What can I expect after submitting a PIPA rights request with an organisation?
People ask:
How long does an organisation have to respond?
Can an organisation charge a fee?
What should an organisation send back to me?
Will I always receive everything I asked for?
1. How long does an organisation have to respond to my request?
An organisation typically has 45 days to respond to your request.
If your request is complex, the organisation may need extra time to consider your request, and they can take up to an extra 30 days to respond under certain conditions.
If they are going to do this, they should let you know promptly why they need more time and when you can expect to receive their response.
The organisation might need you to prove your identity. However, they should ask you only for enough information to be sure you are the right person.
Additionally, the organisation may ask you for further information if they believe that your request is incomplete.
If the organisation asks you to prove your identity or your request is incomplete, then the 45-day time period for the organisation to respond to your request begins from when they receive this additional information.
2. Can an organisation charge a fee?
Following consultation with the Commissioner, the Minister responsible for PIPA may prescribe any applicable fees.
Note: An organisation cannot charge you a fee if there is an error or omission in the personal information that it holds on you and you are requesting the organisation to correct the inaccurate personal information.
3. What should an organisation send back to me?
When an organisation responds to your request, they should typically tell you whether or not they use your personal information and, if they do, give you copies of it. The organisation should also include:
• what purpose(s) they are using your information for;
• who they are sharing your information with;
• how long they will store your information, and how they made this decision;
• details on your right to challenge the accuracy of your information, your right to have your information deleted, and your right to block the use of your information;
• your right to complain to PrivCom;
• details about where they got your information from; and
• whether and how they have transferred your information to a third party outside Bermuda.
If you wish to receive specific details, it is highly recommended that you state this in your request.
4. Will I always receive everything I asked for?
You may not always receive everything you have asked for. Depending on the circumstances:
• you may receive only part of the information you asked for; or
• the organisation may not provide you with any personal information at all (for exemptions, see page 24).
If you make a request for access to your personal information of a medical or psychiatric nature, or your personal information is kept for the purposes of, or obtained in the course of, carrying out social work relating to you, an organisation may refuse to provide access to personal information if disclosure of your personal information would be likely to prejudice your physical or mental health.
If an organisation refuses your medical records access request, you can ask the organisation to provide access to your personal information to a health professional who has expertise in relation to the subject matter of the record. The health professional will then determine whether or not disclosure of your personal information to you would be likely to prejudice your physical or mental health.
An organisation can also refuse to comply with your PIPA rights request if they think it is “manifestly unreasonable” (see page 30).
There can be other reasons why you may not receive all the information you requested, e.g., when an exemption applies, or the type of information you asked for is not covered by an access request.
5. Am I entitled to receive copies of entire documents?
You are not. Your right of access does not entitle you to receive full copies of original documents held by an organisation: only your personal information contained in the document.
Scenario
You ask your bank for access to your personal information, including full copies of your bank statements. Your bank is not required to provide copies of the actual bank statements. However, they must provide you with your personal information contained within them. For example, the bank may provide you with a list of transactions. By doing so, they have complied with your access request without having to give you a full copy of the original bank statements.
6. What is an exemption?
An organisation may withhold all or some of your personal information because of an exemption stipulated in PIPA. Exemptions protect specific types of information or how certain organisations process information.
In rare cases, an organisation may not even have to let you know whether they hold your personal information.
An organisation may also refuse your request to access your information if it includes personal information about someone else, except in situations where:
• the other individual has agreed to the disclosure; or
• it is reasonable to give you this information without the other individual’s consent.
When deciding on your access right, an organisation must balance your right of access to your personal information against the other individual’s rights with respect to their own information. This may lead the organisation to refuse your access request. An organisation may not provide access to your personal information if the disclosure of your personal information could reasonably be expected to threaten the life or security of another individual.
Alternatively, the organisation may attempt to remove or edit out (redact) the other individual’s information before sending your information to you. This could mean you only receive partial information – such as copies of documents showing blacked-out text or missing sections.
The organisation will still need to:
• tell you why they are not taking action;
• explain how you can challenge this outcome.
If you want to learn more about exemptions and exclusions under PIPA, see our Guide to PIPA and Guidance on uses of personal information for organisations.
7. What if the organisation requires proof of identity (ID)?
Organisations must take reasonable steps to verify the identity of the applicant. This may include an ID check. These steps are part of an organisation’s measures to protect your personal information from unauthorised access.
If an organisation requires proof of ID (e.g., valid driver’s licence, passport, etc.), your PIPA rights request is not considered complete until you provide it. Therefore, the 45-day time period for the organisation to respond does not begin until they have received proof of ID from you.
8. What information is not covered by my request?
The right of access does not cover all types of information or uses of personal information. Examples include:
• information used for personal/domestic purposes (e.g., family members’ pictures of you);
• images of you captured on a domestic CCTV system within the boundary of your domestic property; and
• information about the medical records of a relative who has been dead for at least 20 years.
Section 4 of PIPA describes other situations where the use of personal information is excluded from the Act.
9. Can I resubmit the same request?
Yes, you can ask an organisation for access to your information more than once. However, they may be able to refuse your request if:
• they haven’t yet had the opportunity to deal with your earlier request; or
• not enough time has passed since your last request (e.g., your information has not changed since then).
Remember! An organisation may ask the Commissioner to authorise the organisation to disregard one or more of your requests due to the repetitive and systematic nature of your request(s) if:
• your request has been made with no real purpose except to cause the organisation harassment or disruption to their business activities;
• you have no genuine intention of accessing your personal information (e.g., you may offer to withdraw your request in return for some kind of benefit, such as a payment from the organisation); or
• your requests would amount to an abuse of the right to make those requests or are otherwise frivolous and vexatious.
10. How should I raise my concerns about how an organisation has used my information?
Initially, you should reach out directly to the organisation to raise concerns (see page 26). You must reach out to the organisation in writing. If necessary, you can adjust the master template provided on pp. 18-19 to help you raise your concern.