The use of these systems requires access to vast amounts of data, raising compliance concerns among tech-forward organisations.

PIPA applies to every organisation that uses personal information in Bermuda where that personal information is used wholly or partly by automated means or where it forms part of a structured filing system.

Under PIPA personal information (PI) means any information about an identified or identifiable individual.

The use of PI includes any operation performed on it, such as collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying it.

Organisations must ensure that the use of PI is limited to specific purposes, as outlined under PIPA. If the purpose for using PI changes, consent should be obtained from the individual before their PI is used for the new purpose.

We note, however, that PIPA applies only to PI as defined above.

This means that where information is not about an identified or identifiable individual, that information will fall outside of PIPA’s scope.

Accordingly, where data is appropriately anonymised so that it does not constitute personal information, it can be used for other purposes, including information systems.

PIPA does not mention or define the term “anonymisation”. Interestingly, the 2024 amendment to the Bermuda Health Council Act 2004 refers to anonymisation of identifying information; however, it does not provide a definition, either.

Absent further regulatory guidance on this point and based on the definition of PI in PIPA, PI is therefore “anonymised” when it cannot be used on its own, or with any other information, to deduce or determine the identity of the individual to whom it relates, directly or indirectly.

There are various factors to consider when determining the degree of anonymisation needed. It is often not as simple as removing one’s name, address or phone number.

The amount and type of information needed to identify an individual can vary based on factors such as location and the source or form of the information.

Information that would not single anyone out in a large, densely populated city such as London or New York may be unique, and thus identifying, within Bermuda’s smaller population.

Biometric and genetic information are examples of PI that pose a higher risk of identification due to their distinctive nature, particularly in smaller populations.

Some more examples:

  • In a medical context: a distinct set of physical characteristics or medical conditions that are not expressly associated with the name of an individual could identify an individual patient and thus constitute PI.
  • In a finance context: a unique combination of rare financial instruments, investment types, and geographic locations could identify a specific investor.
  • In a real estate context: details about a property transaction, such as a landmark building or a specific location in a niche market, could lead to the identification of the buyer or seller.

As modern technology’s reliance on data continues to increase, organisations must be cognisant of the implications for data protection.

Anonymising data is one method of safeguarding PI but it requires careful examination and consideration of various factors.

When in doubt, obtaining consent from the individual to whom the PI relates is the safest approach to ensuring your organisation remains compliant with its PIPA obligations.

Failing to adhere to these obligations could result in a potential fine of up to $250,000 or imprisonment for up to two years.

Authored by Associate Ligaya Sanchez-Wilson and Trainee Akira McDonald. 

First Published in The Royal Gazette, Legally Speaking column, October 2024
