Bermuda has introduced the Personal Information Protection Act, 2016 (“PIPA”) to regulate the use of personal information by organisations in a manner that recognises both the need to protect the rights of individuals in relation to their personal information and the need for organisations to use personal information for legitimate purposes. The Act will come into full force in the latter part of 2018. It will affect every individual and every organisation in Bermuda, including Government and non-profits. Organisations are advised to review their internal governance procedures to ensure compliance with their new statutory obligations.
What is PIPA?
PIPA sets out how organisations, businesses and the Bermuda Government may use personal information. The Act has drawn on legislation from a number of jurisdictions including Canada, the United States and Europe. It reflects a set of internationally accepted privacy principles and good business practices for the use of personal information in the digital age.
PIPA is intended to complement the Public Access to Information Act, 2010, which provides for public access to information held by Bermuda public authorities, while simultaneously protecting personal information.
Who does PIPA affect?
PIPA applies to any individual, entity or public authority that uses personal information in Bermuda. It encompasses both digital and non-digital information. “Personal information” is defined as any information about an identified or identifiable individual. “Use” is defined very broadly and includes collecting, storing, disclosing, transferring and destroying information.