Bermuda Data Protection Readiness: the Power of PIPA

Now that the Personal Information Protection Act (PIPA) has been enacted, Bermuda joins the growing number of jurisdictions with enhanced privacy protections. PIPA was passed on July 27, 2016, and will be enforced in the latter part of 2018. It shares similarities with the protections offered by Europe’s General Data Protection Regulation (GDPR) and other jurisdictions globally as part of a trend towards beefed-up privacy regimes.

In this introduction to PIPA I will outline the key considerations for all businesses in Bermuda that are using personal data or personal sensitive data.

To start with, it is important to understand that PIPA will strengthen the rights of children to personal information protection. That means Bermuda educators, and indeed all organisations providing services to children, need to review their current procedures and policies against the new statutory requirements if they want to become fully compliant.

Children are defined as being under 14 years old, and any processing of their data requires consent from their parent or guardian. Failure to achieve compliance, whether for children or adults, could result in maximum fines that will be determined by the courts on a case-by-case basis.

PIPA’s objectives are to outline the regulatory requirements for companies based in Bermuda who process personal data and provide individuals with greater control over their data.

Personal Data as defined by PIPA is considered to be any information about an identified or identifiable individual. That encompasses a range of examples, which I have listed below:

• Name
• Employee ID
• Employee appraisals
• SSN or similar
• Bank account details
• Credit card number
• Email address
• Telephone number
• IP Address?

A wider definition under PIPA covers any personal information relating to an individual’s place of origin, race, colour, national or ethnic origin, sex, sexual orientation, sexual life, marital status, physical or mental disability, physical or mental health, family status, religious beliefs, political opinions, trade union membership, biometric information or genetic information.

Organizations shall provide individuals with a clear and easily accessible statement about their practices and policies with respect to personal information.

Other information that needs to be included is as follows:

• Personal information is being used
• The purpose(s) of use
• Who else will be given access to the data
• The organization’s location and contact information
• The name of the privacy officer
• The choices and means the organization provides to an individual for limiting the use of their personal data

The personal information is used with the consent of the individual where the organization can reasonably demonstrate that the individual has knowingly consented.

Businesses need to consider the following best practices:

• Active opt-in (no more pre-ticked checkboxes)
• Record the individual’s consent
• Ask for multiple consents where appropriate

In my next blog on this topic I will outline the potential impact on businesses in Bermuda.

Darren Wray