Employers, employees and PIPA

Published: 6 Jul 2023
Type: Insight

Now that a date has been set for the coming into force of the Personal Information Protection Act 2016, employers need to be aware of how this important legislation will affect them.

PIPA, which received Royal Assent on July 27, 2016, will come into full effect on January 1, 2025, meaning that the clock has started ticking and employers must begin preparing for its impact.

Personal information is defined under PIPA as “any information about an identified or identifiable individual”.

Sensitive personal information, which is a category of personal information, is defined as “any personal information relating to an individual’s place of origin, race, colour, national or ethnic origin, sex, sexual orientation, sexual life, marital status, physical or mental disability, physical or mental health, family status, religious beliefs, political opinions, trade union membership, biometric information or genetic information”.

In practice, the sort of personal information about employees that an employer is likely to have access to and retain includes financial information, pension information, age, security clearance information, drug test results and health records or medical information.

Such information may be obtained by an employer for many reasons, such as for insurance purposes, work permit submission or workplace diversity and equality monitoring.

Personal information should be collected with consent. Where an employer retains personal information prior to PIPA coming into force, it is deemed to have been collected pursuant to consent being given by that individual.

When an employer wishes to use the personal information of an employee, they may rely on provisions in contracts of employment whereby the employee has consented to such use.

It may seem to an employer that consent is the most obvious and straightforward method by which to establish a lawful basis to use the personal information of an employee. However, to rely on consent under PIPA, an employer must “reasonably demonstrate that the individual has knowingly consented”.

The difficulty here is that where there is a clear imbalance of power between an employer and employee, as there almost always is, it could be hard for an employer to show that there was knowing consent.

Instead, employers can rely on alternative bases for use of personal information laid out in PIPA, including showing that the “use of the personal information is necessary in the context of the individual’s present, past or potential employment with the organisation”.

While that approach actually makes it easier for the employer to use the personal information of the employee if the employer is able to show that such use was “necessary in the context of” employment, it may carry a higher risk for potential disputes. This is on the basis that what is necessary in the context of employment is in fact sensitive depending on each individual circumstance; thus it is open to an employee to argue that it was not necessary in the context of their employment to use their personal information.

In preparing for the arrival of PIPA, employers should ensure that they have clear policies in place which address the requirements of, and establish measures to ensure compliance with, the legislation.

For example, PIPA requires an employer to “ensure that any personal information used is accurate, relevant and not excessive to the purposes for which it is used”.

As such, measures and policies that address the handling and retention of data, such as data management, data handling and privacy policies, will require careful consideration.

Employers will need to ensure that the purpose for which the use of personal information is retained is clear, as well as making sure that only personal information that is relevant to the purpose is retained for a proportionate and considered period of time.

Clear policies should also be established regarding the disposal of personal information.

Employers should begin to think about these considerations now to ensure that by January 1, 2025, when PIPA comes into full force, they are compliant.

First Published in The Royal Gazette, Legally Speaking column, July 2023

Share
More publications
Appleby-Website-Privacy-and-Data-Protection
8 Jul 2026

Bermuda Privacy Commissioner Signals Shift to Stronger PIPA Enforcement

The Office of the Privacy Commissioner (PrivCom) has issued its first annual report since Bermuda's Personal Information Protection Act 2016 (PIPA) came fully into force, with the reports content signaling a transition from education and implementation to a stronger focus on enforcement.

Bermuda-1024x576-1
1 Jul 2026

A Forest for the Future

A first since the blight, the airport cedar forest is growing tall and standing strong.

Appleby-Website-Regulatory-Practice
1 Jul 2026

Complied out of business

Firms are complying themselves out of business because compliance no longer matches the evolving sophistication of the Bermuda Monetary Authority (BMA).

Appleby-Website-Insurance-and-Reinsurance
1 Jul 2026

The long game: how Bermuda became the world’s life reinsurance capital

Ask a life insurer in New York, London or Tokyo where the liabilities behind their book ultimately sit and there is an increasingly good chance the answer is a 21-square-mile island in the North Atlantic.

Appleby-Website-Insurance-and-Reinsurance
1 Jul 2026

Record H1’26 Cat Bond Issuance Driven by Rising Sponsor Comfort and Diversified Risk

With H1 2026 officially breaking the record for the most catastrophe bond deals to come to market and settle in the first six months of the year, a key trend driving this momentum is how comfortable sponsors have become with the mechanics of the overall cat bond space. This familiarity has ultimately encouraged a wave of new sponsors to enter the market, according to Brad Adderley, Managing Partner at law firm Appleby.

Appleby-Website-Employment-and-Immigration
12 Jun 2026

The Cost of Getting Employee Departures Wrong: Five Common Pitfalls for Bermuda Employers

Employee departures are an inevitable part of running a business, but the way they are managed can have significant legal, financial and operational consequences. In Bermuda, employers who approach terminations without adequate preparation may expose themselves to unnecessary disputes, regulatory issues, and reputational harm. Whether an employee is being dismissed for performance reasons, made redundant or departing as part of a negotiated exit, by recognizing the following common mistakes and taking a proactive approach, organizations can manage departures more effectively and reduce risk.

Appleby-Website-Privacy-and-Data-Protection
8 Jun 2026

It’s time to bridge Pipa compliance gap

A review of 200 publicly available privacy notices of companies in Bermuda has revealed that just one in nine are fully compliant with the Personal Information Protection Act 2016.

Appleby-Website-Privacy-and-Data-Protection
26 May 2026

Transparency is a legal requirement under Pipa

Major companies across the European Union have faced substantial fines between 2019 and 2024, estimated at a total of €930 million (about $1.08 billion), not only for cyberattacks or data breaches, but also for issues such as noncompliant privacy notices. A common theme in many cases has been a lack of transparency.

Appleby-Website-Insurance-and-Reinsurance
8 May 2026

Outsourcing considerations for Bermuda insurers

As Bermuda insurers engage with third-party service providers to support their business functions, the Bermuda Monetary Authority has clarified its regulatory expectations surrounding outsourcing arrangements and operational resilience.

Economic Substance
27 Apr 2026

Economic substance regime now falls under Cita

Recent amendments to Bermuda’s economic substance regime have transferred regulatory responsibility from the Registrar of Companies to the Corporate Income Tax Agency.