In September, the Chamber’s Be Informed series hosted Deputy Information Commissioner Jan Liebaers, attorney Peter Broadhurst and Russell Richardson from the Information and Communications Technology Authority, who make up the Government’s Data Protection Working Group, to deliver a presentation on the draft Data Protection Bill. The presentation was sponsored by STEPPINGSTONES.
Currently in the public consultation period, which ends on 2 November, this draft bill has been based upon European legislation, considered to be the globally recognised standard bearer in such issues, Liebaers explained. Once Cayman adopts the legislation it will also have the most highly compliant data protection laws anywhere in the world.
Cayman’s legislation is based upon the European Union’s Data Protection Directive but has been designed specifically for this jurisdiction. All 27 countries of the EU were compliant with this legislation. Ten other countries are also considered to have adequate data protection. These countries are Andorra, Argentina, Canada, Faeroe Islands, Israel, Jersey, Guernsey, Switzerland, Uruguay and the Isle of Man. The United States is not considered a country with adequate data protection and neither are any Asian countries.
Draft data protection legislation had been introduced for a number of reasons, Mr Liebaers explained. The most important reason was the Bill of Rights clause, which outlined that the Government was required to respect every person’s private and family life, their home and their correspondence. In addition, the financial services industry was required to comply with EU law under the Alternative Investment Fund Managers Directive, which meant they also needed to comply with the EU’s data protection laws.
The increase in the number of CCTVs in circulation, especially those on Cayman’s roads, had meant that legislation was needed to guide people on what to do with such information.
Liebaers confirmed that it was hoped the draft data protection bill would be considered by Cabinet and passed into law before the Legislative Assembly is dissolved next year ahead of the general election. He said that they anticipated a staged rollout whereby the public sector would have to comply with the new law first. Private businesses would most likely not have to comply until around 2015.
Liebaers explained that definitions of certain language used in the draft legislation would be helpful in understanding the entire draft law, which was fairly complicated. He explained that a data subject was a person, dead or alive, who was the subject of personal data.
Personal data meant information relating to a data subject and included an expression of opinion about the data subject and any indication of the intentions of the data controller (or anyone else) in respect of the data subject. A data controller was the person who determined the purpose and means of processing the personal data.
Consent meant any freely given information that indicated a data subject’s agreement to their personal data being processed. Processing meant obtaining, recording or holding information or data, or carrying out any operation on the information or data, including erasing or destroying it.
Eight guiding principles of data protection
Outlining the eight principles that guided the development of Cayman’s data protection bill, Liebaers said that the data should be processed fairly (e.g. with the consent of the data subject), the data should only be obtained and used for a specific purpose, and the information received should not be excessive and should be adequate for the purpose.
He went on to explain that the data should be kept accurate and up to date, it should not be kept longer than for its intended purpose, and personal data should be processed in accordance with the rights of the data subject under the law. Proper measures should be taken to ensure no unauthorised processing of the data could take place and that it could not be accidentally lost or destroyed, and finally, personal data should not be transferred to another country unless that country has adequate data protection laws.
Exemptions and Enforcement
Under the proposed bill, various exemptions have been written in, but Liebaers explained that the exemptions were varied and only applied to certain parts of the law. Exemptions included where processing was for the purposes of national security, combatting crime, health, education, social work, regulatory activity and journalism, among others.
Liebaers explained that penalties for breaking the law were still under consideration but that the highest penalty for very serious breaches had been set at $250,000. He said penalties still needed some serious determination.
In summing up, Richardson said that the risk of data breaches for the Cayman Islands, as had been seen in countries such as the US and the UK, was very serious. Because of the importance of the issue, he encouraged everyone to analyse their own risks as they related to data they held as a business on data subjects.
The Data Protection Working Group welcomed input from the public by Friday, 2 November, so they could then amend the draft legislation where necessary before presenting it to Cabinet.