PrivCom Pink Sandbox
THE PINK SANDBOX: BUILD YOUR CASTLE IN BERMUDA
As introduced in our Mid-Atlantic Privacy Compass, the Office of the Privacy Commissioner is committed to promoting a responsible approach while facilitating new and innovative technologies.
Responsibility does not solely fall on organisations. Oversight bodies and stakeholder groups have a responsibility to participate constructively in the process.
Regulators around the world have developed "sandboxes," or structures where innovative organisations can test and experiment in a controlled environment and in close coordination with oversight expertise.
Of course, we know something about sand here in Bermuda, which is famous for its pink-tinted beaches.
Our community is by nature a collaborative space where interactions between participants are convenient - an ideal testing ground for new ideas.
This page will describe our Privacy Innovation and Knowledge-sharing (or, "Pink") Sandbox and how organisations may express interest.
WHAT IS THE PINK SANDBOX?
The Personal Information Protection Act (PIPA) provides the Privacy Commissioner with the power to "comment on the implications for protection of personal information in relation to an organisation's existing or proposed programmes" (Section 29(1)(f)) and to "give guidance and recommendations of general application to an organisation on matters relating to its rights or obligations" (Section 29(1)(i)).
The Privacy Innovation and Knowledge-sharing ("Pink") Sandbox will serve as a formal mechanism to allow our office to engage with organisations early, without discouraging innovative programmes or ideas that do not have long histories of risk profiles.
The Pink Sandbox will encourage a Privacy by Design approach that anticipates issues early, allowing partners to avoid missteps and build privacy into their products or services as a default setting.
WHAT ARE THE BENEFITS OF PARTICIPATING?
Working through the Pink Sandbox provides entrepreneurs with access to PrivCom expertise to enable them to feel more confident in their product or service, as well as their organisational approach to privacy issues.
Since involvement in the Pink Sandbox will be publicly announced, the organisation will gain visibility as a responsible member of the community who is undertaking their due diligence.
Organisations will also have the ability to contribute to the development of our office's regulatory approach to novel issues.
WHAT DOES PARTICIPATION ENTAIL?
Every organisation and idea is unique, so Pink Sandbox engagements will vary in each instance. As an early step, the organisation and PrivCom will agree on the scope of the engagement, including details such as frequency of communications and meetings.
Generally, the engagement could consist of issue-spotting sessions during design and development phases or product walkthroughs; review of privacy policy and documentation, such as Privacy Impact Assessments (PIA), Privacy Notices, or other Accountability documentation; and/or training and awareness sessions and workshops with design and development teams.
On a case-by-case basis, our Office will issue qualified statements of regulatory comfort to indicate product or service, or organisational, compliance with privacy standards and best practices. Such statements would be qualified to indicate that, on the basis of the Pink Sandbox engagement and information provided, there was no indication of a PIPA violation. This statement would be a point-in-time statement that could be adapted, changed, or revoked (even retroactively) based on future developments or additional information.
HOW DOES AN ORGANISATION EXPRESS INTEREST?
If you are interested in joining the Pink Sandbox, you can apply below.
An organisation should review the Pink Sandbox Terms and Conditions on the form. A signed agreement will be necessary to engage with PrivCom after an expression of interest is accepted.