All questions

Data protection

i Requirements for registration

The Bermuda Personal Information Protection Act 2016 (PIPA) is the country's first piece of data protection legislation. It does not contain any registration requirements. The preliminary provisions of the PIPA were introduced in 2016 and the rest are expected to come into force in 2019. The PIPA seeks to regulate the use of personal information by organisations in Bermuda by protecting both the rights of individuals and the need for organisations to retain and use personal data for proper purposes. Personal information 'means any information about an identified or identifiable individual', except for information that is publicly available. Every employer will, therefore, possess personal information about every employee and applicant for employment. The operation of the PIPA will be overseen by a privacy commissioner, who will also be responsible for handling complaints about alleged breaches of the Act. A graduated regime applies to the complaint procedure, starting with mediation, then followed by an inquiry by the privacy commissioner, followed by possible criminal sanctions. Every employer will be required to appoint a privacy officer who will communicate with the privacy commissioner.

ii Cross-border data transfers

All personal information protection policies apply to cross-border data transfers.

iii Sensitive data

The PIPA defines this as 'any personal information relating to an individual's place of origin, race, colour, national or ethnic origin, sex, sexual orientation, sexual life, marital status, physical or mental disability, physical or mental health, family status, religious beliefs, political opinions, trade union membership, biometric information or genetic information'.

iv Background checks

Background checks, credit checks and criminal record checks are permitted in Bermuda. Practically, the person being checked must consent to the release of information, but there are no legal requirements per se regarding consent. The Credit Association provides credit checks in certain industries and provides results to paying members. Criminal conviction records will not be released by the court or police without the express consent of the offender. Protection comes with the common law duty of confidence, which prohibits the disclosure or misuse of confidential information. The PIPA will protect personal information provided by employees during background checks when its main provisions come into effect.