out below some key takeaways from the draft guidance.
Clarification on the scope of PIPA
- PIPA applies to all organisations that use personal information in Bermuda, regardless of where the individual whose personal information is being used is based. An organisation with headquarters in Bermuda would likely be seen as operating “in Bermuda” according to PIPA. An organisation that is not headquartered in Bermuda may or may not in fact be “in Bermuda” according to PIPA, depending on the facts. The Economic Substance Regulations 2018 can be used as a useful guide when determining the meaning of headquarters.
- Holding entities in Bermuda will not necessarily be using data in Bermuda; it may well be that it is the corporate service provider that is using data, depending on all the facts.
Specific guidance for the insurance sector
- PIPA applies to all organisations that use personal information regardless of their defined area of business. PIPA’s definition of “use” of personal information should be interpreted broadly, meaning many of the activities of insurance entities across the industry may be considered use of personal information.
- Reinsurers and captives should consider whether personal information is in fact needed to accomplish the business purpose. For example, this may be a factor when considering whether personal information of underlying policy holders is needed in order to provide a reinsurance or captive service. Such organisations should consider anonymising data such that it no longer falls within the definition of "personal information" or restricting access.
- Similarly, personal information may not be required for meeting other obligations such as conducting AML/ATF and sanctions checks. In reinsurance, the reinsurer may only require access to policy numbers rather than personal information. The insurer then provides contractual commitments to the reinsurer that the insurer has conducted the relevant AML/ATF and sanctions checks against the policy holders, as the reinsurer does not have access to the necessary data to perform this function. This complies with PIPA's principle of only collecting data that is necessary to perform a function.
- Organisations that use personal information are responsible for their own PIPA compliance, even if the organisation is acting upon the instructions of another organisation. The organisations should use mechanisms such as contracts to arrange how compliance with PIPA will be coordinated between them.
- Under PIPA’s section 6, organisations must select the “Conditions” under which they are lawfully using personal information; this will apply to any reinsurer or captive that is, in fact, using personal information in Bermuda. Such entities, who may not have direct contact with the insured individual, may be able to rely on conditions such as:
- consent can be reasonably implied (section 6(2)(b));
- consent has been obtained for an intermediary passing the information to a receiving organisation (section 6(2)(c));
- the individual is deemed to have consented for purpose of coverage under an insurance plan if the individual has an interest in or derives benefit from that plan (section 6(2)(d));
- the use is necessary to perform a contract (section 6(1)(c)); or
- any other condition as applicable to the facts.
- Privacy notices are required to be given to individuals under section 9. Captive insurers and reinsurance companies do not generally have direct relationships with the insured individual, and many do not have a website or other publicly available platform on which to publish a privacy notice. PIPA section 9(3)(b) states that an organisation need not provide a privacy notice if the organisation can reasonably determine that all uses made, or to be made, of the personal information are within the reasonable expectations of the individual to whom the personal information relates. For example, a captive or reinsurance company could demonstrate this reasonable determination as evidenced by a contractual requirement with their insurers to inform the individual about the uses, or as evidenced by actual steps taken by the insurer to inform the individual about the uses.
Privacy Officer role
Whilst the privacy officer role should generally be an internal person, this is not mandatory provided accountability for PIPA compliance is held by someone else in the organisation. This may pave the way for outsourced compliance roles similar to what already exists for compliance and money laundering reporting officer roles. As with such roles, organisations cannot outsource or delegate the duty of responsibility and compliance itself.
Use of personal information and KYC requirements
- Performance of KYC is required under law for many financial institutions. Where this is the case, it is permissible under PIPA’s section 6(1)(d), which permits the use of personal information when there is a provision of law that authorises or requires such use.
- Further, section 25(a) provides a general exemption to PIPA provisions for the prevention or detection of crime and compliance with international obligations regarding the detection, investigation, and prevention of crime.
- Accordingly, PIPA should not interfere with AML/ATF, KYC or sanctions checks and obligations.
Regulators
PIPA will not interfere with the regulatory activity of other regulators in Bermuda. Primarily this will mean the BMA. This means, for example, a financial institution cannot resist requests for data from the BMA on the basis that it contains personal information, or even sensitive information where that information is required for the BMA to carry out a valid supervisory function.
Sharing data with overseas regulators may be permitted but this must be considered on a case-by-case basis depending on an assessment of the public interest of Bermuda, the scale and nature of the request and likelihood of prejudice of the individual(s) involved.
Outsourcing
Outsourcing is permitted but organisations retain ultimate responsibility for compliance with PIPA. This means organisations will need to:
- establish internal standards that outsourcing partners or third parties must meet;
- create an evaluation process and questionnaire as part of procuring vendors;
- conduct due diligence on service providers’ privacy and security policies, procedures and controls to validate the accuracy of their responses;
- document the agreement and the parties’ mutual responsibilities in a legally enforceable contract; and
- monitor the relationship for compliance with these standards.
Additional obligations apply when using overseas outsource providers. In summary, organisations must consider the law that applies to the overseas third party and must reasonably consider the protection by the third party to be comparable, or else must employ mechanisms to create those protections.
Breach notification requirements
Under PIPA’s section 14, a notification is required for any breach:
- leading to the loss or unlawful destruction or unauthorised disclosure of or access to personal information; and
- likely to adversely affect an individual.
Notification is to be made without undue delay. This wording, rather than adopting for example the 72 hours permitted under GDPR, is intended to provide flexibility, not to be more onerous. What amounts to undue delay will depend on the circumstances.
How we can help
Walkers’ dedicated Regulatory & Risk team has considerable experience in advising on data privacy compliance. With many years of GDPR and UK GDPR experience, we have turned those skills to advising on PIPA preparedness. We are assisting clients with the preparation of policies and procedures, privacy notices, training materials, and terms and conditions, and providing advice on the more complex areas requiring balance and careful consideration. We regularly deliver training and workshops for clients across all the subsectors of financial services in Bermuda.