In this four-part series, Conyers continues diving into different topics relating to Bermuda’s privacy legislation, including why we need privacy legislation and its purpose, how to prepare for the Personal Information Protection Act 2016 (“PIPA”), the role and requirements of privacy officers, and what our rights are as individuals. In this fourth and final part, Conyers discusses our individual rights under PIPA.
Data protection, privacy and individuals’ rights relating to their personal information are quite the hot topic in these days of Big Data and growing consumer privacy concerns, but what exactly are those rights? An individual’s rights will vary depending on where their personal information is being collected, stored or used. In Bermuda, PIPA sets out the rights and protections that apply to our personal information and to those organisations that we interact with on a daily basis, whether renewing your vehicle insurance, visiting the dentist or engaging in some retail therapy.
How can I find out what personal information an organisation holds?
For individuals looking to ascertain what personal information an organisation holds, or what options they have with respect to that personal information, an organisation’s “privacy notice” will be the first place to look. Organisations are required to provide individuals with a clear and easily accessible statement about their personal information practices and policies in the form of a “privacy notice”. One required element of the privacy notice is a description of the choices and means that an organisation provides to individuals for limiting the use of their personal information, and for accessing, correcting, blocking, erasing and destroying it.
What rights does an individual have in relation to personal information?
PIPA provides individuals with a number of rights with respect to their personal information held by an organisation. In terms of access, an individual may submit a written request and an organisation must reasonably provide an individual with access to:
- their personal information under an organisation’s custody or control;
- the purposes for which the organisation has been and is using the personal information; and
- the names or types of persons to whom, and circumstances in which, the personal information has been and is being disclosed.
Beyond just knowing what personal information an organisation holds and how it is used, individuals may also make written requests to an organisation to:
- correct an error or omission in any of their personal information which is under the control of the organisation;
- cease, or not to begin, using their personal information for the purposes of advertising, marketing or public relations, or where the use of that personal information is causing, or is likely to cause, substantial damage or substantial distress to the individual or another individual; or
- erase or destroy personal information about the individual where that personal information is no longer relevant for the purposes of its use.
On receiving a request to correct an error or omission, the organisation must (a) correct the personal information as soon as reasonably practicable; and (b) if the organisation has disclosed incorrect information, where it is reasonable to do so, it must send a notification with the corrected information to each organisation that the incorrect information was disclosed to (and on receiving such notification with the corrected information, that recipient organisation must correct the personal information).
For cessation of use or erasure requests, an organisation must either cease (or not begin) using, or erase or destroy, the personal information that the individual has identified in their request, or provide the individual with written reasons as to why the use of such personal information is justified.
Can I request access to my medical records?
Medical records are one of the most obvious sources that spring to mind when considering the personal information about you that is routinely stored and used. In addition to abiding by existing ethical and confidentiality obligations, healthcare practitioners, service providers and social workers should acquaint themselves with PIPA’s provisions relating to an individual’s ability to request access to their medical records.
An individual may request access to personal information: (a) of a medical or psychiatric nature relating to them; or (b) kept for the purposes of, or obtained in the course of, the carrying out of social work in relation to them. Like general access requests, however, these medical record access requests are restricted: an organisation may refuse to provide access if disclosure of such personal information would be likely to prejudice the physical or mental health of the individual. If an organisation refuses a medical record access request, the individual can alternatively request that the organisation provide access to a registered health professional with relevant expertise, who will determine whether such disclosure would be likely to prejudice the individual’s physical or mental health.
Organisations may also be able to comply with a medical record access request where they are reasonably able to redact the information which is likely to prejudice the individual’s physical or mental health.
Do organisations have to comply with all general and medical record access requests?
Organisations holding or using personal information will take some comfort in knowing that these individual access rights are not carte blanche rights: there are several circumstances in which an organisation may refuse to provide an individual with such access, and others in which it must refuse. An organisation may refuse access where the personal information:
- is protected by legal privilege;
- if disclosed would reveal an organisation’s or a third party’s confidential information that is of a commercial nature and it is not unreasonable to withhold such information;
- is being used for a current disciplinary or criminal investigation or legal proceedings, and such refusal does not prejudice the individual’s right to receive a fair hearing;
- was used by a mediator or arbitrator, or was created in the conduct of a mediation or arbitration that was sanctioned by an agreement or by a court;
- if disclosed would reveal the organisation’s intentions relating to any negotiations with the individual to the extent that such access would be likely to prejudice those negotiations.
Organisations must refuse access, unless it is reasonable in all the circumstances to provide access, where the personal information:
- if disclosed could reasonably be expected to threaten an individual’s life or security;
- would reveal personal information about another individual; or
- would reveal an individual’s identity who has in confidence provided an opinion about another individual, and the individual providing the opinion does not consent to the disclosure of their identity.
In certain circumstances where a third party is involved, organisations may be able to comply with a general access request where they are reasonably able to redact the third party’s personal information from the personal information about the individual who requested it.
PIPA sets out specific procedures for individuals making access or correction requests and for organisations responding to and managing such requests, which aim to adopt a measured and reasonable approach for the benefit of all parties involved.
Disclaimer: This article is for general purposes only and nothing in it constitutes legal advice. If you would like to obtain legal advice on PIPA, please contact the Conyers team.
This article was first published in The Royal Gazette in March 2022.