The ombudsman has issued an enforcement order to the Department of Agriculture to stop collecting personal data from customers purchasing its retail items, after it failed to comply with an earlier recommendation to cease gathering the information.
In the enforcement order, issued by the ombudsman on 12 July, the department was also ordered to delete any personal data it had collected without a legal basis and to provide a privacy notice to people from whom it is collecting such data.
The order from Ombudsman Sandy Hermiston came after a member of the public lodged a complaint in November last year, under the Data Protection Act, that the DoA was unnecessarily collecting personal data from people purchasing simple goods such as plants and trees.
The information collected included the person’s name, street address, postal address, email address and telephone contact.
The DoA confirmed to the ombudsman that it collects customers’ personal data every time it sells a product. The personal data is collected at the point of sale by verbally requesting it from each individual who makes a purchase, and is then entered into the sales system.
Hermiston found that the DoA had no privacy notification process to inform its customers who was processing the data or the specific purposes for which that information was being collected.
The department told the ombudsman that it believed it had a valid legal basis to process the data under a mandate from the Ministry of Finance, which, it claimed, required it to collect personal data to ensure that customers receive a correctly issued Cayman Islands government receipt for every transaction, and that all receipts must, at a minimum, include a customer’s name and address.
According to the enforcement order, the DoA advised the ombudsman to reach out directly to the Ministry of Finance to obtain a copy of the mandate “as it was not able to present us with any documentary evidence of its existence”. When the ombudsman contacted the ministry, it stated that it had no record of the mandate referred to by the DoA.
“The DoA then conceded that the mandate did not exist, and that it did not have a legal basis to collect and process the personal data requested from its retail clients,” the notice pointed out.
Hermiston found the DoA had no legal basis for processing the personal data of its customers and that collecting personal data for a simple retail purchase was unnecessary and excessive.
Earlier, on 30 March this year, the DoA had requested 31 days to take steps to address its non-compliance with the Data Protection Act, the ombudsman noted.
“We agreed and provided the DoA with a list of action points to complete. We also made it clear that we would issue an Enforcement Order in case of continued non-compliance. To date the DoA has not changed the contravening data collection practices, and it continues to require personal data from retail customers who are making a purchase,” Hermiston said.
The DoA was given 30 days to put the required changes into effect, and was also given 45 days to comply or seek judicial review of the decision.