Bermuda: PrivCom publishes blog on use of personal information by organizations

On March 11, 2024, the Bermuda Office of the Privacy Commissioner (PrivCom) published a blog on the use of personal information by organizations under the Personal Information Protection Act 2016 (PIPA), which is set to come into effect on January 1, 2025. In particular, the blog discusses the different uses of data, the exclusions and exemptions under PIPA, as well as the resulting minimum requirements.

Levels of compliance

The blog notes that there are three levels of PIPA compliance depending on how an organization uses personal information: no compliance, partial compliance, and full compliance. However, the blog highlights that full compliance will be required of most organizations.

What information is not regulated by PIPA?

According to the blog, the following uses of personal information are excluded from PIPA's scope and therefore no compliance is required:

  • information used for personal or domestic purposes with no connection to a professional or commercial activity;
  • information used for artistic, literary, or journalistic purposes for publication in the public interest to protect the right to freedom of expression; and
  • business contact information used to communicate with individuals in their professional roles.

Additionally, the blog notes that certain data is not regulated by PIPA. This includes personal information that relates to individuals deceased for over 20 years and information transferred to archival institutions or contained within court files.

The blog explains that, despite any exemptions, all processing must still meet PIPA's minimum requirements, which encompass general principles such as responsibility, fairness, and security safeguards.

Notably, the blog clarifies that organizations whose use of personal information is only subject to PIPA's minimum requirements are not obligated to respond to access requests by individuals. For personal information acquired before PIPA's enforcement, the blog states that such information is considered collected with consent, allowing its use for its originally intended purposes.

You can read the blog here.