PIPA access requests in Bermuda – what you need to know
With the Personal Information Protection Act 2016 (PIPA) now in full effect (from 1 January 2025), individuals have new rights, including the right to access personal information held by organisations about them. Requests can be made by submitting an access request. Note, whilst PIPA does not prescribe the form of an access request, the Privacy Commissioner has now published guidance (see below link) which, amongst other matters, explains how individuals can make access requests.
Scope of access requests
PIPA requires individuals to set out in sufficient detail the identity of the information in respect to which a request is made. As such, access requests are commonly limited by reference to subject matter, dates and, in relation to emails, seek to identify the persons sending or receiving the emails. However, if the request is not sufficiently precise the employer can seek that the requester limit the scope and this can pause the timeframe for responding to the request.
Responding to access requests can be time-consuming and in other jurisdictions are frequently made in the context of an ongoing employment dispute or a tribunal or court claim as a tactic for early disclosure and are also used as leverage in settlement negotiations. We anticipate that similar tactics will be deployed by claimant attorneys in Bermuda. For example, in a redundancy scenario, the employee could seek personal information relating to any selection criteria applied to them and any emails between identified individuals during a set date range which relate in any way to their proposed redundancy and seek to leverage this information.
All organisations who ‘use’ personal information in Bermuda should develop clear processes for responding to an access request and be mindful that any information which is recorded or stored by an organisation about an identified or identifiable individual will be “personal information” for PIPA purposes and may be disclosable in response to an access request.
This includes “personal information” about an individual contained in their personnel files, or held on work email servers or other instant messaging platforms operated by organisations for work purposes (for example, WhatsApp and Microsoft Teams).
Responding to access requests
After an access request is submitted, an organisation typically has 45 days to respond to the individual's request. The response period can be extended by an additional 30 days in certain circumstances, including, where a large amount of information is requested. Currently there is no charge associated with making an access request, however the Minister responsible for PIPA may prescribe an applicable fee.
Priv Comm guidance
The Privacy Commissioner has published an, "Individuals Guide to PIPA" (Guide) https://www.privacy.bm/_files/ugd/f70f79_298f35cb913b4fd99c9387d5237986c3.pdf which provides advice and guidance for individuals to better understand their rights under PIPA. The Guide also sets out how individuals can submit an access request and how organisations should respond to access requests. The Guide also provides a template outlining what an access request should look like for use by individuals.
How we can help
Please contact our team to discuss how Carey Olsen can assist your organisation with:
- Preparing responses to access requests (including clarifying the request, reviewing in scope documentation, considering any necessary redactions and possible exemptions (privilege, third party information etc.));
- Developing bespoke policies and procedures for responding to access requests; and
- Training employees on how to respond to access requests and other aspects of your organisation's privacy framework.
For further information or professional advice please reach out to our key contacts.
