Guidance note: Protecting personal information in the medical field
- privcombermuda
- Sep 11
This article has been updated from a previous article.
The Personal Information Protection Act 2016 (PIPA) came into effect on 1 January 2025. In this updated guidance note, we take a look at key privacy-related aspects of using personal information in the medical field.
As a general rule, the Office of the Privacy Commissioner for Bermuda (PrivCom) may provide guidance and comments of general application to an organisation in accordance with the general powers of the Commissioner under section 29(1)(i) of PIPA.
Generally speaking, PIPA is not intended to create a barrier regarding the use of individuals’ personal information and individuals’ rights with respect to their personal information. PIPA gives control to individuals regarding their personal information.
Medical records
Under section 7 of PIPA, information related to physical and mental health is sensitive personal information. Sensitive personal information is a defined term that includes, among other things, information relating to an individual’s place of origin, race, colour, sex, sexual life, physical and mental health, disabilities, genetic information, etc. (for a full list, see section 7, Sensitive personal information). Besides containing individuals’ information related to their physical and mental health, medical records may often contain the above-mentioned elements of sensitive personal information. By its very nature, this sensitive information requires organisations to implement enhanced protections.
Contact information
Under section 2 of PIPA, personal information means any information that relates to an identified or identifiable individual. Examples include names, dates of birth, photographs, video footage, addresses, email addresses, and telephone numbers.
A patient’s contact information is the personal information of the patient. The organisation or healthcare practitioner that uses the individual’s personal information is a ‘steward’ of that information.
Organisations using personal information in Bermuda are obliged to comply with the legal requirements stipulated by the Personal Information Protection Act 2016 (PIPA). Under section 5, organisations are required to adopt suitable policies and measures, i.e., a privacy programme, to give effect to their obligations and to the rights of individuals.
PIPA gives individuals the right to request access to their personal information (section 17), the right to request access to their medical records (section 18), and the right to request correction, blocking, erasure or destruction (section 19). These rights are not absolute. This means that there are situations where an organisation may refuse an individual’s request to access their personal information.
Consent
Consent to use an individual’s personal information under section 6(1)(a) is not the same as consent to medical treatment. Medical professionals should be clear that consent under PIPA is not required in a life-threatening situation or when needed to treat an individual’s health.
PIPA section 6(2)(a) requires that consent to the use of personal information must be given through clear, prominent, easily understandable and accessible mechanisms. Medical professionals should make clear when medical treatment requires the use of personal information and when it does not.
PIPA section 6(2)(c) states that an individual is legally “deemed” to have given consent when an individual consents to the disclosure of their personal information by an intermediary for a specified purpose. In such cases, that individual will be deemed to have consented to the use of that personal information by the receiving organisation for the specified purpose.
Consent is only one condition for the use of personal information under PIPA, specifically listed under subsection 6(1)(a), except for the use of sensitive personal information [subsection 6(1)(b)].
Besides consent, there are other lawful conditions under which organisations may use personal information. PIPA requires organisations to rely on a “lawful condition” of use of personal information. Such a condition could include an emergency or a contractual obligation. Consent is one of several options and is not always the most suitable. If you would like to learn more, read our guidance note Conditions under which organisations use personal information in Bermuda.
Sharing patient medical records
Patient medical records can be shared with a physician whose patient may be in danger of harming themselves. PIPA allows the use of personal information in emergency situations; this condition is listed under section 6(1)(f).
Another example is using personal information on a blood work order that needs to be sent to an overseas laboratory. The organisation should identify a purpose and a condition for this use of personal information, notify individuals of this use with a privacy notice, and implement controls according to the risk.
Information essential for medical treatment in relation to the principle of proportionality
According to section 11 of PIPA, Proportionality, organisations must ensure that personal information is adequate, relevant, and not excessive in relation to the purposes for which it is used. Doctors are encouraged to collect personal information that may be medically useful. Importantly, the concept of proportionality does not replace medical judgment about what amount of information is “essential” or “necessary” for the purpose of medical treatment.
Transparency and purpose limitation: using personal information for a specified purpose
In their privacy notices, organisations must be transparent to individuals about their information handling practices. Often, a wide variety of information is needed for the purpose of medical treatment. PIPA permits the legitimate use of personal information as long as the organisation meets the other requirements as to providing individuals with privacy notices, assessing risk, and implementing controls and safeguards. Organisations are generally mandated to act reasonably, but this can vary based on the specific circumstances.
Personal information should be used for a specified purpose. How often a health service provider should update the personal information held will depend on their specific circumstances. What is the purpose for using the information? How accurate, complete, and up to date does the information need to be to accomplish the purpose? For example, birthdate does not change but blood work results might. Organisations should assess their use of personal information, ensure its accuracy, and mitigate any risks of harm or breach.
When personal information is no longer necessary for a purpose, deleting it can reduce any residual risk. However, there may be reasons to retain that information. If human resources (HR) records need to be retained for a purpose, for instance a requirement under law, organisations should identify that purpose and work from that basis.
PIPA states that if organisations have a legal requirement, such as retaining personal information for a specified period of time, they should identify it as their lawful condition for using personal information [section 6], explain the purpose to individuals in their privacy notice [section 9], and implement policies and measures [section 5] and controls and security safeguards [section 13] against the risk of harm.
Even when personal information is used for one purpose, section 10(2)(e) permits organisations to also use the personal information for the purposes of scientific, statistical, or historical research subject to the appropriate safeguards for the rights of the individual.
Transferring patient information to another health service provider
After a patient has given consent for their personal information and sensitive personal information to be shared with a third-party health service provider, including an overseas third party, the documentation or other measures that an organisation takes will depend on the specific circumstances. A formal authentication statement by the recipient health service provider may serve as an example. As organisations remain responsible for compliance with PIPA, they should ensure they have conducted due diligence, including an assessment of the risks associated with transferring information to overseas third parties. The nature of this diligence can vary, as explained in PrivCom’s Guidance note: Transfer of personal information to overseas third parties and comparable jurisdictions.
A patient may wish to switch to another physician or a health service provider and have their medical records transferred there. The health service provider who has been requested to transfer the patient’s medical information to another health service provider should assess the risk of harm to the individual that may stem from the potential transfer of the individual’s medical information. The health service provider transferring the information should implement controls appropriate to the circumstances. Once the transfer of the patient’s medical records to another health service provider (recipient) has been successfully completed, the sending organisation can erase and securely destroy the information about that patient unless there is another legal provision requiring the organisation to keep it. If the sending organisation no longer needs the information for the purpose for which it was originally collected, PIPA does not require organisations to retain it.
Legal requirements in other jurisdictions
Health service providers (organisations) should be mindful that different jurisdictions have various legal requirements for protecting personal information. When setting up a privacy programme, legal regulations in other jurisdictions such as the General Data Protection Regulation (GDPR) in the EU and the UK and the Health Insurance Portability and Accountability Act (HIPAA) in the US may be useful to establish what controls or best practices are “suitable”. Organisations should identify whether they are subject to data protection and/or privacy laws in other jurisdictions, document them, and ensure they are transparent about their practices. However, organisations need to be aware that the applicable privacy law in Bermuda is PIPA.
Security safeguards
Under section 13 of PIPA, organisations are required to implement appropriate security safeguards to protect the personal information that they hold against risk, loss, unauthorised access, destruction, use, modification, disclosure, or any other misuse. Although PIPA does not specify what such appropriate security safeguards are, encryption is often a best practice and highly recommended. Encryption is the process of encoding information so that only authorised parties can read it.
Maintaining privacy in email communications
Unauthorised access to electronic mail can occur while an email is in transit, as well as when it is stored on email servers or on a user’s computer. Mistakes in handling sensitive information through email are prevalent. Sending confidential documents to the wrong recipient by accident is a common oversight. Lack of encryption is a primary concern with email communication. Organisations are encouraged to maintain privacy in their email communications.
General email announcements differ in nature from individual emails regarding a patient’s appointment, test results, condition, etc. Patients must first consent to receive general email announcements. If a health service provider (organisation) wishes to make a general email announcement regarding a specific health practitioner (for example, their start or end date), it is up to the organisation to make a privacy-driven determination on a need-to-know basis as to whether to send the email announcement only to the healthcare practitioner’s patients or to all patients.
Email marketing tools are services that offer a lot of useful features. Many organisations use them to send information to their clients, for instance newsletters and promotional emails. There are several privacy-related concerns that one should be aware of when using email marketing tools.
Data collection
- Personal information: An email marketing tool may collect a lot of personal information about individuals. This includes names, email addresses, and sometimes even more detailed information like purchase history or location.
- Usage: An email marketing tool may track how individuals interact with emails, i.e., it can see who opens emails, who clicks on links, and other engagement metrics.
Behavioural tracking
- An email marketing tool can use the data it collects to create detailed profiles of individuals. This profiling can be used to target individuals with specific content or advertisements (invasion of privacy).
Data sharing
- Third parties: An email marketing tool may share individuals’ personal information with other third-party services for various purposes, such as analytics, advertising, or improving their services. This can raise concerns about where the data are going and how they are being used.
Data security
- Server locations: An email marketing tool may store data on servers located in different countries, including jurisdictions that do not have a comparable level of protection. Different countries have different privacy laws, and this can affect the level of protection your personal information receives. Organisations making overseas transfers of information must be able to guarantee a level of protection comparable to the level of protection under PIPA.
Control over individuals’ personal information
- Consent: Organisations using email marketing tools need to ensure they have proper consent from individuals to collect and use their personal information.
- Data deletion: While an email marketing tool allows individuals to delete their data, deletion might not be immediate, and some data might still be retained for a period or for backup purposes.
Changes in policies
- Policy updates: An email marketing tool can update its privacy policy, and individuals must stay informed about these changes to understand how their data may be used over time.
