Bermuda’s Personal Information Protection Act 2016 (PIPA) comes into force on 1 January 2025. PIPA regulates the Bermuda Monetary Authority’s (the Authority or BMA) use of personal information.
The Authority’s Privacy Notice provides amongst other information, a description of the Authority’s use of personal information and the types of organisations and individuals to whom personal information may be disclosed. In accordance with PIPA, an individual may seek to access their personal information.
Guidance
What is a Personal Information Access Request (PIAR or Request)?
PIPA provides an individual with certain rights to access and control their personal information. Therefore, an individual can submit a PIAR to the Authority to seek:
- Personal information about you that is in the custody or control of the BMA
- The purposes for which your personal information has been and is being used by the BMA
- The names of the persons or types of persons to whom (and circumstances in which) your personal information has been and is being disclosed
For example, an individual may seek access to their personal information regarding medical, psychiatric and social work matters.
Additionally, an individual may also submit a PIAR for the following administrative requests (which may need to be supported by these reasons) such as:
- Making a correction of an error or omission in any of your personal information which is under the control of the BMA
- Requesting that the BMA not use your personal information for advertising, marketing or public relations purposes
- Requesting that the BMA not use your personal information where that use is causing or is likely to cause substantial damage or substantial distress to you
- Requesting for the BMA to erase or destroy your personal information
Submitting a PIAR
Your PIAR should set out sufficient detail to enable the BMA to identify the personal information in respect of which the request is made.
After submission, the BMA will confirm receipt of the PIAR and will contact you using the contact information provided if further information is required.
Once the PIAR is considered complete (i.e., if additional information is requested by the Authority and has been submitted in full), the BMA will acknowledge the PIAR, including its date of receipt and respond to the PIAR no later than 45 days (if no extension has been granted) from the day on which it was deemed complete.
Submitting Identification
When making a PIAR your identity must be validated. Therefore, you will be required to provide evidence of your identity. This is a vital part of the process as giving information to an unauthorised person may result in a breach. This process is a delicate balance between ensuring personal information is not being given to unauthorised people and ensuring that requests for proof of identity are reasonable.
To assist the BMA in verifying the identity of an individual who is making a request to access their personal information, the BMA will seek one of the following to verify your identity upon submission of a PIAR.
Resident Requester
- Copy of valid passport; or
- Copy of valid driver’s licence; or
- Copy of birth certificate
Resident means a person who is a resident of Bermuda
Non-Resident Requester
- Certified copy of valid passport; or
- Certified copy of valid driver’s licence; or
- Certified copy of birth certificate
Non-Resident means a person who is not resident in Bermuda
If a third party is submitting the request on behalf of an individual, then the BMA will seek a certified copy of a valid power of attorney.
The BMA reserves the right to request additional information to assist in verifying an identity.
Internal Review
An individual who has made a PIAR to the BMA pursuant to PIPA may request for the Authority to review any decision made with respect to a PIAR or any failure of the Authority to take any required action in respect of such PIAR..
Requesting an Internal Review is optional and does not impact an individual’s right to seek a review by the Privacy Commissioner of Bermuda.
Time limit to request Internal Review
A request for an Internal Review must be made within six weeks of the date that the individual was notified of the Authority’s PIAR decision.
How to make a request for an Internal Review
Please note that where an individual requests an internal review, the decision that is made by the Authority's Chief Executive Officer of the Authority (CEO), will be the final decision for the purposes of the timeframe (in accordance with PIPA) for which an individual may apply to the Privacy Commissioner for a review (i.e., such is considered the Authority's final decision). An individual who seeks to request an Internal Review should complete the Internal Review Form. Once the request for Internal Review has been received, the Authority shall acknowledge the request, commence its review and respond. The Authority may contact the individual at any time during the Internal Review period where further information or clarity regarding the request is needed.
The Internal Review decision
The CEO shall within six weeks after receiving a request for an Internal Review:
- Complete the review
- Make a decision
- Notify the individual of the decision and the reasons for the decision
- Notify the individual of their right to apply to the Privacy Commissioner of Bermuda for a review of the Authority’s decision.
[Insert PIAR and IR Form Buttons]
Contact us
Bermuda Monetary Authority’s Privacy Officer
Dina Wilson, Director Legal Services and Enforcement
43 Victoria Street, Hamilton HM 12
Tel: (441) 278-0250
Email: PIPA@bma.bm
