DATA PROTECTION OVERVIEW
Cayman’s Data Protection Law (DPL) was passed in March 2017 and came into full force on 30 September 2019.
The law was passed with a view to achieving European Union (EU) “adequacy” status to enable personal data to move freely between EU member states and the Cayman Islands. Drafted around a set of EU-style data protection principles to which data controllers (defined below) must adhere, personal data must be collected in a fair and transparent manner and only be used and disclosed for purposes properly understood and agreed to by data subjects (as defined below). Any personal data collected must be adequate, kept up-to-date and should not be retained for longer than is necessary to fulfil the collection purpose.
The DPL is a powerful piece of legislation. It introduces globally recognised principles about the use of personal data to the Cayman Islands. The DPL aligns the Cayman Islands with other major jurisdictions around the world, notably the EU, and thereby facilitates the free flow of data between the two – a pre-requisite for the Cayman Islands being an equal and competitive participant in today’s globalised economy.
Importantly, the DPL provides a standard framework for both public and private entities in the management of the personal data they use. Internationally active organisations will find many similarities between the data protection legislation of the Cayman Islands and of other jurisdictions where they are active. The DPL aims to reduce the administrative burden of operating internationally and cement the Cayman Islands as an attractive jurisdiction in line with international developments.
The DPL also serves to provide assurance to individuals whose personal data is being processed. Indeed, where individuals feel that they are empowered to manage and control their personal data, they are more likely to share personal data with an organisation, to the benefit of both parties.
The Office of the Ombudsman (Ombudsman) is the Cayman Islands’ supervisory authority for data protection.
The DPL adopts similar definitions to those found in most EU data protection laws.
drafted widely, this is any data relating to a data subject.
the person who, alone, or jointly with others, determines the purposes, conditions and means of processing of the personal data.
Where an organisation is not established in the Cayman Islands, but will nevertheless process personal data within the Cayman Islands (other than for the purposes of transit), it must nominate a local representative data controller and identify them in the organisation’s privacy notice. The local representative must be established in the Cayman Islands and will bear all obligations of a data controller under the DPL.
an individual who is the subject of the personal data.
any person who processes personal data on behalf of a data controller, excluding employees of the data controller.
Sensitive personal data:
includes data regarding the data subject’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, medical data, sex life, commission or alleged commission of an offence (or information relating to any proceedings for any offence committed or alleged to have been committed).
Generally, any information relating to an individual’s physical, physiological or behavioural characteristics is not separately protected under the DPL. Our recommendation would be to treat such information as sensitive personal data.
Collecting personal information
Whether the personal data is being processed by or on behalf of the data controller, when collecting personal data, data controllers must provide the data subject with a description of:
(a) the types of personal data being collected;
(b) the purposes for which the personal data is to be processed by or on behalf of the data controller;
(c) the recipients or classes of recipients to whom the personal data may be disclosed;
(d) any countries or territories outside the Cayman Islands to which the data controller will transfer, or intends to transfer, the data to; and
(e) the general technical and security measures in place to keep that data secure.
This information should be provided within a separate privacy notice, made available to the data subject at each point of data capture, so that the data subject can make a clear informed decision as to whether to proceed.
What constitutes valid consent?
Under the DPL, consent means:
“any freely given specific, informed and explicit indication of a data subject’s wishes by which the data subject, either by a statement or by a clear act, signifies agreement to the data subject’s personal data being processed.”
Consent can be explicit, via a tick box or other mechanism, or it can be implied from the data subject’s actions, for example by proceeding with a service after reading the privacy notice.
The data controller bears the burden of proving the data subject’s consent to the processing of the data subject’s personal data for specified purposes. If the data subject’s consent is to be given by a written declaration which also concerns another matter, the consent requirement shall be presented in a form distinguishable from the other matter. Bundled consent is not valid consent. The data subject has the right to withdraw consent at any time.
Processing and retention of personal data
“Processing” in relation to personal data, includes obtaining, recording, holding, organising, adapting or altering the data, disclosing the data by transmission, dissemination or otherwise making it available, blocking, erasing or destroying the data.
Broadly, personal data can only be processed by a data controller for the purposes notified to the data subject on or before the time of collection of the data. Data controllers must process personal data in a secure manner.
Prior to the processing of sensitive personal data, the data controller must satisfy an additional condition, including: obtaining separate consent; only using the data if it is necessary for the performance of an employment contract; protecting a data subject’s vital interests; or for any legal proceedings.
Where the processing of personal data is carried out by a third-party data processor on behalf of a data controller, the DPL requires that there is a contract in place between the two parties, under which the data processor is to act only on the data controller’s instructions and comply with obligations equivalent to those imposed on the data controller.
Data controllers and processors must ensure the personal data that they hold is accurate and is not kept for longer than necessary to fulfil the original collection purpose. Prescribed data retention periods are not specified in the DPL, but an analysis should be undertaken to determine how long data should be kept. Similarly, it will be important for both data controllers and data processors to evaluate how the personal data can be securely purged once the purposes for holding it have been fulfilled by the organisation.
Accessing Personal Information
Data subjects are entitled to request that any inaccurate data is corrected and also request access to their personal data, and any information available regarding the source of that personal data. The data access request must be made in writing to the data controller, who is entitled to charge a reasonable fee for responding. Following receipt of the written request and fee, the data controller is required to respond within 30 days. The data controller can request a further period of time to respond to the data subject’s request provided that this request is notified to the data subject within the initial 30 day time period.
While there is no requirement under the DPL to provide or disclose the actual document which holds the personal data, the requested information needs to be provided to the data subject in an “intelligible form”.
The DPL recognises a number of exemptions from this right to access, including:
- data to which legal professional privilege applies; and
- data relating to any structure or arrangement that is an ordinary trust.
Consent is not required for the processing of personal data in connection with:
- safeguarding national security;
- the prevention, detection or investigation of a crime;
- the assessment or collection of any fees or duty in the Cayman Islands;
- the monitoring, inspection or regulatory functions connected with public safety;
- the prevention, investigation, detection or prosecution of criminal offences or breaches of ethics for regulated professions;
- an important economic or financial interest of the Cayman Islands; or
- disclosures required by law or made in connection with legal proceedings.
Are there any other exemptions?
Yes, there are exemptions to allow personal data to be processed without consent for the purposes of journalism, literature and art. There is also a general exemption for corporate finance transactions which include (a) underwriting in respect of issues of, or the placing of issues of, any instrument; and (b) advice to undertakings on capital structure, industrial strategy and related matters, and advice and service relating to mergers and the purchase of undertakings.
International transfers of personal information
The Cayman Islands has not yet achieved “adequacy” status from the EU.
Transfers outside of the Cayman Islands are permitted, but personal data shall not be transferred to a country or territory that does not ensure an adequate level of protection for the processing of personal data.
Where the recipient country or territory cannot demonstrate an adequate level of protection, contracts can be put in place to control data transfers with third party processors, or between members of the same group of companies.
The Ombudsman will approve the following data transfer agreements as a means of ensuring adequate safeguards:
- data transfer agreements based on standard contractual clauses published by the Ombudsman (NOTE: no such standard clauses have yet been approved); or
- data transfer agreements which replicate the rights and obligations set out in the EU standard contractual clauses. The Ombudsman will expect organisations to amend these to ensure cross-references to provisions of the GDPR are replaced with corresponding references to the DPL. However, the Ombudsman will accept un-amended clauses on the understanding that the intent of the parties is to interpret references to EU law as being the equivalent under the DPL.
The DPL also sets out a number of exemptions from transfer restriction, for example in instances where the data subject’s consent to the transfer has been obtained, the transfer is in the public interest, or the Ombudsman has authorised the transfer.
How is direct marketing regulated?
Under the DPL, direct marketing means the communication, by whatever means, of any advertising, marketing, promotional or similar material, that is directed to particular individuals.
Prior express consent is not required, but data subjects have the right to unsubscribe from receiving direct marketing materials at any time.
What rules apply to the monitoring of employees in the workplace?
There are no specific restrictions on employee monitoring under the DPL. Best practice would be for the employer to carry out a privacy impact assessment and evaluate less intrusive approaches to achieving the monitoring objectives. Employers should draft and communicate a written monitoring policy to affected employees explaining the purposes of the monitoring, and the types of personal data being collected.
Can telephone calls be recorded?
What rules apply to the recording of CCTV footage?
To the extent that CCTV may capture personal data, its use will be regulated by the DPL. The Cayman Islands’ government issued a code of practice on the use of CCTV in July 2011 but it is anticipated this code will be revised to reflect the DPL’s requirements.
To ensure any personal data collected via CCTV is not excessive or goes beyond the original purposes for its collection, consideration should be given to the location of all cameras and their angles of recording. CCTV footage should be kept secure and for no longer than required to fulfil the collection purpose. Prior to providing access to any footage as part of a subject access request, careful consideration should be given as the footage may include third parties who may be personally identifiable from the images.
Particular care should also be taken if CCTV is used as part of any employee monitoring process, which would need to be disclosed to employees in advance.
The Ombudsman is responsible for overseeing the DPL and can issue guidance as to compliance requirements, investigate complaints of breaches of the DPL and initiate its own investigations. Enforcement under the DPL is generally administrative and consultative in nature but criminal sanctions are also available.
Data controllers are not required to register with the Ombudsman or any other authorities and, while it is considered best practice to appoint a separate privacy or data protection officer this is not a mandatory requirement under the DPL.
What are the penalties for non-compliance?
Refusal or failure to comply with an order issued by the Ombudsman is an offence.
The data controller is liable on conviction to a fine of CI$100,000, or imprisonment for up to 5 years, or both.
The Ombudsman may also issue a monetary penalty order up to CI$250,000, payable by the data controller.
Where an offence has been committed by a body corporate, a director, company secretary, or similar officer, could be held liable.
A data subject who suffers damage or distress by reason of a breach of the DPL by a data controller may seek compensation from that data controller. Compensation should be pursued via the courts and is not awarded by the Ombudsman.
No separate cybersecurity legislation been enacted in the Cayman Islands. However, in rule requiring all regulated entities to establish, implement, and maintain a documented cybersecurity framework to promptly identify, measure, assess, report, monitor and minimise cybersecurity risks as well as respond to and recover from cybersecurity breaches that could have a material impact on their operations. Under this rule, any breaches must be reported to CIMA within 72 hours following discovery of the breach.
The DPL requires that “appropriate” technical and organisational measures be taken against unauthorised or unlawful processing of, accidental loss or destruction of, or damage to, personal data. The technical safeguards need to be appropriate to the types of personal data being processed.
Who needs to be notified in the event of a personal data breach?
In the event of a personal data breach, the data controller must without undue delay and within no more than five days after the data controller becomes aware of the breach, notify the Ombudsman and any affected data subjects, describing the:
(a) nature of the breach;
(b) consequences of the breach;
(c) measures proposed or taken by the data controller to address the breach; and
(d) measures, recommended by the data controller, the data subject may take to mitigate possible adverse effects caused by the breach.
A data controller who fails to notify the Ombudsman and any affected data subjects of a breach commits an offence and is liable on conviction to a CI$100,000 fine.