What is Personal Information?
In a seashell...
​
Under PIPA, “personal information” means any information that relates to an identified or identifiable individual.
​​
Understanding whether you as an organisation are processing the personal information of individuals in Bermuda is critical to understanding whether PIPA applies to your activities.
​​
Examples include names, dates of birth, photographs, video footage, email addresses, and telephone numbers.
​​
“Use” of personal information is a defined term in PIPA that means “carrying out any operation on personal information, including collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying it.”
​​
“Sensitive personal information” is a defined term in PIPA that includes information relating to such aspects as place of origin, race, colour, sex, sexual life, health, disabilities, religious beliefs, and biometric and genetic information. (Note: For a complete list, click here.)
​​
The information that identifies an individual could be as simple as a name or a number, or it may include other identifiers such as an IP address or a cookie identifier, or other factors of identification.
​​
If it is possible to identify an individual from the information you are using as an organisation, then that information may be personal information.
​​
If one cannot directly identify an individual from that information, as an organisation, you need to consider whether the individual is still identifiable. You should consider the information you are using in conjunction with all the means reasonably likely to be used by either you or any other person in the organisation to identify that individual.
​​
When considering whether information “relates” to an individual, you need to take into account the “nature, scope, context, and risk” per section 5 (Responsibility and compliance), including the content of the information, the purposes for which you are using it and the likely impact or effect of that use on the individual.
​​
It is possible that the same information is personal information for the purposes of one organisation but is not personal information for the purposes of another organisation because context can help identify individuals.
​​
If information that seems to relate to a particular individual is inaccurate – i.e., it is factually incorrect or is about a different individual – the information is still personal information since it relates to that individual.
Organisations ask
​
What are identifiers and related factors?
Can we identify an individual from the information we have?
What does “any information about an identified or identifiable individual” mean?
What do “use” and “using” mean?
What happens when different organisations use the same information for different purposes?
What is personal information?
​
- PIPA applies to the use of personal information that is:
  - used wholly or partly by automated means; and
  - used other than by automated means of personal information which form, or are intended to form, part of a structured filing system.
- Personal information only includes information relating to natural persons who:
  - can be identified or who are identifiable from the information in question; or
  - can be identified from that information used in conjunction with other available information.
- Personal information may also include sensitive personal information. This information is considered more sensitive and you may only use it in more limited circumstances.
- Information about organisations (i.e., companies and public authorities) is not personal information.
- PIPA does not apply to the use of business contact information for the purpose of contacting an individual in their capacity as an employee or official of an organisation.
- However, information about individuals acting as sole traders, employees, partners, and company directors, where they are individually identifiable and the information relates to them as an individual, may constitute personal information.
- PIPA does not apply to personal information about an individual who has been dead for at least 20 years.
- PIPA does not apply to personal information about an individual that has been in existence for at least 150 years.
What are identifiers and related factors?
​
- An individual is “identified” or “identifiable” if you can distinguish them from other individuals.
- A name is the most common means of identifying someone. However, whether any potential identifier actually identifies an individual depends on the context.
- A combination of identifiers may be needed to identify an individual.
- Identifiers may include:
  - name
  - identification number such as social insurance number
  - location information
  - “online identifiers” such as IP addresses or “cookie” identifiers which may be personal information.
Can we identify an individual from the information we have?

- If, by looking solely at the information you are using, you can distinguish an individual from other individuals, that individual will be identified or identifiable.
- One doesn’t have to know someone’s name for them to be identifiable; a combination of other elements may be sufficient to identify the individual.
- If an individual is identifiable from the information, this will constitute personal information.
Can we identify an individual from the information we have in conjunction with other available information?
​
- It is important to be aware that the information you hold may identify an individual and therefore constitute personal information.
- Even in situations where you may need additional information to be able to identify someone, they may still be identifiable. That additional information may be information that you already hold, or it may be information that you need to obtain from another source.
- In some circumstances, there may be a slight hypothetical possibility that someone might be able to reconstruct the information in such a way that identifies the individual. However, this is not necessarily sufficient to make the individual identifiable in terms of PIPA. You are obliged to consider all the factors.
  You have the continuing obligation to consider whether the likelihood of an individual being identified or identifiable has changed over time (e.g., as a result of the latest developments in technology).
What does “any information about an identified or identifiable individual” mean?
​
- “Any information about an identified or identifiable individual” constitutes personal information.
- This means that it must concern the individual in some way.
- To decide whether or not such information is personal information, you may have to consider:
  - The content of the information: is it about the individual or their activities?;
  - The purpose you will use the information for; and
  - The results or the effects on the individual from using the information.
- Information can reference an identifiable individual and not be personal information about that individual as the information is not “about” them.
- There may be circumstances where it may be difficult to determine whether information is personal information. As a matter of good practice, in such situations, you should treat the information with care, ensure that you have a clear reason for using the information, and ensure that you hold and dispose of the information securely.
- Inaccurate information may still be personal information if it relates to an identifiable individual.
What do “use” and “using” mean?
​
- Under PIPA, “use” or “using”, in relation to personal information, means carrying out any operation on personal information, including collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying it.
What happens when different organisations use the same information for different purposes?
​
- Although information does not relate to an identifiable individual for one organisation, it may in the hands of another organisation.
- When used for a different purpose, or in conjunction with additional information available to another organisation, the information is about the identifiable individual. Therefore, in order to decide whether the information relates to an individual, it is necessary to consider carefully the purpose for which the organisation is using it.
- Organisations should take care when they make an analysis of this nature.