New legislation in force as of January will bring an “unchartered territory” for most Bermuda organisations, according to a global offshore law firm.

Businesses will be required to make disclosures to individuals or organisations under the penalty of law.

The near century old Conyers, the first offshore law firm in Bermuda, referred to the fast approaching January 1 implementation of the Personal Information Protection Act 2016, and “the brave new world of individual rights requests”.

Conyers lawyers Andrew Barnes and Julie McLean stated in an article just recently republished in JD Supra that Bermuda based organisations from small businesses to multinationals, should be busy preparing for Pipa compliance.

It requires organisations to be ready to receive, process and respond to rights requests from individuals.

Companies will be required upon request to provide access to what information a company has on the individual, the purpose for which it is being used, the names, types of persons and circumstances in which that personal information is being disclosed.

Requests can also be made to correct errors or omissions in the information and erase or destroy such personal information where it is no longer relevant for the purposes of its original use.

Companies should also avoid using personal information for advertising, marketing or public relations purposes, or where using personal information could cause substantial damage or distress to an individual.

The article notes that any rights request must be in writing, and must include sufficient detail to enable an organisation with a reasonable effort to identify the personal information in the request.

Requests can also come from a third party such as a relative or lawyer on an individual’s behalf.

Information access may be refused if protected by legal privilege or if it would disclose confidential commercial information.

Rights requests must be promptly acknowledged, and the response made within 45 days, although extensions are possible.

The article continues: “Your organisation may also charge a fee for a rights request [up to prescribed a maximum to be determined by the Privacy Commissioner], however you cannot charge if the request is to correct incorrect information.

“Most importantly, your organisation does not need to comply with ‘manifestly unreasonable’ requests, and what constitutes such will be on a case-by-case basis for which you will need to be able to justify your rationale to the individual and the Privacy Commissioner.

“As practical considerations for responding to rights requests, your organisation should verify the identity of the individual making the request, and if valid, appropriately and securely provide the individual with the requested information.

“While Pipa’s requirements may initially appear burdensome, particularly for small to medium businesses and non-profit organisations, it is important to bear in mind that Pipa is underpinned by the principles of proportionality and reasonableness as well as a risk-based approach.”