The Office of the Privacy Commissioner sought to raise awareness about legislation and bolster its internal systems last year, according to the body’s first report

Safeguarding Bermuda, the Privacy Commissioner’s Annual Report for 2025-26, was tabled in the House of Assembly on Friday.

The report is the first since the Personal Information Protection Act came into effect on January 1, 2025.

Gretchen Tucker, the Privacy Commissioner, wrote in the report that the departure of her predecessor Alexander White, announced in June 2025, resulted in a prolonged period of leadership transition for the organisation.

As a result of the transition process, she said a formal regulatory enforcement strategy was not fully adopted during the period covered by the report.

However, Ms Tucker said that one of her immediate priorities was to develop and establish an enforcement strategy supported by governance structures, written procedures and operational safeguards.

She wrote: “This strategy starts with ensuring that the office is appropriately resourced to facilitate, at a minimum, the statutory processes expressly provided for in Pipa.

“This includes the statutory right of individuals to ask the commissioner for a review of an organisation’s decision, action or failure to act, as well as the right of individuals to initiate a complaint for the commissioner to investigate.

“It further includes the commissioner’s ability to attempt to resolve the same by negotiation, conciliation, mediation or otherwise.

“It also encompasses the commissioner’s ability to conduct inquiries if a matter is not resolved by the above-mentioned alternative dispute resolution process.”

The report said that the office received 30 written requests over the course of 2025 including 22 complaints.

Of those complaints, 16 were resolved informally during the early resolution stage of case management and the other six were still active at the end of the year.

The office also received 25 reports of information breaches, 21 of which were reviewed and closed before the year ended.

Of the reports, ten related to the accidental disclosure of personal information, seven were related to unauthorised use of personal information by an employee and eight were related to unauthorised use of personal information by an external third party.

The report also noted that 43 general queries were received over the course of the year including questions about how organisations can facilitate Pipa requests, statutory time frames and requirements for notices about breaches.

The office also set out to raise awareness of Pipa with a poster campaign, public engagements and the release of materials aimed to help individuals and organisations navigate privacy challenges.

The report said that priority was given to measures to educate children, parents, guardians, educators and organisations that provide information security services to children.

• To see the report, see Related Media

Download PDF File

Safeguarding Bermuda - PrivCom annual report