Augmented Advocacy Series (Bermuda): PIPA and Anonymisation

Published: 29 Oct 2024
Type: Insight

With the Personal Information Protection Act 2016 (PIPA) coming into force on 1 January, organisations in Bermuda face the critical challenge of balancing stringent data protection requirements with the increasing demand for data-driven information systems.

The use of these systems requires access to vast amounts of data, raising compliance concerns among tech-forward organisations.

PIPA applies to every organisation that uses personal information in Bermuda where that personal information is used wholly or partly by automated means or where it forms part of a structured filing system.

Under PIPA personal information (PI) means any information about an identified or identifiable individual.

The use of PI includes any operation performed on it, such as collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying it.

Organisations must ensure that the use of PI is limited to specific purposes, as outlined under PIPA. If the purpose for using PI changes, consent should be obtained from the individual before their PI is used for the new purpose.

We note, however, that PIPA applies only to PI as defined above.

This means that where information is not about an identified or identifiable individual, that information will fall outside of PIPA’s scope.

Accordingly, where data is appropriately anonymised so that it does not constitute personal information, it can be used for other purposes, including information systems.

PIPA does not mention or define the term “anonymisation”. Interestingly, the 2024 amendment to the Bermuda Health Council Act 2004 refers to anonymisation of identifying information; however, it does not provide a definition, either.

Absent further regulatory guidance on this point and based on the definition of PI in PIPA, PI is therefore “anonymised” when it cannot be used on its own, or with any other information, to deduce or determine the identity of the individual to whom it relates, directly or indirectly.

There are various factors to consider when determining the degree of anonymisation needed. It is often not as simple as removing one’s name, address or phone number.

The amount and type of information needed to identify an individual can vary based on factors such as location and the source or form of the information.

Information may be unique — and thus identifying — within Bermuda’s smaller population compared with large, densely populated cities such as London or New York.

Biometric and genetic information are examples of PI that pose a higher risk of identification due to their distinctive nature, particularly in smaller populations.

Some more examples:

  • In a medical context: a distinct set of physical characteristics or medical conditions, that are not expressly associated with the name of an individual, could identify an individual patient and thus constitute PI.
  • In a finance context: a unique combination of rare financial instruments, investment types, and geographic locations could identify a specific investor.
  • In a real estate context: details about a property transaction, such as a landmark building or a specific location in a niche market, could lead to the identification of the buyer or seller.

As modern technology’s reliance on data continues to increase, organisations must be cognisant of the implications for data protection.

Anonymising data is one method of safeguarding PI but it requires careful examination and consideration of various factors.

When in doubt, obtaining consent from the individual to which the PI relates is the safest approach to ensuring your organisation remains compliant with its PIPA obligations.

Failing to adhere to these obligations could result in a potential fine of up to $250,000 or imprisonment for up to two years.

Authored by Associate Ligaya Sanchez-Wilson and Trainee Akira McDonald. 

First Published in The Royal Gazette, Legally Speaking column, October 2024

Share
More publications
050-Insolvency-Restructuring-Grid-Image
13 Jul 2026

Bermuda: Restructuring & Insolvency

This country-specific Q&A provides an overview of Restructuring & Insolvency laws and regulations applicable in Bermuda.

Appleby-Website-Banking-and-Asset-Finance
13 Jul 2026

Guide to Loans & Secured Financing in the Cayman Islands 2026

This guide provides local insights into the legal and regulatory framework governing bank lending and finance. It covers key topics including bank loans versus debt securities, common forms of bank loan facilities, bridge financing, the roles of agents, trustees and lenders, and governing laws. It also examines the regulatory landscape, including capital, liquidity and disclosure requirements, the use of loan proceeds, cross-border lending, and interest rate and currency restrictions. In addition, the guide explores security interests and guarantees, the impact of fraudulent conveyance and similar doctrines on bank loan financing structures, intercreditor arrangements, loan terms and structures, and recent market developments.

Appleby-Website-Regulatory-Practice
10 Jul 2026

It’s healthy to sometimes disagree with regulators

At some point, almost every regulated business will disagree with its regulator.

Appleby-Website-Insolvency-and-Restructuring
9 Jul 2026

A Warning to Litigants Seeking Funding: English High Court Clarifies the Limits of Litigation Privilege

Important for Cayman litigants, funders and attorneys given the growing use of third-party funding in disputes.

Appleby-Website-Fraud-and-Asset-Tracing
8 Jul 2026

A Cautionary Tale in Interim Injunctive Relief: Lessons from Dixon v Seymour

In a recent judgment of Chief Justice Ramsay-Hale, the Cayman Grand Court provided guidance on the necessary components of an application for interim injunctive relief. The ruling illustrates how an ex parte application may fail to satisfy the American Cyanamid test when unsupported by proper evidence.

Appleby-Website-Privacy-and-Data-Protection
8 Jul 2026

Bermuda Privacy Commissioner Signals Shift to Stronger PIPA Enforcement

The Office of the Privacy Commissioner (PrivCom) has issued its first annual report since Bermuda's Personal Information Protection Act 2016 (PIPA) came fully into force, with the reports content signaling a transition from education and implementation to a stronger focus on enforcement.

Appleby-Website-Corporate-Practice
8 Jul 2026

The Privy Council Provides Clarity to the Global Business Industry: Interest Exemptions Upheld in Mauritius

On 30 June 2026, the Judicial Committee of the Privy Council (JCPC) delivered a judgment impacting the domestic and global business sectors in Mauritius.

Appleby-Website-Regulatory-Practice
7 Jul 2026

CIMA’s 2026 Reinsurance Thematic Review: Focus Points for Boards

The Cayman Islands Monetary Authority (CIMA) has published its 2026 Thematic Review of Reinsurance Companies (Thematic Review). This reflects fieldwork conducted by CIMA between mid-2025 and Q1 2026 at selected Class B(iii) and Class D licensed reinsurers. The focus being on compliance with the Insurance Act (as revised) and other applicable legislation, regulations, rules and statements of guidance as issued by CIMA centering around stress-testing, cash flow testing frameworks, capital and collateral adequacy management, and corporate governance. Corporate governance weaknesses account for 68% of all findings with the remaining 32% spread across stress-testing, cash flow testing capital and collateral adequacy. Notwithstanding these findings, CIMA has noted several good practices across all areas including, importantly, comprehensive risk management frameworks covering key risk areas and strong capital and collateral adequacy monitoring processes. With Cayman’s reinsurance sector having grown to an institutional scale, and over 110 licensed reinsurers writing in the order of US$30 billion in annual premiums against over US$100 billion in assets, this latest Thematic Review demonstrates development in CIMA’s supervisory expectations of Cayman’s licensed reinsurers. It represents a reflection of the jurisdiction’s increasingly sophisticated and maturing reinsurance market and reinforces that CIMA’s expectations align closely with the standards that onshore counterparty cedants, rating agencies and US state regulators already expect. We take this opportunity to review certain of the key findings alongside CIMA’s cross-sectoral 2026 Thematic Review on Outsourcing, note some of the good practices highlighted by CIMA and make some associated recommendations for Cayman reinsurers.

Bermuda-1024x576-1
1 Jul 2026

A Forest for the Future

A first since the blight, the airport cedar forest is growing tall and standing strong.