With the Personal Information Protection Act 2016 (PIPA) coming into force on 1 January, organizations in Bermuda face the critical challenge of balancing stringent data protection requirements with the growing demand for data-driven information systems.

Using these systems requires access to large amounts of data, raising compliance issues among technology-savvy organizations.

PIPA applies to any organization that uses personal information in Bermuda, where that personal information is used in whole or in part by automated means or where it is part of a structured filing system.

According to PIPA, personal information (PI) means any information about an identified or identifiable individual.

The use of IP includes any operation performed on it, such as collecting, obtaining, recording, holding, storing, organizing, adapting, modifying, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, deleting or destruction. it.

Organizations must ensure that the use of IP is limited to specific purposes as stated in the PIPA. If the purpose of using the PI changes, consent must be obtained from the individual before the PI is used for the new purpose.

We note, however, that PIPA only applies to PI as defined above.

This means that where the information is not about a identified or identifiable personthis information will not fall within the scope of PIPA.

Accordingly, if the data is properly anonymized so that it does not constitute personal information, it may be used for other purposes, including in information systems.

PIPA does not mention or define the term “anonymization”. Interestingly, the 2024 amendment to the Bermuda Health Board Act 2004 refers to the anonymization of identifying information; however, it does not provide a definition either.

In the absence of further regulatory guidance on this point and based on the definition of PI in PIPA, PI is therefore “anonymised” when it cannot be used alone or with other information to infer or determine the identity of the person whose it is related, directly or indirectly.

There are various factors to consider when determining the degree of anonymization required. Often it’s not as simple as removing your name, address or phone number.

The amount and type of information needed to identify an individual may vary depending on factors such as location and the source or form of the information.

Information may be unique – and thus identifiable – within Bermuda’s smaller population compared to large, densely populated cities such as London or New York.

Biometric and genetic information are examples of IP that pose a higher risk of identification due to their distinct nature, particularly in smaller populations.

More examples:

• In a medical context: A distinct set of physical characteristics or medical conditions, not expressly associated with a person’s name, could identify an individual patient and thus constitute PI.
• In a financial context: A unique combination of rare financial instruments, investment types and geographic locations could identify a particular investor.
• In a real estate context: Details about a real estate transaction, such as a landmark building or a specific location in a niche market, could lead to the identification of the buyer or seller.

As modern technology’s reliance on data continues to grow, organizations must be aware of the implications for data protection.

Anonymizing data is one method of safeguarding IP, but requires careful consideration and consideration of various factors.

When in doubt, obtaining consent from the person to whom the PI relates is the safest approach to ensure your organization remains compliant with its PIPA obligations.

Failure to comply with these obligations could result in a possible fine of up to $250,000 or imprisonment of up to two years.

For more information, please contact:

Ligaya Sanchez-Wilson, Appleby

[email protected]