Safeguarding employees’ personal information
by Juliana Snelling and Olga Rankin
Protecting private records from exposure has always been important, but the advancement of digital technology has heightened the need to guard against the misuse of personal information, or data.
Perils include identity theft, phishing scams, cybercriminal activities, fraudulent credit card and banking charges, and any number of other threats. In response, Bermuda has adopted data protection legislation, the Personal Information Protection Act 2016. The majority of PIPA has not yet come into force, but employers are advised to prepare to comply in anticipation of its expected commencement in the near future.
PIPA is particularly important for employers because everyday business operations necessitate the processing of personal information relating to employees, clients and professional contacts for purposes that include recruitment, administration, AML/ATF compliance, background checks, government surveys, health insurance, sick leave monitoring, billing and payroll, etc.
PIPA is designed to control the way businesses collect, store and process personal information. “Personal information” relates to any detail identifying a person by reference to certain attributes, such as name and address, date of birth and other identifiers. PIPA offers stronger protections for “sensitive personal information” covering, for example, origin, race, gender, sexual orientation, family status, physical or mental disability, religious beliefs, political opinions, trade union membership, biometrics or genetics, etc.
Such information may only be obtained if the nature of the employment justifies it but may never be used without the person’s consent or to discriminate in any way.
Employers must use personal data in a lawful and fair manner and put in place security safeguards to protect it against loss, unauthorised access, disclosure or destruction. They must ensure that it is accurate and current and not kept for longer than is necessary. They must also appoint their own Privacy Officer to ensure compliance. PIPA itself will be overseen by the new office of the Privacy Commissioner who will have power, inter alia, to conduct investigations and issue warnings.
Employers must also publish a “privacy notice” containing the organisation’s data practices and policies, including the purpose for which the data was collected and the name of the Privacy Officer. The criminal penalty for non-compliance is severe – a fine of up to $25,000 or two years’ imprisonment, or both, while the penalty for an organisation is a fine of up to $250,000.
Where a Bermuda entity transfers personal data overseas for a third party’s use, the Bermuda entity will remain responsible for compliance with PIPA. This is of vital importance for multinational employers who routinely exchange personal data about their staff across national borders.
The implementation of PIPA will allow Bermuda to apply for EU “adequacy” status, which allows data to flow freely to and from a non-EU country without the latter having to implement costly safeguards. Offshore jurisdictions already enjoying this status include Jersey and the Isle of Man.
More fundamentally, the commencement of PIPA will help bring Bermuda closer into line with international data protection standards, thereby enhancing our island’s reputation as a place that will not tolerate the abuse or misuse of data concerning its people.
Juliana Snelling is director of Canterbury Law Ltd and her colleague Olga Rankin is an associate attorney.
This article was originally featured in the TOP TEN 2019 edition of the RG Business Magazine.