With the Personal Information Protection Act 2016 (PIPA) coming into force on 1 January, organisations in Bermuda face the critical challenge of balancing stringent data protection requirements with the increasing demand for data-driven information systems.
The use of these systems requires access to vast amounts of data, raising compliance concerns among tech-forward organisations.
PIPA applies to every organisation that uses personal information in Bermuda where that personal information is used wholly or partly by automated means or where it forms part of a structured filing system.
Under PIPA personal information (PI) means any information about an identified or identifiable individual.
The use of PI includes any operation performed on it, such as collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying it.
Organisations must ensure that the use of PI is limited to specific purposes, as outlined under PIPA. If the purpose for using PI changes, consent should be obtained from the individual before their PI is used for the new purpose.
We note, however, that PIPA applies only to PI as defined above.
This means that where information is not about an identified or identifiable individual, that information will fall outside of PIPA’s scope.
Accordingly, where data is appropriately anonymised so that it does not constitute personal information, it can be used for other purposes, including information systems.
PIPA does not mention or define the term “anonymisation”. Interestingly, the 2024 amendment to the Bermuda Health Council Act 2004 refers to anonymisation of identifying information; however, it does not provide a definition, either.
Absent further regulatory guidance on this point and based on the definition of PI in PIPA, PI is therefore “anonymised” when it cannot be used on its own, or with any other information, to deduce or determine the identity of the individual to whom it relates, directly or indirectly.
There are various factors to consider when determining the degree of anonymisation needed. It is often not as simple as removing one’s name, address or phone number.
The amount and type of information needed to identify an individual can vary based on factors such as location and the source or form of the information.
Information may be unique — and thus identifying — within Bermuda’s smaller population compared with large, densely populated cities such as London or New York.
Biometric and genetic information are examples of PI that pose a higher risk of identification due to their distinctive nature, particularly in smaller populations.
Some more examples:
- In a medical context: a distinct set of physical characteristics or medical conditions, that are not expressly associated with the name of an individual, could identify an individual patient and thus constitute PI.
- In a finance context: a unique combination of rare financial instruments, investment types, and geographic locations could identify a specific investor.
- In a real estate context: details about a property transaction, such as a landmark building or a specific location in a niche market, could lead to the identification of the buyer or seller.
As modern technology’s reliance on data continues to increase, organisations must be cognisant of the implications for data protection.
Anonymising data is one method of safeguarding PI but it requires careful examination and consideration of various factors.
When in doubt, obtaining consent from the individual to which the PI relates is the safest approach to ensuring your organisation remains compliant with its PIPA obligations.
Failing to adhere to these obligations could result in a potential fine of up to $250,000 or imprisonment for up to two years.
For further information, please contact:
Ligaya Sanchez-Wilson, Appleby
LSanchez-Wilson@applebyglobal.com