Introduction
The CFA Society Bermuda ("the Society") is committed to protecting the privacy and confidentiality of its members' personal information. This Personal Information Protection Act (PIPA) Policy outlines the Society’s approach to managing personal information in accordance with the Bermuda Personal Information Protection Act 2016 ("PIPA"). The policy aims to ensure transparency and compliance with the applicable legal standards for the collection, use, storage, and disclosure of personal data.
Scope
This policy applies to all personal information collected, processed, and stored by the Society in the course of its operations, including that of its members, partners, employees, and other stakeholders.
Definitions
- Personal Information: Any data about an identified or identifiable individual.
- Sensitive personal information: Personal information relating to an individual’s place of origin, race, colour, national or ethnic origin, sex, sexual orientation, sexual life, marital status, physical or mental disability, physical or mental health, family status, religious beliefs, political opinions, trade union membership, biometric information or genetic information.
- Data Subject: An individual whose personal information is being collected, held, or processed by the Society.
- Processing: Any operation performed on personal information, such as collection, recording, storage, use, or disclosure.
- Controller: The Society, which determines the purposes and means of processing personal information.
Principles for Processing Personal Information
The Society adheres to the following principles under PIPA:
- Accountability
The Society is responsible for protecting personal information and ensuring compliance with PIPA through appropriate internal procedures and security measures.
- Fairness and Transparency
The Society will only collect personal information in a fair and transparent manner. Individuals will be informed about the purposes of data collection and their rights related to their personal information.
- Purpose Limitation
Personal information will be collected only for specified, legitimate purposes related to the Society’s operations and will not be further processed in a manner incompatible with those purposes unless consent is obtained.
- Data Minimization
The Society will only collect the personal information necessary for its operations and will not collect excessive or irrelevant data.
- Accuracy
The Society will ensure that personal information is accurate, up-to-date, and complete, and will make corrections when notified of inaccuracies.
- Storage Limitation
Personal information will be retained only for as long as necessary for the purposes for which it was collected or as required by law.
- Security Safeguards
The Society will implement appropriate security measures to protect personal information from unauthorized access, disclosure, alteration, or destruction.
- Transfer of Personal Information
Personal information will not be transferred outside of Bermuda without adequate safeguards in place to ensure compliance with PIPA.
Collection of Personal Information
The Society collects personal information for the following purposes:
- Membership management and communications
- Event registration and participation
- Professional development and certification tracking
- Compliance with regulatory obligations
Personal information collected may include:
- Name, contact details (address, email, phone number)
- Employment and professional details
- Financial information (related to membership dues and fees)
Use and Disclosure of Personal Information
The Society will only use personal information for the purposes stated at the time of collection or as otherwise permitted by law. Personal information may be shared with third parties, including service providers and regulatory bodies, where necessary for the Society’s operations and legal obligations. These third parties will be required to safeguard the personal information according to PIPA standards.
Consent
Where required, the Society will obtain consent from data subjects for the collection, use, or disclosure of their personal information. Individuals have the right to withdraw their consent at any time, subject to legal or contractual restrictions.
Rights of Data Subjects
Under PIPA, data subjects have the following rights:
- Right to Access: Individuals may request access to their personal information held by the Society.
- Right to Correction: Individuals can request the correction of inaccurate or incomplete personal information.
- Right to Erasure: Individuals may request the deletion of their personal information under certain circumstances.
- Right to Object: Individuals have the right to object to the processing of their personal information based on legitimate interests.
- Right to Restriction: Individuals can request a restriction on the processing of their personal information in certain situations.
Requests to exercise any of these rights must be made in writing to the Society's designated Privacy Officer (contact information below).
Security Measures
The Society implements appropriate physical, technical, and administrative security measures to protect personal information from unauthorized access, disclosure, alteration, or destruction. This includes encryption, secure access controls, and regular audits of data protection practices.
Data Breach Notification
In the event of a data breach, the Society will take immediate steps to mitigate the impact of the breach and will notify affected individuals and the relevant authorities in accordance with PIPA requirements.
Privacy Officer Contact Information
If you have any questions or concerns regarding the Society’s handling of personal information or wish to exercise your rights under PIPA, please contact:
Privacy Officer
CFA Society Bermuda
Suite 133 – 48 Par La Ville Road, Hamilton, Bermuda HM11
Email: [email protected]