Date: 2025-02-03

The Personal Information Protection Act (PIPA) is a critical framework for protecting individuals' personal information in Bermuda. Under PIPA, organisations are required to adhere to several key principles, including ensuring they have a legal basis to use personal data, ensuring data accuracy, and implementing robust security measures to prevent unauthorised access.

With PIPA now in effect, and Data Privacy Day occurring internationally on 28 January 2025, now is a good time to consider your process for responding to an individual's rights request under PIPA.

Below is a concise guide to the steps organisations should follow when handling these requests.

1. Receive the Request

Accept written requests from individuals to take the following actions regarding their Personal Information (PI):

a) Access their PI;

b) Correct errors or omissions in their PI;

c) Erase or destroy their PI; and

d) Cease or refrain from using their PI (including for advertising, marketing, or public relations purposes), especially if it causes or may cause substantial harm or distress.

2. Verify and Assess

a) Confirm the identity of the requester;

b) Ensure the request includes sufficient detail to identify the relevant PI;

c) Acknowledge that third parties, such as relatives or legal representatives, may submit requests on behalf of an individual; and

d) Assess if there are grounds to refuse the request, such as legal privilege, disclosure of confidential commercial information, or if the request is manifestly unreasonable.

3. Acknowledge Receipt

Promptly confirm receipt of the request in writing, including the date of receipt, and indicate whether additional details are required to process the request.

4. Consider Extensions

Determine if an extension is necessary under the following circumstances:

a) A large volume of PI is involved;

b) Responding within the standard timeline would unreasonably disrupt operations; or

c) Consultation with third parties is required.

Notify the requester if the response period is extended by up to 30 days, or longer with PrivCom approval.

5. Respond within the Timeline

Provide a final response to the requester no later than 45 days from the request date or the end of any approved extended period.

6. Deliver Information Securely

If the request is legitimate, securely send the requested information or take the necessary actions outlined in the request.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.