The Personal Information Protection Act 2016 (PIPA) is due to come fully into force in late summer 2018 and is intended to establish a bespoke privacy framework for the protection of personal information in Bermuda. While PIPA will be applicable to all organisations using personal information, special care will need to be afforded to the collection, processing and disclosure of personal information relating to children.
PIPA makes a distinction between personal information (which is any information about an identified or identifiable individual) and sensitive personal information (which is any personal information relating to place of origin, race, colour, national or ethnic origin, sex, sexual orientation, sexual life, marital status, physical or mental disability, physical or mental health, family status, religious beliefs, political opinions, biometric information or genetic information and typically requires a higher standard of protection).
Although PIPA does not provide any specific procedures to be undertaken by school authorities, supervisory authorities or teachers, there are significant penalties that can be issued by the Privacy Commissioner for non-compliance with the framework. In particular, organisations face a fine of up to $250,000 and individuals face, on summary conviction, a fine not exceeding $25,000 or imprisonment not exceeding 2 years or both.
For these reasons, PIPA will likely serve to strengthen the fundamental rights of children to personal information protection, and the Bermuda education community, along with any other organisations providing services to children, should start reviewing their current procedures and policies against the new statutory framework in order to provide adequate time for their organisations to become fully compliant.
International Rights Afforded to Children
Children, having not achieved physical or psychological maturity, need more protection than other individuals. This concept has long been acknowledged in both general instruments relating to human rights, such as the Universal Declaration of Human Rights, and in specific instruments directly related to the rights of children, such as the Geneva Declaration on the Rights of the Children, 1923 and more recently the European Convention on the Exercise of Children's Rights, 1996.
As school activity comprises a significant part of children's daily lives and educational institutions process much of children's sensitive personal information, it is imperative that educators, parents and community advocates for children familiarise themselves with PIPA's substantive provisions now.
Checklist for Reviewing Current Policies and Procedures
Organisations providing services to children should consider their current policies and procedures against the new legislative framework and the protection that is currently afforded by their processes to all aspects of student life from enrolment to graduation.
A general review by education institutions should include a consideration of:
- Enrolment Processes: PIPA requires issuing privacy notices prior to or at the time of obtaining personal information.
- Access to Student Files Procedures: Access to children's sensitive personal information or any information that could become a source of discrimination (for example, information on the wealth and income of a child's family, disciplinary proceedings, medical treatment in school etc.) should be subject to a higher standard of security measures than other personal information, such as storage in a separate file, and access should be limited only to designated individuals.
- Retention, Updating and Deletion of Student Information Procedures: Children's personal information held by an organisation should be adequate, relevant and not excessive in relation to the purposes for which it is used. It should be accurate and kept up to date in light of the child's constant development.
- Biometric Information: PIPA defines 'biometric information' as any information relating to the physical, physiological or behavioural characteristics of an individual that allows for unique identification. In the context of education providers, processes relating to student ID cards, CCTV surveillance, student intranet usage and the publication of student photographs for marketing and other purposes should be reviewed.
- Training of Educators and HR Departments: Current training and on-boarding processes for education facilitators and human resource staff should be reviewed in light of the need to become compliant with PIPA.
- Privacy Officer: PIPA requires all organisations using personal information to appoint a privacy officer, and consideration should be given to this appointment along with the necessary resources, professional qualifications and autonomy that are needed for the individual to carry out their tasks effectively.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.