Employee access limits under Pipa

Published: 13 Feb 2026
Type: Insight

The Personal Information Protection Act 2016 has been in effect for more than a year now, and employers in Bermuda are now fielding requests from their employees to access and review their employment records — all of them.

Of course, employees are entitled under Pipa to submit such written requests. However, the employer’s requirement to comply with those requests is subject to a few caveats.

Generally, Pipa allows all individuals to request any organisation to provide that individual with access to, and to examine and to receive a copy of, the personal information about them that is in the custody or control of that organisation.

The exercise by individuals, including employees, of such access, review, correction and control rights are at the core of Pipa privacy protection rights and they are intended to be invoked for the purposes Pipa intends.

However, those rights are limited by a few circumstances where employers are not required to comply with such requests.

First, the access rights section of Pipa is qualified by only allowing individuals to make such requests “having regard to what is reasonable”. Arguably, submitting such an access request that is either unreasonable in nature or in scope may relieve an employer of Pipa’s disclosure obligations.

Second, the relevant information may be withheld if the disclosure could: be reasonably expected to threaten the life or security of an individual; reveal personal information about another individual; or reveal the identity of an individual who has in confidence provided an opinion about another individual (and no disclosure consent is provided).

Keep in mind that the ability to redact any such protected information may then permit the disclosure of those records under Pipa.

Third, Pipa directs employers to not provide access if: any of the personal information in question is protected by legal privilege; the disclosure would reveal commercially confidential information that should reasonably be withheld; it is being used for a current disciplinary or criminal investigation or legal proceeding (if the non-disclosure would not prejudice the individual’s fair hearing rights); the personal information was used or created by a mediator or arbitrator to resolve a dispute (with some provisos); or the personal information would prejudice any existing negotiations between the employer and the employee.

There are some additional grounds of access refusal under Pipa that other jurisdictions have experienced and that may arise in Bermuda.

Unfortunately, circumstances do exist where the relationship between an employee and an employer may become extremely adversarial and may even break down into animosity and potential litigation.

In those situations, employees might be tempted to submit extremely broad, and sometimes numerous or repetitive, access requests that are vindictively designed to harass and administratively disrupt the employer.

Sadly, the abusive and vexatious exercise of an employee’s privacy rights for such reprisal motives have all too commonly arisen and been cited in the relevant case law in Britain and Canada since privacy and access to information rights were first introduced.

Some of the case judgments and commentaries refer to such abuses as the “weaponisation” of privacy law, including Scott Stapleton’s 2025 article entitled, Employment Disputes: Weaponisation of Data Protection Legislation by Claimants.

In that article, he explains: “ … we have seen a year-on-year increase in the use of [such requests] by employees … to obtain information … upon which to base workplace grievances and/or litigation. These days, it is very rare for [an employee litigant] to have not already made a [privacy access request] to their employer prior to issuing their claim ….

“For such an employee, a [privacy access request] can be a very effective weapon — compliance will cost the business significant management time and expense, … inconvenience, and there are tight timescales …

“However, businesses can legitimately limit or refuse to comply with requests which are manifestly unfounded and/or manifestly excessive”.

The weaponisation of privacy access requests by employees is nothing new.

That is why it is important to know that Pipa, which was drafted well after other privacy laws, takes such potential weaponisation into account and offers additional protection to employers.

As noted above, the access request itself must be submitted with “regard to that which is reasonable”. Certainly, excessively broad and unfocused access requests that have no defining topic or subject matter may be considered unreasonable.

Furthermore, Pipa allows employers to refuse to comply with an access request that is “manifestly unreasonable”. Arguably, the more a particular interest or subject matter of an access request is provided to help reduce the administrative burden of responding to the request, the more reasonable and co-operative it is likely to appear.

Conversely, the less co-operatively focused the access request is, the more it may appear to be an abusive fishing expedition or a vexatious and bad faith attempt to administratively harass the employer.

As a final warning to employees who might be tempted to weaponise their access rights under Pipa, Section 30 allows employers to request, in writing, the Privacy Commissioner to authorise it to disregard an access request that unreasonably interferes with the operations of the employer, amounts to an abuse of such access rights, or is otherwise “frivolous or vexatious”.

There is no question that the privacy rights of individuals are now a sacred and paramount part of Bermuda law, which is all the more reason to ensure that the privacy rights of employees are not allowed to be misused, abused or weaponised by individuals against organisations that must use personal information for legitimate purposes in Bermuda.

First Published in The Royal Gazette, Legally Speaking column, February 2026

Share
More publications
050-Insolvency-Restructuring-Grid-Image
13 Jul 2026

Bermuda: Restructuring & Insolvency

This country-specific Q&A provides an overview of Restructuring & Insolvency laws and regulations applicable in Bermuda.

Appleby-Website-Regulatory-Practice
10 Jul 2026

It’s healthy to sometimes disagree with regulators

At some point, almost every regulated business will disagree with its regulator.

Appleby-Website-Privacy-and-Data-Protection
8 Jul 2026

Bermuda Privacy Commissioner Signals Shift to Stronger PIPA Enforcement

The Office of the Privacy Commissioner (PrivCom) has issued its first annual report since Bermuda's Personal Information Protection Act 2016 (PIPA) came fully into force, with the reports content signaling a transition from education and implementation to a stronger focus on enforcement.

Bermuda-1024x576-1
1 Jul 2026

A Forest for the Future

A first since the blight, the airport cedar forest is growing tall and standing strong.

Appleby-Website-Regulatory-Practice
1 Jul 2026

Complied out of business

Firms are complying themselves out of business because compliance no longer matches the evolving sophistication of the Bermuda Monetary Authority (BMA).

Appleby-Website-Insurance-and-Reinsurance
1 Jul 2026

The long game: how Bermuda became the world’s life reinsurance capital

Ask a life insurer in New York, London or Tokyo where the liabilities behind their book ultimately sit and there is an increasingly good chance the answer is a 21-square-mile island in the North Atlantic.

Appleby-Website-Insurance-and-Reinsurance
1 Jul 2026

Record H1’26 Cat Bond Issuance Driven by Rising Sponsor Comfort and Diversified Risk

With H1 2026 officially breaking the record for the most catastrophe bond deals to come to market and settle in the first six months of the year, a key trend driving this momentum is how comfortable sponsors have become with the mechanics of the overall cat bond space. This familiarity has ultimately encouraged a wave of new sponsors to enter the market, according to Brad Adderley, Managing Partner at law firm Appleby.

Appleby-Website-Employment-and-Immigration
12 Jun 2026

The Cost of Getting Employee Departures Wrong: Five Common Pitfalls for Bermuda Employers

Employee departures are an inevitable part of running a business, but the way they are managed can have significant legal, financial and operational consequences. In Bermuda, employers who approach terminations without adequate preparation may expose themselves to unnecessary disputes, regulatory issues, and reputational harm. Whether an employee is being dismissed for performance reasons, made redundant or departing as part of a negotiated exit, by recognizing the following common mistakes and taking a proactive approach, organizations can manage departures more effectively and reduce risk.

Appleby-Website-Privacy-and-Data-Protection
8 Jun 2026

It’s time to bridge Pipa compliance gap

A review of 200 publicly available privacy notices of companies in Bermuda has revealed that just one in nine are fully compliant with the Personal Information Protection Act 2016.

Appleby-Website-Privacy-and-Data-Protection
26 May 2026

Transparency is a legal requirement under Pipa

Major companies across the European Union have faced substantial fines between 2019 and 2024, estimated at a total of €930 million (about $1.08 billion), not only for cyberattacks or data breaches, but also for issues such as noncompliant privacy notices. A common theme in many cases has been a lack of transparency.