As of 1 January 2025, when the Personal Information Protection Act (PIPA) 2016 enters into force, the law will apply to the use of personal information by organisations in Bermuda. In this blog post, we outline three regimes for the use of personal information by organisations in Bermuda to help organisations understand the concepts of different uses of data, exclusions, exemptions, and the resulting minimum requirements.
Organisations use personal information in several different ways, and depending on how an organisation uses personal information, there are three basic levels of compliance with PIPA:
Figure 1. Three basic levels of PIPA compliance re use of personal information by organisations
No compliance will be required for uses of personal information that are excluded under Part 1, section 4 (Exclusions). Under that section, PIPA doesn’t apply to the following uses of personal information:
for personal or domestic purposes;
for artistic, literary, or journalistic purposes with a view to publication in the public interest in so far as is necessary to protect the right to freedom of expression;
the use of business contact information for the purpose of contacting an individual in their capacity as an employee or official of an organisation.
For example, personal information used for the purpose of a purely personal or household activity, with no connection to a professional or commercial activity, is outside PIPA’s scope. This means that if you only use personal information for such things as writing to friends and family or taking pictures for your own enjoyment, you are not subject to PIPA.
Uses of personal information by Bermudian media outlets, libraries, museums, archives etc. for artistic, literary, or journalistic purposes are excluded from PIPA.
However, other uses of personal information by Bermudian media outlets, libraries, museums, archives etc., for example, for HR or subscription purposes, are not excluded from PIPA and the organisations must comply with it.
PIPA also doesn’t apply to:
personal information about an individual who has been dead for at least 20 years;
personal information about an individual that has been in existence for at least 150 years;
personal information transferred to an archival institution where access to the personal information was unrestricted or governed by an agreement between the archival institution and the donor of the personal information before the coming into operation of PIPA;
personal information contained in a court file and used by a judge of any court in Bermuda or used as part of judicial administration or relating to support services provided to the judges of any court in Bermuda, but only where such personal information is necessary for judicial purposes;
personal information contained in a personal note, communication or draft decision created by or for an individual who is acting in a judicial, quasi-judicial or adjudicative capacity;
personal information used by a member of the House of Assembly or the Senate where such use relates to the exercise of his political function and the personal information is covered by parliamentary privilege.
If an organisation uses or controls personal information about an individual that was acquired before PIPA comes into force on 1 January 2025, that personal information is deemed to have been collected pursuant to consent given by that individual, and it may be used by the organisation for the purposes for which it was originally collected.
Partial exemption may apply for uses of personal information that are exempt under sections 22 (National security exemption), 24 (Regulatory activity and honours exemption) and 25 (General exemption). The minimum requirements and other PIPA requirements still apply to the extent that they do not interfere with the intended purposes.
The term “minimum requirements” means the requirements of PIPA’s Part 2, General principles, sections 5 (Responsibility and compliance), 8 (Fairness), 11 (Proportionality), 12 (Integrity of personal information), and 13 (Security safeguards).
As an organisation whose use of personal information is subject only to PIPA’s minimum requirements, you are not required by law to respond to access requests by individuals. However, under section 5 (Responsibility and compliance), you must have in place suitable measures and policies, including a privacy programme, and designate a privacy officer. You also remain responsible for the use of personal information transferred to a third party.
Full compliance will be required of most organisations in Bermuda, meaning PIPA applies fully to how an organisation uses personal information. For full PIPA compliance, see our Guide to PIPA.
To learn more about PrivCom and PIPA, go to our Press Background page.
To reach out to PrivCom, please visit our Contact page.