Writing and Submitting your PIPA Rights Request
Organisations should describe in their privacy notice how to submit a PIPA rights request. They may have a form or a tool that you can use. In the absence of such an organisational form or tool, you may need to write your request independently and submit it to the organisation.
Be sure to use the contact method stated in the organisation’s privacy notice. The organisation’s privacy notice will have the contact information for the individual or team that deals with PIPA rights requests, such as the designated Privacy Officer.
People ask:
1. What should my PIPA rights request say?
Do’s:
• your request should have a clear label (e.g., for your email subject line or a heading for your letter, use “PIPA rights request”);
• include the date of your request;
• include your name (including any aliases, if relevant);
• include any additional information used by the organisation to identify or distinguish you from other individuals (e.g., customer account number or employee number);
• include your up-to-date contact details;
• include a comprehensive list of what personal information you want to access, based on what you need;
• include any details, relevant dates, or search criteria that will help the organisation identify what you want.
Don’ts:
• don’t include other information with your request, such as details about a wider customer service complaint;
• don’t include a request for all the information the organisation holds on you, unless that is what you want (if an organisation holds a lot of information about you, it could take them an extra 30 days to respond, or make it more difficult for you to locate the specific information you need in their response); or
• don’t use threatening or offensive language.
Note: PIPA does not contain a “portability” clause, where you can demand your personal information
in a certain format. You can tell the organisation how you would like to receive the information
(e.g., by email or printed out), but they are not necessarily obliged to comply with this request.
The organisation is only required to provide the information in a reasonable manner.
2. What should my PIPA rights request look like?
You can use the PIPA rights request letter/email master template below as a guide, adding exactly
what information you are asking for from the organisation.
[Your full address]
[Your phone number]
[The date]
[Name and address of the organisation]
[Reference number (if provided within the initial response)]
Dear [Sir or Madam / name of the Privacy Officer or person you have been in contact with]
SUBJECT: Personal Information Concern or Rights Request
[Your full name and address and any other details such as account number to help identify you]
This letter relates to the following matter under the Personal Information Protection Act 2016
(PIPA):
[Choose one as appropriate from a., b., or c.:]
a. I am concerned that you have not used my personal information properly.
[a. Give details of your concern, explaining clearly and simply what has happened and, where appropriate, the effect it has had on you.]
or
b. I wish to exercise my right to access my personal information.
[b. Give details of the personal information you wish to access]
Please supply the personal information you hold about me, which I am entitled to request under the
Personal Information Protection Act 2016.
[Give specific details of the information and, if known, where to search for the personal information you want, for example:
• my personnel file;
• emails between ‘person A’ and ‘person B’ (from 1 September 2019 to 1 October 2019);
• my medical records (between 2019 and 2023) held by ‘Dr C’ at ‘hospital D’; and
• footage from the CCTV camera situated at (‘location E’) on 1 June 2021 between 11am and 5pm.]
If you need any more information, please let me know as soon as possible.
or
c. I wish to exercise my right to have my information corrected/blocked/erased/destroyed under PIPA.
[c. Give details of what personal information you want corrected/erased/destroyed]
I understand that before reporting this matter to the Office of the Privacy Commissioner for Bermuda (PrivCom), I should give you an opportunity to address it.
If, after receiving your response, I would still like to report this matter to PrivCom, I will give PrivCom a copy of your response to consider.
You can find guidance on your obligations under privacy rights legislation on PrivCom’s website (privacy.bm) as well as information on their regulatory powers and the action they can take.
Please acknowledge this message as soon as possible and send a full response within 45 days. If you cannot respond within that timescale, please let me know when you will be able to respond and why.
If there is anything you would like to discuss with me in relation to my letter of concern, please contact me on the following number [telephone number].
If you need advice on dealing with this request, the Office of the Privacy Commissioner for Bermuda can assist you. Their website is privacy.bm, or they can be contacted on 543-7748.
Regards,
[Signature]
In the absence of a standard form provided by the organisation, you can also use any other written format that you deem appropriate.
3. Should I use an organisation’s standard form?
Standard forms are not always provided. However, if a standard form is provided, the organisation may require you to use it. This means that if you fail to use the form provided by the organisation, the organisation may refuse your request. The Commissioner may require you to use available mechanisms before submitting a complaint to PrivCom. As a general rule, using an organisation’s form should be the best way to get a response from the organisation.
Standard forms can make it easier for an organisation to deal with your PIPA rights request. They can:
• structure your request;
• prompt you to include necessary details and supporting documents; and
• let you know the best contact point at the organisation.
If you submit a complaint to PrivCom, you can ask us to review whether the standard form is reasonable.
4. Can someone else make a request on my behalf?
You can authorise someone else to make a PIPA rights request for you. However, you should consider whether you want the other person to have access to some or all of your personal information. Examples of individuals making requests on behalf of other people include, but are not limited to:
• someone with parental responsibility, or guardianship, asking for information about a child or young person (for further information, please read our Guide to PIPA for Organisations on requests for information about children under the age of 14);
• a person appointed by a court to manage someone else’s affairs;
• a solicitor acting on their client’s instructions; or
• a relative or friend that the individual feels comfortable asking for help and has authorised to act on their behalf.
An organisation receiving the request needs to be satisfied that the other individual is allowed to represent you. The other person should provide evidence of authorisation to act on your behalf when the organisation asks them to do so. It is strongly recommended that they provide the evidence. The organisation may ask for formal supporting evidence to show this, such as:
• written authorisation from you; or
• a power of attorney.
5. Should I keep a record of my request?
Yes. It is strongly recommended that you:
• keep a copy of any documents or written correspondence for your own records;
• keep any proof of postage or delivery (such as a postal reference number), if available; and
• take a screenshot before submitting your request if using an online submission form.
Where relevant documents are not available for you to copy, consider making a written log of your request.
This should include key details, for example:
1. the date and time of your request;
2. the location (e.g., if your request was made in person);
3. the contact number or submission form you used;
4. the details of any contacts you have interacted with;
5. notes about any personal information you asked for;
6. any further information that the organisation may have asked you to provide; and
7. any reference numbers given to you and other relevant information.
This written log will provide helpful evidence if you wish to:
• follow up your request;
• make a complaint; or
• complain about an organisation’s response at a later stage.