A draft bill that would require any public or private sector worker or agency whose job involves controlling personal data to be listed on a government-maintained register has been put out for review during the next two months.
The Data Protection Bill, 2011, is similar to legislation approved by the European Union and the United Kingdom in the 1990s, which seeks to regulate the processing of personal data to ensure those records are maintained fairly, accurately and kept from those with no right to see them. The proposal, which would introduce data protection legislation in the Cayman Islands for the first time, also has major implications for the territory’s Freedom of Information Law and how journalists, writers and artists can make use of personal information.
“Data protection is aimed principally at giving effect to the rights to privacy in relation to data while ensuring that certain exceptions are allowed,” according to a memorandum attached to the draft bill, which was released earlier this week for public comment.
The public review period for the draft bill will last until 2 November. There was no stated timeline for when the bill was expected to come before the Legislative Assembly.
Bill ‘affects everyone’
Unlike the Freedom of Information Law, the Data Protection Bill applies to everyone in the Cayman Islands, public and private sector alike. It also applies to certain entities outside the Cayman Islands that have certain data processing functions within the jurisdiction.
Information and Communications Technology Authority Chairman David Archbold directed the efforts of a public-private sector working group that reviewed the draft Data Protection Bill during the last two years. Mr. Archbold said in a statement released by government this week that many businesses and organisations will already comply with data-handling requirements set forth in the draft bill, but that a “minimum standard” for protection of personal data was needed.
“Data protection affects everyone and the working group seeks to present a comprehensive bill to Cabinet that suits the needs of the Cayman Islands while meeting international standards,” Mr. Archbold said. “We are very interested in hearing from individuals and specific business sectors that expect any additional areas will be particularly challenging.”
Data protection is a big concept. First, the bill seeks to define who handles the data as “data controllers” and “data processors”. Both of those groups of people are given specific responsibilities within the draft bill. Those responsibilities are generally set out in the “Data Protection Principles” contained in the bill.
“Personal data shall be obtained only for one or more specified, explicit and legitimate purposes and shall not be further processed in any manner incompatible with that purpose or other purposes,” according to the second principle of data protection.
The bill also defines “personal data”, replacing the definition of that subject contained within the Freedom of Information Law: “Personal data means data related to a data subject and includes an expression of opinion about a data subject and any indication of the intentions of the data controller or any other person in respect of a data subject.”
It also further defines “sensitive personal data” – which also must be handled in a prescribed manner – as issues like a person’s racial or ethnic origin, a person’s political opinions, religious beliefs, membership in a trade union, a person’s mental or physical health, their sex life or any alleged commission of crime by that person.
The law allows anyone whose data is being processed to be granted access to that data, the purposes for which it is being processed and the recipients to whom that data may be disclosed. These items can include reviews of the person’s performance at work, their creditworthiness and their “reliability or conduct”.
If the data controller cannot comply with such a request, they must provide the individuals with reasons why. The person may also ask that data processing stop or not begin if that activity causes them “distress or damage”, including certain “direct marketing” activities.
“An individual who suffers damage by reason of any contravention by a data controller of any requirement of this law has a cause of action for compensation from the data controller for that damage,” according to section 14 of the draft bill.
Part three of the draft bill would require the registration of individuals defined as “data controllers”.
The registration includes the name and address of the data controller, a description of the type of data they process and a description of their purposes in doing so, and a description of individuals to whom that individual may disclose the data.
According to the bill, no one may process personal data unless they are registered by the government. It would be considered a criminal offence to do otherwise.
The office that will be responsible for handling the data controller registrations and also for investigating complaints relating to mishandling of personal information is the Information Commissioner’s Office.
The information commissioner is required under the draft bill to make information on the data controller register available to the public.
There are a number of exemptions to the application of the Data Protection Bill for certain public service functions or industries.
Personal data are exempt from the data protection principles if the exemption was at any time required for the purposes of safeguarding national security. Certain exemptions to the Data Protection Bill are also made in cases where economic interests of the Cayman Islands must be safeguarded.
Personal records processed during activities aimed at the prevention, detection and investigation of crimes are exempted under the bill, along with the processing of personal data for the purposes of taxation or for investigation of corruption-related claims.
Certain government functions are also exempted from the bill, including situations that “would likely to prejudice the proper discharge of the functions” of the law, the Crown or the Cabinet or other public functions.
“Special purpose” exemptions are set aside for the processing of data “undertaken with a view to the publication by a person of any journalistic, literary or artistic material”.
However, there are certain requirements placed on data controllers in “special purpose” exemption situations.
The data controller must reasonably believe that publication of that data would be in the public interest and that compliance with the data protection requirements would be “incompatible with special purposes”. The bill also requires a data controller to believe the public interest publication of the personal data was “a feasible one”, in line with any code of practice relevant to the publication in question.
Personal data held by public authorities that are normally required to be made public under the Freedom of Information Law would also be exempted from provisions of the Data Protection Bill.
The draft bill gives the Cayman Islands Information Commissioner broad powers to regulate the processing of personal information in both the public and private sectors.
It also makes the commissioner’s office the public complaints body with regard to cases where individuals believe their personal data has been mishandled. For the maintenance of the data controller register, the commissioner’s office is allowed to charge a fee. However, office members have expressed a desire not to do so, if that can be avoided.
The commissioner is also allowed to obtain search warrants in cases where there is proof that suspected violations of the Data Protection Bill have occurred and can also make “special information orders” in cases where personal data purported to be obtained for a specific purpose is actually being used for something else.