PIPA: What You Need to Know

The Personal Information Privacy Act (PIPA) is expected to come into effect this year. PIPA will impose obligations on organizations using personal information in Bermuda. Under PIPA, personal information means any data about an identified or identifiable individual. If a company holds personal information about customers or employees, there are obligations in the Act that organizations must comply with. Failure to comply may lead to a fine of up to $25,000 or imprisonment (for individuals), or a fine of up to $250,000 (for non-individuals).

What are your organization’s obligations under PIPA?

Organizations should plan and adopt suitable measures and policies to meet the obligations in PIPA. They may use personal data only if several specific conditions are met.

Among these conditions are:

  • The individuals have given consent.
  • The use of the information is necessary for specific purposes (for example, responding to a public emergency).
  • The information must be used in a lawful and fair manner.

Organizations also must comply with a set of procedural obligations, such as:

  • Putting in place appropriate safeguards against risk.
  • Appointing a Privacy Officer.
  • Providing individuals with a privacy notice explaining the organization’s practices and policies on personal information.

Access to personal information

When PIPA is in effect, individuals will have the right to request access to their personal information. In response to this request, organizations will have to provide access to:

  • Personal information being requested.
  • The purposes for which the information has been or is being used.
  • The parties to whom the information was disclosed.

Organizations may refuse a request for access to personal information in some circumstances, for example, if it is protected by legal privilege. In some cases, organizations are required to refuse access if disclosure is expected to:

  • Threaten an individual’s life or security.
  • Reveal a third party’s personal information.
  • Reveal the identity of an individual who has in confidence provided an opinion about another individual.

Access can be granted in these circumstances only if the organization deems it reasonable.

This is a small fraction of what PIPA will entail. For more detailed information about PIPA and how it will affect your organization, or for more information on how Oyster can help, please complete our contact form.

Tel: 441 541 5036 | www.oyster.bm