PIPA Update – The Brave New World of Individual Rights Requests

Conyers

This article focuses on a new concept under PIPA, uncharted territory for most Bermuda organisations: the introduction of individuals' personal information rights. Commencing in 2025, organisations must be ready to receive, process and respond to these individual rights requests. Such requests include that your organisation:

  • provide access to (a) their personal information that your organisation holds; (b) the purposes for which your organisation is using their personal information; and (c) the names, types of persons and circumstances in which their personal information is being disclosed;
  • correct errors or omissions in their personal information that your organisation holds;
  • erase or destroy their personal information where it is no longer relevant for the purposes of its original use; and
  • cease, or not begin, using their personal information for advertising, marketing or public relations purposes, or where using their personal information could cause substantial damage or distress to an individual.

For organisations which are likely to receive individual rights requests, there are some salient points to be aware of. Firstly, any rights request must be in writing; however, rights requests do not need to follow any specific form or reference any PIPA provision. A rights request must include sufficient detail to enable your organisation, with a reasonable effort, to identify the personal information in the request. A rights request can come either directly from an individual or through a third party, such as a relative or lawyer, who can make a request on an individual’s behalf.

PIPA aims to balance what is reasonable for both organisations and for individuals, and as such rights requests are not unrestricted rights to be exercised without legitimate reason. Your organisation may be able to refuse access where personal information is protected by legal privilege or it would disclose confidential commercial information.

Once your organisation receives a rights request, you must promptly acknowledge receipt of the request and respond within 45 days (although time extensions may be possible). Your organisation may also charge a fee for a rights request (up to a prescribed maximum to be determined by the Privacy Commissioner); however, you cannot charge if the request is to correct incorrect information. Most importantly, your organisation does not need to comply with “manifestly unreasonable” requests; what constitutes such a request will be assessed on a case-by-case basis, and you will need to be able to justify your rationale to the individual and the Privacy Commissioner.

As practical considerations for responding to rights requests, your organisation should verify the identity of the individual making the request and, if valid, appropriately and securely provide the individual with the requested information.

While PIPA’s requirements may initially appear burdensome, particularly for small to medium businesses and non-profit organisations, it is important to bear in mind that PIPA is underpinned by the principles of proportionality and reasonableness as well as a risk-based approach.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.
