Right to get your information erased or destroyed
In a seashell
Under PIPA’s section 19, you have the right to request an organisation to erase or destroy your personal information where that personal information is no longer relevant for the purposes of its use.
You can ask an organisation that holds information about you to erase or destroy that information where that personal information is no longer relevant for the purposes of its use. The right to get your information erased or destroyed is also known as the ‘right to erasure’ or ‘right to be forgotten’.
In some circumstances, they must then do so.
The right only applies in situations where:
- an organisation no longer needs your information for the purpose for which they originally used it:
Scenario
You have cancelled your gym membership. The gym should delete your personal information since it no longer needs to keep details of your name, address, age, and health conditions (sensitive personal information).
- you gave consent to an organisation’s use of your personal information but have now withdrawn it:
Scenario
You agreed to take part in a market research study and no longer want to.
- you have objected to the use of your information and your interests outweigh those of the organisation using it;
- you have objected to the use of your information for direct marketing purposes:
Scenario
You agreed to receive specific adverts directly and are no longer interested in them.
- the organisation using your personal information has collected or used your information unlawfully.
Scenario
The organisation hasn’t complied with the privacy rules under PIPA.
- The organisation has a legal obligation to erase your information.
- The information was collected from you when you were still a child (before you turned 14) for an online service.
Scenario
You used social media or a gaming app as a child.
Even if you are an adult, you have a right to have your information erased if it was collected from you as a child. PIPA gives children special protection, especially online. Children are vulnerable: as a result, they may be less aware of the risks and consequences of giving their information to organisations.
People ask
How do I ask for my information to be erased or destroyed?
What should the organisation do?
When can the organisation say no?
How long should the organisation take?
Can the organisation charge a fee?
What can I do if the organisation does not respond or if I am dissatisfied with the outcome?
How do I ask for my information to be erased or destroyed?
You should contact the organisation and let them know what personal information you want them to erase. You don’t have to ask a specific person – you can contact any part of the organisation with your request.
You must make your request in writing. The added value of having everything in writing is that it will allow you to explain your complaint, give evidence and explain what you want to happen. It will also provide clear proof of your actions if you decide to challenge the organisation’s response.
You may find it helpful to use the template below to assist you in exercising your right to erasure.
[Your full address]
[Phone number]
[The date]
[Name and address of the organization]
[Reference number (if applicable)]
Dear [Sir or Madam / name of the person you have been in contact with]
Right to erasure
[Your full name and address and any other details such as account number to help identify you]
I wish to exercise my right of erasure under PIPA.
[Give details of what personal information you want erased/destroyed.]
You can find guidance on your obligations under PIPA on the website of the Office of the Privacy Commissioner for Bermuda (privacy.bm). There, you can also find information on their regulatory powers and the action they can take.
Please send a full response within 45 days confirming if you will comply with my request. If you cannot respond within that timescale, please tell me when you will be able to respond.
If there is anything you would like to discuss with me in relation to my request, please contact me.
Yours faithfully
[Signature]
What should the organisation do?
On receiving a request under subsection (10), an organisation shall erase or destroy the personal information that the individual has identified in his request, or provide the individual with its written reasons as to why the use of such personal information is justified.
The organisation should erase/destroy your information, unless a PIPA exemption applies.
The organisation should also tell anyone else that they have shared your information with about the erasure.
The organisation can only refuse your request if it would be impossible or involve disproportionate effort.
If you ask, the organisation must also tell you that they have shared your information with other organisations.
If your information has been made public online – such as on social networks, forums or websites – then the organisation must take reasonable steps to inform the people with responsibility for these sites to erase links or copies of that information.
When can the organisation say no?
The organisation can refuse to erase your information in the following circumstances:
- When keeping your information is necessary for reasons of freedom of expression and information (this includes journalism and academic, artistic and literary purposes);
- When the organisation is legally obliged to keep your information such as to comply with financial or other regulations;
- When the organisation is carrying out a task in the public interest or when exercising their official authority;
- When keeping your information is necessary for establishing, exercising, or defending legal claims; and
- When erasing your information would prejudice scientific or historical research or archiving that is in the public interest.
Also, the right to erasure does not apply to sensitive personal information in the following circumstances:
- when keeping your information is necessary for reasons of public health in the public interest; and
- when keeping your information is necessary for the purposes of preventative or occupational medicine; for the assessment of the working capacity of the employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services. (This only applies if the information is being used by or under the responsibility of a professional who is under a legal obligation of professional secrecy, such as a health professional.)
If a PIPA exemption applies, the organisation can either fully or partly refuse to comply with your request.
The organisation can also refuse your request if it is “manifestly unreasonable”.
There is no set definition of what makes a request “manifestly unreasonable”. It depends on the specific circumstances of your request. For example, an organisation may consider a request to be “manifestly unreasonable” if it is clear that the request has been made with no real purpose except to cause the organisation harassment or disruption.
In such circumstances the organisation can:
- request a reasonable fee to deal with the request; or
- refuse to deal with the request.
In either case, they will need to tell you and justify their decision.
If, having considered your request, the organisation decides not to erase your information, they must still respond to you. They should explain why they believe they don’t have to erase your information, and let you know about your right to complain about this decision to PrivCom, or through the courts.
How long should the organisation take?
An organisation has 45 days to respond to your request. In certain circumstances, they may need extra time to consider your request and can take up to an extra 30 days. If they are going to do this, they should let you know promptly that they need more time and the reasons why.
The organisation might need you to prove your identity. However, they should only ask you for just enough information to be sure you are the right person. If they do this, then the 45-day time period to respond to your request begins from when they receive this additional information.
Can the organisation charge a fee?
In most circumstances, no. An organisation can only charge a fee if the request is “manifestly unreasonable”. They may then ask for a reasonable fee for administrative costs associated with your request.
What can I do if the organisation does not respond or if I am dissatisfied with the outcome?
If you are unhappy with how the organisation has handled your request, you should first raise a complaint with them and give them the opportunity to resolve the matter.
If you have done so and still remain dissatisfied, you can make a complaint to PrivCom.
You can also seek to enforce your rights through the courts. If you decide to do this, we strongly advise you to seek independent legal advice first.