The following statement was released today (Sept 2) by Opposition Senator Dr Douglas DeCouto, One Bermuda Alliance…

By mid-July, 51,567 Bermuda residents had their personal vaccination data held by ResQwest in US data centres, while 46,300 residents had the same happen with the information contained within their Travel Authorisation (TA) forms.

In addition to the TA form’s financial drag on Bermudian travellers, and its negative impact on Bermuda’s tourism industry, this is a serious risk and potential abuse of Bermudians’ personal information by a commercial enterprise, ResQwest. ResQwest, whose CEO is the Premier’s Fintech adviser, was given a no-bid contract to process the TA forms without the Government following its official tendering and bid process.

On July 20 we asked in the Senate what Privacy Notices or Data Retention Policies applied to this sensitive personal data of Bermudians. In response, Government could only point to a confidentiality clause in the contract between ResQwest and Government. Government also confirmed that they may combine the vaccination data with the TA form data, for statistics and to connect TA forms to vaccination data.

The One Bermuda Alliance is concerned that neither the Bermuda Government nor ResQwest have put in place the appropriate privacy policies or data retention policies to properly protect Bermudians’ personal information. Without these policies, it seems that Bermudians could not have fully consented for their personal vaccination and TA form data to be combined or used for these sorts of analyses.

To quote the Bermuda Government website, “While organisations require the use of personal information to provide services, it is important that individuals have control over their information and how it is used and shared.”

For example, what is to prevent Government or ResQwest from commercializing Bermudians’ private data, by selling it or otherwise exploiting it? Or even using it for political purposes, similar to how the Government mailed political flyers to all residents twice this year. Furthermore, while Bermudians’ data is stored in the US with its relatively loose rules, can we trust it to be protected?

Finally, what is the delay by the Government in implementing the Personal Information and Privacy Act (PIPA), first passed in 2016? While some progress has been made with the establishment of the office of the Privacy Commissioner, there is still much to be done, and it’s clear that the PLP Government has not progressed this adequately since the Act’s passing.