This guidance note provides an update regarding the question of whether an organisation may charge a fee to an individual for making a PIPA Rights Request.
Background
Under the Personal Information Protection Act 2016 (PIPA), individuals may make a request to an organisation to exercise their rights under sections 17 and 18. The rights under sections 17 and 18 are the right to request access to one’s own personal information and to one’s own medical records.
According to PIPA, the Minister responsible for PIPA may, in consultation with the Commissioner, prescribe any applicable fees that organisations may charge related to PIPA Rights Requests.
PIPA states that an organisation’s ability to charge a fee has limitations:
Any fee would be subject to a prescribed maximum [20(8)] set by the Minister [20(11)];
Fees cannot be applied if the request results in the correction of an error or omission [20(8)];
Fees cannot be charged if the organisation’s professional body prevents it [20(9)];
Organisations are permitted to require all or part of the fee to be paid in advance [20(10)]; and
Organisations need not comply with a PIPA Rights Request if the request is manifestly unreasonable [20(12)].
In September 2024, the Office of the Privacy Commissioner (“PrivCom”) provided an opinion to the Government of Bermuda regarding the setting of a prescribed fee. Citing the precedent of jurisdictions with whom Bermuda would seek a determination of the equivalency of its privacy law, the Commissioner recommended that the Minister prohibit a fee for most PIPA Rights Requests. PrivCom is of the opinion that the imposition of a fee might become a barrier to the exercise of privacy rights, which would put Bermuda’s equivalency status at risk.
PrivCom's understanding is that the Government team is considering the issues and developing a fee schedule, but that a fee schedule will not be prescribed as of 1st January 2025 when PIPA enters into effect.
Under section 29 of PIPA, the Commissioner is responsible for monitoring how PIPA is administered to ensure that its purposes are achieved. In pursuit of our regulatory obligations, PrivCom is presenting this guidance in accordance with section 29(c), (i), and (o) of PIPA.
General mandates for reasonableness and fairness
PIPA contains a general mandate in section 5(7) that organisations should act in a reasonable manner in meeting their responsibilities under the Act. In addition, organisations are required by section 8 to use personal information in a lawful and fair manner, which means in compliance with the law, transparently and openly without hiding relevant details, and in a way that is neither harmful to nor against the interests of the individual.
In the absence of a prescribed fee schedule, these requirements govern any fees that an organisation may charge.
Because a fee may affect an individual’s decision to exercise their rights, an organisation that wishes to charge a fee to offset administrative costs should be prepared to demonstrate that the fee in question is reasonable and fair.
Acknowledgement of a written request should address fees
According to section 20(3), when an individual makes a written request to an organisation to make a PIPA Rights Request, the organisation must promptly acknowledge the request. As part of the acknowledgement, the organisation must at the same time state if there is insufficient detail in the request and, if so, what information is required to complete the request.
If an organisation intends to charge a fee, the organisation may require payment of all or part of the fee in advance. It would be reasonable for an organisation to include as part of the acknowledgement such details as whether it will require that a fee be paid, in full or in part, in advance of a response, if at all, as well as a quote of the fee and the date by which payment is required.
If an organisation indicates as part of the acknowledgement that they will require a fee, then for clarity the organisation should include as part of the acknowledgement a statement that they will not consider the individual’s written request to be complete until the individual confirms in writing that they accept the quoted fee. Once an individual responds in writing that they accept the fee, the written request will be considered complete, and the statutory timelines will commence – presuming that other elements, such as the individual's identity, have been confirmed.
Questions of reasonableness and fairness
Organisations should act in a reasonable manner. If an individual should make a complaint to PrivCom about the fees that an organisation sets for a PIPA Rights Request, then we will be obliged to investigate it as we would any other complaint.
In evaluating whether an organisation acted reasonably, the Commissioner will consider whether the organisation acted appropriately under the circumstances, which may be unique to the organisation, to the individual, and/or to the particular request.
Drawing examples from questions asked by the public:
Despite these being the early days of PIPA, it would not be reasonable for an organisation to charge its first requester for the costs of developing its privacy programme. For example, if an organisation had never organised its files, then an individual requester should not bear the expense of it doing so simply to access his or her own records.
In some circumstances, organisations that might ordinarily charge a fee should reduce or remove their requirement for a fee. For example, if the personal information is especially sensitive, impactful, or risky to the individual, and/or the individual has an urgent need to access the personal information to prevent harm, and/or the circumstances are otherwise appropriate, then the organisation should not charge a fee.
If an organisation would otherwise rely on section 20(6)(b) to extend the time period of their response, and an individual wishes for their request to be completed more quickly, then it may be reasonable for an organisation to quote a higher fee.
If an individual has made repeated requests or requested additional copies or non-standard delivery, then an organisation may charge an appropriate fee that includes time and materials. Under section 20(12) organisations need not comply with a PIPA Rights Request if the request is manifestly unreasonable.
A regulated entity should consider whether the ability to charge fees is also permitted by its professional or industry regulatory body. If so, the precedent of fees charged in accordance with professional or industry regulations may provide examples of reasonable fees. Nevertheless, these fees may be subject to an investigation by PrivCom upon complaint.
It would not be reasonable for an organisation to profit from the fee charged when an individual requests to exercise privacy rights. The organisation must be accountable to show that any fee is reasonable and that the organisation is not making a profit from the fee. For example, if in the circumstances it would be appropriate for a fee to be charged, an hourly rate for administrative costs that is in line with minimum wage is unlikely to be considered excessive, since this is the minimum cost of labour to respond to the request.
In circumstances where the fee is considered prohibitive to the individual, organisations should engage with individuals to seek solutions. For example, if an individual makes a general, indiscriminate request for “all” of their personal information, the organisation may quote a higher fee than if the request was for a more targeted search for personal information that may take less administrative time, and therefore result in a lowered fee. Organisations should present options to individuals such as these targeted searches for specific personal information items.
Organisations may receive requests for personal information about the individual in their custody or under their control, for the purposes for which the personal information has been and is being used by the organisation, and/or for the names of the persons or types of persons to whom and circumstances in which the personal information has been and is being disclosed. The personal information itself would likely be the most extensive request as it would require a search and preparation of a response. However, a response that provides details regarding the purposes is likely very straightforward and would likely not merit more than a nominal fee, if any. The same may be true regarding the details on sharing, which may only require a uniform response depending on the organisational business practices.
Organisations should be prepared to deliver digital files in standard formats for no charge, or at most a nominal fee. If an individual requests physical media or non-standard delivery, then it may in the circumstances be reasonable for the organisation to quote fees for incurred expenses.
According to section 20(8) fees cannot be applied if the request results in the correction of an error or omission. If in the course of responding to an access request an organisation notes an incorrect or missing detail, then the fee requirement should be waived and/or fees refunded. If, after an individual receives the organisation’s response, the individual notes an error or omission that needs correcting, then any remaining fee requirement should be waived and/or any fees refunded.
Please note that this guidance does not represent an approval or endorsement of the charging of fees for PIPA Rights Requests. This guidance is interpretive guidance, is not considered legal advice, and does not necessarily amount to interpretative precedence that may be relied upon as part of any formal legal proceedings initiated by an organisation or any individual. This guidance does not prevent regulatory action by us or by any other regulatory body or authority, does not affect rights conferred on third parties (such as customers or employees), nor does it bind any courts. It is given without prejudice to any decision or action that we may take in the future, including any enforcement or other regulatory action. Please note that our position and recommendations may change over time, for example on receipt of further information by us, or following a change in law, court judgments, regulatory guidance, or policy.
For more information about your privacy rights or other questions, please visit our website at www.privacy.bm or contact us at 441-543-7748.