An Overview of Bermuda’s Personal Information Protection Act 2016

Published May 20, 2025
Contributors

Aswah Javed

Associate Data Privacy Analyst at Securiti

Adeel Hasan

Sr. Data Privacy Analyst at Securiti

CIPM, CIPP/Canada

1. Introduction

The Personal Information Protection Act 2016 (PIPA) is a comprehensive data protection law aimed at protecting the privacy of individuals in Bermuda. It regulates the use of personal information by imposing several obligations on organizations when using individuals’ personal information. Its main objective is to ensure that this personal information is used safely and appropriately.

PIPA received Royal Assent on July 27, 2016, and was partially enacted at that time. The law became fully effective on January 1, 2025. Hence, all the organizations that fall within the ambit of PIPA must be aware of their obligations and ensure complete compliance with the law.

This guide dives into the applicability of PIPA, key definitions, obligations for businesses, and how we can help ensure swift compliance.

2. Who Needs to Comply with the PIPA

A. Material Scope

PIPA applies to all organizations that use personal information in Bermuda, unless it is otherwise specified. The Act covers the personal information that is:

  • Used partially or completely through automated means.
  • Part of or is intended to be part of a structured filing system.

This means that PIPA is applicable to all organizations using personal information through digital and manual means.

B. Exemptions

The uses of personal information that are completely exempt from the application of PIPA include:

  • the use of personal information for domestic or personal purposes;
  • personal information used for artistic, literary, or journalistic purposes if the use is for publication in the public interest and necessary to protect freedom of expression;
  • the use of business contact information when contacting someone in their role as an employee or official of an organization;
  • personal information of individuals who died at least 20 years ago, or information that has existed for at least 150 years;
  • personal information given to an archival institution before PIPA took effect, if access was either unrestricted or governed by a prior agreement with the donor;
  • personal information used for judicial purposes, including court files, personal notes, communication, or draft decisions by a person serving in a judicial, quasi-judicial, or adjudicative capacity, or political functions covered by parliamentary privilege; or
  • breach committed by the activities of the communication provider.

Additionally, a few uses of personal information are partially subject to PIPA’s obligations, with only minimum requirements applicable in those cases. These include:

  • Personal information used for safeguarding national security after obtaining an exemption certificate from the Minister, which may mention the relevant personal information. The decision of the Minister on the issuance of this certificate is appealable to the Supreme Court by the affected individuals or organisations.
  • Personal information necessary to protect the public from financial loss, misconduct, or risks to health and safety arising at work, without interfering with the discharge of these functions.
  • Personal information for protecting charities against misconduct or mismanagement and property of charities from loss or misapplication, or to recover such property, without interfering with the discharge of these functions.
  • Personal information required for crime prevention or detection and compliance with international obligations regarding the detection, investigation, and prevention of crime.
  • Personal information used to investigate or address ethical breaches by regulated professionals.
  • Personal information required for the apprehension or prosecution of offenders.
  • Personal information required for the assessment or collection of any tax or duty.
  • Personal information required for Bermuda's economic or financial interests, including matters related to taxation, compliance with international tax treaties, and regulatory functions by authorities for monetary or budgetary purposes.

The minimum requirements as stated above refer to the requirements outlined in Sections 5, 8, 11, 12, and 13 of the PIPA. These require organizations to:

  • Implement appropriate measures and policies, taking into account the nature, context, and risks of using personal information, to fulfil their responsibilities and individuals’ rights under PIPA.
  • Be responsible for compliance with PIPA when engaging third parties.
  • Designate a privacy officer to ensure smooth communication with the Commissioner. Organizations under single ownership can have a single privacy officer.
  • Act reasonably to meet the responsibilities as prescribed under PIPA.
  • Use personal information fairly and lawfully.
  • Ensure that the personal information used is adequate, relevant, and within the specified purposes of its use.
  • Ensure that the personal information used is accurate and up to date, and is not retained for longer than necessary.
  • Implement appropriate safeguards to protect personal information against risks such as loss, unauthorized access, misuse, or disclosure.

Furthermore, PIPA shall not be applied to:

  • affect any legal privilege;
  • restrict the information that is available by law to a party to any legal proceedings; or
  • restrict or affect the use of information covered by trust conditions or undertakings that a lawyer is bound by.

The law treats personal information collected before it came into effect as if it had been collected with the proper consent. Hence, its use for the original purpose for which it was collected is considered compliant with PIPA.

3. Definitions of Key Terms

A. Biometric Information

Biometric information is the information related to an individual’s physical, physiological, or behavioural characteristics enabling their unique identification, such as facial images and fingerprints.

B. Business Contact Information

Business contact information includes business information of an individual, such as name, business contact details, and job title.

C. Business Transactions

Business transaction refers to any transaction involving “purchase, sale, lease, merger or amalgamation or any other type of acquisition or disposal of, or the taking of a security interest in respect of, an organisation or a portion of an organisation or any business or activity or business asset of an organisation and includes a prospective transaction of such a nature”.

D. Child

Child refers to an individual below 14 years.

E. Communication Provider

Communication provider means an organization, including an internet service provider and telecommunications, serving as a conduit for personal information that is transmitted by a third party and does not determine the purpose for which the personal information is being used.

F. Genetic Information

Genetic information includes personal information regarding an individual’s genetic traits, inherited or acquired, providing unique information about their health or physiology based on a biological sample analysis.

G. Information Society Service

Information society service refers to services delivered via digital or electronic communication.

H. Personal Information

Personal information refers to information of an identified or identifiable individual.

I. Publicly Available Information

Publicly available information means an individual’s personal information that is knowingly made or permitted to be made public, legally obtained, or required by law.

J. Sensitive Personal Information

Sensitive personal information includes an individual’s personal information regarding their place of origin, race, sex, sexual orientation, marital status, disability, health, family status, religious beliefs, political opinions, trade union membership, biometrics, or genetics.

K. Use or Using

Use or using, with regards to the personal information, refers to any operation on personal information such as to collect, obtain, record, hold, store, organise, adapt, alter, retrieve, transfer, consult, disclose, disseminate or otherwise make available, combine, block, erase or destroy it.

4. Obligations for Organizations under PIPA

Organizations must implement appropriate measures and policies to fulfill their responsibilities under PIPA and protect individuals’ rights. These measures should reflect the nature, scope, and risks associated with how personal information is used. Moreover, organizations must act in a reasonable manner to meet their responsibilities under this Act. Let’s dive into some of the major requirements for organizations under PIPA.

A. Privacy Officer

Organizations must designate a Privacy Officer, responsible for communicating with the Commissioner and with the power to further delegate the duties to individuals. If a group of organizations comes under a common ownership or control, they can have the same privacy officer provided each organization has access to the officer.

B. Conditions for Use of Personal Information

Organizations can only use the personal information of an individual:

  • With the consent of that individual, where this can be reasonably demonstrated.
  • When a reasonable person, taking the sensitivity of the information into account, believes that the individual would not reasonably request to cease the use of their information, and the use does not harm their rights.
  • When it is necessary to fulfil a contract, or steps taken at an individual’s request to enter into a contract.
  • When such use is mandated or required by law.
  • When the information is publicly available and is used for the same purpose for which it's publicly available.
  • When the use is necessary to handle an emergency situation involving life, health, or safety of a single individual or the public at large.
  • When the use is important to carry out a public interest task or an official duty.
  • When the use is important for an employment relationship of an individual with the organization.

If the above-mentioned conditions are not met, organizations can still use personal information, but only if:

  • The information is collected from or given to a public authority authorized by law to collect or provide to the organization;
  • The use of information is necessary to comply with a court order or an order by an individual or a body that has jurisdiction over the organization;
  • The use is necessary to collect debt from the individual or to repay money owed to them;
  • The information is disclosed to a deceased individual’s spouse or relative, where the organization deems it appropriate; or
  • The use of information is reasonable to protect or defend the organization in a legal proceeding.

C. Conditions for Use of Sensitive Personal Information

Organizations cannot use sensitive personal information of an individual to discriminate against them and can only use it if:

  • The individual consents to the use of their sensitive personal information;
  • The use is in line with a court order or the Commissioner’s order;
  • The use is for any criminal or civil proceedings; or
  • The use is for an employment or recruitment context where such use is justified.

D. Data Protection Principles

Under PIPA, the use of personal information by organizations must be based on the following principles:

  • Fairness: The personal information must be used fairly and lawfully.
  • Proportionality: The personal information used must be relevant, adequate, and not excessive to the specified purposes for which it was collected.
  • Integrity: The personal information used must be accurate and up-to-date and not retained longer than necessary to fulfill the specified purposes for which it was collected.
  • Purpose limitation: The personal information must be used only for the specified purposes for which it was collected. This shall not apply when the personal information is:
    • used with the consent of an individual for the specific purpose;
    • necessary to provide a product or service at an individual’s request;
    • required by a law or court order;
    • used for detecting or monitoring fraud or fraudulent misconduct of personal information; or
    • used for conducting scientific, statistical, or historical research, provided that the rights of the individual are adequately safeguarded.

E. Privacy Notices

Organizations must provide a clear and accessible privacy notice to the data subjects, outlining their practices and policies related to the personal information. This privacy notice must include:

  • Acknowledgement that the personal information is being used;
  • The purposes for which the information is collected;
  • The identity and types of organizations and individuals to whom the personal information may be disclosed;
  • The location and contact details of the organization;
  • The name of the privacy officer;
  • The options and methods the organization offers for individuals to limit the use of, and for accessing, correcting, blocking, erasing, or destroying their personal information.

Organizations must take all reasonably practical measures to provide a privacy notice either before or at the time of collecting personal information or as soon as is reasonably possible after that.

However, in some cases, organizations are not required to provide the privacy notice. These include:

  • When they are holding publicly available information; or
  • When they can reasonably determine that all uses of the personal information they hold are within the reasonable expectations of the person to whom the information relates.

F. Security Measures

Organizations must implement appropriate safeguards to protect personal information against risks such as loss, unauthorized access, disclosure, destruction, or misuse. These safeguards should be proportional to the:

  • potential harm caused by the access, misuse, or loss;
  • sensitivity of the information, especially if it is classified as sensitive; and
  • context in which the information is held.

Organizations must regularly review and reassess these measures.

G. Breach Requirements

Organizations must promptly notify both the Privacy Commissioner and the affected individual in case of a security breach involving personal information that is likely to negatively impact an individual. The notification to the Privacy Commissioner must detail the nature of the breach, its likely impact, and the steps taken to address it. This enables the Commissioner to assess whether further action is needed and to maintain a record of the breach.

H. Communication of Personal Information to Third Parties

Organizations transferring personal information to an overseas third party, whether for processing on its behalf or for the third party’s own use, are responsible for ensuring compliance with PIPA. Before transferring personal information, they must assess the level of data protection provided by the overseas party, considering the laws of that jurisdiction. If the protection is comparable to PIPA’s standards, which can be demonstrated through a certification mechanism recognized by the Commissioner, the transfer may proceed. When it is not, organizations must use contracts, corporate rules, or similar safeguards to ensure adequate protection.

Additionally, despite other restrictions, the transfer of personal information can occur if necessary for legal proceedings or when the transfer is minimal, occasional, and unlikely to harm individuals’ rights.

I. Protections for Minors

PIPA imposes certain obligations on organizations to ensure minors’ protection. Organizations offering digital or online services targeted at children or knowingly handling children’s personal information must obtain verifiable parental consent from the parent or guardian of a child before collecting or using the child's personal information. This applies when the organization is relying on consent to use or collect such information. They must also take steps to verify whether a user is a child and ensure that consent comes only from a parent or guardian.

PIPA further prohibits organizations from collecting personal information about others from the child, including parents’ jobs or finances. Only the contact details of the parent or guardian can be collected to obtain consent. Organizations must also provide privacy notices that are age-appropriate and easy for children to understand. Additionally, in legal proceedings related to non-compliance with any of the above-mentioned minor-specific requirements, an organization has the defence to demonstrate that it took all the reasonable steps to fulfill its obligations under the law.

PIPA allows the use of personal information collected with consent for a clear intended purpose before the commencement of this law. Under PIPA, personal information can generally only be used if the individual knowingly consents. When organizations rely on consent to use an individual's personal information, they must provide clear, prominent, and easily understandable ways for individuals to provide consent. In some instances, implied consent may apply based on an individual’s behavior, provided that the individual was informed of the intended use of their personal information.

Furthermore, if an organization receives personal information through an intermediary, and the individual has already consented to the disclosure of such information for a specific purpose, that consent is valid for the receiving organization to use the information for that same purpose. Consent is also assumed to be given to the use of personal information for coverage or enrollment purposes in insurance or trust plans when an individual derives some benefit from that plan.

There are specific consent requirements related to minors, already covered above, including the obtaining of verifiable consent before using and collecting personal information of minors and verifying the consent.

5. Data Subject Rights

Similar to other significant data protection regulations around the world, PIPA guarantees certain rights to individuals, including:

A. Right to Access

Individuals have the right to access their personal information. This includes:

  • The personal information collected by the organization;
  • The purposes for which personal information is or is to be used; or
  • The names of the individuals and circumstances in which their information has been and is being disclosed.

However, organizations must not provide access to personal information:

  • When the disclosure poses a reasonable risk to an individual's life or security;
  • When the disclosure reveals another individual’s identity, but the information should be provided after redaction, if possible; or
  • When the disclosure reveals an opinion expressed confidentially without consent, but the information should be provided after redaction, if possible.

Organizations may also refuse the request to access personal information when:

  • A legal privilege protects the information;
  • The disclosure would expose sensitive information about the organization or a third party, but the information should be provided after redaction, if possible;
  • The information is being used for a current disciplinary, criminal investigation, or legal proceedings, provided it does not affect an individual's right to a fair hearing;
  • The information was used by a mediator or arbitrator, or generated during a mediation or arbitration involving an appointed mediator or arbitrator; or
  • The disclosure would reveal the organization's intentions in negotiations with the individual, potentially prejudicing those negotiations.

Access to Medical Records

Organizations must provide access to medical records at the individual’s request, including:

  • The medical or psychiatric personal information; or
  • Information obtained during social work.

Organizations can refuse to provide access to the medical records when the disclosure is likely to prejudice the physical or mental health of the individual. In such cases, organizations must provide access to personal information to a health professional with expertise in the subject matter to determine if disclosure would harm the individual's physical or mental health. However, if an organization can reasonably remove the information harming an individual’s physical and mental health, it must provide access to the rest of the personal information, as requested by the individual, after making those redactions.

The instances where organizations must or can refuse to provide access to personal information apply to the access of medical records as well.

B. Right to Rectification

Individuals have the right to rectify their personal information under an organization's control. Organizations, after receiving the request, must correct the information as soon as possible and send a notification to all affected organizations to which the information has been disclosed. They must obtain consent from the authors of the opinion, including professional or expert opinions, before correcting or altering the information. If the author does not give consent, organizations must record the individual’s request to correct the information and link that written request to the original opinion.

C. Right to Cease the Use of Personal Information

Individuals have the right to request that the organization stop or not start using their personal information for advertising, marketing, or public relations. Organizations must comply with the request.

Individuals may also request that organizations cease or not start using their information if it is likely to cause substantial damage or distress. Organizations must fulfill the request or provide written reasons justifying the use of such information.

D. Right to Erasure

Individuals have the right to have their personal information deleted or destroyed if it is no longer relevant to its intended use, and organizations must either erase or provide written justification for using such information.

Exercising the DSRs

The request to access or correct personal information must be in writing and include sufficient details for the organization to identify the personal information regarding which the request is being made. Individuals requesting the information can ask for a copy of or examine their personal information.

Additionally, organizations are not required to comply with individuals’ requests regarding personal information for which requests are already pending with the Commissioner.

Timeline to respond to a DSR request

Organizations must promptly acknowledge the receipt of a written request, including the date of the request, and inform the applicant if the details in the request are insufficient. Organizations are required to respond within 45 days of receiving the request. The response time for access, correction, cease, or deletion requests can be extended by up to 30 days, or as the Commissioner permits, when the request involves large amounts of personal information, would interfere with the organization's operations, or requires more time for consulting a third party. When the response period is extended, the applicant must be informed of the reason for the extension and the expected time of response from the organization.

Charges for Access Request

Organizations must respond free of charge to correction and deletion requests. However, they may charge a fee to individuals requesting access to their personal information, which must be within the prescribed maximum amount. The fee may not be charged if the professional regulatory body prevents the organization from doing so. When charging a fee, the organization may ask the applicant to pay all or part of the fee in advance. Moreover, the Minister and Commissioner can prescribe applicable fees.

Refusal of a DSR request

Organizations are not required to comply with the requests that are manifestly unreasonable. In doing so, organizations must inform the individuals about the reasons for the refusal in writing and their right to complain to the Commissioner.

6. Regulatory Authority

The Privacy Commissioner is the independent regulatory authority under PIPA, appointed by the Governor for a five-year term. The Commissioner is responsible for enforcing the Act by monitoring compliance, investigating complaints, issuing orders, and collaborating with law enforcement. They may approve data transfer rules, establish certification mechanisms, and conduct inquiries with subpoena and warrant powers. Supported by staff and funded by the Legislature, the Commissioner must report annually and can delegate powers. Regulations and codes of practice are developed in consultation with the Minister, and individuals may seek reviews or file complaints, with decisions subject to judicial review.

The Minister has the authority to make regulations for the purposes of this Act in consultation with the Commissioner, who must carry out a detailed review of the Act within five years of its enactment.

7. Penalties for Non-Compliance

Under PIPA, the following constitute an offence:

  • Wilful misuse or negligent use of the personal information.
  • Intentional unauthorised access to personal information.
  • Altering, hiding, destroying, or falsifying personal information or instructing someone else to do so to avoid responding to an access request.
  • Causing hindrance in the performance of the duties of the Commissioner or authorised delegated authority.
  • Intentional false statements or attempts to mislead the Commissioner in carrying out their official duties.
  • Intentional non-compliance with the restrictions on disclosure by the Commissioner or its staff.

A court shall consider whether a person has followed any code of practice issued by the Minister when determining whether they have committed an offence.

A person is also considered to have committed an offence under PIPA when they:

  • Fail to comply with a notice served and order made by the Commissioner under the law.
  • Do not comply with the law's sensitive personal information requirements.
  • Alter, hide, destroy, or falsify evidence during an investigation or a Commissioner’s inquiry.
  • Fail to notify the Commissioner about the breach of security as per the law.

Organizations or individuals have the defence that they acted in a reasonable manner in the circumstances that led to the offence. Again, the court shall take into account whether a person has followed any code of practice issued by the Minister in order to determine whether they have committed an offence.

Any person who commits an offence under PIPA is liable to:

  • In case of an individual, on summary conviction, a fine up to $25,000 or imprisonment of up to 2 years or both.
  • In case of a person other than an individual, on conviction on indictment, a fine of up to $250,000.

If an offence committed by an organization is proven to have occurred with the consent or involvement of a director, manager, or similar office holder, that individual can be held liable in a personal capacity.

Financial loss or distress

Individuals who suffer financial loss or emotional distress due to an organization's failure to comply with the provisions of PIPA are entitled to compensation. In legal proceedings, organizations can defend themselves by proving that they took reasonable care. In such cases, it is the court’s discretion to determine the amount of compensation.

8. How an Organization Can Operationalize the PIPA

Organizations can operationalize the law by:

  • Establishing and implementing governance policies and practices;
  • Appointing a Privacy Officer as required under the law;
  • Developing clear and accessible privacy notices in compliance with the requirements of the law;
  • Obtaining clear, free, and informed consent of the individuals before processing their personal information; and
  • Implementing appropriate data security safeguards.

9. How Securiti Can Help

Securiti Data Command Center enables organizations to comply with the Bermuda Personal Information Protection Act 2016 by securing the organization’s data and enabling organizations to maximize data value and fulfill an organization’s obligations around data security, data privacy, data governance, and compliance.

Organizations can overcome hyperscale data environment challenges by delivering unified intelligence and controls for data across public clouds, data clouds, and SaaS, enabling organizations to swiftly comply with privacy, security, governance, and compliance requirements.

Request a demo to learn more.
