The Personal Information Protection Act 2016 (PIPA) is due to come fully into force in late summer 2018 and is intended to establish a bespoke privacy framework for the protection of personal information in Bermuda. While PIPA will be applicable to all organisations using personal information, special care will need to be afforded to the collection, processing and disclosure of personal information relating to children.

PIPA makes a distinction between personal information (which is any information about an identified or identifiable individual) and sensitive personal information (which is any personal in­formation relating to place of origin, race, colour, national or ethnic origin, sex, sexual orientation, sexual life, marital status, physical or mental disabil­ity, physical or mental health, family status, religious beliefs, political opinions, biometric information or genetic information and typically requires a higher standard of protection).

Although PIPA does not provide any specific procedures to be undertaken by school authorities, supervisory au­thorities or teachers, there are significant penalties that can be issued by the Privacy Commissioner for non-compliance with the framework. In particular, a fine of up to $250,000 for organisations and, in the case of an individual on summary conviction, a fine not exceeding $25,000 or to imprisonment not exceeding 2 years or both.

For these reasons, PIPA will likely serve to strengthen the fundamental rights of children to personal information protec­tion and the Bermuda education com­munity, along with any other organisa­tions providing services to children, should start reviewing their current procedures and poli­cies against the new statutory framework in order to provide adequate time for their organisations to become fully compliant.

Internation­al Rights Afforded to Children

Children, having not achieved physical or psychological maturity, need more protection than other individuals. This concept has long been acknowledged in both general instruments relating to human rights, such as the Universal Declaration of Human Rights, and in specific instruments directly related to the rights of children, such as the Geneva Declaration on the Rights of the Children, 1923 and more recently the European Convention on the Exercise of Children's Rights, 1996.

As school activity comprises a significant part of children's daily lives and educational institutions process much of children's sensitive personal information, it is imperative that educa­tors, parents and community advocates for children familiarise themselves with PIPA's substantive provisions now.

Checklist for Reviewing Current Policies and Procedures

Organisations providing services to children should consider their cur­rent policies and procedures against the new legislative framework and the protection that is currently afforded by their processes to all aspects of student life from enrolment to graduation.

A general review by education institu­tions should include a consideration of:

  • Enrolment Processes: PIPA re­quires issuing privacy notices prior or at the time of obtaining person­al information.
  • Access to Student Files Proce­dures: Access to children's sensi­tive personal information or any information that could become a source of discrimination (for ex­ample, information on the wealth and income of a child's family, disciplinary proceedings, medical treatment in school etc) should be subject to a higher standard of security measures such as storage in a separate file in comparison with personal information and access should be limited only to designated individuals.
  • Retention, Updating and Dele­tion of Student Information Procedures: Children's personal information held by an organisa­tion should be adequate, relevant and not excessive in relation to the purposes for which it is used. It should be accurate and kept up to date in light of the child's constant development.
  • Biometric Information: PIPA defines 'biometric information' as any information relating to the physical, physiological or behavioural characteristics of an individual that allows for unique identification. In the context of education providers, processes relating to student ID cards, CCTV surveillance, student intranet usage and the publication of student photographs for marketing and other purposes should be reviewed.
  • Training of Educators and HR Departments: Current training and on-boarding processes for education facilitators and human resource staff should be reviewed in light of the need to become compliant with PIPA.
  • Privacy Officer: PIPA requires all organisations using personal infor­mation to appoint a privacy officer and consideration should be given to this appointment along with the necessary resources, professional qualifications and autonomy that is needed for the individual to carry out their tasks effectively.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.