Clarity on privacy laws as new regime approaches

Explaining the guardrails: Alex White, the Privacy Commissioner (Photograph supplied)

The Privacy Commissioner has given assurance that his office aims to assist rather than punish as new personal information protection laws come into effect.

The Personal Information Protection Act will be fully enacted tomorrow with the start of 2025 and Alex White offered guidance for those concerned about their rights.

Mr White said: “I believe in the need for constructive regulation and engagement.

“Our intention isn’t to be punitive. We want to be collaborative and constructive in resolving problems. We will point out problems and give instructions, and if you don’t take those steps then there might be an issue.

“My office can issue orders to instruct compliance but if an organisation acts in violation, that is an offence and the Department of Public Prosecutions could pursue it as an offence. The court would impose a fine or penalty in that way.”

He said Pipa balances individual rights with the legitimate needs of organisations to use personal information for services.

Mr White said: “It does that by creating specific rights for individuals including the right to access personal information, to correct anything that is factually wrong, to delete information that is not needed any more and to block information for things like marketing purposes.

“We have a guide we posted on our website that is written in straightforward terms called the Individuals’ Guide to Pipa.”

Mr White emphasised that not everyone might be able to have a record changed if it was factually true and needed by an organisation.

“Just because they have a right to make a request, it doesn’t mean the organisation will always say yes,” he said.

“In our guide, we talk about those instances and how individuals can go about doing it, and what a letter to an organisation might look like.

“A classic example might be if an employee wants to file a correction request and get their performance evaluation changed. They may feel that the score should have been higher but that is a matter of opinion not a factual matter you can correct under Pipa. However, the organisation must make a record of the request being made.”

Mr White provided examples of when it was inappropriate for an organisation to keep information that is not serving a use.

He said that organisations traditionally tend to “hoard” information in the belief that it may one day prove useful.

Mr White said: “One thing we realised is that collecting those things is creating a risk for the individual.

“It could be, for example, when you sign up for a service you fill a form with your name, address, e-mail and phone number. If an organisation only communicates with you by e-mail, do they need the phone number to perform that service?”

He said that in cases of excessive collection, the subject could “request it be deleted if it is not necessary”.

The use of personal information by media outlets, libraries, museums and archives for artistic, literary or journalistic purposes is excluded from Pipa.

However, other uses of that information, such as for subscription purposes, are not exempt, meaning the organisations must comply with the law.

Mr White said that exclusions most likely to come up included information used for personal or domestic purposes.

“An example is keeping your address book on your night stand. You have a lot of personal information such as your friends’ phone numbers and birthdays in there but you are using it for personal/domestic purposes, so the Act would not apply to something like that.

“A good dividing line between personal and non-personal is publication. If you were to then take the night stand address book, scan copies and post it on the internet, it’s a different situation.”

He cited the example of business contact information, adding: “A lot of the times when we are collecting information, it seems to be personal information but it is just about contacting an individual in their capacity as an employee of an organisation.

“Your work e-mail address or phone number is business contact information and is excluded from the Act.

“Think of it as an exclusion of a business card — you are using it to contact someone as an employee of an organisation.”

Mr White made clear that Pipa applies not only to business but to other organisations including charities, recreational and sport clubs.

“It doesn’t matter if it’s a business or non-business, Pipa still applies,” he explained.

“The difference is that Pipa uses a risk-based framework in its compliance requirements.

“Often, things like a recreation or sports club may be using information in a way that is not going to harm an individual, such as sports statistics, for example.

“They are not going to result in a privacy harm and so the controls required to be in place are lessened. It is more about informing individuals that they have the information.

“There may be reasons to keep a record. A school may have an interest in retaining records on former students.

“Just because they are not currently a student, they can’t wipe the disciplinary records for example. They might be needed for giving a reference or for a legal reason.

“Pipa can be complex at times and it is our job to try to make it as simple as possible. It is also up to organisations to try to make it understandable for the average person.”

Individuals’ Guide to Pipa is available at https://www.privacy.bm/.


Published December 31, 2024 at 7:58 am (Updated December 31, 2024 at 7:34 am)
