Bermuda Personal Information Protection Act (PIPA)

The PIPA defines personal information as any information about an identified or identifiable individual.

Personal information can be used with the individual's consent, provided the organization can reasonably prove that the individual has knowingly given their consent.

An organization shall use personal information lawfully and fairly.

An organization shall ensure that any personal information used is accurate and kept up to date to the extent necessary.

Organizations must implement appropriate measures and policies to fulfill their obligations and protect the rights of individuals as outlined in PIPA.

Individuals have the right to access their personal information, the right to access medical records, and the right to rectify, block, erasure, and destruction of personal information.

In the event of a security breach likely to harm an individual, the responsible organization must promptly notify both the Privacy Commissioner and the affected individuals.

An organization must appoint a privacy officer responsible for ensuring compliance with PIPA and serving as the primary contact with the Privacy Commissioner.

Noncompliance penalties can range from a fine of up to $25,000 or up to two years of imprisonment (or both) for individuals and for organizations, a fine of up to $250,000.