ARTICLE
3 February 2025

Individual's Rights Request Response Process Under Bermuda's Personal Information Protection Act (PIPA)

Conyers

Contributor

Conyers is a leading international law firm with a broad client base including FTSE 100 and Fortune 500 companies, international finance houses and asset managers. The firm advises on Bermuda, British Virgin Islands and Cayman Islands laws, from offices in those jurisdictions and in the key financial centres of Hong Kong, London and Singapore. We also provide a wide range of corporate, trust, compliance, governance and accounting and management services.

The Personal Information Protection Act (PIPA) is a critical framework for protecting individuals' personal information in Bermuda. Under PIPA, organisations are required to adhere to several key principles, including ensuring they have a legal basis to use personal data, ensuring data accuracy, and implementing robust security measures to prevent unauthorised access.

With PIPA now in effect, and Data Privacy Day occurring internationally on 28 January 2025, now is a good time to consider your process for responding to an individual's rights request under PIPA.

Below is a concise guide to the steps organisations should follow when handling these requests.

1. Receive the Request

Accept written requests from individuals to take the following actions regarding their Personal Information (PI):

a) Access their PI;
b) Correct errors or omissions in their PI;
c) Erase or destroy their PI; and
d) Cease or refrain from using their PI (including for advertising, marketing, or public relations purposes), especially if it causes or may cause substantial harm or distress.

2. Verify and Assess

a) Confirm the identity of the requester;
b) Ensure the request includes sufficient detail to identify the relevant PI;
c) Acknowledge that third parties, such as relatives or legal representatives, may submit requests on behalf of an individual; and
d) Assess if there are grounds to refuse the request, such as legal privilege, disclosure of confidential commercial information, or if the request is manifestly unreasonable.

3. Acknowledge Receipt

Promptly confirm receipt of the request in writing, including the date of receipt, and indicate whether additional details are required to process the request.

4. Consider Extensions

Determine if an extension is necessary under the following circumstances:

  • A large volume of PI is involved
  • Responding within the standard timeline would unreasonably disrupt operations
  • Consultation with third parties is required

Notify the requester if the response period is extended by up to 30 days, or longer with PrivCom approval.

5. Respond within the Timeline

Provide a final response to the requester no later than 45 days from the request date or the end of any approved extended period.

6. Deliver Information Securely

If the request is legitimate, securely send the requested information or take the necessary actions outlined in the request.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
