Last modified 28 January 2024

Data Protection in Bermuda

Breach notification in Bermuda

Download PDF

Download current country

Change countries

Change country

Law

Data protection laws in Bermuda

The Bermuda legislature passed a comprehensive legislative framework that specifically addresses issues of data protection in the form of the Personal Information Protection Act 2016 (PIPA). The principal provisions of PIPA came into force on 1 January 2025.

Apart from PIPA, Bermuda law recognizes a duty of confidentiality in certain circumstances under the common law.

Related resources

Definitions

Definitions in Bermuda

Definition of use

PIPA applies to the "use" of personal information, and defines "use" as carrying out any operation on personal information, including collecting, obtaining, recording, holding, storing, organising, adapting, altering, retrieving, transferring, consulting, disclosing, disseminating or otherwise making available, combining, blocking, erasing or destroying it.

Definition of personal data

PIPA provides for a definition of "personal information" as meaning "any information about an identified or identifiable individual".

At common law, information is generally to be regarded as 'confidential' if it has a necessary quality of confidentiality and has been communicated or has become known in such circumstances as give rise to a reasonable expectation of confidence; for example if obtained in connection with certain professional relationships, if obtained by improper means, or if received from another party who is subject to a duty of confidentiality.

Definition of sensitive personal data

PIPA provides for a definition of "sensitive personal information" as meaning "any personal information relating to an individual’s place of origin, race, colour, national or ethnic origin, sex, sexual orientation, sexual life, marital status, physical or mental disability, physical or mental health, family status, religious beliefs, political opinions, trade union membership, biometric information or genetic information".

Authority

National data protection authority in Bermuda

Alexander White, a US lawyer, has been the appointed Privacy Commissioner since 20 January 2020. He is responsible for setting up the Privacy Commissioner's Office, hiring and training staff, undertaking investigations, providing reports and developing public awareness of the rights of individuals and the obligations of organisations under PIPA.

Registration

Registration in Bermuda

There is no system of registration and none provided for in PIPA.

Data protection officers

Data protection officers in Bermuda

Organisations covered by PIPA are required to appoint a "privacy officer" for the purposes of compliance with PIPA and communication with the Privacy Commissioner.

Collection and processing

Collection and processing in Bermuda

PIPA regulates the collection and processing of personal information and applies to any individuall, entity or public authority collecting, storing and using personal information in Bermuda either electronically or as part of a structured filing system. The use to which sensitive personal information can be put by an organisation is much more restrictive.

The common law, which continues to apply in parallel with PIPA, will in certain cases consider it a breach of confidence to misuse or threaten to misuse confidential information. The concept of 'misuse' is a broad one, but will often include any unauthorised disclosure, examination, copying or taking of confidential information. The precise scope of the term however will depend largely on the specific circumstances, including the relevant relationship and the nature of the information.

Related resources

Transfer

Transfer in Bermuda

PIPA regulates the transfer of personal information to an overseas third party. The legislation provides that the Privacy Commissioner can designate jurisdictions as providing comparable protection to Bermuda law. In other cases, the organisation subject to PIPA will be required to employ contractual mechanisms, corporate codes of conduct or other means to ensure that the overseas third party provides comparable protection for the personal information.

Related resources

Security

Security in Bermuda

PIPA makes provision for the implementation of proportional security safeguards against risk including loss, unauthorised access, destruction, use, modification or disclosure. In addition, a person who misuses or divulges confidential information (deliberately or otherwise) may be liable at common law.

Related resources

Breach notification

Breach notification in Bermuda

PIPA requires notification of a breach of security leading to the loss or unlawful destruction or unauthorised disclosure of, or access to, personal information which is likely to adversely affect an individual to (a) the individual concerned; and (b) the Privacy Commissioner.

The notice to the Commissioner must describe the nature of the breach, its likely consequences for the individual concerned, and the measures the organisation is taking to address the breach.

Related resources

Enforcement

Enforcement in Bermuda

Once fully in force, PIPA will make provision for investigations and inquiries by the Privacy Commissioner and for a range of remedial orders that may be imposed by the Commissioner. It also provides for a claim for compensation for financial loss or emotional distress for failure to comply with the legislation (subject to a reasonable care defence). In addition, PIPA makes provision for criminal offences and penalties (including imprisonment) for misuse of personal information. In addition, a breach of the common law duty of confidentiality may give rise to a claim for, among other things, damages and/or an injunction. These remedies are to be sought through, and enforced by, the Bermuda courts.

An individual convicted of an offence under PIPA will be liable to a fine of up to BMD 25,000 and/or to imprisonment for up to two years. An organisation convicted of an offence under PIPA will be liable to a fine of up to BMD 250,000. Proceedings can be brought against company directors and other officers in a personal capacity.

Electronic marketing

Electronic marketing in Bermuda

PIPA requires organisations to comply with requests from individuals that they cease, or not begin, use of their personal information for the purposes of advertising, marketing or public relations.

The Electronic Transactions Act 1999 provided that the Minister responsible for electronic commerce had the power to issue a standard to apply to intermediaries or e-commerce service providers and such a standard was issued by the Minister on 5 May 2000 and came into force on 3 July 2000 (Standard). The definition of "e-commerce service provider" is "a person who uses electronic means in providing goods, services or information" while an "intermediary" (with respect to an electronic record) means "a person who, on behalf of another person, sends, receives or stores that electronic record or provides other services with respect to that electronic record". The Standard set out certain "Safe Harbour Guidelines" which included certain privacy requirements and the prohibition on the sale or transfer of personal data or business records of customers to another person for the purposes of sending bulk, unsolicited electronic records.

Online privacy

Online privacy in Bermuda

PIPA makes special provision based on parental consent for certain uses of personal information about a child under the age of 14. Subject to this, there are no specific restrictions addressing online privacy of confidential information beyond those generally applicable to the use of personal and confidential information.

Related resources

Key contacts

Data protection lawyers in Bermuda

Michael Hanson JP

Partner

Carey Olsen

Pembroke

Email Full bio

Keith Robinson

Partner

Carey Olsen

Pembroke

Email Full bio

Jay Webster

Partner

Carey Olsen

Pembroke

Email Full bio

The notice to the Commissioner must describe the nature of the breach, its likely consequences for the individual concerned, and the measures the organisation is taking to address the breach.

Quick links

Data Protection in Bermuda

Breach notification in Bermuda

Continue reading