A hardware store that used infrared thermometers to screen customers for signs of COVID-19 during the pandemic was among almost 100 Cayman Islands entities investigated for data protection breaches in 2020.
An inquiry was launched after the store installed equipment capable of capturing temperature readings and facial recognition data of patrons and staff, the Ombudsman’s annual report indicates.
If the temperature reading was high, the device – installed amid public safety concerns about the virus – notified the individual, and others in the vicinity, with a loud alarm. No privacy notices were provided to tell customers what information was being recorded and how it would be used.
“We were concerned about this processing of sensitive personal data in the context of the COVID-19 pandemic and in a public space,” the report indicates.
“We asked the business to explain its rationale for processing the health data in this manner, as well as the legal basis for doing so, the expected retention period for the data, and the technical and organizational measures being taken to ensure a high level of security, as required.”
In this instance, staff said the information was not being stored and the devices were intended largely as reassurance to the community during the pandemic.
Ultimately, the store voluntarily removed the devices, though the Ombudsman notes in its report that this was not strictly necessary.
“The manner in which they were being used needed to be clarified, explained and possibly avoided,” the report notes.
The complaint was one of 87 alleged data breaches reported to the office in 2020.
On another occasion, a Cayman Islands health insurance firm was ordered to stop asking for details of clients’ sex lives.
The application form for medical insurance asked male applicants if they were ever involved in homosexual activities, according to a summary of the case in the report.
The summary indicates that the data controller for the company acknowledged there was no legal basis for the question and agreed to remove it from the form and to delete all data previously collected concerning the question.
The Ombudsman also examined a number of data breaches, including a ransomware attack on a financial services company.
“The company could not operate any of its business systems for two days, and its clients were unable to use their accounts for withdrawals or deposits,” the report notes.
“The ransom note indicated that the perpetrators had extracted at least some of the data contained in the bank’s systems.”
Though the business had a presence in Cayman and some clients on island who were impacted, it was based overseas and the Ombudsman did not have jurisdiction to investigate, the report states.
The Ombudsman also issued her first enforcement order under the Data Protection Act, which required the Registrar of Companies to “immediately cease gathering and processing personal data of non-registrable persons because there was no legal basis for its blanket approach”.
Data protection investigators also issued a number of information orders directing both public and private sector entities to provide documents as part of data protection investigations, because the entities were not responding to requests in a timely manner.
- This story is part of a short series highlighting the cases investigated by the Ombudsman in 2020.