Privacy at Work: What PIPA Means for Bermuda Employers

Published: 12 Mar 2026
Type: Insight

The Personal Information Protection Act 2016 (PIPA), which came into force on 1 January 2025, represents Bermuda’s first comprehensive data protection regime. The legislation regulates the collection, use, disclosure and storage of personal information with the objective of protecting individuals’ privacy while allowing organisations to use data in a responsible and transparent manner. PIPA applies broadly to organisations operating in Bermuda, including employers. As a result, the employment relationship is one of the contexts in which the practical impact of PIPA is most significant. Employers routinely process large volumes of personal information relating to employees and job applicants, and PIPA imposes obligations that affect recruitment, workplace monitoring, record-keeping and disciplinary processes.


Scope of PIPA in the Employment Context

PIPA applies to organisations that use personal information in Bermuda, whether the information is processed electronically or forms part of a paper filing system. Personal information is defined broadly as any information about an identified or identifiable individual. In the employment context, this definition captures a wide range of data, including employee compensation details, performance evaluations, disciplinary records, health information, and immigration or work permit documentation.

Employers typically gather personal information at several stages of the employment life cycle. During recruitment, organisations collect data from job applications, resumes and background checks. Once employment begins, additional data may be collected for payroll, benefits administration, performance management and regulatory compliance. Employers may also hold sensitive information such as health records, security clearance details, drug testing results or pension information.

For employers, this breadth means that privacy compliance is not limited to IT systems or cybersecurity. It also extends to routine human resources practices such as employee record keeping, recruitment processes and internal investigations.

Lawful Bases for Processing Employee Information

One of the central features of PIPA is that organisations must have a lawful basis for using personal information. In practice, the most common lawful basis in the employment context is the consent of employees or job applicants.

Consent may sometimes be implied from the circumstances – for example, when an applicant voluntarily submits a resume in response to a job posting. However, organisations typically rely on express consent given in employment contracts and in employee acknowledgments of privacy notices and employee handbooks. These documents generally explain what information will be collected, the purposes for which it will be used, and the parties with whom it may be shared.

However, consent alone cannot realistically govern all aspects of the employment relationship. Employers must also collect and process personal information in order to administer payroll, investigate misconduct and ensure workplace safety. These operational realities mean that organisations must carefully identify and document the purposes for which employee information is collected and used.

Proportionality in Data Collection

A key principle underlying PIPA is that organisations should use personal information only for the specific purposes for which it was collected, and collect only information that is relevant and proportionate to the purposes for which it is used. Employers must therefore consider whether the information requested from employees is commensurate with the purpose for which it is sought.

For example, collecting detailed medical information where only confirmation of an employee’s fitness-for-duty or means of accommodation is required may exceed what is reasonably necessary. Similarly, retaining outdated employee records long after they are needed for employment or regulatory purposes may raise compliance concerns.

Adopting clear data retention policies and reviewing the categories of information collected during recruitment and employment can help ensure that organisations meet the proportionality requirement. Although PIPA does not prescribe specific retention periods for employee records, employers are expected to determine appropriate timeframes based on the purpose for which the data is collected. Once that purpose has been fulfilled, organisations must securely delete or anonymise the information.

Monitoring Employees in the Digital Workplace

Modern workplaces increasingly rely on digital technologies that enable employers to monitor employee activities. Email systems, internet access logs, GPS tracking and video surveillance can all generate personal information relating to employees.

Monitoring may serve legitimate business purposes, including protecting confidential information, preventing misconduct, and ensuring productivity. However, PIPA requires that collection of personal information obtained through monitoring, like that of any other personal information, be transparent and proportionate.

Employers should inform employees in advance that monitoring may occur and explain the purposes for which information will be collected. This is typically done through technology use policies or employee handbooks. By clearly communicating these practices, employers can ensure that employees understand the limits of privacy when using workplace systems. Where monitoring becomes excessive or intrusive, it may breach PIPA.

Sensitive Data Requires Extra Care

PIPA recognises a category of sensitive personal information, including data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sexual life. In the employment context, such information may arise in connection with workplace accommodation, health and safety obligations or regulatory requirements.

The use of such sensitive personal information is subject to stricter protections, particularly where it could result in discrimination. This reinforces protections under the Human Rights Act 1981, which prohibits discrimination in employment on various protected grounds.

Employers should therefore take particular care when requesting or using sensitive personal information and ensure that its collection is genuinely necessary for a lawful purpose. At the same time, PIPA recognises that certain roles may justify the use of sensitive information. For instance, health information may be relevant for workplace safety assessments or fitness-for-duty requirements. In such circumstances, the employer must still demonstrate that the collection and use of the data is justified and proportionate.

Employee Rights Regarding Their Data

PIPA grants individuals several rights regarding their personal information. Employees have the right to request access to personal information held about them and to obtain information about how that data is being used. They may also request corrections where the information is inaccurate or incomplete.

These rights may arise in various employment disputes. For example, an employee involved in a disciplinary investigation may submit a request to access the records used by the employer in reaching its decision. Similarly, employees may seek corrections to inaccurate performance records or other personnel files. PIPA requests are also sometimes made by employees in anticipation of litigation or a claim before the Employment Tribunal.

Employers should establish procedures to respond to such requests in a timely and transparent manner. Failure to comply with PIPA, including refusing to provide legitimate personal information and unjustifiably redacting information, may expose organisations to regulatory enforcement, resulting in fines and reputational fallout.

Compliance and Practical Implications for Employers

PIPA requires employers to collect and use employee data transparently, limit it to legitimate purposes, protect it through appropriate safeguards, and respect employees’ rights to access and correct their information. To comply, Bermuda employers must adopt more structured data governance practices. Organisations should implement privacy notices, maintain policies governing the handling of personal information, and train staff on their data protection obligations. They may also need to appoint personnel responsible for overseeing compliance with PIPA.

For organisations operating internationally, PIPA may align with privacy regimes already in place in other jurisdictions. Nevertheless, employers must ensure that their internal policies reflect the specific requirements of Bermuda’s legislation.

Because employment relationships inherently involve the collection and use of personal information, compliance with PIPA is bound to increasingly shape the way workplaces operate in Bermuda. From recruitment practices to digital monitoring and record retention, privacy considerations are now an integral component of responsible workplace governance.

First Published in the Bermuda Chamber of Commerce Newsletter (Chamber Insider), March 2026