In this guidance note, we describe the qualifications and duties of Privacy Officers and direct organisations and individuals to links with additional resources.
The Personal Information Protection Act (PIPA), section 5, "Responsibility and compliance" contains the following requirements:
(4) An organisation shall designate a representative (“privacy officer”) for the purposes of compliance with this Act who will have primary responsibility for communicating with the Commissioner.
(5) A group of organisations under common ownership or control, may appoint a single privacy officer provided that a privacy officer is accessible from each organisation.
(6) A privacy officer designated under subsection (4) may delegate his duties to one or more individuals.
(7) In meeting its responsibilities under this Act, an organisation shall act in a reasonable manner.
These provisions contain some flexibility, which can be useful since every organisation is different.
In short, the "privacy officer" role is an internal designation of responsibility and authority for compliance with PIPA, and an external announcement to the public (including our office) to indicate who is the point of contact about privacy and personal information.
Importantly, the "privacy officer" need not actually undertake each and every duty, but may delegate or employ others to do so. Because the role involves responsibility for compliance, the privacy officer is likely an internal staff member, but need not be. As with other provisions, PIPA provides for flexibility if the organisation can justify its actions under the circumstances and demonstrate it acted reasonably.
However, one aspect that an organisation cannot outsource or delegate is the duty of responsibility and compliance itself.
Below are frequently asked questions about privacy officers. If you have questions that are not addressed here, please reach out to us via our Contact Us page.
Who has to designate a privacy officer?
Any organisation that must comply with PIPA must appoint a privacy officer.
PIPA defines an organisation as "any individual, entity or public authority that uses personal information," and further indicates in section 3 that it applies to "every organisation that uses personal information in Bermuda where that personal information is used wholly or partly by automated means and to the use other than by automated means of personal information which form, or are intended to form, part of a structured filing system."
This language means PIPA has broad application, as many organisation will have some form of automation or filing. Under this broad language, many organisations in Bermuda will need to appoint a privacy officer.
The language of section 5(4) is unambiguous about the need to designate such a representative and does not indicate any exclusions or exemptions for size or scale of operations - but the compliance requirements that the privacy officer is responsible for will vary based on such factors.
What is the privacy officer's role?
The duties of a privacy officer will vary according to the needs of the organisation, depending on what tasks are needed to comply with PIPA. The privacy officer is responsible for developing the organisation's privacy programme and for communicating with our office and the public. As we discussed in our previous guidance notes, the exact actions an organisation must perform for compliance will vary based on the particular circumstances.
Importantly, the privacy officer is "responsible" for compliance, but may delegate the actual duties that make up ensuring organisational compliance.
The privacy officer is responsible for ensuring that the organisation develops appropriate measures and policies to give effect to its obligations and to the rights of individuals under PIPA. Such measures and policies are described in our previous guidance note, "What is a privacy programme?" Our office will continue to develop guidance with examples of practices, and we will work with community groups to develop standards.
Importantly, privacy officers will also serve as the point of contact for our office, so must be available to respond to communications and requests. We do not require registration in advance with our office.
PIPA's section 9 further indicates that a privacy officer's contact information must be listed in an organisation's privacy notices, so the privacy officer must be available to respond to questions from individuals and/or requests to exercise PIPA rights.
Who should be the privacy officer?
The privacy officer should hold a position of responsibility within an organisation, with sufficient authority to oversee and ensure compliance with PIPA. This role may fall in different places depending on the structure of the organisation, and could include an organisation's senior executive, director, or owner.
When considering who to designate as privacy officer, the organisation should assess and document how that individual will effectively fulfil the requirements of the role.
Whoever is designated as privacy officer should be a senior decision maker who is supported by leadership in promoting privacy as an organisational value. The privacy officer should be authorised and empowered to act regarding PIPA compliance across the organisation.
PIPA does not specify that the privacy officer be an internal role. In fact, section 5(5) specifically allows an organisational group to have a single privacy officer - so long as that role is accessible from each organisation.
No matter which type of privacy officer is selected, the privacy officer must be able to effectively ensure organisational compliance with PIPA. Depending on the uses of personal information, the privacy officer may need to be present on site, or have an on-site delegation. Some organisations operate completely virtually, so from an internal perspective the privacy officer could effectively perform their work even outside of Bermuda. Organisations must ensure that the privacy officer is also positioned to respond to public inquiries, and the manner of which may vary depending on, for example, a business' client or customer base.
Some third parties offer privacy officer services, such as providing technical advice on compliance, managing customer service interactions, or even responding to PIPA rights requests using information held by the organisation. PIPA allows an organisation's privacy officer to delegate their duties to such vendors.
However, an organisation cannot outsource its responsibility for complying with PIPA.
What duties does a privacy officer perform?
We provide the following examples of language for privacy officer duties to help organisations evaluate how to designate a privacy officer for their organisation, structure the delegation of duties, or evaluate potential candidates.
This is not an exhaustive list, and specific duties will depend on how an organisation uses personal information.
Compliance with PIPA:
Understand and explain the minimum requirements under PIPA;
Demonstrate knowledge of the organisation’s responsibilities under PIPA;
Establish, maintain, or monitor an organisation's privacy programme and necessary controls;
Evaluate vendors, third-parties and overseas data transfers;
Demonstrate accountability for structuring, designing and managing the privacy programme, including all procedures, training, monitoring/auditing, documenting, evaluating, and follow-up;
Demonstrate knowledge of the organisation’s personal information handling policies and procedures;
Assess organisational compliance with PIPA;
Determine appropriate conditions for using personal information according to PIPA section 6;
Assess risk to determine or evaluate proportional security safeguards;
Map the privacy programme to compliance requirements in legislation and guidance;
Ensure resources are allocated for privacy programmes;
Assess privacy risks and/or conduct periodic risk assessments;
Train other staff at the organisation to deal with privacy matters;
Advise their organisation on compliance with privacy requirements;
Advise their organisation on the potential privacy impacts of changes to the organisation's business practices;
Advise their organisation on how the privacy programme might support or improve the business;
Advise their organisation on what the organisation can and cannot do with personal information;
Review the purposes for use of information to advise on whether the use of information is needed for a purpose (PIPA section 11), the appropriate maintenance or retention of the information (PIPA section 12), or on whether a subsequent purposes would be sufficiently "related" (PIPA section 10);
Advocate or champion privacy within the organisation;
Coordinate with other appropriate persons responsible for related disciplines and functions within the organisation;
For larger organisations, oversee staff with responsibilities to foster a culture of privacy;
For larger organisations, interact with various business units, including product development, customer services or marketing initiatives;
Communicate with PrivCom:
Act as the organisation's liaison with the Office of the Privacy Commissioner;
Demonstrate accountability for how the privacy programme is executed and managed throughout the organisation;
Represent the organisation in the event of an investigation by the Office of the Privacy Commissioner;
Notify, and co-ordinate actions with, the Office of the Privacy Commissioner in the event of a breach of security;
Respond to public questions and rights requests:
Draft privacy notices and other public statements explaining how the organisation uses personal information;
Explain (internally and to the public) the procedures for exercising PIPA rights, such as making a request for access to, correction of, or erasure of personal information;
Respond to queries about privacy matters or complaints about a breach of the security of personal information;
Train and inform front-line and management staff so that they can respond to inquiries or explain matters to the general public;
Develop guidance that will assist staff in responding to questions from customers about your privacy programme, including information on how to contact the privacy officer;
Draft notifications for individuals affected by a breach of security.
Is a privacy officer the same as a GDPR "Data Protection Officer"?
Organisations that must meet regulatory requirements for the United Kingdom, European Union, or other countries with comparable laws may already have someone designated as a "Data Protection Officer" (or DPO) under the General Data Protection Regulation (GDPR).
Under the GDPR, the role of DPO has many specified standards. For example, organisations must only appoint a DPO if they meet certain criteria (and even then, if an organisation that was not required to appoint a GDPR DPO claims to have one, then they will be held to the same standard as if they were so required). A DPO must report to the "highest level of management," and there are detailed rules defining this relationship. The GDPR requires that a DPO be independent and describes rules regarding conflicts of interest that may prevent the individual holding certain positions in the organisation, such as managing operational business units. The GDPR also outlines specific ways that an organisation must support their DPO.
A DPO and a PIPA privacy officer are very similar. They both serve as a regulatory and public-facing contact point. The DPO is charged "to monitor compliance" (GDPR Article 39), while a privacy officer is designated "for the purposes of compliance" (PIPA section 5(4)).
If your organisation has properly designated a GDPR DPO, the holder of that role will almost certainly also meet requirements to be considered a PIPA privacy officer. However, a PIPA privacy officer may not necessarily meet the definition of DPO, depending on how your organisation structures the role or other duties.
Our office is not charged to supervise the GDPR. If you have questions, you should consult your relevant supervisory office. Our international colleagues have guidance posted for DPOs, such as the United Kingdom Information Commissioner's Office ("Guide to the GDPR: Data Protection Officers"), the Data Protection Commission Ireland ("Data Protection Officers"), or the Guernsey Office of the Data Protection Authority ("Data Protection Officers").
Is the privacy officer liable for non-compliance with PIPA?
Ultimately, the organisation itself is responsible for compliance with PIPA. The privacy officer is the officer of the organisation designated to with responsibility within the organisation. For example, the Commissioner's orders will generally be issued to organisations, not individual officers, and relate to the actions and responsibilities of organisations. Further, PIPA section 21 allows a person to receive compensation for financial loss or emotional distress from the organisation, not an individual officer.
However, PIPA section 47 defines the offences that an organisation may commit, and an officer of an organisation could be deemed to have committed an offence in their personal capacity, according to PIPA section 47(6). This would be the case if the organisation is found to have committed an offence, and the offence was "committed with the consent or connivance of, or to be attributable to, any neglect on the part of ... any director, manager, secretary, or similar officer." Whether such an offence has been committed will depend on the circumstances.
For this reason, privacy officers should take care to document their actions and recommendations, such as the steps taken in the development of the organisation's privacy programme. Organisations, or individual officers, may not always choose to follow the recommendations of privacy officers. If so, the privacy officer should document their recommendations and the decision-maker's acceptance of responsibility. Privacy officers should consider how they will demonstrate their due diligence in implementing compliance with PIPA.
If any compliance officer is concerned about their personal liability, our office recommends they engage a legal advisor to discuss further.
As stated previously, our office will continue to develop guidance with examples of practices, and we will work with community groups to develop standards.
However, it will be impossible to cover every possible circumstance in advance. For this reason, organisations would be well served to document their due diligence and the factors entering into their reasonable judgements to show their good accountability.
Several other regulators with laws that are similar to PIPA have described the role of privacy officer. Because of this similarity, our office will find that guides by fellow regulators and experts are persuasive guidance, and an organisation's use of them will show good faith.
Additional Resources:
Office of the Privacy Commissioner of Canada, Office of the Information and Privacy Commissioner of Alberta, Officer of the Information & Privacy Commissioner for British Columbia: "Getting Accountability Right with a Privacy Management Program," Section A(1)(b)
Privacy Commissioner, New Zealand: "Privacy Officers"
Office of the Australian Information Commissioner: "Privacy Officer Toolkit"
Information and Privacy Commission, New South Wales: "The role of Privacy Contact Officers"
To reach out to the Office of the Privacy Commissioner, please visit our Contact Us page.
Last Revised: 31 Aug 2021