The Cayman Islands’ ability to remain competitive in the international financial services industry and to protect its own residents’ privacy has created an urgent need for enacting data protection legislation, according to a working group that reviewed a draft bill on the subject.
A new draft Data Protection Bill, circulated for public comment last week, is substantially similar to an earlier draft bill proposed three years ago. That bill never made it to the Legislative Assembly for a vote, partly because of a number of concerns from the local business community and the Cayman Islands Human Rights Commission.
The primary goal with data protection, from the view of the local financial services industry, is to gain “adequacy” status with regard to data protection laws in European Union member states. That status allows personal data to move between EU member states and the Cayman Islands without the need for further safeguards, speeding business transactions.
However, the working group also identified the need for privacy protection in the Cayman Islands, particularly in what it terms the “information society,” with the advent of the Bill of Rights protections of family and private lives in Cayman’s Constitution.
“The current gap in applicable legal provisions related to the use of CCTV and the need for privacy protection in the context of some of the international agreements which the Cayman Islands is subject to, suggest[s] that a Data Protection Law is long overdue,” the working group review of the draft bill states.
Data protection is a far-reaching concept. First, the new draft bill seeks to define those who handle the data as “data controllers” and “data processors.” Both of those groups are given specific responsibilities which are set out in the “Data Protection Principles” contained in the draft bill.
“Personal data shall be obtained only for one or more specified, explicit and legitimate purposes and shall not be further processed in any manner incompatible with that purpose or other purposes,” according to the second principle of data protection.
The bill defines “personal data,” replacing the definition of that subject in the Freedom of Information Law: “Personal data means data related to a data subject and includes such data as: (a) the data subject’s location data, his online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the data subject, (b) an expression of opinion about a data subject and, (c) any indication of the intentions of the data controller or any other person in respect of a data subject.”
It further defines “sensitive personal data” – which also must be handled in a prescribed manner – as such things as a person’s racial or ethnic origin, political opinions, religious beliefs, membership in a trade union, mental or physical health, sex life or any alleged commission of crime by that person.
The law allows anyone whose data is being processed to be granted access to that data, the purposes for which it is being processed, and the recipients to whom that data may be disclosed. These items can include reviews of the person’s performance at work, their creditworthiness and their “reliability or conduct.”
If the data controller cannot comply with such a request, they must provide the individuals with reasons why. The person may also ask that data processing stop or not begin if that activity causes them “distress or damage,” including certain “direct marketing” activities.
“A person who suffers damage by reason of any contravention by a data controller of any requirement of this law has a cause of action for compensation from the data controller for that damage,” according to section 13 of the draft bill.
Unlike the Freedom of Information Law, the latest draft of the Data Protection Bill applies to everyone in the Cayman Islands, public and private sector alike. It also applies to certain entities outside the Cayman Islands that have certain data processing functions in the jurisdiction.
The draft bill would require the registration of individuals defined as “data controllers.” Currently, the registration of data controllers is proposed to be handled by the information commissioner’s office.
The information commissioner is required under the draft bill to make information on the data controller register available to the public. The information commissioner is also given broad powers to subpoena records, investigate breaches of data protection laws and even mete out corrective actions in cases where a breach of the law has occurred.
Any such finding by the information commissioner can be appealed to the Cayman Islands Grand Court.
The registration includes the name and address of the data controller, a description of the type of data they process and a description of their purposes in doing so, and a description of individuals to whom the data controller may disclose the data. According to the bill, no one may process personal data unless they are registered with the information commissioner’s office. It would be considered a criminal offence to do otherwise.
A data controller is defined in the legislation as “the person who, alone or jointly with others, determines the purposes, conditions and means of the processing of personal data…” A data processor in the draft bill is “any person who processes personal data on behalf of a data controller, but, for the avoidance of doubt, does not include an employee of the data controller.”
Essentially, the bill’s definitions seek to make the organization that controls, transmits and releases data responsible for those actions rather than the individual employee tasked with those responsibilities.
There are a number of exemptions to the application of the Data Protection Bill for certain public service functions or industries.
Personal data are exempt from the data protection principles if the exemption was at any time required for the purposes of safeguarding national security. Certain exemptions to the Data Protection Bill are also made in cases where economic interests of the Cayman Islands must be safeguarded.
Personal records processed during activities aimed at the prevention, detection and investigation of crimes are exempted under the bill, along with the processing of personal data for the purposes of taxation or for investigation of corruption-related claims.
Certain government functions are also exempted from the bill, including situations that “would likely to prejudice the proper discharge of the functions” of the law, the Crown or the Cabinet or other public functions.
“Special purpose” exemptions are set aside for the processing of data “undertaken with a view to the publication by a person of any journalistic, literary or artistic material.”
However, there are certain requirements placed on data controllers in “special purpose” exemption situations.
The data controller must reasonably believe that publication of that data would be in the public interest and that compliance with the data protection requirements would be “incompatible with special purposes.” The bill also requires a data controller to believe the public interest publication of the personal data was “a feasible one,” in line with any code of practice relevant to the publication in question.